OpenRefine / OpenRefine

OpenRefine is a free, open source power tool for working with messy data and improving it
https://openrefine.org/
BSD 3-Clause "New" or "Revised" License
10.84k stars, 1.94k forks

Remove JSONP callback support (was Cross-Site Scripting: Reflected) #4082

Open QiAnXinCodeSafe opened 3 years ago

QiAnXinCodeSafe commented 3 years ago

per https://github.com/OpenRefine/OpenRefine/issues/4082#issuecomment-1020944785 - Remove use of JSONP callbacks and use pure JSON instead. This will require changes on both the front and back ends.

This is a generalization of the originally reported issue below:
https://github.com/OpenRefine/OpenRefine/blob/409cf2c30097ae7a5981e941d4bbee49896cd590/main/src/com/google/refine/commands/row/GetRowsCommand.java#L149-L165

Sending unvalidated data to a web browser can result in the browser executing malicious code.

In line 149, ‘callback’ is regarded as tainted data; it will affect line 165.

wetneb commented 2 years ago

We should just remove support for JSONP and use plain JSON. This will require updating the frontend too.

tfmorris commented 10 months ago

I've expanded the original issue to encompass the suggestion by @wetneb

tfmorris commented 4 days ago

Note that rather than just silently converting JSONP requests and responding with JSON, we should ideally return an error to help the caller (who might be us!) figure out what's going on.
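The change proposed in this thread, as an added example written for this page and not OpenRefine's own code: a framework-independent sketch in which `HttpResult`, `legacyJsonp` and `jsonOnly` are hypothetical names standing in for the servlet plumbing. It contrasts the JSONP pattern the issue describes (the `callback` parameter concatenated into the response unvalidated) with a handler that serves plain JSON and, as the last comment suggests, answers a leftover callback request with an explicit error instead of silently converting it.

```java
// Added example, not OpenRefine code. HttpResult, legacyJsonp and jsonOnly are
// hypothetical names; the shape mirrors a command that writes rows as JSON.
public final class JsonpRemoval {

    /** Minimal stand-in for a servlet response: status, content type, body. */
    public record HttpResult(int status, String contentType, String body) {}

    /** BEFORE: the JSONP pattern this issue removes. The "callback" query
     *  parameter is concatenated into the body unvalidated, so whatever the
     *  caller supplied is reflected into a script-typed response. */
    public static HttpResult legacyJsonp(String callback, String json) {
        if (callback == null) {
            return new HttpResult(200, "application/json", json);
        }
        return new HttpResult(200, "text/javascript", callback + "(" + json + ");");
    }

    /** AFTER: plain JSON only. A request that still carries a callback gets an
     *  explicit 400 with a JSON error body, so a stale caller (possibly the
     *  project's own frontend) notices instead of quietly receiving bare JSON.
     *  The error message deliberately does not echo the supplied callback value. */
    public static HttpResult jsonOnly(String callback, String json) {
        if (callback != null) {
            return new HttpResult(400, "application/json",
                "{\"code\":\"error\",\"message\":\"JSONP is not supported; request plain JSON\"}");
        }
        return new HttpResult(200, "application/json", json);
    }

    public static void main(String[] args) {
        String rows = "{\"rows\":[]}";          // constructed sample payload
        HttpResult ok = jsonOnly(null, rows);
        HttpResult rejected = jsonOnly("cb", rows);
        HttpResult old = legacyJsonp("cb", rows);
        System.out.println(ok.status() + " " + ok.contentType() + " " + ok.body());
        System.out.println(rejected.status() + " " + rejected.body());
        System.out.println(old.status() + " " + old.contentType() + " " + old.body());
    }
}
```

Pairing the JSON-only response with `Content-Type: application/json` and `X-Content-Type-Options: nosniff` keeps browsers from treating the body as script even if a callback-style request slips through.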