Closed Bug 1550471 Opened 6 years ago Closed 5 years ago

Usage of `new Function` in third-party library jszip.js

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla70

Tracking Flags:

Tracking

Status

firefox70

---

fixed

People

(Reporter: jallmann, Assigned: jdescottes)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Attachments

(2 files)

Bug 1550471 - Migrate to JSZip v3.2.1 to avoid usage of eval-like code 5 years ago Julian Descottes [:jdescottes] (deleted), text/x-phabricator-request		Details
Bug 1550471 - Remove jszip.js from nsContentSecurityManager whitelist 5 years ago Julian Descottes [:jdescottes] (deleted), text/x-phabricator-request		Details

Jonas Allmann [:jallmann]

Reporter

Description

•

6 years ago

All eval()-like functions (eval(), new Function(), setTimeout("")) are being removed from code running with system privileges, see Bug 1473549. An assertion is active to enforce this.

There are two occurences of new Function in jszip.js that require the file to be whitelisted for this assertion. In order to clear jszip.js from the whitelist, new Function needs to be removed or refactored.

new Function to get the global object:

https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/jszip.js#4298

Not sure about second ocurence:

https://searchfox.org/mozilla-central/source/devtools/client/shared/vendor/jszip.js#4393

Julian Descottes [:jdescottes]

Assignee

Comment 1

•

5 years ago

Thankfully the latest version of JSZip doesn't rely on the very old setImmediate polyfill that was present in our old version. Let's update it.

Assignee: nobody → jdescottes

Status: NEW → ASSIGNED

Julian Descottes [:jdescottes]

Assignee

Comment 2

•

5 years ago

Attached file Bug 1550471 - Migrate to JSZip v3.2.1 to avoid usage of eval-like code (deleted) — Details

Depends on D38516

The new version of JSZip doesn't rely on any eval like code.

Julian Descottes [:jdescottes]

Assignee

Comment 3

•

5 years ago

Attached file Bug 1550471 - Remove jszip.js from nsContentSecurityManager whitelist (deleted) — Details

Depends on D38517

Pulsebot

Comment 4

•

5 years ago

Pushed by jdescottes@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/cad92991c22e Migrate to JSZip v3.2.1 to avoid usage of eval-like code r=Honza https://hg.mozilla.org/integration/autoland/rev/22539b8e0829 Remove jszip.js from nsContentSecurityManager whitelist r=ckerschb

Daniel Varga [:dvarga]

Comment 5

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/cad92991c22e
https://hg.mozilla.org/mozilla-central/rev/22539b8e0829

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox70: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla70

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Usage of `new Function` in third-party library jszip.js

Categories

(Core :: DOM: Security, enhancement, P3)

Tracking

()

People

(Reporter: jallmann, Assigned: jdescottes)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type