rumremix

A gadget I constructed was recently rejected by the gallery with only this explanation:

"Your gadget wasn't accepted because it looks like it could be vulnerable to malicious attacks. Go to the developer center for ideas about how to make your gadget more secure"

I read in the recent thread titled "Something wrong with submission process" that some gadgets may be being arbitrarily rejected with this explanation. However, I'm not certain that is the case with my gadget and I'd like to at least follow all of the available security recommendations before I resubmit.

This page:

http://msdn2.microsoft.com/en-us/security/bb498012.aspx

suggests validating and sanitizing any "untrusted data" using javascript functions which it provides. My gadget reads an rss feed from a trusted source but I guess any remote source is considered untrusted.

My gadget creates an ActiveXObject and uses it to poulate an rss xml array. The javascript functions suggested in the above link clean and/or validate strings. My question: from a gallery approval standpoint, should I validate each string as it is parsed from the array, or must the array be somehow sanitized sooner than this And if so, how would that be done I'm not sure what the approvers are looking for but i want to cover the bases before I resubmit.

If anyone else has experience with this issue, i would appreciate hearing thoughts on this.

Here is the relavent (unsanitized) code from my gadget:

Code Block

function getRSS() {
loading.innerText = "Connecting...";
rssObj = new ActiveXObject("Msxml2.XMLHTTP");
rssObj.open("GET", rssSource + " f=" + Math.random(), true); //random number added to dummy querystring to prevent reading file from cache
rssObj.onreadystatechange = function() {
if (rssObj.readyState === 4) {
if (rssObj.status === 200) {
loading.innerText = "";
rssXML = rssObj.responseXML;
parseRSS();
if (chkConn) { clearInterval(chkConn); }
} else {
var chkConn;
loading.innerText = "No connection";
chkConn = setInterval(getRSS, 30000);
}
} else {
loading.innerText = "Connecting...";
}

}
rssObj.send(null);
}


function parseRSS() {

start = 0;
end = 5;
rssItems = rssXML.getElementsByTagName("item");
rssTitle = null; rssDate = null;

for (i=start; i<end; i++) {
rssTitle = rssItems[i].firstChild.text;
rssDate = rssItems[i].getElementsByTagName("pubDate"); rssDate = rssDate[0].text.split(" ");
rssDate = rssDate[0] + " " + rssDate[1] + " " + rssDate[2] + " " + rssDate[3];
document.getElementById("cell" + (i)).innerHTML = '<div onClick=\"showFlyout(' + i + ');\">' + rssDate + '<div class="title">' + rssTitle + '</div></div>';

}
}

Thanks for any suggestions on how I can get this puppy approved.


Re: Sidebar Gadget Development submission rejection: "vulnerable to malicious attacks"

Jonathan Abbott

Your code doesn't need sanitizing, as you're not injecting anything into an innerHTML that needs to be checked.

Just resubmit it until it gets approved. If it keeps getting failed for the same reason - then you need to look at it further.




Re: Sidebar Gadget Development submission rejection: "vulnerable to malicious attacks"

RalphLear

I also had problems submitting.

I'm not sure but I believe it was because:

  • I was injecting HTML through the method innerHTML
  • or I had some input fields where the inputed data was not properly validated

After cleaning up my code, the submission was accepted.





Re: Sidebar Gadget Development submission rejection: "vulnerable to malicious attacks"

Jonathan Abbott

As far as I'm aware, there is no definate guidelines for Sidebar Gadget developers from MS as to what is a valid or invalid Gadget. MS have never published their approval guidelines outside of their own team.

MS's legal guide, does contain some rejection reasons however:

"Your Submission does not violate or facilitate the violation of any rights of Microsoft or any third party arising under contract law or otherwise. You will not contribute a Submission for any purpose that is unlawful, offensive, defamatory, libelous, racist or of an obscene, threatening or menacing character, or prohibited by this addendum or the terms of use."

"Your Submission does not contain any Prohibited Code. í░Prohibited Codeí▒ means software code of any kind that (i) is potentially harmful to or could compromise a userí»s system, software data, security or privacy; (ii) without the userí»s express knowledge and consent, interferes with the operation of applications; (iii) launches or causes other similar code or applications similar to the foregoing to launch; (iv) is obscured or resistant to removal; (v) without the userí»s express knowledge and consent, removes or disables security, anti-spyware or anti-virus technology; (vi) without the userí»s express knowledge and consent, displays advertisements, unless they are promoting an alternative version of the software (e.g., an update or upsell); or (vii) without the userí»s express knowledge and consent, collects or shares personal information, changes file associations, adds browser toolbars or changes browser settings such as the userí»s favorites, default home page or search provider."

There are clearly reasons beyond these that cause rejection, the only ones we've seen so far are:

1. "There was a problem and we need to ask you to resubmit it"
2. "Could be vulnerable to malicious attacks"
3. "Didn't comply with the Windows Live Gallery policy"
4. "There was a problem when we tried to uninstall your submission"

If you've seen others, please post them.


"There was a problem and we need to ask you to resubmit it" is generally regarded to be bugs in the code.

"Could be vulnerable to malicious attacks" needs clearly defining by MS, as a Gadget that embeds HTML from a trusted source may well still be rejected for this reason. It still gives me a laugh to think that several Gadgets that shipped with Vista would fail submission to Live for this reason.

"Didn't comply with the Windows Live Gallery policy" I'm guessing is the legal policy I've quoted above.

"There was a problem when we tried to uninstall your submission" is due to the use of .NET DLL's in Gadgets. .NET will not free a DLL until Sidebar is unloaded because .NET requires the parent process to close. The only way around this one is to recode your DLL into unmanaged code, or keep submitting until it's approved.

We can but hope, that one day Microsoft will publish a list of rejection reasons along with descriptions.




Re: Sidebar Gadget Development submission rejection: "vulnerable to malicious attacks"

rumremix

Thanks for the reply Jonathan!

Are you sure nothing here needs sanitizing this part of the code--

Code Block
document.getElementById("cell" + (i)).innerHTML = '<div onClick=\"showFlyout(' + i + ');\">' + rssDate + '<div class="title">' + rssTitle + '</div></div>';

--inserts html from the rss feed into div elements on the html page using the innerHTML property. Shouldn't this require cleansing

Thanks.





Re: Sidebar Gadget Development submission rejection: "vulnerable to malicious attacks"

Chris Butler - MSFT

Hi rumremix.

Even innerHTML can be problematic because there is no OM function to scrub the data without writing your own. It is better if you use innerText, etc.

Take a look at the article that Michael Howard and David Ross wrote:

http://msdn2.microsoft.com/en-us/library/bb498012.aspx

If you continue to have problems please feel free to send me mail directly (chrisbu at microsoft.com).

Thanks.






Re: Sidebar Gadget Development submission rejection: "vulnerable to malicious attacks"

rumremix

Thanks very much for your response and your email, Chris. Yes, I will contact you if the gadget fails a second submission attempt.

But before I try to resubmit, I will first validate/sanitize the input as best as I know how. I cannot use innerText in lieu of innerHTML because the string that needs to be embedded contains html tags in addition to text.

The sanitizing function provided on the page by Michael Howard and David Ross (linked by you above) seems to work great.

However, I'm a little wary of creating a validating function. It loooks as though this is done by explicitly allowing safe characters using regular expressions. I am concerned that I may leave out an acceptable character that may be safe and used in the future rss feed, resulting in an inappropriate null return. Has anyone else had much experience validating html strings I have limited familiarity with regular expressions and want to make sure I get it right.

Also, is the validation step necessary for getting the gadget approved or will simply sanitizing the input suffice

Thanks!