Escape intercom settings (XSS).

marshall-lee · marshall-lee · commit 6f4a884870ed · 2017-04-05T20:10:31.000+03:00
diff --git a/lib/intercom-rails/script_tag.rb b/lib/intercom-rails/script_tag.rb
@@ -97,7 +97,7 @@ def find_lead_attributes
     def intercom_javascript
       intercom_settings_json = ActiveSupport::JSON.encode(intercom_settings).gsub('<', '\u003C')
 
-      str = "window.intercomSettings = #{intercom_settings_json};(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
+      str = "window.intercomSettings = JSON.parse('#{escape_javascript(intercom_settings_json)}');(function(){var w=window;var ic=w.Intercom;if(typeof ic===\"function\"){ic('reattach_activator');ic('update',intercomSettings);}else{var d=document;var i=function(){i.c(arguments)};i.q=[];i.c=function(args){i.q.push(args)};w.Intercom=i;function l(){var s=d.createElement('script');s.type='text/javascript';s.async=true;s.src='#{Config.library_url || "https://widget.intercom.io/widget/#{j app_id}"}';var x=d.getElementsByTagName('script')[0];x.parentNode.insertBefore(s,x);}if(w.attachEvent){w.attachEvent('onload',l);}else{w.addEventListener('load',l,false);}};})()"
 
       str
     end
diff --git a/spec/auto_include_filter_spec.rb b/spec/auto_include_filter_spec.rb
@@ -162,13 +162,13 @@ def current_user
   it 'to_s non numeric user_id to avoid nested structure for bson ids' do
     get :with_mongo_like_user
     expect(response.body).not_to include("oid")
-    expect(response.body).to include('"user_id":"deadbeaf1234mongo"')
+    expect(response.body).to include('\\"user_id\\":\\"deadbeaf1234mongo\\"')
   end
 
   it 'leaves numeric user_id alone to avoid unintended consequences' do
     get :with_numeric_user_id
     expect(response.body).not_to include("oid")
-    expect(response.body).to include('"user_id":123')
+    expect(response.body).to include('\\"user_id\\":123')
   end
 
   it 'defaults to have no user_hash' do
@@ -226,7 +226,7 @@ def current_user
 
   it 'escapes strings with \\s' do
     get :with_some_tricky_string
-    expect(response.body).to include("\"email\":\"\\\\\\\"foo\\\"\"")
+    expect(response.body).to include('\\"email\\":\"\\\\\\\\\\\\\\"foo\\\\\\"\\"')
   end
 
   it 'can be disabled in non whitelisted environments' do
diff --git a/spec/script_tag_helper_spec.rb b/spec/script_tag_helper_spec.rb
@@ -35,7 +35,7 @@
         :email => 'marco@intercom.io',
         :user_id => 'marco',
       })
-      expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
+      expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
     end
 
     it 'inserts a valid nonce if present' do
diff --git a/spec/script_tag_spec.rb b/spec/script_tag_spec.rb
@@ -173,7 +173,7 @@ def sha256_hmac(secret, input)
         :email => 'marco@intercom.io',
         :user_id => 'marco',
       })
-      expect(script_tag.csp_sha256).to eq("'sha256-qLRbekKD6dEDMyLKPNFYpokzwYCz+WeNPqJE603mT24='")
+      expect(script_tag.csp_sha256).to eq("'sha256-ejA+RwRQBXGtcHVnRlsp8dTW9BaZpvIX2n1/lJhpSaQ='")
     end
 
     it 'inserts a valid nonce if present' do
