Do Spring vulnerabilities announced 14/01/2014 affect Grails?


Do Spring vulnerabilities announced 14/01/2014 affect Grails?

Tim R

Re: Do Spring vulnerabilities announced 14/01/2014 affect Grails?

Lari Hotari

Regarding the XSS problem, Grails 2.3 isn't using JavaScriptUtils.javaScriptEscape.

It is used in pre 2.3.x, so the "encodeAsJavaScript" of those versions is vulnerable:
https://github.com/grails/grails-core/blob/2.2.x/grails-plugin-codecs/src/main/groovy/org/codehaus/groovy/grails/plugins/codecs/JavaScriptCodec.groovy#L28
I'm not sure how many applications have actually been using "encodeAsJavaScript" at all. Usually applications that pass values in to inline SCRIPT blocks are vulnerable.

Grails 2.3 JavaScript escaping is very strict; these are the replacements it does:
https://github.com/grails/grails-core/blob/master/grails-plugin-codecs/src/main/groovy/org/codehaus/groovy/grails/plugins/codecs/JavaScriptEncoder.java#L45
It already had the replacements that got added by the Spring fix:
https://github.com/spring-projects/spring-framework/commit/7a7df663

XSS prevention support for DOM based XSS attacks will be improved in Grails 2.4:
http://jira.grails.org/browse/GRAILS-10813
I've already done an initial implementation: https://github.com/grails/grails-core/commit/76cb748
Basically, it helps apply both HTML and JavaScript escaping to the input. (OWASP DOM XSS prevention: RULE #1 - HTML Escape then JavaScript Escape Before Inserting Untrusted Data into HTML Subcontext within the Execution Context)
This is needed when you pass values to inline SCRIPT blocks within GSPs.

These are good resources for XSS prevention. Grails cannot prevent XSS attacks automatically, and therefore the developer must understand the guidelines.
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

Grails manual about XSS prevention:
http://grails.org/doc/2.3.x/guide/security.html#xssPrevention

Lari


15.01.2014 13:34, Tim R wrote:
Do yesterday's announced vulnerabilities in Spring Framework affect Grails in
any way?

CVE-2013-6430 POSSIBLE XSS WHEN USING SPRING MVC
<http://gopivotal.com/security/cve-2013-6430>  

CVE-2013-6429 FIX FOR XML EXTERNAL ENTITY (XXE) INJECTION (CVE-2013-4152) IN
SPRING FRAMEWORK WAS INCOMPLETE
<http://gopivotal.com/security/cve-2013-6429>  


Tim..



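The reply above says values passed into inline SCRIPT blocks need strict JavaScript escaping, and HTML escaping first when they end up in an HTML subcontext. The following sketch is an added example, not part of the thread and not Grails or Spring code; every function name, the allowlist and the sample value are assumptions made for illustration.

```javascript
// Added example; not Grails or Spring code. All names are hypothetical.
const SAMPLE = "Tim</script><b>R</b>"; // constructed untrusted value

// Weak escaper: only handles characters that end a JS string literal.
function weakJsEscape(s) {
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'").replace(/"/g, '\\"')
          .replace(/\n/g, "\\n").replace(/\r/g, "\\r");
}

// Strict escaper: every UTF-16 code unit outside a small allowlist becomes
// \uXXXX, so <, >, /, quotes, U+2028 and U+2029 never appear raw.
// The allowlist is this sketch's assumption, not the Grails 2.3 table.
const SAFE = /[A-Za-z0-9 ,._]/;
function strictJsEscape(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    out += SAFE.test(s[i]) ? s[i]
         : "\\u" + s.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

function htmlEscape(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// OWASP DOM XSS rule #1 ordering: HTML escape first, then JavaScript escape.
function htmlThenJsEscape(s) { return strictJsEscape(htmlEscape(s)); }

// What a template would emit for an inline SCRIPT block.
function inlineScript(value, escape) {
  return "<script>var name = '" + escape(value) + "';</script>";
}

// The HTML parser ends the block at the first "</script", before any JS
// parsing happens. The block is intact only if that is the real closing tag.
function scriptBlockIntact(page) {
  return page.toLowerCase().indexOf("</script") === page.length - "</script>".length;
}

// The string the JS engine sees after decoding the strictly escaped literal.
function jsValue(escaped) { return JSON.parse('"' + escaped + '"'); }

for (const [label, fn] of [["weak", weakJsEscape], ["strict", strictJsEscape],
                           ["html+js", htmlThenJsEscape]]) {
  console.log(label, scriptBlockIntact(inlineScript(SAMPLE, fn)), fn(SAMPLE));
}
```

With the quote-only escaper the sample closes the SCRIPT block early; with the HTML-then-JavaScript ordering the script receives text that is already HTML-escaped, which is the state a later write into an HTML subcontext needs.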




Re: Do Spring vulnerabilities announced 14/01/2014 affect Grails?

Rafael Luque Leiva

Regarding this topic, the following talks we presented last year may be of interest:

* "XSS Countermeasures in Grails" at Madrid GUG:
   Slides: http://www.slideshare.net/theratpack/xss-countermeasures-in-grails
   Video (Spanish): http://www.youtube.com/watch?v=2kFhGQF2CNo

* "Grails vs XSS: Defending Grails against XSS attacks":
  Slides: http://www.slideshare.net/theratpack/grails-vsxss

Rafa.

--
Rafael Luque

OSOCO - http://osoco.es
The company of professional programmers

Edificio RN
Avda. de las Nieves, 37. Portal 1. 1º C
Móstoles, E28935 Madrid

Re: Do Spring vulnerabilities announced 14/01/2014 affect Grails?

Tim R
Thanks for the hasty response.