Tuesday, June 4, 2024

Re: CWE-749 GWT and eval()

Consider compiling your application with style=PRETTY or DETAILED so you can see more detail on the name of methods and the classes that surround the code you have questions about; it can make it easier to hunt these down.

I pretty-printed the code snippet you shared, which results in this:
                {
                    j = k.substring(Z, m);
                    l = k.substring(m + $)
                } else {
                    j = k;
                    l = fb
                }
                c[j] = l
            }
        }
        else if (j == xb) {
            k = i.getAttribute(vb);
            if (k) {
                try {
                    d = eval(k)
                } catch (a) {
                    alert(yb + k + zb)
                }
            }
        } else if (j == Ab) {
            k = i.getAttribute(vb);
            if (k) {
                try {
                    e = eval(k)
                } catch (a) {
                    alert(yb + k + Bb)
                }
            }
        }
    }
}
__gwt_getMetaProperty = function(a) {
    var b = c[a];
    return b == null ? null : b
};

The catch blocks have an alert in them, not something we typically see in GWT. It turns out this is part of the default linker, what looks like an old workaround to support extra meta tags contributing error handling code.
https://github.com/gwtproject/gwt/blob/6cf9146a8c53743c99e48b1d1db42a2e2010e1d7/dev/core/src/com/google/gwt/core/ext/linker/impl/processMetas.js
          if (eq >= 0) {
            name = content.substring(0, eq);
            value = content.substring(eq + 1);
          } else {
            name = content;
            value = '';
          }
          metaProps[name] = value;
        }
      } else if (name == 'gwt:onPropertyErrorFn') {
        content = meta.getAttribute('content');
        if (content) {
          try {
            propertyErrorFunc = eval(content);
          } catch (e) {
            alert('Bad handler \"' + content +
              '\" for \"gwt:onPropertyErrorFn\"');
          }
        }
      } else if (name == 'gwt:onLoadErrorFn') {
        content = meta.getAttribute('content');
        if (content) {
          try {
            onLoadErrorFunc = eval(content);
          } catch (e) {
            alert('Bad handler \"' + content + '\" for \"gwt:onLoadErrorFn\"');
          }
        }
      }
    }
  }


  // Set some of the variables in the main script
  __gwt_getMetaProperty = function(name) {
    var value = metaProps[name];
    return (value == null) ? null : value;
  }

This is used by most of the built-in linkers - there is an alternative file, processMetasNull.js, which could be used to remove these entirely. To use that, extend your current linker (presumably CrossSiteIframeLinker) and override getJsProcessMetas to return "com/google/gwt/core/ext/linker/impl/processMetasNull.js".

I've filed https://github.com/gwtproject/gwt/issues/9967 to explore phasing these out or making them easier to disable.
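The linker override described above, written out as an added example (this is not code from the GWT project or from the reply's author): a primary linker that inherits everything from CrossSiteIframeLinker and only swaps the meta-tag processing script for processMetasNull.js, so the gwt:onPropertyErrorFn / gwt:onLoadErrorFn eval() calls never reach the generated *.nocache.js. The class name, package and linker name are assumptions; getJsProcessMetas(LinkerContext) is the hook named in the reply.

```java
package com.example.linker; // assumed package name for this example

import com.google.gwt.core.ext.LinkerContext;
import com.google.gwt.core.ext.linker.LinkerOrder;
import com.google.gwt.core.ext.linker.LinkerOrder.Order;
import com.google.gwt.core.ext.linker.Shardable;
import com.google.gwt.core.linker.CrossSiteIframeLinker;

/**
 * Drop-in replacement for CrossSiteIframeLinker that does not emit the
 * eval()-based handling of the gwt:onPropertyErrorFn and gwt:onLoadErrorFn
 * meta tags. All other linker behaviour is inherited unchanged.
 *
 * Hypothetical class written for this example; not part of GWT itself.
 */
@LinkerOrder(Order.PRIMARY)
@Shardable
public class NoEvalMetasLinker extends CrossSiteIframeLinker {

  @Override
  public String getDescription() {
    return "Cross-Site-Iframe (meta-tag error handlers disabled)";
  }

  /**
   * SelectionScriptLinker normally returns processMetas.js here. Returning
   * the null variant removes the meta-tag handler lookup, and with it the two
   * eval() calls flagged by the scanner. Applications that relied on those
   * meta tags lose that behaviour, which is the intended trade-off.
   */
  @Override
  protected String getJsProcessMetas(LinkerContext context) {
    return "com/google/gwt/core/ext/linker/impl/processMetasNull.js";
  }
}
```

Register it in the module's .gwt.xml with a define-linker element (for example name="xsiframe_noeval" and class="com.example.linker.NoEvalMetasLinker", both assumed names) followed by an add-linker element with the same name, so it replaces the default xsiframe linker. After recompiling, a quick check is to search the generated <module>.nocache.js for "eval(" and confirm the two occurrences from the quoted snippet are gone before re-running the scanner and the CSP test.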

On Tuesday, June 4, 2024 at 4:54:38 AM UTC-5 giacomo....@gmail.com wrote:
When we run an automated security scan against our GWT project, one of the main vulnerabilities is related to the presence of eval() functions in the xxxx.nocache.js file

...{j=k.substring(Z,m);l=k.substring(m+$)}else{j=k;l=fb}c[j]=l}}else if(j==xb){k=i.getAttribute(vb);if(k){try{d=eval(k)}catch(a){alert(yb+k+zb)}}}else if(j==Ab){k=i.getAttribute(vb);if(k){try{e=eval(k)}catch(a){alert(yb+k+Bb)}}}}}__gwt_getMetaProperty=function(a){var b=c[a];return b==null?null:b};w=d;ipmweb.__errFn=e}...

We added the CSP that blocks eval executions and the application runs correctly, meaning that those eval() calls are not executed at runtime.

Is there a way to get rid of those eval() functions? Is there someone who knows in which cases those eval() calls get executed?

--
You received this message because you are subscribed to the Google Groups "GWT Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-web-toolkit/5257c8e3-db4d-4f5f-8b93-0b952ac569b5n%40googlegroups.com.
