Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(SmartNTT): support new file name for sponsored images #994

Closed
wants to merge 1 commit into from

Conversation

IanKrieger
Copy link

@IanKrieger IanKrieger commented Oct 11, 2024

During the development of SmartNTT, we ran into a blocker where we realized that with the addition of conditionMatchers to the wallpapers section of an NTT would not be honored in legacy browsers (1.72.x). This means that a SmartNTT would show to anyone below that version. In order to remedy this, the "quick-fix" idea was to create a new file called si-photo.json. So that way, all new browsers could read the new file, while legacy browsers kept the the same photo.json they were used to, without the SmartNTT present in them (as determined by the ntp-si-assets packager)

@@ -126,7 +126,7 @@ const prepareAssets = (jsonFileUrl, targetResourceDir, targetJsonFileName) => {
return reject(error)
}

createPhotoJsonFile(path.join(targetResourceDir, 'photo.json'), JSON.stringify(photoData))
createPhotoJsonFile(path.join(targetResourceDir, targetJsonFileName), JSON.stringify(photoData))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[semgrep] Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Source: https://semgrep.dev/r/javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal


Cc @thypon @kdenhartog

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like it could be an issue on first glance without knowing how this is called everywhere. As a quick and simple fix we could validate that the targetJsonFileNames and targetResourceDir are values we expect within this function to be certain we're not introducing a path traversal vulnerability.

The issue I'm thinking might be possible (but will require further digging in how this code works) is that a sponsored image is named in a particular way such that it could load an unexpected image (and count it as viewing a sponsored image) or potentially overwrite a file on disk. I'm not certain this is possible at the moment, but have you considered this and handled it else where?

@IanKrieger IanKrieger changed the title feat(SmartNTT): support new file name feat(SmartNTT): support new file name for sponsored images Oct 11, 2024
Copy link
Collaborator

@tackley tackley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This isn't ready to go.

For each campaign, si-photo.json is a strict superset of the content of photo.json. Therefore the proposed promise.all will, in parallel, download the same image files to the same location. This is likely to cause corruption.

Will revisit once we've finished refining the upstream asset generation logic in ntp-si-assets.

@tackley
Copy link
Collaborator

tackley commented Oct 15, 2024

We've decided to go with evolving the content of the existing photo.json rather than introducing a new file. There will still need to be a minor change needed here, but it will be much smaller in scope.

This PR can be closed, which I will do as soon as I have access to do so ;)

@tackley tackley closed this Oct 15, 2024
@tackley tackley deleted the feat/support-smart-ntt-with-next-version branch October 15, 2024 15:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants