diff options
Diffstat (limited to '')
-rw-r--r-- | dom/security/sanitizer/Sanitizer.cpp | 203 | ||||
-rw-r--r-- | dom/security/sanitizer/Sanitizer.h | 105 | ||||
-rw-r--r-- | dom/security/sanitizer/moz.build | 37 | ||||
-rw-r--r-- | dom/security/sanitizer/tests/mochitest/mochitest.ini | 5 | ||||
-rw-r--r-- | dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html | 82 |
5 files changed, 432 insertions, 0 deletions
diff --git a/dom/security/sanitizer/Sanitizer.cpp b/dom/security/sanitizer/Sanitizer.cpp new file mode 100644 index 0000000000..7a3e2b0206 --- /dev/null +++ b/dom/security/sanitizer/Sanitizer.cpp @@ -0,0 +1,203 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "BindingDeclarations.h" +#include "mozilla/dom/BindingUtils.h" +#include "mozilla/dom/DocumentFragment.h" +#include "mozilla/dom/SanitizerBinding.h" +#include "nsContentUtils.h" +#include "nsGenericHTMLElement.h" +#include "nsTreeSanitizer.h" +#include "Sanitizer.h" + +namespace mozilla { +namespace dom { + +NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(Sanitizer, mGlobal) + +NS_IMPL_CYCLE_COLLECTING_ADDREF(Sanitizer) +NS_IMPL_CYCLE_COLLECTING_RELEASE(Sanitizer) + +NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(Sanitizer) + NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY + NS_INTERFACE_MAP_ENTRY(nsISupports) +NS_INTERFACE_MAP_END + +JSObject* Sanitizer::WrapObject(JSContext* aCx, + JS::Handle<JSObject*> aGivenProto) { + return Sanitizer_Binding::Wrap(aCx, this, aGivenProto); +} + +/* static */ +already_AddRefed<Sanitizer> Sanitizer::Constructor( + const GlobalObject& aGlobal, const SanitizerOptions& aOptions, + ErrorResult& aRv) { + // Note: Later, aOptions will be interpreted and stored as a member. + // We'll just ignore it for now. + nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(aGlobal.GetAsSupports()); + RefPtr<Sanitizer> sanitizer = new Sanitizer(global); + AutoTArray<nsString, 1> params = {}; + sanitizer->LogLocalizedString("SanitizerOptionsDiscarded", params, + nsIScriptError::infoFlag); + return sanitizer.forget(); +} + +/* static */ +already_AddRefed<DocumentFragment> Sanitizer::InputToNewFragment( + const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput, + ErrorResult& aRv) { + // turns an StringOrDocumentFragmentOrDocument into a DocumentFragment for + // internal use with nsTreeSanitizer + + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (!window || !window->GetDoc()) { + // FIXME: Should we throw another exception? + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + if (!aInput.WasPassed()) { + AutoTArray<nsString, 1> params = {}; + LogLocalizedString("SanitizerRcvdNoInput", params, + nsIScriptError::warningFlag); + + RefPtr<DocumentFragment> emptyFragment = + window->GetDoc()->CreateDocumentFragment(); + return emptyFragment.forget(); + } + // We need to create a new docfragment based on the input + // and can't use a live document (possibly with mutation observershandlers) + nsAutoString innerHTML; + if (aInput.Value().IsDocumentFragment()) { + RefPtr<DocumentFragment> inFragment = + &aInput.Value().GetAsDocumentFragment(); + inFragment->GetInnerHTML(innerHTML); + } else if (aInput.Value().IsString()) { + innerHTML.Assign(aInput.Value().GetAsString()); + } else if (aInput.Value().IsDocument()) { + RefPtr<Document> doc = &aInput.Value().GetAsDocument(); + nsCOMPtr<Element> docElement = doc->GetDocumentElement(); + + docElement->GetInnerHTML(innerHTML, IgnoreErrors()); + } + if (innerHTML.IsEmpty()) { + AutoTArray<nsString, 1> params = {}; + LogLocalizedString("SanitizerRcvdNoInput", params, + nsIScriptError::warningFlag); + + RefPtr<DocumentFragment> emptyFragment = + window->GetDoc()->CreateDocumentFragment(); + return emptyFragment.forget(); + } + // We don't have a context element yet. let's create a mock HTML body element + RefPtr<mozilla::dom::NodeInfo> info = + window->GetDoc()->NodeInfoManager()->GetNodeInfo( + nsGkAtoms::body, nullptr, kNameSpaceID_XHTML, nsINode::ELEMENT_NODE); + + nsCOMPtr<nsINode> context = NS_NewHTMLBodyElement( + info.forget(), mozilla::dom::FromParser::FROM_PARSER_FRAGMENT); + RefPtr<DocumentFragment> fragment = nsContentUtils::CreateContextualFragment( + context, innerHTML, true /* aPreventScriptExecution */, aRv); + if (aRv.Failed()) { + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + return fragment.forget(); +} + +already_AddRefed<DocumentFragment> Sanitizer::Sanitize( + const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput, + ErrorResult& aRv) { + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (!window || !window->GetDoc()) { + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + if (!aInput.WasPassed()) { + AutoTArray<nsString, 1> params = {}; + LogLocalizedString("SanitizerRcvdNoInput", params, + nsIScriptError::warningFlag); + RefPtr<DocumentFragment> fragment = + window->GetDoc()->CreateDocumentFragment(); + return fragment.forget(); + } + ErrorResult error; + RefPtr<DocumentFragment> fragment = + Sanitizer::InputToNewFragment(aInput, error); + if (error.Failed()) { + return fragment.forget(); + } + nsTreeSanitizer treeSanitizer(mSanitizationFlags); + + treeSanitizer.Sanitize(fragment); + return fragment.forget(); +} + +void Sanitizer::SanitizeToString( + const Optional<StringOrDocumentFragmentOrDocument>& aInput, + nsAString& outSanitized, ErrorResult& aRv) { + outSanitized.Truncate(); + if (!aInput.WasPassed()) { + AutoTArray<nsString, 1> params = {}; + LogLocalizedString("SanitizerRcvdNoInput", params, + nsIScriptError::warningFlag); + return; + } + ErrorResult error; + RefPtr<DocumentFragment> fragment = + Sanitizer::InputToNewFragment(aInput, error); + if (error.Failed()) { + return; + } + nsTreeSanitizer treeSanitizer(mSanitizationFlags); + + treeSanitizer.Sanitize(fragment); + fragment->GetInnerHTML(outSanitized); +} + +/* ------ Logging ------ */ + +void Sanitizer::LogLocalizedString(const char* aName, + const nsTArray<nsString>& aParams, + uint32_t aFlags) { + uint64_t innerWindowID = 0; + bool isPrivateBrowsing = true; + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (window && window->GetDoc()) { + auto* doc = window->GetDoc(); + innerWindowID = doc->InnerWindowID(); + isPrivateBrowsing = nsContentUtils::IsInPrivateBrowsing(doc); + } + nsAutoString logMsg; + nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES, + aName, aParams, logMsg); + LogMessage(logMsg, aFlags, innerWindowID, isPrivateBrowsing); +} + +/* static */ +void Sanitizer::LogMessage(const nsAString& aMessage, uint32_t aFlags, + uint64_t aInnerWindowID, bool aFromPrivateWindow) { + // Prepending 'Sanitizer' to the outgoing console message + nsString message; + message.AppendLiteral(u"Sanitizer: "); + message.Append(aMessage); + + // Allow for easy distinction in devtools code. + nsCString category("Sanitizer"); + + if (aInnerWindowID > 0) { + // Send to content console + nsContentUtils::ReportToConsoleByWindowID(message, aFlags, category, + aInnerWindowID); + } else { + // Send to browser console + nsContentUtils::LogSimpleConsoleError( + message, category.get(), aFromPrivateWindow, + true /* from chrome context */, aFlags); + } +} + +} // namespace dom +} // namespace mozilla diff --git a/dom/security/sanitizer/Sanitizer.h b/dom/security/sanitizer/Sanitizer.h new file mode 100644 index 0000000000..9e9407655c --- /dev/null +++ b/dom/security/sanitizer/Sanitizer.h @@ -0,0 +1,105 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_dom_Sanitizer_h +#define mozilla_dom_Sanitizer_h + +#include "mozilla/dom/BindingDeclarations.h" +#include "mozilla/dom/DocumentFragment.h" +#include "mozilla/dom/SanitizerBinding.h" +#include "nsString.h" +#include "nsIParserUtils.h" +#include "nsTreeSanitizer.h" + +// XXX(Bug 1673929) This is not really needed here, but the generated +// SanitizerBinding.cpp needs it and does not include it. +#include "mozilla/dom/Document.h" + +class nsISupports; + +namespace mozilla { + +class ErrorResult; + +namespace dom { + +class GlobalObject; + +class Sanitizer final : public nsISupports, public nsWrapperCache { + public: + NS_DECL_CYCLE_COLLECTING_ISUPPORTS + NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS(Sanitizer) + + explicit Sanitizer(nsIGlobalObject* aGlobal) : mGlobal(aGlobal) { + MOZ_ASSERT(aGlobal); + // FIXME(freddyb): Waiting for wicg-draft to evolve. Bug 1658564. + mSanitizationFlags = nsIParserUtils::SanitizerAllowStyle | + nsIParserUtils::SanitizerAllowComments; + } + + nsIGlobalObject* GetParentObject() const { return mGlobal; } + + JSObject* WrapObject(JSContext* aCx, + JS::Handle<JSObject*> aGivenProto) override; + + /** + * Sanitizer() WebIDL constructor + * @return a new Sanitizer object, with methods as below + */ + static already_AddRefed<Sanitizer> Constructor( + const GlobalObject& aGlobal, const SanitizerOptions& aOptions, + ErrorResult& aRv); + + /** + * sanitize WebIDL method. + * @param aInput "bad" HTML that needs to be sanitized + * @return DocumentFragment of the sanitized HTML + */ + already_AddRefed<DocumentFragment> Sanitize( + const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput, + ErrorResult& aRv); + + /** + * sanitizeToString WebIDL method. + * @param aInput "bad" HTML that needs to be sanitized + * @param outSanitized out-param for the string of sanitized HTML + */ + void SanitizeToString( + const Optional<StringOrDocumentFragmentOrDocument>& aInput, + nsAString& outSanitized, ErrorResult& aRv); + + /** + * Logs localized message to either content console or browser console + * @param aName Localization key + * @param aParams Localization parameters + * @param aFlags Logging Flag (see nsIScriptError) + */ + void LogLocalizedString(const char* aName, const nsTArray<nsString>& aParams, + uint32_t aFlags); + + private: + ~Sanitizer() = default; + already_AddRefed<DocumentFragment> InputToNewFragment( + const Optional<mozilla::dom::StringOrDocumentFragmentOrDocument>& aInput, + ErrorResult& aRv); + /** + * Logs localized message to either content console or browser console + * @param aMessage Message to log + * @param aFlags Logging Flag (see nsIScriptError) + * @param aInnerWindowID Inner Window ID (Logged on browser console if 0) + * @param aFromPrivateWindow If from private window + */ + static void LogMessage(const nsAString& aMessage, uint32_t aFlags, + uint64_t aInnerWindowID, bool aFromPrivateWindow); + + SanitizerOptions mOptions; + uint32_t mSanitizationFlags; + nsCOMPtr<nsIGlobalObject> mGlobal; +}; +} // namespace dom +} // namespace mozilla + +#endif // ifndef mozilla_dom_Sanitizer_h diff --git a/dom/security/sanitizer/moz.build b/dom/security/sanitizer/moz.build new file mode 100644 index 0000000000..4baec486c5 --- /dev/null +++ b/dom/security/sanitizer/moz.build @@ -0,0 +1,37 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +with Files("**"): + BUG_COMPONENT = ("Core", "DOM: Security") + +# TEST_DIRS += [ 'tests' ] + +MOCHITEST_MANIFESTS += ["tests/mochitest/mochitest.ini"] + + +EXPORTS.mozilla.dom += [ + "Sanitizer.h", +] + +UNIFIED_SOURCES += [ + "Sanitizer.cpp", +] + +LOCAL_INCLUDES += [ + "/dom/base", + "/dom/bindings", + "/dom/html", +] + +# include('/ipc/chromium/chromium-config.mozbuild') +# include('/tools/fuzzing/libfuzzer-config.mozbuild') + +FINAL_LIBRARY = "xul" + +# if CONFIG['FUZZING_INTERFACES']: +# TEST_DIRS += [ +# 'fuzztest' +# ] diff --git a/dom/security/sanitizer/tests/mochitest/mochitest.ini b/dom/security/sanitizer/tests/mochitest/mochitest.ini new file mode 100644 index 0000000000..ccc8440d87 --- /dev/null +++ b/dom/security/sanitizer/tests/mochitest/mochitest.ini @@ -0,0 +1,5 @@ +[DEFAULT] +prefs = + dom.security.sanitizer.enabled=true +scheme=https +[test_sanitizer_api.html] diff --git a/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html new file mode 100644 index 0000000000..6e0a827cd9 --- /dev/null +++ b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html @@ -0,0 +1,82 @@ +<!DOCTYPE HTML> +<title>Test sanitizer api</title> +<script src="/tests/SimpleTest/SimpleTest.js"></script> +<link rel="stylesheet" href="/tests/SimpleTest/test.css" /> +<div id="div"></div> +<script type="text/javascript"> +"use strict"; +/* global Sanitizer */ +// we're not done after "onload" +SimpleTest.waitForExplicitFinish(); +(async function() { + // Ensure Sanitizer is not exposed when the pref is false + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.sanitizer.enabled", false]], + }); + ok(typeof Sanitizer === "undefined", "Sanitizer undefined when preffed off"); + + // The rest of this test assumes the sanitizer is enabled + await SpecialPowers.pushPrefEnv({ + set: [["dom.security.sanitizer.enabled", true]], + }); + + + function* possibleInputTypes(inputStr) { + /* This generator function, given a string, yields all possible input objects + for our sanitizer API (string, docfragment, document). + */ + + // 1) as string + yield ({testInput: inputStr, testType: "String" }); + // 2) as DocumentFragment + let temp = document.createElement('template'); + // asking eslint to skip this: innerHTML is safe for template elements. + // eslint-disable-next-line no-unsanitized/property + temp.innerHTML = inputStr; + yield ({testInput: temp.content, testType: "DocumentFragment" }); + // 3) as HTMLDocument + const parser = new DOMParser; + yield ({testInput: parser.parseFromString(inputStr, "text/html"), testType: "Document" }); + } + // basic interface smoke test + ok(typeof Sanitizer === "function", "Sanitizer constructor exposed when preffed on"); + const mySanitizer = new Sanitizer(); + ok(mySanitizer, "Sanitizer constructor works"); + ok(mySanitizer.sanitize, "sanitize function exists"); + + // testing sanitizer results + const testCases = [ + { + testString: "<p>hello</p>", + testExpected: "<p>hello</p>" + }, + { + // script element encoded to not confuse the HTML parser and end execution here + testString: "<p>second test</p><script>alert(1)\x3C/script>", + testExpected: "<p>second test</p>" + }, + ]; + + + const div = document.getElementById("div"); + for (let test of testCases) { + const {testString, testExpected} = test; + + for (let testInputAndType of possibleInputTypes(testString)) { + const {testInput, testType} = testInputAndType; + + // test documentfragment API + div.innerHTML = ""; + const docFragment = mySanitizer.sanitize(testInput); + div.append(docFragment); + is(div.innerHTML, testExpected, `Sanitizer.sanitize() should turn (${testType}) '${testInput}' into '${testExpected}'`); + + // test string api, doesnt work yet + /*is(mySanitizer.sanitizeToString(testInput), testExpected, + `Sanitizer.sanitizeToString() should turn (${testType}) '${testInput}' into '${testExpected}'`);*/ + } + } + + SimpleTest.finish(); +})(); +</script> |