Handle multiple JSON Vulnerability Prefixes in same response

riaann · riaann · commit 02e04977479a · 2015-10-09T16:42:10.000+02:00
An error ("Unable to parse JSON string") occurs when the same batch response contains multiple JSON vulnerability prefixes (such as when multiple GET operations that return arrays are batched). A unit test was added to illustrate this scenario. This occurred only with multiple prefixes because string.replace was used on the entire response text, and string.replace only replaces the first occurrence of the substring. To fix this, I moved the trim function to the "httpAdapter", because that allowed finer control over when the prefix was trimmed - the prefix is now trimmed for each batch response separately and only when parsing a response with a 'json' content type. Further, trimming JSON vulnerability prefixes don't appear relevant for multifetch: the returned data is in an object form, not an array - so the vulnerability does not apply (see this for more details of how the vulnerability manifests: http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/ ).
diff --git a/src/services/adapters/httpAdapter.js b/src/services/adapters/httpAdapter.js
@@ -177,11 +177,22 @@ function HttpBatchAdapter($document, $window, httpBatchConfig) {
     return boundary;
   }
 
+  /**
+   * see https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection
+   * @param data
+   * @returns {*|void|string}
+   */
+  function trimJsonProtectionVulnerability(data) {
+    return typeof (data) === 'string' ? data.replace(')]}\',\n', '') : data;
+  }
+
   function convertDataToCorrectType(contentType, dataStr) {
     var data = dataStr;
     contentType = contentType.toLowerCase();
 
     if (contentType.indexOf('json') > -1) {
+      // only remove json vulnerability prefix if we're parsing json
+      dataStr = trimJsonProtectionVulnerability(dataStr);
       data = angular.fromJson(dataStr);
     }
 
diff --git a/src/services/httpBatcher.js b/src/services/httpBatcher.js
@@ -34,27 +34,14 @@ function addRequestFn(request) {
   return true;
 }
 
-/**
- * see https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection
- * @param data
- * @returns {*|void|string}
- */
-function trimJsonProtectionVulnerability(data) {
-  return typeof (data) === 'string' ? data.replace(')]}\',\n', '') : data;
-}
-
 function sendFn() {
   var self = this,
     adapter = self.getAdapter(),
     httpBatchConfig = adapter.buildRequest(self.requests, self.config);
 
   self.sendCallback();
   self.$injector.get('$http')(httpBatchConfig).then(function (response) {
-    var batchResponses;
-
-    response.data = trimJsonProtectionVulnerability(response.data);
-
-    batchResponses = adapter.parseResponse(self.requests, response, self.config);
+    var batchResponses = adapter.parseResponse(self.requests, response, self.config);
 
     angular.forEach(batchResponses, function (batchResponse) {
       batchResponse.request.callback(
diff --git a/tests/services/httpBatcher.spec.js b/tests/services/httpBatcher.spec.js
@@ -724,6 +724,77 @@
           $httpBackend.flush();
         });
 
+        it('should parse the response of a single batch request which contains the Angular "JSON Vulnerability Protection" prefix and multiple responses', function (done) {
+          var batchConfig = {
+              batchEndpointUrl: 'http://www.someservice.com/batch',
+              batchRequestCollectionDelay: 200,
+              minimumBatchSize: 1,
+              adapter: defaultBatchAdapter
+            },
+            postData = '--31fcc127-a593-4e1d-86f3-57e45375848f\r\nContent-Type: application/http; msgtype=request\r\n\r\nGET /resource HTTP/1.1\r\nHost: www.gogle.com\r\n\r\n\r\n--31fcc127-a593-4e1d-86f3-57e45375848f' +
+            '\r\nContent-Type: application/http; msgtype=request\r\n\r\nGET /resource-two HTTP/1.1\r\nHost: www.gogle.com\r\n\r\n\r\n--31fcc127-a593-4e1d-86f3-57e45375848f--',
+            responseData = '--31fcc127-a593-4e1d-86f3-57e45375848f\r\nContent-Type: application/http; msgtype=response\r\n\r\n' +
+            'HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8;\r\n\r\n' +
+            ')]}\',\n' + // JSON Vulnerability Protection prefix (see https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection )
+            '{"results":[{"BusinessDescription":"Some text here"}],"inlineCount":35}' +
+            '\r\n--31fcc127-a593-4e1d-86f3-57e45375848f\r\n' +
+            '\r\nContent-Type: application/http; msgtype=response\r\n\r\n' +
+            'HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8;\r\n\r\n' +
+            ')]}\',\n' + // JSON Vulnerability Protection prefix (see https://docs.angularjs.org/api/ng/service/$http#json-vulnerability-protection )
+            '[{"name":"Jon","id":1,"age":30},{"name":"Laurie","id":2,"age":29}]' +
+            '\r\n--31fcc127-a593-4e1d-86f3-57e45375848f--\r\n',
+
+            completedFnInvocationCount = 0,
+
+            completedFn = function () {
+              completedFnInvocationCount += 1;
+              if (completedFnInvocationCount === 2) {
+                done();
+              }
+            };
+
+          $httpBackend.expectPOST(batchConfig.batchEndpointUrl, postData).respond(200, responseData, {
+            'content-type': 'multipart/mixed; boundary="31fcc127-a593-4e1d-86f3-57e45375848f"'
+          }, 'OK');
+
+          sandbox.stub(httpBatchConfig, 'calculateBoundary').returns('31fcc127-a593-4e1d-86f3-57e45375848f');
+          sandbox.stub(httpBatchConfig, 'getBatchConfig').returns(batchConfig);
+
+          httpBatcher.batchRequest({
+            url: 'http://www.gogle.com/resource',
+            method: 'GET',
+            callback: function (statusCode, data) {
+              expect(data).to.deep.equal({
+                results: [{
+                  BusinessDescription: 'Some text here'
+                }],
+                inlineCount: 35
+              });
+              completedFn();
+            }
+          });
+
+          httpBatcher.batchRequest({
+            url: 'http://www.gogle.com/resource-two',
+            method: 'GET',
+            callback: function (statusCode, data) {
+              expect(data).to.deep.equal([{
+                name: 'Jon',
+                id: 1,
+                age: 30
+              }, {
+                name: 'Laurie',
+                id: 2,
+                age: 29
+              }]);
+              completedFn();
+            }
+          });
+
+          $timeout.flush();
+          $httpBackend.flush();
+        });
+
         it('should return original data for non strings when trim Angular "JSON Vulnerability Protection" prefix', function (done) {
           var responseData = [{
               "headers": {
