XSS Vulnerability Patch 1

To implement this patch, create a custom module to override the appropriate file for your release within the SspLibraries module. The following table lists the appropriate files for each release.

The location of the file that you need to override depends on the SCA release that you need to patch:

| Release | File Location |
| --- | --- |
| 2019.2 | .../SC_19.2_Live/Commons/SspLibraries/SuiteScript/ServiceController.js |
| 2019.1 | .../Modules/suitecommerce/SspLibraries@sc-2019.1.0/SuiteScript/ServiceController.js |
| 2018.2 | .../Modules/suitecommerce/SspLibraries@sc-2018.2.0/SuiteScript/ServiceController.js |
| Aconcagua | .../Modules/suitecommerce/SspLibraries@aconcaguaR2/SuiteScript/ServiceController.js |
| Kilimanjaro | .../Modules/suitecommerce/SspLibraries@4.2.0/SuiteScript/ServiceController.js |
| Elbrus | .../Modules/suitecommerce/SspLibraries@4.0.0/SuiteScript/ServiceController.js |
| Vinson | .../Modules/suitecommerce/SspLibraries@3.0.0/SuiteScript/ServiceController.js |
| Montblanc | .../Modules/suitecommerce/SspLibraries@2.2.0/SuiteScript/Application.js |
| Denali | .../Modules/suitecommerce/SspLibraries@2.1.1/SuiteScript/Application.js |

If you are not familiar with implementing patches for SCA, refer to the following:

Step 1: Create the Override Files

Following the instructions and recommendations in the Patch Using Override Mode procedure, copy and paste the following code samples in the new directory and file you create. Where you create the new directory and file depends on the SCA release that you need to patch:

| Release | Location of New Directory and File |
| --- | --- |
| 2019.2 | .../SC_19.2_Live/Commons/extensions/SspLibrariesExtension@1.00/SuiteScript/ServiceController.js |
| Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | .../Modules/extensions/SspLibrariesExtension@1.00/SuiteScript/ServiceController.js |
| Denali and Montblanc | .../Modules/extensions/SspLibrariesExtension@1.00/SuiteScript/Application.js |

Note:

If you are patching 2019.2, you also need to complete the steps in Additional Edits for the 2019.2 Release.

  • In the ServiceController.js file in the 2019.2 release, find the following lines of code in the processError method:

        const content = {
            errorStatusCode: parseInt(status,10).toString(),
            errorCode: code,
            errorMessage: message
        };

    And replace them with the following code:

        const content = {
            errorStatusCode: parseInt(status, 10).toString(),
            errorCode: code,
            errorMessage: _.escape(message)
        };

  • In the Application.js file in the Denali and Montblanc releases and the ServiceController.js file in the Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 releases, find the following lines of code in the processError method:

        var content = {
            errorStatusCode: parseInt(status,10).toString()
            , errorCode: code
            , errorMessage: message
        }

    And replace them with the following code:

        var content = {
            errorStatusCode: parseInt(status, 10).toString(),
            errorCode: code,
            errorMessage: _.escape(message)
        };
                  

Additional Edits for the 2019.2 Release

For the 2019.2 release, you also need to directly edit the ServiceController.ts file in the following directory: .../SC_19.2_Live/Backend/Libraries/SspLibraries

  1. Find the following lines of code in the ServiceController.ts file:

        const content = {
            errorStatusCode: status.toString(),
            errorCode: code,
            errorMessage: message,
            errorDetails: null,
            errorMessageParams: null
        };

  2. And replace them with the following code:

        const content = {
            errorStatusCode: status.toString(),
            errorCode: code,
            errorMessage: _.escape(message),
            errorDetails: null,
            errorMessageParams: null
        };

  3. Save the ServiceController.ts file and then continue with Step 2: Prepare the Developer Tools For Your Patch.
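The effect of the `_.escape(message)` change in Step 1 and in the 2019.2 edits, shown as an added example that is not part of the SCA source. `escapeHtml` is a stand-in for Underscore's `_.escape` so the block runs without the library, and the status, error code and message are constructed sample values.

```javascript
// Stand-in for Underscore's _.escape (assumption: same entity map as Underscore 1.x),
// included so the example runs without the library.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
function escapeHtml(value) {
  const s = value == null ? '' : String(value);
  return s.replace(/[&<>"'`]/g, (ch) => ENTITY_MAP[ch]);
}

// Error body as built before the patch: the message is passed through untouched.
function buildErrorContentUnpatched(status, code, message) {
  return {
    errorStatusCode: parseInt(status, 10).toString(),
    errorCode: code,
    errorMessage: message
  };
}

// Error body as built after the patch: the message is HTML-escaped.
function buildErrorContentPatched(status, code, message) {
  return {
    errorStatusCode: parseInt(status, 10).toString(),
    errorCode: code,
    errorMessage: escapeHtml(message)
  };
}

// Constructed sample input: an error message that echoes markup back to the client.
const sampleMessage = 'Record <script>alert(1)</script> not found';

const before = buildErrorContentUnpatched('404', 'ERR_RECORD_NOT_FOUND', sampleMessage);
const after = buildErrorContentPatched('404', 'ERR_RECORD_NOT_FOUND', sampleMessage);
console.log(JSON.stringify(before)); // markup survives in errorMessage
console.log(JSON.stringify(after));  // markup is rendered inert as entities

// Escaping is not idempotent: a message already escaped upstream is escaped again,
// so escape once, at the point where the error body is built.
console.log(escapeHtml('Tom &amp; Jerry'));
```

After patching, any caller that previously escaped the message itself will show doubled entities, which is a quick visual sign that escaping now happens in two places.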

Step 2: Prepare the Developer Tools For Your Patch

When preparing the Developer Tools for your patch as described in the Patch Using Override Mode procedure, you should:

  1. Paste the code appropriate for the SCA release you are patching into a new ns.package.json file that you create. Where you create the ns.package.json file depends upon the release you are working with.

    | Release | Location of New ns.package.json File |
    | --- | --- |
    | 2019.2 | .../Commons/extensions/SspLibrariesExtension@1.00/ns.package.json |
    | Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | .../Modules/extensions/SspLibrariesExtension@1.00/ns.package.json |

    • Use the following code if you are patching the 2019.2 release:

          {
             "gulp": {
                "ssp-libraries": [
                   "SuiteScript/*.js"
                ]
             },
             "overrides": {
                "Commons/SspLibraries/SuiteScript/ServiceController.js" : "SuiteScript/ServiceController.js"
             }
          }

    • Use the following code if you are patching the Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, or 2019.1 release:

          {
             "gulp": {
                "ssp-libraries": [
                   "SuiteScript/*.js"
                ]
             },
             "overrides": {
                "suitecommerce/SspLibraries@X.Y.Z/SuiteScript/ServiceController.js" : "SuiteScript/ServiceController.js"
             }
          }

      Important:

      In the preceding code sample, you must replace the string X.Y.Z with the version of the module in your implementation of SuiteCommerce Advanced.

    • Use the following code if you are patching the Denali or Montblanc release:

          {
             "gulp": {
                "ssp-libraries": [
                   "SuiteScript/*.js"
                ]
             },
             "overrides": {
                "suitecommerce/SspLibraries@2.2.0/SuiteScript/Application.js" : "SuiteScript/Application.js"
             }
          }
                        
  2. Open the distro.json file and then add your custom module to the modules object as described in the Patch Using Override Mode procedure. The location of the distro.json file depends on the version of SCA you are patching.

    | Release | Location of the distro.json File |
    | --- | --- |
    | 2019.2 | For the 2019.2 release, the distro.json file resides in the Advanced directory. For example, if you accepted the default name for the top-level directory for 2019.2, the complete path is: SuiteCommerce Advanced 2019.2/SC_19.2_Live/Advanced/distro.json. |
    | Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, and 2019.1 | For these releases, the distro.json file resides in the top-level directory. For example, for the 2018.2 release, if you accepted the default directory name for your release, the top-level directory would be SuiteCommerce Advanced 2018.2. |

    The following sample shows the value to add to the list of existing values that follow the "modules" key. Refer to the appropriate sample for the version of SCA you are working with.

    • Use the following sample if you are patching the 2019.2 release:

          "modules": {
              "../Commons/extensions/SspLibrariesExtension@1.00",
              . . .

    • Use the following sample if you are patching the Denali, Montblanc, Vinson, Elbrus, Kilimanjaro, Aconcagua, 2018.2, or 2019.1 release:

          "modules": {
              "extensions/SspLibrariesExtension": "1.0.0",
              . . .
                        

Step 3: Test and Deploy Your Patch

Follow the instructions provided in the Patch Using Override Mode procedure to test and deploy your patch.

Important:

If you are patching the 2019.2 release, you need to complete the steps in the Deploy to NetSuite Fails with Errors patch instructions to ensure that your patch deploys without errors.
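A pre-deployment check for the override described in Steps 1 and 2, added here as an example and not part of the SCA developer tools. `checkPatch` is a hypothetical helper; the expected override keys are an assumption derived from the file-location table at the top of this page, and the sample inputs are constructed.

```javascript
// Expected override keys per release (assumption: the path that follows
// ".../Modules/" or ".../SC_19.2_Live/" in the file-location table on this page).
const EXPECTED_OVERRIDE_KEY = {
  '2019.2': 'Commons/SspLibraries/SuiteScript/ServiceController.js',
  '2019.1': 'suitecommerce/SspLibraries@sc-2019.1.0/SuiteScript/ServiceController.js',
  '2018.2': 'suitecommerce/SspLibraries@sc-2018.2.0/SuiteScript/ServiceController.js',
  'Aconcagua': 'suitecommerce/SspLibraries@aconcaguaR2/SuiteScript/ServiceController.js',
  'Kilimanjaro': 'suitecommerce/SspLibraries@4.2.0/SuiteScript/ServiceController.js',
  'Elbrus': 'suitecommerce/SspLibraries@4.0.0/SuiteScript/ServiceController.js',
  'Vinson': 'suitecommerce/SspLibraries@3.0.0/SuiteScript/ServiceController.js',
  'Montblanc': 'suitecommerce/SspLibraries@2.2.0/SuiteScript/Application.js',
  'Denali': 'suitecommerce/SspLibraries@2.1.1/SuiteScript/Application.js'
};

// Hypothetical helper: returns a list of problems, empty when the patch looks complete.
function checkPatch(release, nsPackageText, overrideSource) {
  const problems = [];
  const expectedKey = EXPECTED_OVERRIDE_KEY[release];
  if (!expectedKey) return ['unknown release: ' + release];
  let pkg;
  try { pkg = JSON.parse(nsPackageText); } catch (e) { return ['ns.package.json is not valid JSON']; }
  const overrides = pkg.overrides || {};
  if (Object.keys(overrides).some((k) => k.includes('X.Y.Z'))) problems.push('X.Y.Z placeholder was not replaced');
  const target = overrides[expectedKey];
  if (!target) problems.push('no override for ' + expectedKey);
  else if (target !== 'SuiteScript/' + expectedKey.split('/').pop()) problems.push('unexpected override target: ' + target);
  // The override file must escape the message and must not keep the raw assignment.
  if (!/errorMessage\s*:\s*_\.escape\(\s*message\s*\)/.test(overrideSource)) problems.push('errorMessage is not wrapped in _.escape');
  if (/errorMessage\s*:\s*message\b/.test(overrideSource)) problems.push('unescaped errorMessage assignment still present');
  return problems;
}

// Constructed samples: a package file with the placeholder left in plus an unpatched
// source line, then the corrected pair for Kilimanjaro.
const badPkg = '{"overrides": {"suitecommerce/SspLibraries@X.Y.Z/SuiteScript/ServiceController.js": "SuiteScript/ServiceController.js"}}';
const badSrc = 'var content = { errorCode: code, errorMessage: message }';
const goodPkg = '{"overrides": {"suitecommerce/SspLibraries@4.2.0/SuiteScript/ServiceController.js": "SuiteScript/ServiceController.js"}}';
const goodSrc = 'var content = { errorCode: code, errorMessage: _.escape(message) };';
console.log(checkPatch('Kilimanjaro', badPkg, badSrc));
console.log(checkPatch('Kilimanjaro', goodPkg, goodSrc));
```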
