Kuali Rice Development / KULRICE-6675

UI Framework - Configurable modal dialog (the back-end to support rich lightbox, question framework)

    Details

    • Rice Module:
      KRAD
    • Application Requirement:
      KS
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Not Required

            Activity

            jkneal Jerry Neal (Inactive) added a comment -

            Please address security concern from KNS if applicable in KRAD:

            Here's the thread on security issues with question framework.

            -------- Original Message --------
            Subject: RE: FW: security question
            Date: Fri, 13 Jan 2012 13:36:02 -0500
            From: Stapleton, Heather J <hstaplet@indiana.edu>
            To: Smith, James K. <smith750@indiana.edu>, Warren Liang <wliang@uci.edu>
            CC: Jonathan Keller <keller.jonathan@gmail.com>, "Westfall, Eric Curtis" <ewestfal@indiana.edu>, "Bennett III, James William" <jawbenne@indiana.edu>

            If everyone is ok with Warren’s suggestion, then I’ll create an IU Rice jira to get this fixed which will eventually get contributed back to the foundation. Unless there is a strong desire to wait until after KRAD to look into lightboxes? We’d like this fixed for our IU release, so I’m inclined to proceed with Warren’s suggestion.

            Thoughts?

            hjs

            From: Smith, James K.
            Sent: Monday, December 19, 2011 9:36 AM
            To: Warren Liang
            Cc: Jonathan Keller; Westfall, Eric Curtis; Bennett III, James William; Stapleton, Heather J
            Subject: Re: FW: security question

            That makes sense to me. Thanks Warren!

            On 12/18/2011 7:42 PM, Warren Liang wrote:

            Hey James,

            You are probably right about concurrency issues w/ the automatic removal. Here's another idea: add the String with the UserSession.addObject() object, which will return a unique "object key" every time something's added. Then you won't have to bother making the SHA hash.

            W

            On Fri, Dec 16, 2011 at 7:20 AM, James Smith <smith750@indiana.edu <smith750@indiana.edu>> wrote:

            Would this raise concurrency issues? Let's say a user is doing similar documents in two different tabs of their browser, hitting the same question screen - first in one tab, then in the next. In that case...well, the String would have to be held in either a ThreadLocal Map (in which case, I begin to wonder if we need a map at all); or the hash could have a timestamp as part of what it hashed so every key is basically guaranteed to be unique; or...well, that's why I was suggesting that question texts get evicted if it isn't used for a "reasonable" period of time... Even if the question text was put in a session with a hash as a key, this would be a problem; you'd need to generate a unique guid I'm guessing. Anyway: guess my idea still has problems!

            On 12/15/2011 4:48 PM, Warren Liang wrote:

            I like the solution.

            It fixes a second (and I think more important than XSS) issue: that of text injection. If you're worried about the map becoming too large, you can just remove the map entry once it's been used.

            Warren

            On Thu, Dec 15, 2011 at 1:00 PM, Smith, James K. <smith750@indiana.edu> wrote:

            Hi all. Ailish, Heather, and I just had a meeting where we were discussing the question text security issue. UA had run into an issue with this earlier while I was consulting so I had thought of a solution (but they didn’t have time to implement); Ailish liked it though and she wanted me to share.

            First, Jonathan is correct in that at some point, questions may just be lightboxes and this whole stupid problem would just go away. Yay! For the time being though, we looked at some pre rules and Jonathan's solution won't work: we can't pass property names because some question texts come from properties, some from parameters, and in my (and UA's!) favorite: from the VendorType BO. So we can't pass around a property name and have that work.

            My solution was that the pre rules would interpolate the text and pass that to, say, askOrAnalyzeYesNoQuestion. askOrAnalyzeYesNoQuestion would NOT simply pass the text on as a parameter. Instead, it would find, say, the SHA hash of the message and then go to a special map in GlobalVariables where it would put the question text as the value with the hash as the key. Then it would pass the hash as a parameter. When the question displayed, it would take the hash, go back to GlobalVariables, retrieve the actual question text and then display it.
            I had concerns about growth of that question text Map over time but certainly it could be a special map which evicted entries after a certain reasonable period of time.

            Does this seem like an amenable solution?

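The indirection the thread converges on, as an added example that is not Kuali Rice code: question text stays server-side in a per-session store, the browser only carries an opaque key, and the display step escapes whatever it looks up. `hash_key` shows the first (SHA-keyed) proposal and why two tabs asking the same question collide; `QuestionTextStore.add` follows Warren's suggestion of a fresh key per add (modelled on, but not using, `UserSession.addObject()`), with single-use removal and time-based eviction as discussed. Class and function names, the TTL and the sample question text are constructed for this example.

```python
import hashlib
import html
import secrets
import time

class QuestionTextStore:
    """Per-session store for interpolated question text (constructed example).

    The server keeps the text and gives the browser only an opaque key, so the
    text that gets rendered never comes from a request parameter.
    """

    def __init__(self, ttl_seconds=600, now=time.monotonic):
        self._entries = {}      # key -> (text, inserted_at)
        self._ttl = ttl_seconds
        self._now = now         # injectable clock, so eviction is testable

    def add(self, text):
        """Store text under a fresh random key; a new key on every call, so two
        tabs asking the same question never share (or clobber) an entry."""
        self._evict_expired()
        key = secrets.token_urlsafe(16)
        self._entries[key] = (text, self._now())
        return key

    def take(self, key):
        """Return and remove the text for one display; None if unknown or expired."""
        self._evict_expired()
        entry = self._entries.pop(key, None)
        return None if entry is None else entry[0]

    def _evict_expired(self):
        now = self._now()
        stale = [k for k, (_, t) in self._entries.items() if now - t > self._ttl]
        for k in stale:
            del self._entries[k]

def hash_key(text):
    """The thread's first proposal: SHA of the text as the key. Identical texts
    collide, which is the multi-tab concurrency problem James raised."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def render_question(store, key):
    """Display step: look the key up server-side and escape the stored text."""
    text = store.take(key)
    if text is None:
        return "Question expired or invalid; please retry the action."
    return '<p class="question">%s</p>' % html.escape(text)
```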

              People

              • Assignee: dsiebert Daniel Seibert (Inactive)
              • Reporter: csoders Candace Soderston (Inactive)

                  Time Tracking

                  • Estimated: 4w 3d 5m (Original Estimate - 4 weeks, 3 days, 5 minutes)
                  • Remaining: 4w 2h 5m (Remaining Estimate - 4 weeks, 2 hours, 5 minutes)
                  • Logged: Not Specified