Security: Python scripts use HTTP to interact with Closure compiler web service
Issue description

VULNERABILITY DETAILS
The Chrome-NFC and text-app repositories contain a script that interacts with the Closure Compiler web service:
https://github.com/GoogleChrome/chrome-nfc/blob/master/compile.py
https://github.com/GoogleChrome/text-app/blob/master/build.py
(There may be others, but these I picked up with a quick search on https://github.com/GoogleChrome)

This interfaces with the Closure Compiler App Engine service over HTTP, rather than HTTPS with certificate validation. As a result, there is a possibility for someone performing a MITM attack to replace the compiled JavaScript code for the repository with something else.

I note the Closure compiler API tutorial has a similar issue (which I'll open a separate internal bug for).

VERSION
Chrome Version: These are auxiliary tools associated with the Chrome project, but impacts the versions at git master today (2017-08-30)
Operating System: any

REPRODUCTION CASE
A URL handler listening to http://closure-compiler.appspot.com/compile responding with this JSON file would demonstrate the issue:
'''
{
  "compiledCode": "alert(1);"
}
'''
Aug 30 2017
Thanks for the report. I might suggest filing bugs against the GitHub repositories for the nfc and text-app projects to get them to update to using HTTPS to connect to Closure. tbreisacher/dschuyler, is it possible to update jstemplate to connect to Closure over HTTPS?
Aug 31 2017
I wasn't sure what you folks were happy with regarding disclosure, as this would typically only impact maintainers, but if pulled off without being noticed, would have significant impact to other parties. If you're happy for me to file public bugs against those other GitHub projects I'll go ahead and do so.
Sep 4 2017
I think this should be fine to file public bugs. Thanks! :)
Sep 5 2017
re comment 1, it looks like that is easily fixed by changing httplib.HTTPConnection to httplib.HTTPSConnection. I've done this locally but I'm having trouble getting 'git cl upload' to work. By the way, I would like to remind you that the Closure Compiler team provides no SLA for closure-compiler.appspot.com
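The change discussed in this thread (HTTPS with certificate validation instead of plain HTTP), as an added example that is not the code of any of the scripts named here. It is written for Python 3's http.client rather than the Python 2 httplib the comment mentions, and it pins certificate and hostname verification explicitly instead of relying on library defaults. The request parameter names and the function names are assumptions of this example; the host, the /compile path and the compiledCode field come from the report.

```python
import http.client
import json
import ssl
import urllib.parse

CLOSURE_HOST = "closure-compiler.appspot.com"  # host named in the report
CLOSURE_PATH = "/compile"                      # path named in the report


def make_verified_context():
    """TLS context that rejects unverified or mismatched certificates."""
    ctx = ssl.create_default_context()  # system CA store
    # Stated explicitly so a later edit cannot silently weaken them.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_request_body(js_source):
    """Form-encode a compile request (parameter names are assumed)."""
    return urllib.parse.urlencode([
        ("js_code", js_source),
        ("compilation_level", "SIMPLE_OPTIMIZATIONS"),
        ("output_format", "json"),
        ("output_info", "compiled_code"),
    ])


def parse_response(status, raw_body):
    """Return compiledCode, failing closed on anything unexpected."""
    if status != 200:
        raise RuntimeError("compile service returned HTTP %d" % status)
    doc = json.loads(raw_body)
    code = doc.get("compiledCode") if isinstance(doc, dict) else None
    if not isinstance(code, str) or not code:
        raise RuntimeError("response carried no compiledCode")
    return code


def compile_js(js_source, timeout=30):
    """POST js_source over verified TLS; ssl.SSLError propagates on failure."""
    conn = http.client.HTTPSConnection(
        CLOSURE_HOST, 443, timeout=timeout, context=make_verified_context())
    try:
        conn.request("POST", CLOSURE_PATH, build_request_body(js_source),
                     {"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return parse_response(resp.status, resp.read())
    finally:
        conn.close()
```

On Python 2 releases before 2.7.9, httplib.HTTPSConnection did not verify certificates by default, so changing the class name alone would not have provided the certificate validation the report asks for on those interpreters.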
Apr 18 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/da75cc7ae653ba9da3e21dd4f1d8f6012cb5fa39

commit da75cc7ae653ba9da3e21dd4f1d8f6012cb5fa39
Author: Tyler Breisacher <tbreisacher@chromium.org>
Date: Wed Apr 18 20:50:10 2018

Connect to closure-compiler.appspot.com using https instead of http

BUG= 760416
Change-Id: Id94e43e1540f78de7f57b126a242c5197dbfc8a2
Reviewed-on: https://chromium-review.googlesource.com/650535
Reviewed-by: Nico Weber <thakis@chromium.org>
Commit-Queue: Tyler Breisacher <tbreisacher@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551816}

[modify] https://crrev.com/da75cc7ae653ba9da3e21dd4f1d8f6012cb5fa39/third_party/jstemplate/compile.py
Jul 27
It seems that this has been fixed.
Nov 2
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by elawrence@chromium.org, Aug 30 2017