From eb90a66de07f6ec8ed90e0a707463e855689fcf7 Mon Sep 17 00:00:00 2001
From: Vladimir Kochnev
Date: Wed, 5 Apr 2017 20:10:31 +0300
Subject: [PATCH] Escape intercom settings (XSS).
---
 lib/intercom-rails/script_tag.rb | 2 +-
 spec/auto_include_filter_spec.rb | 6 +++---
 spec/script_tag_helper_spec.rb | 2 +-
 spec/script_tag_spec.rb | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/intercom-rails/script_tag.rb b/lib/intercom-rails/script_tag.rb
index f4a5521..5bf869c 100644
--- a/lib/intercom-rails/script_tag.rb
+++ b/lib/intercom-rails/script_tag.rb
@@ -111,7 +111,7 @@ def intercom_javascript
 plaintext_javascript = ActiveSupport::JSON.encode(plaintext_settings).gsub('<', '\u003C')
 intercom_encrypted_payload_javascript = encrypted_mode.encrypted_javascript(intercom_settings)
- str = "window.intercomSettings = #{plaintext_javascript};#{intercom_encrypted_payload_javascript}(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
+ str = "window.intercomSettings = JSON.parse('#{escape_javascript(plaintext_javascript)}');#{intercom_encrypted_payload_javascript}(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
 str
 end
diff --git a/spec/auto_include_filter_spec.rb b/spec/auto_include_filter_spec.rb
index eda6537..2b112a4 100644
--- a/spec/auto_include_filter_spec.rb
+++ b/spec/auto_include_filter_spec.rb
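Review bot: On the new `str =` line, `#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}` is still spliced into the single-quoted `s.src` literal with only `app_id` passed through `j`; `Config.library_url` is presumably deployment configuration rather than request data, but applying the same rule to the whole value, `s.src='#{j(Config.library_url || "https://widget.intercom.io/widget/#{app_id}")}'`, keeps every interpolation into JS syntax escaped by one consistent mechanism. The `.gsub('<', '\u003C')` on the `plaintext_javascript` context line above is now redundant — `escape_javascript` already rewrites `</` as `<\/` and escapes the backslash of `\u003C`, which the runtime `JSON.parse` decodes back to `<` — so it is harmless but deserves a comment on the new line explaining the layering, e.g. `# settings are emitted as an escape_javascript'd JS string literal and decoded with JSON.parse at runtime, so JSON text is never placed directly in JS syntax`. The signature of `intercom_javascript` is outside the hunk.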
@@ -163,13 +163,13 @@ def current_user
 it 'to_s non numeric user_id to avoid nested structure for bson ids' do
 get :with_mongo_like_user
 expect(response.body).not_to include("oid")
- expect(response.body).to include('"user_id":"deadbeaf1234mongo"')
+ expect(response.body).to include('\\"user_id\\":\\"deadbeaf1234mongo\\"')
 end
 it 'leaves numeric user_id alone to avoid unintended consequences' do
 get :with_numeric_user_id
 expect(response.body).not_to include("oid")
- expect(response.body).to include('"user_id":123')
+ expect(response.body).to include('\\"user_id\\":123')
 end
 it 'defaults to have no user_hash' do
@@ -227,7 +227,7 @@ def current_user
 it 'escapes strings with \\s' do
 get :with_some_tricky_string
- expect(response.body).to include("\"email\":\"\\\\\\\"foo\\\"\"")
+ expect(response.body).to include('\\"email\\":\"\\\\\\\\\\\\\\"foo\\\\\\"\\"')
 end
 it 'can be disabled in non whitelisted environments' do
diff --git a/spec/script_tag_helper_spec.rb b/spec/script_tag_helper_spec.rb
index 8fab37a..38f6d91 100644
--- a/spec/script_tag_helper_spec.rb
+++ b/spec/script_tag_helper_spec.rb
@@ -35,7 +35,7 @@
 :email => 'marco@intercom.io',
 :user_id => 'marco',
 })
- expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
+ expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
 end
 it 'inserts a valid nonce if present' do
diff --git a/spec/script_tag_spec.rb b/spec/script_tag_spec.rb
index 0746371..2323b6a 100644
--- a/spec/script_tag_spec.rb
+++ b/spec/script_tag_spec.rb
@@ -195,7 +195,7 @@ def sha256_hmac(secret, input)
 :email => 'marco@intercom.io',
 :user_id => 'marco',
 })
- expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
+ expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
 end
 it 'inserts a valid nonce if present' do
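Review bot: The rewritten assertions, `include('\\"user_id\\":\\"deadbeaf1234mongo\\"')` here and the `\\"email\\":...` one in the `@@ -227` hunk, now pin the exact `escape_javascript` output of the JSON rather than the settings being delivered, so any change to Rails' JS escaping table (which has changed across releases) will fail them for reasons unrelated to this library. A sturdier check would capture the argument of `JSON.parse('...')` from `response.body`, unescape and parse it, and compare the decoded hash, e.g. `expect(settings['user_id']).to eq('deadbeaf1234mongo')`. The fix itself also has no dedicated regression case: a setting value containing a single quote and a closing `</script>` sequence, asserting that the rendered literal remains inside its quotes and that the body contains no unescaped `</script>`, would pin the behaviour this commit introduces.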