AngularJS JSON protection vulnerability not disabled

I have an angular app linked to an API where I prefixed the JSON responses that consist only of an array with )]}', as angular's official documentation recommends.

The problem is that my browser seems to be trying to decode the response before it reaches angular.

I went step by step into the debugger, and right after the callback xhr.onload, the response is already null.

The code I'm talking about is the following:

// From angular.js (1.5.9), line 12122
xhr.onload = function requestLoaded() {
  var statusText = xhr.statusText || '';

  // responseText is the old-school way of retrieving response (supported by IE9)
  // response/responseType properties were introduced in XHR Level2 spec (supported by IE10)
  var response = ('response' in xhr) ? xhr.response : xhr.responseText;

  // normalize IE9 bug (http://bugs.jquery.com/ticket/1450)
  var status = xhr.status === 1223 ? 204 : xhr.status;

  // fix status code when it is 0 (0 status is undocumented).
  // Occurs when accessing file resources or on Android 4.1 stock browser
  // while retrieving files from application cache.
  if (status === 0) {
    status = response ? 200 : urlResolve(url).protocol === 'file' ? 404 : 0;
  }

  completeRequest(callback,
      status,
      response,
      xhr.getAllResponseHeaders(),
      statusText);
};

xhr.response is null before angular does anything (I think).

angular tries to remove the prefix with this code:

function defaultHttpResponseTransform(data, headers) {
  if (isString(data)) {
    // Strip json vulnerability protection prefix and trim whitespace
    var tempData = data.replace(JSON_PROTECTION_PREFIX, '').trim();

    if (tempData) {
      var contentType = headers('Content-Type');
      if ((contentType && (contentType.indexOf(APPLICATION_JSON) === 0)) || isJsonLike(tempData)) {
        data = fromJson(tempData);
      }
    }
  }

  return data;
}


But the data is never a string at that moment; the browser has already tried to decode it (and failed).

Api output looks like this:

)]}',
[{"name": "A"},{"name": "B"}]


If I remove the prefix it works fine. I've tried:

- Opera 45.0
- Firefox 46
- Chrome 58

They all behave the same way, so I might be missing something.

The response headers contain the following:

HTTP/1.1 200 OK
Server: nginx/1.11.5
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Cache-Control: no-cache, private
[...]
Content-Length: 1793


Any idea?

Thank you very much.


1 answer


As Jeff List pointed out in this answer, your request config object can contain responseType: 'json'. This can cause the object to be discarded by the browser's underlying XMLHttpRequest implementation, which honours this property before the response is passed back to the application.

Removing the responseType property, or setting it to text, should fix the problem.

responseType is documented on MDN, where it states that:

    Setting the responseType value to "document" is ignored if done in production. When setting responseType to a specific value, the author must ensure that the server is actually sending a response that is compatible with that format. If the server returns data that does not match the set responseType, the response will be null. Additionally, setting responseType for synchronous requests will throw an InvalidAccessError exception.

(emphasis mine)

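The two parsing stages the question and answer describe, modelled as an added example (this is not code from the question, the answer, or Angular itself). Stage one is the browser's own handling of responseType: 'json', which JSON-parses the bytes before any application code runs and leaves xhr.response as null on failure; stage two is a cut-down version of Angular 1.x's defaultHttpResponseTransform, which can only strip the prefix when it is handed a string. The sample body is constructed to match the API output shown in the question, and the function names (browserResponse, angularTransform, receive, evaluatesAsScript) are illustrative, not Angular's. The last function also shows, via new Function() as a stand-in for the browser's script parser, why the prefix exists at all: it turns a bare JSON array into a syntax error so it cannot be executed as a script.

```javascript
// Added example modelling the browser's responseType handling and Angular's
// prefix stripping; not code from the question, the answer, or Angular.

// Angular 1.x's prefix regex (JSON_PROTECTION_PREFIX in angular.js).
const JSON_PROTECTION_PREFIX = /^\)\]\}',?\n/;

// Constructed sample bodies matching the API output in the question.
const PREFIXED_BODY = ")]}',\n[{\"name\": \"A\"},{\"name\": \"B\"}]";
const UNPREFIXED_BODY = "[{\"name\": \"A\"},{\"name\": \"B\"}]";

// Stage 1 (illustrative name): what the browser does before xhr.onload fires.
// With responseType 'json' the XHR spec has the browser JSON-parse the bytes
// itself; if that fails, xhr.response is null and the raw text is gone.
// With responseType '' or 'text' the raw string is handed over untouched.
function browserResponse(responseType, rawText) {
  if (responseType === 'json') {
    try {
      return JSON.parse(rawText);
    } catch (e) {
      return null; // the null the question observes in xhr.onload
    }
  }
  return rawText;
}

// Angular's isJsonLike, reduced to the array/object bracket check.
function isJsonLike(str) {
  const start = str[0];
  const end = str[str.length - 1];
  return (start === '[' && end === ']') || (start === '{' && end === '}');
}

// Stage 2 (illustrative name): a cut-down defaultHttpResponseTransform.
// The isString guard is the crux: a null from stage 1 is not a string,
// so the prefix is never stripped and null is returned as-is.
function angularTransform(data, contentType) {
  if (typeof data !== 'string') return data;
  const tempData = data.replace(JSON_PROTECTION_PREFIX, '').trim();
  if (tempData &&
      ((contentType && contentType.indexOf('application/json') === 0) ||
       isJsonLike(tempData))) {
    return JSON.parse(tempData);
  }
  return data;
}

// Both stages in order, for a given request config responseType.
function receive(responseType, rawText, contentType) {
  return angularTransform(browserResponse(responseType, rawText), contentType);
}

// Why the prefix exists: a bare JSON array fetched via <script src=...> on an
// old browser is valid JavaScript and executes. With the prefix the body is a
// syntax error and cannot be evaluated. new Function() stands in for the
// browser's script parser here.
function evaluatesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

const CT = 'application/json; charset=utf-8';
console.log("responseType 'json':", receive('json', PREFIXED_BODY, CT)); // null
console.log("responseType 'text':", receive('text', PREFIXED_BODY, CT)); // parsed array
console.log('prefixed body runs as script?', evaluatesAsScript(PREFIXED_BODY));
console.log('unprefixed body runs as script?', evaluatesAsScript(UNPREFIXED_BODY));
```

With responseType: 'json' the browser's parser sees the `)]}',` line first, fails, and Angular's transform never gets a string to strip; with responseType 'text' (or unset) the transform receives the raw body, removes the prefix, and parses the remainder. The prefix is still worth keeping on array responses: as the last two lines show, the unprefixed body is executable JavaScript while the prefixed one is not.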