by angry-hacker 3532 days ago
Can someone explain to me:

If angular can do it, so can just plain javascript? Then it's a problem with their extension architecture?

As much as I hate bundling big libraries everywhere, why ban angular?

Also, is it possible the researcher wants to get money from Google and didn't want the vulnerability to be shared?

2 comments

Yes, you can write vulnerable code in plain javascript:

    eval(document.querySelector('.foo').textContent);

In a regular web page where you don't allow the user to insert arbitrary HTML, it's a perfectly fine line allowing you to store code in the DOM.

If you do that in a browser extension where the DOM is controlled by the web page, then you've got a big security vulnerability: the webpage can put anything it wants into a foo tag and then your extension will execute it with its privileges! Your extension will be taken down from the Firefox Addons Marketplace if it's reviewed and this line is found running. If lots of extensions added this line, then Mozilla would probably automate blocking extensions from containing it.

Angular 1.x does something like this line. It's perfectly fine in web pages where you control the DOM, but is insecure if the DOM comes from an untrusted outsider!
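The pattern this comment describes, as an added example that is not part of any comment in the thread: the vulnerable extension-side read beside a hardened form that treats the node's text as data, plus a small source scan of the kind the comment suggests a marketplace could automate (it also flags `new Function`, which a later comment notes has the same problem). The function names, the `theme`/`refreshSeconds` config shape and the sample node strings are all constructed for the example; `textContent` is passed in as a plain string so the file runs under Node without a DOM.

```javascript
// Added example (not from the thread). An extension reads a config blob out of a
// DOM node. In an extension the page controls that node's text, so whatever is
// in it is untrusted input. Constructed strings stand in for node.textContent.

// Vulnerable form: page-controlled text is handed to the JS engine as code.
function readConfigUnsafe(textContent) {
  // eslint-disable-next-line no-eval
  return eval(textContent); // any JS the page puts in the node runs with extension privileges
}

// Hardened form: treat the node's text as data. JSON.parse never executes code,
// and the parsed object is checked against the small shape the extension expects
// (the shape here is made up for the example).
const ALLOWED_KEYS = new Set(['theme', 'refreshSeconds']);

function readConfigSafe(textContent) {
  let parsed;
  try {
    parsed = JSON.parse(textContent);
  } catch (e) {
    return null; // not JSON: reject rather than guess
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) return null;
  for (const key of Object.keys(parsed)) {
    if (!ALLOWED_KEYS.has(key)) return null; // unexpected key: reject the whole blob
  }
  const out = {};
  if ('theme' in parsed) {
    if (parsed.theme !== 'light' && parsed.theme !== 'dark') return null;
    out.theme = parsed.theme;
  }
  if ('refreshSeconds' in parsed) {
    const n = parsed.refreshSeconds;
    if (!Number.isInteger(n) || n < 1 || n > 3600) return null;
    out.refreshSeconds = n;
  }
  return out;
}

// Review-time check of the kind the comment says a marketplace could automate:
// flag source lines that pass a string to the engine as code. A regex scan is a
// first pass, not a full parser, so it reports candidates for a human to look at.
const CODE_EXEC_PATTERNS = [
  { name: 'eval', re: /\beval\s*\(/ },
  { name: 'new Function', re: /\bnew\s+Function\s*\(/ },
  { name: 'setTimeout(string)', re: /\bset(?:Timeout|Interval)\s*\(\s*["'`]/ },
];

function findCodeExecSinks(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    for (const p of CODE_EXEC_PATTERNS) {
      if (p.re.test(line)) hits.push({ line: i + 1, sink: p.name, text: line.trim() });
    }
  });
  return hits;
}

// Constructed node contents: what a cooperating page might put in the node, and
// what a hostile page could put there instead.
const benignNode = '{"theme": "dark", "refreshSeconds": 30}';
const hostileNode = 'globalThis.extensionCompromised = true; ({theme: "dark"})';

console.log('safe read, benign node :', readConfigSafe(benignNode));  // { theme: 'dark', refreshSeconds: 30 }
console.log('safe read, hostile node:', readConfigSafe(hostileNode)); // null
readConfigUnsafe(hostileNode);
console.log('unsafe read ran page code:', globalThis.extensionCompromised === true); // true
console.log('sinks in readConfigUnsafe:', findCodeExecSinks(readConfigUnsafe.toString()));
```

The hardened reader rejects anything that is not exactly the expected JSON shape, so a page that wants to influence the extension can only pick a theme or a refresh interval, never run code; the scanner is the kind of cheap review gate that would have caught the `eval` line in the comment above.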

I had an extension a while ago that I was attempting to publish to the Firefox app store and it was rejected on grounds of using eval. I don't remember why I needed to use eval, but basically this is something they do already. I'm guessing that previously they were allowing for an Angular exception.
Why doesn't Firefox simply disallow eval? You would get an error in console explaining and that's it.
Lots of perfectly sensible JavaScript code uses eval for things like feature detection and runtime code generation. If you removed eval they'd just use 'new Function' instead, which has most of the same problems.
There are legitimate uses of eval. And there are plenty of other ways for extensions to be insecure besides by using eval!
I have no information one way or the other, but maybe the issue isn't that angular can do it, but that angular does do it. So any extension using angular is vulnerable by default.