michaelschwarz / ajax.net-professional Goto Github PK

We've recently updated the library from 6.7.20.1 to 21.12.22.1 due to the security vulnerabilities and have found the library to run considerably slower after the upgrade. We've narrowed down the change to this commit: cded013#diff-11180be976ef7ec%5B%E2%80%A6%5Ddf0a3ac2ffef214b9R344
and this line specifically:

It looks like adding the option System.Text.RegularExpressions.RegexOptions.Compiled has made it slower as the regex needs to be initialized everytime the function is called. As the function is recursive for each xml node, manual testing has shown our ajax calls go considerably slower, with the size of the data increasing the time for the ajax requests to load

Loading a dataset of ~100 goes from from <100ms to ~500ms
Loading a dataset of ~1000 goes from <200ms to ~7seconds

As a fix, making the regex a private static variable with the compiled option seems to reduce the time back to normal or it could be reverted back to what it was before without the compiled option.

Had a quick look elsewhere in the library where regexes are referenced too and it looks like its generally declared as a private variable in the class instead of within a function (https://github.com/michaelschwarz/Ajax.NET-Professional/blob/f845e338904de7db69086[…]7a2d33840b1dd8b62b/AjaxPro/JSON/Converters/DateTimeConverter.cs) so creating a private static variable for it would be consistent with other places where regexes are used

Google Chrome cannot be depended upon to send a xhr.statusText of "OK" when xhr.status == 200.

This results in intermittent false fails in Chrome browser.

I suggest removing the check for "OK" in the line if(this.xmlHttp.status == 200 && this.xmlHttp.statusText == "OK") { and instead just use the xhr.status.

Info:

• axios/axios#1501
• https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/statusText

Ajaxpro is used in my project, which will eventually generate some JavaScript code on the web page. Now I need to handle the inline JavaScript code with "content security policy header"

My purpose is as follows:

Before:

After:

I added the following configuration in the web.config file

<httpProtocol>

<customHeaders>

<add name ="Content-Security-Policy" value ="frame-ancestors myhost.com; script-src 'self' https://myhost.com 'unsafe-eval' 'unsafe-hashes' 'nonce-abcdefghijklmnopqrstuvwxyz';" />

</customHeaders>

</httpProtocol>

My question is: how can I add 'nonce' to the < script > tag generated by ajaxpro?

If you need more information, you can email me: [email protected]

I am trying async call [AjaxMethod(HttpSessionStateRequirement.ReadWrite, true)]

But Javascript still call this: return r.invoke(method, args);
Instead of declared with callback: invoke: function(method, args, callback, context) {

core.ashx:395 Uncaught TypeError: this.onTimeout is not a function
at AjaxPro.Request.timeout (core.ashx:395)

var r = this.onTimeout(this.duration, this);

this line code return error in core.js in chrom browser.

Hello

We discovered a potential security issue within this framework. Can you please provide me a contact that I can use to send details to?

Kind regards

As title said, I think md5 is not a safe way to encrypt.
Then we use sha256 instead.

return BitConverter.ToString(new SHA256Managed().ComputeHash(data)).Replace("-", String.Empty);

can supply a compressed version for all the js file?

Hi, we believe we've discovered a vulnerability within the ajax.net professional code that is exploitable.
As per the security.md, we would like to work together with the maintainers of this repository to draft a security advisory and to request a CVE for this vulnerability.

Let me know how you would like to proceed, thanks

Fix the AjaxPro.version JavaScript variable to latest release version.