From 148e7abb5143a4003d01989c89424900d94e65aa Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Thu, 16 Mar 2017 23:03:02 +0100
Subject: [PATCH] Harden JS by disabling jQuery eval

Disable execution of eval in jQuery. We do require an allowed eval CSP
configuration at the moment for handlebars et al. But for jQuery there is
not much of a reason to execute JavaScript directly via eval.

This thus mitigates some unexpected XSS vectors. As example try to insert
`$('.fileinfo').html('<a href="asd"><script>alert(1)</script></a>');`
with and without this patch in your browsers JS console when the file list
is opened.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
---
 core/js/js.js | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/core/js/js.js b/core/js/js.js
index c8907cdfc90..5c737d41793 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1264,6 +1264,15 @@ function initCore() {
 		}
 	});
 
+	/**
+	 * Disable execution of eval in jQuery. We do require an allowed eval CSP
+	 * configuration at the moment for handlebars et al. But for jQuery there is
+	 * not much of a reason to execute JavaScript directly via eval.
+	 *
+	 * This thus mitigates some unexpected XSS vectors.
+	 */
+	jQuery.globalEval = function(){};
+
 	/**
 	 * Set users locale to moment.js as soon as possible
 	 */
-- 
GitLab