RetireJS / retire.js

Scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

Adding support for Sencha Ext JS in Chrome Extension #250

Closed arthurakay closed 6 years ago

arthurakay commented 6 years ago

Retire.js version: (retire --version):

Not relevant; I cloned the repo today and am trying to run unpacked Chrome Extension.

node version: (node --version):

8.11.3, though again I'm not using the node tool.

Type: Bug/Feature/Question

Bug

Description:

I am trying to add support for Sencha Ext JS to the Chrome Extension, but I am hitting errors as I debug locally.

To reproduce, simply clone the repo and load as unpacked Chrome extension (literally no changes). Inspect background.html from chrome://extensions/

Visit this page: note the error:

VM72:3 Uncaught TypeError: Cannot set property 'classic' of undefined
    at eval (eval at <anonymous> (VM71 innersandbox.js:26), <anonymous>:3:17218)

Visit this page: note the errors like:

Uncaught ReferenceError: Ext is not defined
    at eval (eval at <anonymous> (VM71 innersandbox.js:26), <anonymous>:73:1)

Expected behaviour:

I wouldn't expect these errors at all... the packed extension from the Chrome Web Store does not appear to throw the same errors.

I don't know enough about what's supposed to be happening inside the sandbox to really continue. I have the following JSON (untested) that I'd like to begin testing with, but I'm pretty sure the aforementioned errors prevent anything from getting that far:

    "ExtJS" : {
        "vulnerabilities" : [
            {
                "below"       : "6.6.0",
                "atOrAbove"   : "4.0.0",
                "severity"    : "high",
                "identifiers" : {
                    "CVE"     : [
                        "CVE-2018-8046"
                    ],
                    "summary" : "XSS in Sencha Ext JS 4 to 6 via getTip() method of Action Columns"
                },
                "info"        : [
                    "http://seclists.org/fulldisclosure/2018/Jul/8",
                    "https://nvd.nist.gov/vuln/detail/CVE-2018-8046"
                ]
            },
            {
                "below"       : "6.0.0",
                "severity"    : "high",
                "identifiers" : {
                    "CVE"     : [
                        "CVE-2007-2285"
                    ],
                    "summary" : "Directory traversal and arbitrary file read"
                },
                "info"        : [
                    "https://www.cvedetails.com/cve/CVE-2007-2285/",
                    "https://packetstormsecurity.com/files/132052/extjs-Arbitrary-File-Read.html",
                    "https://www.akawebdesign.com/2018/08/14/should-js-frameworks-prevent-xss/"
                ]
            },
            {
                "below"       : "4.0.0",
                "atOrAbove"   : "3.0.0",
                "severity"    : "high",
                "identifiers" : {
                    "CVE"     : [
                        "CVE-2010-4207",
                        "CVE-2012-5881"
                    ],
                    "summary" : "XSS vulnerability in ExtJS charts.swf"
                },
                "info"        : [
                    "https://www.acunetix.com/vulnerabilities/web/extjs-charts-swf-cross-site-scripting",
                    "https://typo3.org/security/advisory/typo3-core-sa-2014-001/",
                    "https://www.akawebdesign.com/2018/08/14/should-js-frameworks-prevent-xss/"
                ]
            }
        ],
        "extractors" : {
            "filename" : [
                "/ext-all\\.js",
                "/ext-all-debug\\.js",
                "/ext-base\\.js"
            ],
            "func"     : [
                "Ext && Ext.versions && Ext.versions.extjs.version",
                "Ext && Ext.version"
            ]
        }
    },

Also... running node validate with my JSON in place throws the following error which I don't quite understand:

$ node repository/validate
Checking that jsrepository is valid json...
Validating regexes...
RegExp error  ExtJS filename 0
/Users/arthur.kay/www/aka/retire.js/repository/validate:35
                throw e;
                ^

TypeError: Cannot read property 'indexOf' of undefined
    at Object.<anonymous> (/Users/arthur.kay/www/aka/retire.js/repository/validate:28:71)
    at Module._compile (module.js:652:30)
    at Object.Module._extensions..js (module.js:663:10)
    at Module.load (module.js:565:32)
    at tryModuleLoad (module.js:505:12)
    at Function.Module._load (module.js:497:3)
    at Function.Module.runMain (module.js:693:10)
    at startup (bootstrap_node.js:191:16)
    at bootstrap_node.js:612:3

arthurakay commented 6 years ago

I solved my latter problem... it seems that the filename check must include a version number; I didn't realize that. Obvious in retrospect.

My greater problem is the errors like Ext is not defined, and I believe I've tracked it down to a CSP issue relating to line 26 of innersandbox.js. From what I gather, the code is basically re-evaluating all existing scripts on the page in a fake window.

The problem with ExtJS is that it uses eval under the hood, and per Stack Overflow, Chrome extensions no longer allow you to run random script content that utilizes eval. That's a bummer.

If I removed lines 26 and 27, I get past those errors... but I'm wondering if you'd even accept a PR that removed those.
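
The following is an added example, not retire.js's own code: a small re-implementation of how a repository entry like the draft above is matched against a script, showing why a `filename` regex without a version capture is rejected (the `node repository/validate` failure above) and how the `atOrAbove`/`below` ranges are evaluated once a version has been extracted. The `§§version§§` placeholder and the `filename`/`filecontent`/`func` extractor names follow jsrepository.json; the expansion of the placeholder is simplified here to dotted numeric versions (an assumption), and the entry, file names and file contents are constructed for the example.

```javascript
'use strict';
// Added example (not retire.js's own code): a minimal re-implementation of
// retire.js-style repository matching. Assumptions are marked below.

const VERSION_PLACEHOLDER = '§§version§§';
// Assumed, simplified expansion of the placeholder: dotted numeric versions only.
const VERSION_RE = '[0-9]+(?:\\.[0-9]+)*';

// The JSON convention keeps the capture parentheses around the placeholder,
// so group 1 of the expanded regex is the version.
function expand(pattern) {
  return new RegExp(pattern.split(VERSION_PLACEHOLDER).join(VERSION_RE));
}

// Constructed entry: unlike the issue's first draft, every filename and
// filecontent regex captures the version.
const repository = {
  ExtJS: {
    vulnerabilities: [
      { atOrAbove: '4.0.0', below: '6.6.0', severity: 'high',
        identifiers: { CVE: ['CVE-2018-8046'], summary: 'XSS via getTip() of Action Columns' } },
      { atOrAbove: '3.0.0', below: '4.0.0', severity: 'high',
        identifiers: { CVE: ['CVE-2010-4207', 'CVE-2012-5881'], summary: 'XSS in charts.swf' } },
    ],
    extractors: {
      filename: ['/ext-all-(§§version§§)(-debug)?\\.js'],
      // Constructed banner pattern for this example, not Sencha's real file header.
      filecontent: ['Ext JS (§§version§§)'],
    },
  },
};

// Mirrors the rule the reporter discovered: every filename/filecontent regex
// must contain a version capture, and must compile once the placeholder is expanded.
function validateRepository(repo) {
  const errors = [];
  for (const [name, entry] of Object.entries(repo)) {
    for (const kind of ['filename', 'filecontent']) {
      (entry.extractors[kind] || []).forEach((pattern, i) => {
        if (!pattern.includes(VERSION_PLACEHOLDER)) {
          errors.push(`${name} ${kind} ${i}: no ${VERSION_PLACEHOLDER} capture`);
          return;
        }
        try { expand(pattern); } catch (e) { errors.push(`${name} ${kind} ${i}: ${e.message}`); }
      });
    }
  }
  return errors;
}

// Numeric dotted comparison; missing segments count as 0, so 1.2 equals 1.2.0.
function compareVersions(a, b) {
  const pa = a.split('.'), pb = b.split('.');
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = parseInt(pa[i] || '0', 10), y = parseInt(pb[i] || '0', 10);
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "atOrAbove" is inclusive, "below" is exclusive, and either bound may be absent.
function inRange(version, vuln) {
  if (vuln.atOrAbove && compareVersions(version, vuln.atOrAbove) < 0) return false;
  if (vuln.below && compareVersions(version, vuln.below) >= 0) return false;
  return true;
}

function extractVersion(entry, kind, text) {
  for (const pattern of entry.extractors[kind] || []) {
    const m = expand(pattern).exec(text);
    if (m) return m[1];
  }
  return null;
}

// One finding per component whose version could be determined from the file
// name or, failing that, from the file content. A versionless match is not
// reported: there is nothing to compare the ranges against.
function scan(repo, file) {
  const findings = [];
  for (const [component, entry] of Object.entries(repo)) {
    const version = extractVersion(entry, 'filename', file.filename)
      || extractVersion(entry, 'filecontent', file.content);
    if (version === null) continue;
    findings.push({ component, version,
      vulnerabilities: entry.vulnerabilities.filter(v => inRange(version, v)) });
  }
  return findings;
}

// Constructed sample inputs: versioned file name, versionless name with a banner,
// and a versionless name with no banner at all.
const samples = [
  { filename: '/static/ext-all-4.2.1-debug.js', content: '' },
  { filename: '/static/ext-all.js', content: '/*\nThis file is part of Ext JS 6.6.0\n*/' },
  { filename: '/static/ext-all.js', content: 'Ext.define("App", {});' },
];

// The first draft's regex, with no version capture, fails validation the same
// way the reporter's "ExtJS filename 0" run did.
console.log(validateRepository({ ExtJS: { vulnerabilities: [], extractors: { filename: ['/ext-all\\.js'] } } }));
for (const s of samples) console.log(s.filename, JSON.stringify(scan(repository, s)));
```

Run it with `node` to see the three sample outcomes: the versioned debug build is flagged for CVE-2018-8046 only, the 6.6.0 banner is recognised but sits outside every range, and the bare `ext-all.js` with no banner yields no finding at all, which is the reason a `filename` extractor that cannot capture a version is useless to the scanner and rejected by validation.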

eoftedal commented 6 years ago

Eval can still be used in Chrome extensions in the sandboxed iframes, just not in the Chrome extension code. So it should still work. I don't think that's the problem there. There are frequently error messages in the console there, as code doesn't necessarily run perfectly in that sandboxed iframe due to missing HTML elements, missing files etc., but that isn't necessarily a problem.
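
As an added illustration of the point above (an example manifest written for this page, not the extension's actual manifest.json): in a manifest v2 extension, pages listed under the `sandbox` key are served from a unique origin, cannot call the `chrome.*` APIs, and get their own content security policy, which is where `'unsafe-eval'` can be granted; the extension's own pages keep a CSP without it. The file names and CSP strings here are assumptions for the example.

```json
{
  "manifest_version": 2,
  "name": "example-scanner",
  "version": "0.0.1",
  "background": { "page": "background.html" },
  "content_security_policy": "script-src 'self'; object-src 'self'",
  "sandbox": {
    "pages": ["innersandbox.html"],
    "content_security_policy": "sandbox allow-scripts; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
  }
}
```

The background page embeds innersandbox.html in an iframe and exchanges data with it via postMessage; re-evaluating a page's scripts, including ones that call eval internally, is legal inside that frame but would be blocked by the extension-page CSP if attempted in background.html directly.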

eoftedal commented 6 years ago

I added it now, and also included some other extractors. I removed the middle CVE as it didn't seem to be related to the js framework per se.

arthurakay commented 6 years ago

I'd actually argue that the middle CVE is related to the framework because of the way most ExtJS developers deployed applications for many years.

From my blog post (one of the links in that middle block that you removed):

The vulnerability itself has nothing to do with JavaScript — an example file written in PHP allowed for directory traversal. The reason this particular vulnerability is a big deal is that historically Ext JS developers would upload the entire ExtJS bundle downloaded from the website, which happened to include all of the working examples (and these could be navigated to via your browser).

Sadly this very vulnerability (in feed-proxy.php) remained a part of the Ext JS examples in various forms through at least version 5.0.0 (and possibly still exists; I didn’t bother to look).

Common sense would dictate not uploading the example folder to your production server… but given the way in which the Ext JS bundle was distributed for many years, thousands (or more!) of applications have this vulnerability in the wild today. Doing a quick Google dork gave me roughly 200 results, and considering most of these ExtJS examples would be unlinked Google likely wouldn’t be able to crawl (i.e. identify) every affected site.

I understand your position that the vulnerability "isn't the fault" of the ExtJS framework, but I'd still argue that the vast majority of developers never thought twice about this. It's a vulnerability that you have a N% chance (IMO could be higher than 50%) of encountering just by using an older version of ExtJS.

In case you're thinking I'm just some random dude complaining about ExtJS, I used to work for Sencha for a number of years. 😎

eoftedal commented 6 years ago

Ah, I see. That makes sense. We should add it back then. :)

eoftedal commented 6 years ago

We should probably check that the filecontent extractor I added works for older versions of ExtJS. Not sure if that comment exists in older versions of the framework.