by laurent123456 3528 days ago
That doesn't make much sense. If there's a vulnerability in Angular, doesn't it mean that there's a vulnerability in the JS engine that runs the Firefox addons? And in that case, can't an attacker replicate whatever Angular is doing to make an exploit? Basically it sounds like it's something for Mozilla to fix, not the Angular team.

Angular runs eval-like functions on HTML in the DOM. The DOM can be controlled by the webpage. When Angular runs in an extension (which has more permissions than the page) using the DOM controlled by the webpage, then the webpage can write code into the DOM that Angular executes from within the extension's security context. It's not the browser's fault that Angular trusts the webpage's DOM like that; Angular just isn't built for extensions.
But Angular only reads HTML that it's told to read, specified by the "ng-app" attribute/directive.
Yes, but in a browser extension context the web page controls the HTML involved and is the thing you want to defend against. So relying on the HTML to play nice is not OK.

[Disclaimer: I work for Mozilla.]

And the webpage can place the ng-app directive into itself.
Exactly. If you can write a vulnerability in Angular, you can write it in vanilla JavaScript as well. Unless Angular is using `eval()` or something and Firefox bans any use of `eval()`, which is reasonable...
> Unless Angular is using `eval()`

Which it is, as far as I can see, though it tried to make it slightly safer ... until version 1.6, when it gave up on pretending it's at all safe. The linked slide share from the GitHub issue talks about this a bit. See http://www.slideshare.net/x00mario/an-abusive-relationship-w... slides 16-31 which talk about the sandbox angular tried to apply to the environment it did the eval() in, but in the end it's grabbing text from the DOM and doing an eval().

Note that in a browser extension, taking text from the DOM (controlled by the web page) and doing an eval (with the privileges of the extension!) is obviously really really bad.

[Disclaimer: I work for Mozilla and I'm not an expert on Angular.]

Firefox Addons Marketplace reviews and bans malicious and insecure extensions. There are legitimate uses of eval. Angular's use of eval (on DOM content) is insecure within the context of browser extensions.
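As an added illustration of the mitigation the thread is circling (this is not Angular's code and not from any commenter): an interpolator that renders Angular-style `{{ expr }}` templates against a scope object by own-property lookup only, without `eval` or `new Function`, so text the page writes into the DOM stays data and never becomes code running with the extension's privileges. The template strings and scope objects are constructed for the example.

```javascript
// Added example (not Angular's code): an Angular-style {{ expression }}
// interpolator that resolves templates against a scope object WITHOUT
// eval/new Function. Only plain own-property paths on the scope are
// accepted, so page-controlled DOM text cannot become code that runs
// in the extension's security context.

// A permitted expression is an identifier path such as "user.name":
// no calls, brackets, operators or string literals.
const SAFE_PATH = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Resolve "a.b.c" against scope using own properties only; the
// prototype chain is never walked, so "constructor" and similar
// inherited names on a scope value resolve to nothing.
function resolvePath(scope, path) {
  let cur = scope;
  for (const key of path.split(".")) {
    if (cur === null || typeof cur !== "object" ||
        !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// Interpolated values are inserted as text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  }[c]));
}

// Replace each {{ expr }} in html. Anything that is not a plain
// property path is rejected (recorded, rendered as empty) rather
// than evaluated.
function renderTemplate(html, scope) {
  const rejected = [];
  const out = html.replace(/\{\{\s*([^}]*?)\s*\}\}/g, (_, expr) => {
    if (!SAFE_PATH.test(expr)) { rejected.push(expr); return ""; }
    const v = resolvePath(scope, expr);
    return v === undefined ? "" : escapeHtml(v);
  });
  return { out, rejected };
}
```

The `rejected` list is the detection hook: an extension can log or count rejected expressions to notice pages that are probing its templating.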