Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
UIMenuItem: isDisabled() is not checked inside decode()
See original GitHub issue1) Environment
- PrimeFaces version: ALL
- Does it work on the newest released PrimeFaces version? Version? NO
- Does it work on the newest sources in GitHub? NO
- Application server + version: ALL
- Affected browsers: ALL
2) Expected behavior
UIMenuItem should conform to every other UICommand component, checking for isDisabled() before enqueuing an ActionEvent inside decode() method.
3) Actual behavior
It is possible to invoke a DISABLED UIMenuItem using javascript, leading to execution of unintended code on server
4) Steps to reproduce
create a
<h:form id="form">
...
<p:menuitem id="menuitem" disabled="true" action="#{someBean.someAction}" value="disabled menuitem" />
...
</h:form>
and execute PrimeFaces.ab({s:"form:menuitem",p:"form",u:"form",f:"form"}).
Despite the disabled=“true”, the menuitem is decoded and the action is invoked!
5) Sample XHTML
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ui="http://xmlns.jcp.org/jsf/facelets"
xmlns:h="http://xmlns.jcp.org/jsf/html" xmlns:f="http://xmlns.jcp.org/jsf/core" xmlns:p="http://primefaces.org/ui">
<h:head>
</h:head>
<h:body>
<h:form id="form">
<p:panel>
<ul>
<li>
execute
<pre>PrimeFaces.ab({s:"form:commandButton2",p:"form",u:"form",f:"form"})</pre>
and the following timestamp will be resetted to "[NOT SET]".
<br />
This means that "#{'#{testMenuitemBean.updateTimestamp}'}" has not been invoked (testMenuitemBean is
@RequestScoped).
</li>
<br />
<br />
<li>
execute
<pre>PrimeFaces.ab({s:"form:menuitem2",p:"form",u:"form",f:"form"})</pre>
and the following timestamp
<h1>will be updated!!</h1>
</li>
</ul>
</p:panel>
<br />
<p:panel id="timestampPanel">timestamp: [#{testMenuitemBean.timestamp}]</p:panel>
<br />
<p:panel>
<p:menuButton id="menuButton1" value="menuButton1">
<p:menuitem id="menuitem1" action="#{testMenuitemBean.updateTimestamp}" process="@form" update="timestampPanel"
value="enabled menuitem" />
<p:menuitem id="menuitem2" disabled="true" action="#{testMenuitemBean.updateTimestamp}" process="@form"
update="timestampPanel" value="disabled menuitem" />
</p:menuButton>
<p:commandButton id="commandButton1" action="#{testMenuitemBean.updateTimestamp}" process="@form"
update="timestampPanel" value="enabled commandButton" />
<p:commandButton id="commandButton2" disabled="true" action="#{testMenuitemBean.updateTimestamp}" process="@form"
update="timestampPanel" value="disabled commandButton" />
</p:panel>
</h:form>
</h:body>
</html>
6) Sample bean
import javax.enterprise.context.RequestScoped;
import javax.inject.Named;
@Named
@RequestScoped
public class TestMenuitemBean {
private String timestamp = "NOT SET";
public void updateTimestamp() {
timestamp = String.valueOf(System.currentTimeMillis());
}
public String getTimestamp() {
return timestamp;
}
}
7) Solution
this is the current decode() of https://github.com/primefaces/primefaces/blob/master/src/main/java/org/primefaces/component/menuitem/UIMenuItem.java
@Override
public void decode(FacesContext facesContext) {
Map<String, String> params = facesContext.getExternalContext().getRequestParameterMap();
String clientId = getClientId(facesContext);
if (params.containsKey(clientId)) {
queueEvent(new ActionEvent(this));
}
ComponentUtils.decodeBehaviors(facesContext, this);
}
just add:
@Override
public void decode(FacesContext facesContext) {
if(isDisabled()) { // <------------ this check
return;
}
Map<String, String> params = facesContext.getExternalContext().getRequestParameterMap();
String clientId = getClientId(facesContext);
if (params.containsKey(clientId)) {
queueEvent(new ActionEvent(this));
}
ComponentUtils.decodeBehaviors(facesContext, this);
}
However, since UIMenuItem has to be used inside another “menu-enabled” component (like TieredMenu , SlideMenu, MenuButton, …), it would be better to check also if the “menu-enabled” ancestor is disabled.
As of now, I didn’t found a simpler way to reach that ancestor, so I’m doing:
@Override
public void decode(FacesContext facesContext)
{
if(isDisabled()) {
return;
}
UIComponent ancestor = getParent();
while(ancestor instanceof UICommand || ancestor instanceof AbstractMenu || ancestor instanceof Submenu) {
if(!ancestor.isRendered() || Boolean.valueOf(String.valueOf(ancestor.getAttributes().get("disabled")))) {
return;
}
ancestor = ancestor.getParent();
}
super.decode(facesContext);
}
Thank you and good work!
Issue Analytics
- State:
- Created 4 years ago
- Comments:12 (7 by maintainers)
Top Results From Across the Web
How to Recognise which menuItem is disabled?
in onCreateOptionsMenu() store the menu into a local class field, and then to check if a certain menu item is enabled/disabled use isEnabled ......
Read more >wwdc2022-10049 | Apple Developer Forums
I am using UIMenuControllerWillShowMenuNotification in my app. but in iOS16 UIMenuController is deprecated. I want to check when menu is open but in...
Read more >Swift should allow for suppression of warnings, especially ...
The case I just ran into involves the warning "'catch' block is unreachable because no errors are thrown in 'do' block'". Here is...
Read more >Diff - d723882358..4b3282a5d6 - chromium/src - Git at Google
-172,9 +172,11 @@ void SearchBoxView::UpdateSearchIcon() { const ... ErrorMessages) { - // Error strings should not be modified in case of success.
Read more >Lightning Aura Components Developer Guide
eval() Function is Limited by Lightning Locker . ... that you've created when used in Lightning markup, but not in expressions or JavaScript....
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
@Rapster
You are right, I focused on containers of just menuitems, but we should look also for generic containers that can have
disabledand, eventually,readonlyattributes.Yes, I know. See the final code below for a better compromise.
The definition does not specify the layer on purpose. It’s necessary and sufficient condition that the same check is performed on server-side, any layer. In this respect, the developer should be relieved of the burden and must be able to trust the framework as a delegate for server side access control rules enforcement, which is exactly the duty of JSF ViewState and Component-Tree. In other words, you shouldn’t be required to check twice by yourself (it’s the JSF killer-feature), otherwise it’s not JSF anymore, but another spring-whatever-DIY-like framework. The framework is doing a great job at this, just need to fill some small hole.
Checking the component hierarchy in
decode()for everyUICommandis overwhelming: it adds O(n * h) to theAPPLY_REQUEST_VALUESphase. Nevertheless, using a globalActionListenerdoes not have a relevant impact on performance, since it’s called only for the component to be invoked, and will just traverse the tree bottom-up, using O(h) complexity - which is negligible. In the end, is it worth it? Of course. Is there a better solution? There is, but it requires more work (see below).I agree.
In this specific case, the big problem is that
UIMenuItem.decode()does not check forisDisabled()in contrast with all othersUICommandcomponents. More generally, allowing execution of aUICommandthat is a descendant of adisabledcomponent is not a theoretical violation, but it’s clearly an unwanted behavior, since it’s impossible to achive that behavior with normal user actions on the GUI, but it can be achieved with specially crafted JS. This seems to me the exact definition of vulnerability.This is the last version of the test page:
And the following it’s the rendering
As you can see, the salmon colored represent the critical bypass, while the orange colored represent the unwanted behavior (the GUI does not allow to “click” those menuitems, but JS code can execute them anyway). Unrendered components are safe.
To prevent the critical bypass while having no performance impact, we should update the
UIMenuItem.decode()adding just theisDisabled()check:To prevent the unwanted behavior while having no performance impact (we got a little speedup instead), we should add the
AbstractMenu.processDecodes()adding just theisDisabled()check:The downsides of this approach are:
UICommands(i.e.Tabcomponent is another one that’s impacted)Yep open another issue. We will close this one with just the simply fix of #1 checking for disabled in UIMenuItem.