Fix XSS vulnerability in Firefox

bhollis · Dec 17, 2023 · 5109951 · 5109951
1 parent fae867a
commit 5109951
Show file tree

Hide file tree

Showing 8 changed files with 177 additions and 32 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -7,7 +7,7 @@
   "eslint.packageManager": "yarn",
   "eslint.validate": ["javascript", "typescript"],
   "editor.codeActionsOnSave": {
-    "source.fixAll": true
+    "source.fixAll": "explicit"
   },
   "jest.jestCommandLine": "yarn test",
   "[javascript]": {
@@ -19,5 +19,10 @@
     "editor.codeActionsOnSave": {
       "source.organizeImports": false
     }
+  },
+  "[javascript][typescript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "never"
+    }
   }
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+## JSONView 2.5.0
+
+- Fix a cross-site scripting vulnerability in the Firefox version of the extension.
+
 ## JSONView 2.4.3
 
 - Fix recognizing content types like application/hal+json

diff --git a/README.md b/README.md
@@ -5,6 +5,7 @@ JSONView
 
 * [Install for Firefox](https://addons.mozilla.org/en-US/firefox/addon/jsonview/)
 * [Install for Chrome](https://chrome.google.com/webstore/detail/jsonview/gmegofmjomhknnokphhckolhcffdaihd)
+* [Install for Edge](https://microsoftedge.microsoft.com/addons/detail/jsonview/kmpfgkgaimakokfhgdahhiaaiidiphco)
 
 Normally, when encountering a [JSON](http://json.org) document (content type `application/json`), Firefox simply prompts you to download the view. With the JSONView extension, JSON documents are shown in the browser similar to how XML documents are shown. The document is formatted, highlighted, and arrays and objects can be collapsed. Even if the JSON document contains errors, JSONView will still show the raw text.
 

diff --git a/package.json b/package.json
@@ -14,7 +14,8 @@
     "startWindows": "Powershell.exe -File ./buildWindows.ps1",
     "lint": "eslint src --ext .js,.ts --fix",
     "watch": "npm-watch",
-    "rollup": "rollup"
+    "rollup": "rollup",
+    "tests": "http-server ./tests/"
   },
   "watch": {
     "start": {
@@ -124,6 +125,7 @@
     "eslint-plugin-array-func": "^3.1.8",
     "eslint-plugin-github": "^4.7.0",
     "eslint-plugin-radar": "^0.2.1",
+    "http-server": "^14.1.1",
     "npm-watch": "^0.11.0",
     "rollup": "^3.21.3",
     "typescript": "^5.0.4",

diff --git a/src/background.ts b/src/background.ts
@@ -15,30 +15,6 @@ function isRedirect(status: number) {
   return status >= 300 && status < 400;
 }
 
-/**
- * Use the filterResponseData API to transform a JSON document to HTML. This
- * converts to the same HTML that Chrome does by default - it's only used in
- * Firefox.
- */
-function transformResponseToJSON(details: chrome.webRequest.WebResponseHeadersDetails) {
-  const filter = browser.webRequest.filterResponseData(details.requestId);
-
-  const dec = new TextDecoder("utf-8");
-  const enc = new TextEncoder();
-  let content = "";
-
-  filter.ondata = (event) => {
-    content += dec.decode(event.data, { stream: true });
-  };
-
-  filter.onstop = (_event: Event) => {
-    content += dec.decode();
-    const outputDoc = `<!DOCTYPE html><html><head><meta charset="utf-8"></head><body><pre>${content}</pre></body></html>`;
-    filter.write(enc.encode(outputDoc));
-    filter.disconnect();
-  };
-}
-
 function detectJSON(event: chrome.webRequest.WebResponseHeadersDetails) {
   if (!event.responseHeaders || isRedirect(event.statusCode)) {
     return;
@@ -50,10 +26,6 @@ function detectJSON(event: chrome.webRequest.WebResponseHeadersDetails) {
       isJSONContentType(header.value)
     ) {
       jsonUrls.add(event.url);
-      if (typeof browser !== "undefined" && "filterResponseData" in browser.webRequest) {
-        header.value = "text/html";
-        transformResponseToJSON(event);
-      }
     }
   }
 

diff --git a/src/content.ts b/src/content.ts
@@ -25,7 +25,14 @@ chrome.runtime.sendMessage({}, (response: boolean) => {
   }
 
   // At least in chrome, the JSON is wrapped in a pre tag.
-  const content = document.getElementsByTagName("pre")[0].textContent;
+  const jsonElems = document.getElementsByTagName("pre");
+  let content: string | null = null;
+  if (jsonElems.length >= 1) {
+    content = jsonElems[0].textContent;
+  } else {
+    // Sometimes there's no pre? I'm not sure why this would happen
+    content = document.body.textContent;
+  }
   let outputDoc = "";
   let jsonObj = null;
 

diff --git a/tests/xss.json b/tests/xss.json
@@ -0,0 +1 @@
+{"status":"success","message":"User Input received","userInput":"XSS<img src=x onerror=alert(origin)>"}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"status":"success","message":"User Input received","userInput":"XSS<img src=x onerror=alert(origin)>"}