Prevent swf attack in jsonp responses.

ykahlon@gmail.com · ykahlon@gmail.com · commit a5ab1906de46 · 2012-11-21T18:26:45.000Z
diff --git a/ReleaseNotes.txt b/ReleaseNotes.txt
@@ -1,3 +1,7 @@
+Version 1.1.2
+-----------------------------------------
+- Fix security threat of swf injection in jsonp.
+
 Version 1.1.1
 -----------------------------------------   
 - Move from google-collect-1.0 to guava-r07.
diff --git a/pom.xml b/pom.xml
@@ -10,7 +10,7 @@
   <groupId>com.google.visualization</groupId>
   <artifactId>visualization-datasource</artifactId>
   <name>Google Visualization Data Source Library</name>
-  <version>1.1.1</version>
+  <version>1.1.2</version>
   <description>This library makes it easy to implement a Visualization data source so that you can
     easily chart or visualize your data from any of your data stores.
     The library implements the Google Visualization API wire protocol and query language.
diff --git a/src/main/java/com/google/visualization/datasource/DataSourceHelper.java b/src/main/java/com/google/visualization/datasource/DataSourceHelper.java
@@ -285,7 +285,9 @@ public static String generateResponse(DataTable dataTable, DataSourceRequest dat
         response = HtmlRenderer.renderDataTable(dataTable, dataSourceRequest.getUserLocale());
         break;
       case JSONP:
-        response = JsonRenderer.renderJsonResponse(
+        // Appending a comment to the response to prevent the first characters to be the
+        // response handler which is not controlled by the server.
+        response = "// Data table response\n" + JsonRenderer.renderJsonResponse(
             dataSourceRequest.getDataSourceParameters(), responseStatus, dataTable);
         break;
       case JSON:
diff --git a/src/main/java/com/google/visualization/datasource/base/DataSourceParameters.java b/src/main/java/com/google/visualization/datasource/base/DataSourceParameters.java
@@ -223,7 +223,8 @@ public void setOutputType(OutputType outputType) {
    * @return The response handler.
    */
   public String getResponseHandler() {
-    return responseHandler;
+    // Remove characters that can be a threat when injecting scripts.
+    return responseHandler.replaceAll("[^a-zA-Z0-9_\\.]", "");
   }
 
   /**
diff --git a/src/test/java/com/google/visualization/datasource/DataSourceHelperTest.java b/src/test/java/com/google/visualization/datasource/DataSourceHelperTest.java
@@ -226,7 +226,7 @@ public void testGenerateResponse() throws DataSourceException {
         new DataSourceParameters("out:jsonp"),
         ULocale.UK);
     assertEquals(
-        "google.visualization.Query.setResponse("
+        "// Data table response\ngoogle.visualization.Query.setResponse("
         + "{\"version\":\"0.6\",\"status\":\"ok\",\"sig\":\"1548939605\","
         + "\"table\":{\"cols\":[{\"id\":\"col1\",\"label\":\"column1\","
         + "\"type\":\"number\",\"pattern\":\"\"},"

Original file line number	Diff line number	Diff line change
`@@ -223,7 +223,8 @@ public void setOutputType(OutputType outputType) {`
`223`	`223`	`* @return The response handler.`
`224`	`224`	`*/`
`225`	`225`	`public String getResponseHandler() {`
`226`		`- return responseHandler;`
	`226`	`+ // Remove characters that can be a threat when injecting scripts.`
	`227`	`+ return responseHandler.replaceAll("[^a-zA-Z0-9_\\.]", "");`
`227`	`228`	`}`
`228`	`229`
`229`	`230`	`/**`