Replacing Non-Secure Expressions in a Mashup
In Mashup Builder, expressions are supported within functions and widgets. An expression is a snippet of JavaScript code that evaluate to a single value. Typically, expressions are used to create custom business logic in a mashup application. You can write custom expressions to validate, calculate, convert, and compare data for widgets, functions, and data services in a mashup. In addition to functions, expressions are also used to enable input validation in Grid widgets.
A security issue was discovered in mashup expressions that allows an authenticated ThingWorx user with edit permissions for a mashup to modify the DOM, in addition to widget and mashup functions and objects at run time. This issue is limited to the mashup run-time environment and does not allow users to execute code remotely on the platform server. As part of the security fix, replacements for current functions have been introduced in versions 9.3.2, 9.2.7, 9.1.11, and 9.0.16 or later of the ThingWorx platform. The following widgets and functions that support custom expressions and are affected by this issue:
• Expression function–Evaluates an expression and returns a value.
• Validator function–Evaluates an expression and returns a Boolean true or false value.
• Grid (Legacy) widget–Supports expressions for input validation.
In addition, the following legacy widgets on unsupported versions of ThingWorx (8.4 or earlier) are also affected:
• Expression widget
• Validator widget
|
The Expression and Validator widgets were replaced by functions in ThingWorx 8.4. For more information, see ThingWorx 8.4 Release Notes.
|
To improve security, the following enhancements have been introduced in versions 9.3.2, 9.2.7, 9.1.11, and 9.0.16 or later of the ThingWorx platform:
• Added new standard, and more secure, replacements for existing non-secure functions. To minimize the impact on your mashup applications, you can replace non-secure functions in a mashup manually using the Functions panel.
We strongly recommend that you use the latest standard version. However, the existing non-secure functions will continue to work until they are removed in a future release.
• Removed the ability to create non-secure functions in a new mashup entity. However, you can add or update non-secure functions in existing mashups.
• Added a Boolean property to the Grid widgets that enables you to switch to the latest secure validators.
• Grouped existing non-secure Expression and Validator functions are under a Not Secure label on the Functions panel.
• Restricted access to global
TW.Runtime functions and objects,
jQuery and DOM elements within expressions used by Expression and Validator functions, in addition to the Grid validator. If you are using ThingWorx run-time objects and functions in your mashup expressions, then you may have to manually update and verify your expressions when replacing a non-secure function. For more information about the supported functions and objects, see
Supported Runtime Functions and Objects.
|
We strongly recommend that you upgrade to the latest versions of ThingWorx that include the latest security updates as soon as they are available.
|
Affected Versions of ThingWorx
Any mashup using expressions within functions and widgets on the following supported versions of ThingWorx is affected by this change:
• ThingWorx 9.0.0 to 9.0.15
• ThingWorx 9.1.0 to 9.1.10
• ThingWorx 9.2.0 to 9.2.6
• ThingWorx 9.3.0 and 9.3.1
Starting in ThingWorx version 9.3.2, 9.2.7, 9.1.11, and 9.0.16 or later, access to mashup run-time objects and functions within JavaScript expressions is more restricted. These restrictions were added to improve the application security and to reduce potential vulnerabilities.
|
Unsupported versions of the ThingWorx that support custom expressions, such as ThingWorx 8.4.x and 8.5.x are also affected. If you are currently using an unsupported version of ThingWorx, we strongly recommend that you migrate to the latest version. Using unsupported versions of the product can expose you to security risks.
|