From 913f4b367c6970bbe6ce5afacfc65efc71226a8f Mon Sep 17 00:00:00 2001
From: Michael Schwarz
Date: Thu, 10 Oct 2024 08:40:39 +0200
Subject: [PATCH] changed to set DES encryption obsolte added configuration ExceptionDetailsEnabled to hide exception detials
---
 .../AjaxSettingsSectionHandler.cs | 6 +
 AjaxPro/JSON/Converters/ExceptionConverter.cs | 39 +-
 AjaxPro/Security/DecryptTransformer.cs | 14 +-
 AjaxPro/Security/EncryptTransformer.cs | 343 ++++++++++--------
 AjaxPro/Utilities/AjaxSettings.cs | 8 +
 AjaxPro/core.js | 2 +-
 AjaxPro/web.config | 6 +
 7 files changed, 243 insertions(+), 175 deletions(-)
diff --git a/AjaxPro/Configuration/AjaxSettingsSectionHandler.cs b/AjaxPro/Configuration/AjaxSettingsSectionHandler.cs
index ff79764..f8b7d26 100644
--- a/AjaxPro/Configuration/AjaxSettingsSectionHandler.cs
+++ b/AjaxPro/Configuration/AjaxSettingsSectionHandler.cs
@@ -37,6 +37,7 @@
 * MS 21-10-27 added allowed customized types for JSON deserialization
 * MS 21-10-30 added contentSecurityPolicy to specify a nonce for all scripts
 * MS 23-05-25 added a configuration to not throw an exception when a property is not supported to read from
+ * MS 24-10-10 added configuration ExceptionDetailsEnabled to hide exception detials
 *
 *
 *
@@ -162,6 +163,11 @@ public object Create(object parent, object configContext, System.Xml.XmlNode sec
 if (n.SelectSingleNode("@enabled") != null && n.SelectSingleNode("@enabled").InnerText == "true")
 settings.IgnoreNotSupportedProperties = true;
 }
+ else if (n.Name == "exceptionDetails")
+ {
+ if (n.SelectSingleNode("@enabled") != null && n.SelectSingleNode("@enabled").InnerText == "true")
+ settings.ExceptionDetailsEnabled = true;
+ }
 else if (n.Name == "contentSecurityPolicy")
 {
 var a = n.SelectSingleNode("@nonce");
diff --git a/AjaxPro/JSON/Converters/ExceptionConverter.cs b/AjaxPro/JSON/Converters/ExceptionConverter.cs
index d468248..fdcef4a 100644
--- a/AjaxPro/JSON/Converters/ExceptionConverter.cs
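Review bot: The new `exceptionDetails` branch repeats the `@enabled` lookup-and-compare idiom of the neighbouring branches, so `n.SelectSingleNode("@enabled")` is evaluated twice per node and only the exact string `"true"` is accepted; that matches the existing code, but a shared helper such as `static bool IsEnabled(XmlNode n) { var a = n.SelectSingleNode("@enabled"); return a != null && a.InnerText == "true"; }` would remove the fourth copy and the double lookup. Because `ExceptionDetailsEnabled` is only ever set to `true` here, a site that does not add the element will stop receiving exception messages after upgrading; a comment on the branch such as `// opt-in: without this element clients get a generic error message only` would make that intent visible where the setting is parsed. The enclosing `Create` method starts and ends outside the hunk.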
+++ b/AjaxPro/JSON/Converters/ExceptionConverter.cs @@ -27,6 +27,7 @@ * MS 06-05-24 initial version * MS 06-09-24 use QuoteString instead of Serialize * MS 06-09-26 improved performance using StringBuilder + * MS 24-10-10 added configuration ExceptionDetailsEnabled to hide exception detials * * */ @@ -83,25 +84,33 @@ public override void Serialize(object o, StringBuilder sb) // in the object the callback JavaScript method will get. sb.Append("{\"Message\":"); - JavaScriptUtil.QuoteString(ex.Message, sb); - sb.Append(",\"Type\":"); - JavaScriptUtil.QuoteString(o.GetType().FullName, sb); -#if (!JSONLIB) - if (AjaxPro.Utility.Settings.DebugEnabled) - { - sb.Append(",\"Stack\":"); - JavaScriptUtil.QuoteString(ex.StackTrace, sb); - if (ex.TargetSite != null) + if (!AjaxPro.Utility.Settings.ExceptionDetailsEnabled) + { + JavaScriptUtil.QuoteString("An error occurred.", sb); + } + else + { + JavaScriptUtil.QuoteString(ex.Message, sb); + sb.Append(",\"Type\":"); + JavaScriptUtil.QuoteString(o.GetType().FullName, sb); +#if (!JSONLIB) + if (AjaxPro.Utility.Settings.DebugEnabled) { - sb.Append(",\"TargetSite\":"); - JavaScriptUtil.QuoteString(ex.TargetSite.ToString(), sb); - } + sb.Append(",\"Stack\":"); + JavaScriptUtil.QuoteString(ex.StackTrace, sb); - sb.Append(",\"Source\":"); - JavaScriptUtil.QuoteString(ex.Source, sb); - } + if (ex.TargetSite != null) + { + sb.Append(",\"TargetSite\":"); + JavaScriptUtil.QuoteString(ex.TargetSite.ToString(), sb); + } + + sb.Append(",\"Source\":"); + JavaScriptUtil.QuoteString(ex.Source, sb); + } #endif + } sb.Append("}"); } diff --git a/AjaxPro/Security/DecryptTransformer.cs b/AjaxPro/Security/DecryptTransformer.cs index f35757c..a4ea7bc 100644 --- a/AjaxPro/Security/DecryptTransformer.cs +++ b/AjaxPro/Security/DecryptTransformer.cs 
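Review bot: The new `if (!AjaxPro.Utility.Settings.ExceptionDetailsEnabled)` guard sits outside the `#if (!JSONLIB)` region, whereas the only pre-existing reference to `AjaxPro.Utility.Settings` (the `DebugEnabled` check) was deliberately kept inside it; if the JSONLIB build has no `Settings` type, as that placement suggests, this file no longer compiles in that configuration, so the guard should read a local that is defined under `#if JSONLIB` as `true` and otherwise from `Settings`. The hidden branch also drops the `"Type"` member that was previously always emitted, so the JSON shape now depends on configuration and clients that dispatch on `Type` see it missing under the default setting; hiding message and type by default is a sound choice for a public endpoint, but it is a wire-format change and the changelog line should say so rather than only "hide exception detials". `Serialize` begins outside the hunk.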
@@ -23,6 +23,11 @@ * CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ +/* + * MS 24-10-10 changed to set DES encryption obsolete + * + * + */ using System; using System.Security.Cryptography; @@ -76,7 +81,14 @@ internal ICryptoTransform GetCryptoServiceProvider(byte[] bytesKey) rijndael.Mode = CipherMode.CBC; return rijndael.CreateDecryptor(bytesKey, initVec); - default: + case EncryptionAlgorithm.Aes: + AesCryptoServiceProvider aes = new AesCryptoServiceProvider(); + aes.Mode = CipherMode.CBC; + aes.Key = bytesKey; + aes.IV = initVec; + return aes.CreateDecryptor(); + + default: throw new CryptographicException("Algorithm ID '" + algorithmID + "' not supported!"); } } diff --git a/AjaxPro/Security/EncryptTransformer.cs b/AjaxPro/Security/EncryptTransformer.cs index df27d43..f4cdc45 100644 --- a/AjaxPro/Security/EncryptTransformer.cs +++ b/AjaxPro/Security/EncryptTransformer.cs @@ -25,6 +25,7 @@ */ /* * MS 06-04-25 enums should have a zero value + * MS 24-10-10 changed to set DES encryption obsolete * * */ 
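Review bot: Marking `EncryptionAlgorithm.Des` `[Obsolete]` only yields a compile-time warning; `GetCryptoServiceProvider` here (and in `EncryptTransformer`) still constructs a `DESCryptoServiceProvider` at runtime for any caller, including already-compiled ones and anything that ends up with the enum's zero value, so the commit's "obsolete" does not reduce what the decryptor accepts. If the intent is to retire 56-bit DES, the `Des` case (outside this hunk) should throw or at least log, e.g. `case EncryptionAlgorithm.Des: throw new CryptographicException("DES is obsolete; use EncryptionAlgorithm.Aes.");`, after a documented deprecation period. The new `Aes` case is also written in a different style from the `Rijndael` case directly above it — `aes.Key`/`aes.IV` property assignments instead of `CreateDecryptor(bytesKey, initVec)` — and `AesCryptoServiceProvider` is the CAPI-specific type that .NET 6+ flags as obsolete (SYSLIB0021); `Aes.Create()` gives the same CBC decryptor portably.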
@@ -33,49 +34,51 @@ namespace AjaxPro.Cryptography { - /// - /// - /// - public enum EncryptionAlgorithm - { - /// - /// - /// - Des = 0, - - /// - /// - /// - Rc2, - - /// - /// - /// - Rijndael, - - /// - /// - /// - TripleDes - }; - - /// - /// - /// - internal class EncryptTransformer - { - private EncryptionAlgorithm algorithmID; - private byte[] initVec; - private byte[] encKey; + /// + /// + /// + public enum EncryptionAlgorithm + { + [Obsolete("Use EncryptionAlgorithm.Aes instead.")] + /// + /// + /// + Des = 0, + + /// + /// + /// + Rc2, + + /// + /// + /// + Rijndael, + + /// + /// + /// + TripleDes, + Aes + }; + + /// + /// + /// + internal class EncryptTransformer + { + private EncryptionAlgorithm algorithmID; + private byte[] initVec; + private byte[] encKey; /// /// Initializes a new instance of the class. /// /// The alg id. public EncryptTransformer(EncryptionAlgorithm algId) - { - algorithmID = algId; - } + { + algorithmID = algId; + } /// /// Gets the crypto service provider. 
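Review bot: The `[Obsolete("Use EncryptionAlgorithm.Aes instead.")]` attribute is placed before the `///` block of `Des` rather than after it; C# expects the documentation comment to precede the attributes, so as written the comment is likely reported as misplaced (CS1587) and no longer attached to `Des` — order it as `///` comment, then the attribute, then `Des = 0,`. `Des` also stays the enum's zero value, so `default(EncryptionAlgorithm)` and any uninitialised field of this type still select the algorithm being deprecated; renumbering would break persisted values, so a `<remarks>` on the enum stating that the default must be set explicitly would be worthwhile. The new `Aes` member is the only one without a doc comment — `/// <summary>AES in CBC mode; preferred over Des, Rc2 and TripleDes.</summary>` would match its siblings. The rest of this hunk is re-indentation of unchanged text, which would be easier to review as a separate whitespace-only commit.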
@@ -83,137 +86,161 @@ public EncryptTransformer(EncryptionAlgorithm algId) /// The bytes key. /// internal ICryptoTransform GetCryptoServiceProvider(byte[] bytesKey) - { - switch(algorithmID) - { - case EncryptionAlgorithm.Des: - DES des = new DESCryptoServiceProvider(); - des.Mode = CipherMode.CBC; - - if(null == bytesKey) - { - encKey = des.Key; - } - else - { - des.Key = bytesKey; - encKey = des.Key; - } - - if(null == initVec) - { - initVec = des.IV; - } - else - { - des.IV = initVec; - } - return des.CreateEncryptor(); - - case EncryptionAlgorithm.TripleDes: - TripleDES des3 = new TripleDESCryptoServiceProvider(); - des3.Mode = CipherMode.CBC; - - if(null == bytesKey) - { - encKey = des3.Key; - } - else - { - des3.Key = bytesKey; - encKey = des3.Key; - } - - if(null == initVec) - { - initVec = des3.IV; - } - else - { - des3.IV = initVec; - } - return des3.CreateEncryptor(); - - case EncryptionAlgorithm.Rc2: - RC2 rc2 = new RC2CryptoServiceProvider(); - rc2.Mode = CipherMode.CBC; - - if(null == bytesKey) - { - encKey = rc2.Key; - } - else - { - rc2.Key = bytesKey; - encKey = rc2.Key; - } - - if(null == initVec) - { - initVec = rc2.IV; - } - else - { - rc2.IV = initVec; - } - return rc2.CreateEncryptor(); - - case EncryptionAlgorithm.Rijndael: - Rijndael rijndael = new RijndaelManaged(); - rijndael.Mode = CipherMode.CBC; - - if(null == bytesKey) - { - encKey = rijndael.Key; - } - else - { - rijndael.Key = bytesKey; - encKey = rijndael.Key; - } - - if(null == initVec) - { - initVec = rijndael.IV; - } - else - { - rijndael.IV = initVec; - } - return rijndael.CreateEncryptor(); - - default: - throw new CryptographicException("Algorithm ID '" + algorithmID + "' not supported!"); - } - } + { + switch (algorithmID) + { + case EncryptionAlgorithm.Des: + DES des = new DESCryptoServiceProvider(); + des.Mode = CipherMode.CBC; + + if (null == bytesKey) + { + encKey = des.Key; + } + else + { + des.Key = bytesKey; + encKey = des.Key; + } + + if (null == initVec) + { + 
initVec = des.IV; + } + else + { + des.IV = initVec; + } + return des.CreateEncryptor(); + + case EncryptionAlgorithm.TripleDes: + TripleDES des3 = new TripleDESCryptoServiceProvider(); + des3.Mode = CipherMode.CBC; + + if (null == bytesKey) + { + encKey = des3.Key; + } + else + { + des3.Key = bytesKey; + encKey = des3.Key; + } + + if (null == initVec) + { + initVec = des3.IV; + } + else + { + des3.IV = initVec; + } + return des3.CreateEncryptor(); + + case EncryptionAlgorithm.Rc2: + RC2 rc2 = new RC2CryptoServiceProvider(); + rc2.Mode = CipherMode.CBC; + + if (null == bytesKey) + { + encKey = rc2.Key; + } + else + { + rc2.Key = bytesKey; + encKey = rc2.Key; + } + + if (null == initVec) + { + initVec = rc2.IV; + } + else + { + rc2.IV = initVec; + } + return rc2.CreateEncryptor(); + + case EncryptionAlgorithm.Rijndael: + Rijndael rijndael = new RijndaelManaged(); + rijndael.Mode = CipherMode.CBC; + + if (null == bytesKey) + { + encKey = rijndael.Key; + } + else + { + rijndael.Key = bytesKey; + encKey = rijndael.Key; + } + + if (null == initVec) + { + initVec = rijndael.IV; + } + else + { + rijndael.IV = initVec; + } + return rijndael.CreateEncryptor(); + + case EncryptionAlgorithm.Aes: + AesCryptoServiceProvider aes = new AesCryptoServiceProvider(); + aes.Mode = CipherMode.CBC; + + if (null == bytesKey) if (null == bytesKey) + { + encKey = aes.Key; encKey = aes.Key; + } + else + { + aes.Key = bytesKey; + encKey = aes.Key; + } + + if (null == initVec) if (null == initVec) + { + initVec = aes.IV; + } + else + { + aes.IV = initVec; + } + return aes.CreateEncryptor(); + + default: + throw new CryptographicException("Algorithm ID '" + algorithmID + "' not supported!"); + } + } /// /// Gets or sets the IV. /// /// The IV. internal byte[] IV - { - get - { - return initVec; - } - set - { - initVec = value; - } - } + { + get + { + return initVec; + } + set + { + initVec = value; + } + } /// /// Gets the key. /// /// The key. 
internal byte[] Key - { - get - { - return encKey; - } - } - - } + { + get + { + return encKey; + } + } + + } } diff --git a/AjaxPro/Utilities/AjaxSettings.cs b/AjaxPro/Utilities/AjaxSettings.cs index 2100926..6d74c42 100644 --- a/AjaxPro/Utilities/AjaxSettings.cs +++ b/AjaxPro/Utilities/AjaxSettings.cs @@ -38,6 +38,7 @@ * MS 21-10-30 added contentSecurityPolicy to specify a nonce for all scripts * MS 21-11-22 changed to set the default behavior to not allow custom types * MS 23-05-25 added a configuration to not throw an exception when a property is not supported to read from + * MS 24-10-10 added configuration ExceptionDetailsEnabled to hide exception detials * * */ @@ -101,6 +102,7 @@ internal class AjaxSettings private bool m_IsUseSimpleObjectNaming = false; private bool m_IsOnlyAllowTypesInList = false; private bool m_IsIgnoreNotSupportedProperties = false; + private bool m_ExceptionDetailsEnabled = false; private System.Collections.Specialized.StringCollection m_OldStyle = new System.Collections.Specialized.StringCollection(); @@ -209,6 +211,12 @@ internal bool IgnoreNotSupportedProperties set { m_IsIgnoreNotSupportedProperties = value; } } + internal bool ExceptionDetailsEnabled + { + get { return m_ExceptionDetailsEnabled; } + set { m_ExceptionDetailsEnabled = value; } + } + /// /// Gets or sets several settings that will be used for old styled web applications. /// diff --git a/AjaxPro/core.js b/AjaxPro/core.js index 5917e27..a785742 100644 --- a/AjaxPro/core.js +++ b/AjaxPro/core.js @@ -174,7 +174,7 @@ Object.extend(AjaxPro, { queue: null, noUtcTime: false, regExDate: function (str, p1, p2, offset, s) { - var date = str.substring(1).replace('"', ''); + var date = str.substring(1).replace(/"/g, ''); if (date.substring(0, 7) == "\\\/Date(") { var d = date.match(/Date\((.*?)\)/)[1]; return "new Date(" + parseInt(d) + ")"; diff --git a/AjaxPro/web.config b/AjaxPro/web.config index 00c3cb1..f269d05 100644 --- a/AjaxPro/web.config +++ b/AjaxPro/web.config 
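Review bot: In the new `case EncryptionAlgorithm.Aes:` branch the guards are printed as `if (null == bytesKey) if (null == bytesKey)` and `if (null == initVec) if (null == initVec)`, with `encKey = aes.Key; encKey = aes.Key;` inside the first. If that is the committed text rather than a rendering artefact, it compiles — the `else` binds to the inner `if` — but when a caller supplies a key or IV the outer condition is false and the `else` never executes: `bytesKey` is never assigned to `aes.Key`, `encKey` stays null, and the supplied IV is never set on `aes`, so the encryptor runs with a random key/IV the caller cannot reproduce while `Key` reports null and `IV` reports the caller's value. Each guard should appear once, exactly as in the `Rijndael` case above: `if (null == bytesKey)`, `encKey = aes.Key;`, `if (null == initVec)`. The five cases now repeat identical key/IV handling verbatim; a private helper taking a `SymmetricAlgorithm` would make the Aes case a few lines and rule out this class of copy error, and the re-indentation of the whole method hides the functional addition in whitespace churn.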
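Review bot: The new `ExceptionDetailsEnabled` property has no XML documentation, unlike the neighbouring `OldStyle` property whose `/// <summary>` follows it, and nothing records that the default is `false`, i.e. exception messages are withheld unless `<exceptionDetails enabled="true"/>` is configured. Suggested: `/// <summary>Gets or sets whether exception message, type and (with debug enabled) stack trace are returned to the client. Defaults to false, in which case only a generic message is sent.</summary>`. The `m_ExceptionDetailsEnabled = false` initialiser in the earlier hunk of this file is currently the only place that default can be read. The enclosing `AjaxSettings` class extends beyond the hunk.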
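Review bot: `parseInt(d)` on the line after the changed one has no radix; since that call is what confines the text spliced into `"new Date(" + ... + ")"` to a number (or `NaN`), it deserves to be explicit: `return "new Date(" + parseInt(d, 10) + ")";`. The `/g` change itself is correct — the old `replace('"', '')` removed only the first quote. `regExDate` continues outside the hunk.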
@@ -61,6 +61,12 @@ --> +