From 6f4a884870ed1e8a3c475dbba4349df8bed641d3 Mon Sep 17 00:00:00 2001
From: Vladimir Kochnev
Date: Wed, 5 Apr 2017 20:10:31 +0300
Subject: [PATCH] Escape intercom settings (XSS).
---
 lib/intercom-rails/script_tag.rb | 2 +-
 spec/auto_include_filter_spec.rb | 6 +++---
 spec/script_tag_helper_spec.rb | 2 +-
 spec/script_tag_spec.rb | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/intercom-rails/script_tag.rb b/lib/intercom-rails/script_tag.rb
index 43fe0dd..9c17b9c 100644
--- a/lib/intercom-rails/script_tag.rb
+++ b/lib/intercom-rails/script_tag.rb
@@ -97,7 +97,7 @@ def find_lead_attributes
 def intercom_javascript
 intercom_settings_json = ActiveSupport::JSON.encode(intercom_settings).gsub('<', '\u003C')
- str = "window.intercomSettings = #{intercom_settings_json};(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
+ str = "window.intercomSettings = JSON.parse('#{escape_javascript(intercom_settings_json)}');(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
 str
 end
diff --git a/spec/auto_include_filter_spec.rb b/spec/auto_include_filter_spec.rb
index fabdb74..767954b 100644
--- a/spec/auto_include_filter_spec.rb
+++ b/spec/auto_include_filter_spec.rb
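Review bot: The new `str =` line closes the injection by embedding the settings as a single-quoted JS string literal via `escape_javascript` and decoding it with `JSON.parse`, but nothing in the method records why, so a later "simplification" back to inlining `#{intercom_settings_json}` would silently reopen the XSS; add above the assignment a comment such as `# Settings are emitted as an escaped JS string and JSON.parse'd at runtime: escape_javascript neutralises quotes, backslashes and </ so user-controlled values (email, name, custom attributes) cannot break out of the script block.` The `gsub('<', '\u003C')` on the preceding context line is now itself escaped to `\\u003C` in the JS source and decoded back by `JSON.parse`, which is harmless but worth a one-line note that the two escaping layers are intentional. `escape_javascript` is presumably the ActionView helper already used unaliased-free as `j app_id` on the same line; confirm the class mixes in `ActionView::Helpers::JavaScriptHelper` so the long name resolves in every supported Rails version. `Config.library_url` is still interpolated raw into `s.src='…'`; it is operator-set configuration rather than request data, but while hardening this template it would be consistent to route it through `j` as well. The enclosing class and the rest of `intercom_javascript`'s callers lie outside the hunk.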
@@ -162,13 +162,13 @@ def current_user
 it 'to_s non numeric user_id to avoid nested structure for bson ids' do
 get :with_mongo_like_user
 expect(response.body).not_to include("oid")
- expect(response.body).to include('"user_id":"deadbeaf1234mongo"')
+ expect(response.body).to include('\\"user_id\\":\\"deadbeaf1234mongo\\"')
 end
 it 'leaves numeric user_id alone to avoid unintended consequences' do
 get :with_numeric_user_id
 expect(response.body).not_to include("oid")
- expect(response.body).to include('"user_id":123')
+ expect(response.body).to include('\\"user_id\\":123')
 end
 it 'defaults to have no user_hash' do
@@ -226,7 +226,7 @@ def current_user
 it 'escapes strings with \\s' do
 get :with_some_tricky_string
- expect(response.body).to include("\"email\":\"\\\\\\\"foo\\\"\"")
+ expect(response.body).to include('\\"email\\":\"\\\\\\\\\\\\\\"foo\\\\\\"\\"')
 end
 it 'can be disabled in non whitelisted environments' do
diff --git a/spec/script_tag_helper_spec.rb b/spec/script_tag_helper_spec.rb
index 8fab37a..38f6d91 100644
--- a/spec/script_tag_helper_spec.rb
+++ b/spec/script_tag_helper_spec.rb
@@ -35,7 +35,7 @@
 :email => 'marco@intercom.io',
 :user_id => 'marco',
 })
- expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
+ expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
 end
 it 'inserts a valid nonce if present' do
diff --git a/spec/script_tag_spec.rb b/spec/script_tag_spec.rb
index 16c2e56..3220502 100644
--- a/spec/script_tag_spec.rb
+++ b/spec/script_tag_spec.rb
@@ -173,7 +173,7 @@ def sha256_hmac(secret, input)
 :email => 'marco@intercom.io',
 :user_id => 'marco',
 })
- expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
+ expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
 end
 it 'inserts a valid nonce if present' do
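Review bot: The updated `include('\\"user_id\\":\\"deadbeaf1234mongo\\"')` expectations only re-pin the new escaped encoding; none of the examples in this file asserts the property the commit actually fixes, namely that a settings value cannot terminate the inline script. Add a regression example next to 'escapes strings with \\s' (the hunk at -226) driven by a user fixture whose email contains a closing script tag, asserting `expect(response.body).not_to include('</script>')` and, ideally, that the value round-trips intact through `JSON.parse`; without it a revert to inline JSON would keep the suite green. The 14-backslash literal added at -226 is correct but opaque; a comment on that line stating that the expected text is the JSON encoding escaped a second time by `escape_javascript` would make it maintainable. The `describe` block containing these examples starts outside the hunk.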
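Review bot: The new `eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")` expectation is the same literal pinned again in spec/script_tag_spec.rb; both rotate together whenever the inline script body changes, so a short comment on each, `# hash of the inline script for the fixture above; changes whenever intercom_javascript's template changes`, would save the next reader from reverse-engineering the value. Since the script hash did change here, deployments that hard-code the previous sha256 in their Content-Security-Policy header rather than reading `csp_sha256` will start blocking the widget after upgrading; that deserves a line in the changelog or release notes, which this commit does not touch. The surrounding example group starts outside the hunk.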