Adds proxy binding for AjaxProxy component. wocommunity#768

When the proxy binding is not set, AjaxProxy uses its containing component (so, in this case, the AjaxFlexibleFileUpload component) as its server-side proxy object. This exposes all public methods of that component to the client-side Javascript object. At that point, a malicious user can fairly easily call some significant methods, such as Application.terminate() to shut down the application instance. Here we add a single-purpose Proxy object as an inner class of AjaxFlexibleFileUpload which simply wraps the methods that we need to call from the client.
paulhoadley · Jun 19, 2016 · 9813d1e · 9813d1e
1 parent be7b7ca
commit 9813d1e
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 1 deletion.
diff --git a/Frameworks/Ajax/Ajax/Components/AjaxFlexibleFileUpload.wo/AjaxFlexibleFileUpload.wod b/Frameworks/Ajax/Ajax/Components/AjaxFlexibleFileUpload.wo/AjaxFlexibleFileUpload.wod
@@ -1,6 +1,7 @@
 AjaxProxy : AjaxProxy {
   name = ajaxProxyName;
   proxyName = "wopage";
+  proxy = proxy;
 }
 
 SelectFileButtonWrapper : WOGenericContainer {

diff --git a/Frameworks/Ajax/Ajax/Sources/er/ajax/AjaxFlexibleFileUpload.java b/Frameworks/Ajax/Ajax/Sources/er/ajax/AjaxFlexibleFileUpload.java
@@ -100,7 +100,46 @@ public static interface Keys {
 		public static final String clearUploadProgressOnSuccess = "clearUploadProgressOnSuccess";
 		public static final String onClickBefore = "onClickBefore";
 	}
-
+
+	/**
+	 * Wrapper class to expose only the methods we need to {@link AjaxProxy}.
+	 * 
+	 * @author paulh
+	 * @see <a href="https://github.com/wocommunity/wonder/issues/768">#768</a>
+	 */
+	public class Proxy {
+		/**
+		 * Wrapper for {@link AjaxFlexibleFileUpload#uploadState()}.
+		 * 
+		 * @return see {@link AjaxFlexibleFileUpload#uploadState()}
+		 */
+		public NSDictionary<String, ?> uploadState() {
+			return AjaxFlexibleFileUpload.this.uploadState();
+		}
+
+		/**
+		 * Wrapper for {@link AjaxFlexibleFileUpload#cancelUpload()}.
+		 */
+		public void cancelUpload() {
+			AjaxFlexibleFileUpload.this.cancelUpload();
+			return;
+		}
+
+		/**
+		 * Wrapper for {@link AjaxFlexibleFileUpload#uploadState()}.
+		 * 
+		 * @return see {@link AjaxFlexibleFileUpload#uploadState()}
+		 */
+		public WOActionResults clearFileResults() {
+			return AjaxFlexibleFileUpload.this.clearFileResults();
+		}
+	}
+
+	/**
+	 * Proxy used for method access by {@link AjaxProxy}
+	 */
+	public Proxy proxy = new Proxy();
+
 	private String _refreshTime;
 	private String _clearLabel;
 	private String _cancelLabel;