search

atom / fuzzy-finder

Find and open files quickly
MIT License
275 stars 138 forks source link

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an al... #284

Closed nahamsec closed 5 years ago

nahamsec commented 7 years ago

Hey there,

This was a happy accident while I accidentally opened my pentest related files. Might seem interesting to you.

[Enter steps to reproduce:]

  1. Create a file in your current folder (mine is my downloads folder) with the name <script>alert()<%2fscript>.csv

  2. Ctrl+T to open up fuzzy finder. Atom: 1.15.0 x64 Electron: 1.3.13 OS: Mac OS X 10.12.3 Thrown From: fuzzy-finder package 1.4.1

Stack Trace

Uncaught EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

At /Users/UUUNAME/Downloads/Atom.app/Contents/Resources/app.asar/node_modules/jquery/dist/jquery.js:328

EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self'".

    at Function.globalEval (/app.asar/node_modules/jquery/dist/jquery.js:328:5)
    at jQuery.domManip (/app.asar/node_modules/jquery/dist/jquery.js:5435:16)
    at jQuery.append (/app.asar/node_modules/jquery/dist/jquery.js:5218:15)
    at ProjectView.module.exports.FuzzyFinderView.populateAlternateList (/app.asar/node_modules/fuzzy-finder/lib/fuzzy-finder-view.js:290:21)
    at ProjectView.module.exports.FuzzyFinderView.populateList (/app.asar/node_modules/fuzzy-finder/lib/fuzzy-finder-view.js:264:21)
    at ProjectView.module.exports.SelectListView.setItems (/app.asar/node_modules/atom-space-pen-views/lib/select-list-view.js:167:12)
    at ProjectView.module.exports.FuzzyFinderView.setItems (/app.asar/node_modules/fuzzy-finder/lib/fuzzy-finder-view.js:370:49)
    at ProjectView.module.exports.ProjectView.populate (/app.asar/node_modules/fuzzy-finder/lib/project-view.js:103:14)
    at ProjectView.module.exports.ProjectView.toggle (/app.asar/node_modules/fuzzy-finder/lib/project-view.js:87:14)
    at /app.asar/node_modules/fuzzy-finder/lib/main.js:15:46)
    at CommandRegistry.module.exports.CommandRegistry.handleCommandEvent (/app.asar/src/command-registry.js:259:29)
    at /app.asar/src/command-registry.js:3:59
    at KeymapManager.module.exports.KeymapManager.dispatchCommandEvent (/app.asar/node_modules/atom-keymap/lib/keymap-manager.js:599:16)
    at KeymapManager.module.exports.KeymapManager.handleKeyboardEvent (/app.asar/node_modules/atom-keymap/lib/keymap-manager.js:390:22)
    at WindowEventHandler.module.exports.WindowEventHandler.handleDocumentKeyEvent (/app.asar/src/window-event-handler.js:106:36)
    at /app.asar/src/window-event-handler.js:3:59)

Commands

  3x -6:57.9.0 fuzzy-finder:toggle-file-finder (input.hidden-input)
     -4:53.6.0 editor:consolidate-selections (input.hidden-input)
     -4:53.6.0 core:cancel (input.hidden-input)
  6x -4:52.8.0 fuzzy-finder:toggle-file-finder (input.hidden-input)
     -1:53.2.0 editor:consolidate-selections (input.hidden-input)
  2x -1:53.1.0 core:cancel (input.hidden-input)
  2x -1:46.8.0 fuzzy-finder:toggle-file-finder (atom-workspace.workspace.scrollbars-visible-always.theme-one-dark-syntax.theme-one-dark-ui)
     -1:07.0 editor:consolidate-selections (input.hidden-input)
     -1:07.0 core:cancel (input.hidden-input)
     -1:07.0 editor:consolidate-selections (input.hidden-input)
     -1:07.0 core:cancel (input.hidden-input)
  2x -0:56.4.0 core:close (ol.tree-view.full-menu.list-tree.has-collapsable-children.focusable-panel)
     -0:52.7.0 core:select-all (input.hidden-input)
     -0:52.5.0 core:backspace (input.hidden-input)
     -0:51.7.0 core:save (input.hidden-input)
  3x -0:50.8.0 fuzzy-finder:toggle-file-finder (input.hidden-input)

Non-Core Packages

Screenshot:

http://imgur.com/a/NjYHA

rsese commented 7 years ago

Thanks for the report! I just gave this a try but wasn't able to reproduce - just to confirm, do you get the error in safe mode as well (atom --safe)?

nahamsec commented 7 years ago

Hm. Strange. Here's what my screen looked like: http://imgur.com/a/NjYHA

I just know that somehow the fuzzy finder is somehow parsing HTML when you pull it up.

no-response[bot] commented 5 years ago

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.