google / gitiles

A simple browser for Git repositories.
https://gerrit.googlesource.com/gitiles/

Bad JSON output #82

Closed spearce closed 7 years ago

spearce commented 7 years ago

Originally reported on Google Code with ID 90

The JSON output for every link I've tried under https://chromium.googlesource.com/breakpad/breakpad/+/master
is bad:
$ curl "https://chromium.googlesource.com/breakpad/breakpad/+/master?format=JSON"
)]}'
{
  "commit": "86d5e9e7f94a9cc90c9fe90584d7c8eda6057d17",
  "tree": "1dca71600fec8c736164fdc9f5033c1bac1d8924",
<...>

Note the first line in the output, I have no idea what's going on there.

Reported by None on 2015-12-02 10:57:34

spearce commented 7 years ago
This is intentional, the first line is a cross site scripting protection to prevent
external sites from slurping the output of a private site based on user cookies.

So WAI.

If you want to parse this JSON, you need to strip the first line before handing over
to a JSON parser.

Reported by None on 2015-12-02 16:39:59

spearce commented 7 years ago
I'm a little confused--what attack vector are you trying to close here, the "malicious
site loads JSON URL as a script"? I don't think that's ever been exploitable if you're
returning an object at the top-level of the JSON:
http://flask.pocoo.org/docs/0.10/security/#json-security

Reported by None on 2015-12-03 03:53:43
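
An added example, not code from Gitiles or from either commenter, covering both points in this thread: how a client strips the `)]}'` line before parsing, and what the prefix actually defends against. The sample response is constructed from the curl output quoted above (same commit and tree values, elided fields omitted). `loadsAsScript` uses the `Function` constructor as a stand-in for a hostile page doing `<script src="https://victim/…?format=JSON">`; that is an assumption of the example, chosen because the browser parses such a body with the same script grammar. It shows the follow-up commenter's point that a top-level JSON object is already a SyntaxError as a script, and also why the prefix is still worth having: a top-level JSON array is valid JavaScript (the classic JSON-hijacking case in older browsers that let a page redefine `Array`), and the prefix makes every body a SyntaxError regardless of its shape.

```javascript
// Added example (not Gitiles' own code): stripping the anti-XSSI prefix and
// checking how a body parses when a browser loads it as a script.

const XSSI_PREFIX = ")]}'";

// Constructed sample modelled on the curl output in the issue (fields after
// "tree" omitted, as in the quoted reply).
const SAMPLE_RESPONSE =
  ")]}'\n" +
  "{\n" +
  '  "commit": "86d5e9e7f94a9cc90c9fe90584d7c8eda6057d17",\n' +
  '  "tree": "1dca71600fec8c736164fdc9f5033c1bac1d8924"\n' +
  "}\n";

// Strip the prefix line and parse the rest as JSON. A body without the prefix
// is rejected instead of parsed: it is not the Gitiles JSON endpoint (for
// example an HTML login page from a proxy, or an error page), and silently
// parsing it would hide that.
function parseGitilesJson(text) {
  if (!text.startsWith(XSSI_PREFIX)) {
    throw new Error("missing )]}' anti-XSSI prefix; not a Gitiles JSON response");
  }
  let body = text.slice(XSSI_PREFIX.length);
  // The prefix line ends with LF; tolerate CRLF in case something rewrote it.
  if (body.startsWith("\r\n")) body = body.slice(2);
  else if (body.startsWith("\n")) body = body.slice(1);
  else throw new Error("anti-XSSI prefix not followed by a newline");
  return JSON.parse(body);
}

// Emulate <script src=...> inclusion: the browser parses the body as a
// JavaScript script, not as JSON. Compiling it with the Function constructor
// uses the same statement grammar, so it tells us whether the body would run.
// Returns true if it compiles (it would execute in the hostile page), false if
// it is a SyntaxError (nothing runs, nothing can be read).
function loadsAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Usage, runnable offline against the constructed sample.
const info = parseGitilesJson(SAMPLE_RESPONSE);
console.log(info.commit, info.tree);

// A top-level JSON object is a SyntaxError as a script: "{" opens a block and
// the quoted key is then a misplaced string literal followed by ":".
console.log(loadsAsScript('{"commit": "86d5e9e7"}'));      // false
// A top-level JSON array is a valid expression statement, so it would execute.
console.log(loadsAsScript('["86d5e9e7", "1dca7160"]'));    // true
// With the prefix, any body is a SyntaxError, object or array alike.
console.log(loadsAsScript(SAMPLE_RESPONSE));               // false
console.log(loadsAsScript(")]}'\n[\"86d5e9e7\"]"));         // false
```

The rejection of an unprefixed body is deliberate: if you are scripting against Gitiles and the prefix disappears, you are almost certainly no longer talking to the endpoint you think you are.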