Merging upstream version 126.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 254 insertions, 0 deletions

diff --git a/testing/web-platform/tests/payment-request/payment-request-constructor-thcrash.https.html b/testing/web-platform/tests/payment-request/payment-request-constructor-thcrash.https.html
new file mode 100644
index 0000000000..b600307085
--- /dev/null
+++ b/testing/web-platform/tests/payment-request/payment-request-constructor-thcrash.https.html
@@ -0,0 +1,254 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<meta name="timeout" content="long">
+<title>Crash tests PaymentRequest Constructor</title>
+<link rel="help" href="https://w3c.github.io/browser-payment-api/#constructor">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+"use strict";
+const ABUSIVE_AMOUNT = 100000;
+
+const applePay = {
+  supportedMethods: "https://apple.com/apple-pay",
+  data: {
+    version: 3,
+    merchantIdentifier: "merchant.com.example",
+    countryCode: "US",
+    merchantCapabilities: ["supports3DS"],
+    supportedNetworks: ["visa"],
+  }
+};
+
+const basicCard = Object.freeze({
+  supportedMethods: "basic-card",
+});
+
+const defaultAmount = Object.freeze({
+  currency: "USD",
+  value: "1.00",
+});
+
+const evilAmount = Object.freeze({
+  currency: "USD",
+  value: "1".repeat(ABUSIVE_AMOUNT),
+});
+
+const defaultMethods = Object.freeze([basicCard, applePay]);
+
+const defaultTotal = Object.freeze({
+  label: "label",
+  amount: defaultAmount,
+});
+
+const evilTotal = Object.freeze({
+  label: "a".repeat(ABUSIVE_AMOUNT),
+  amount: evilAmount,
+});
+
+const defaultDetails = Object.freeze({
+  total: defaultTotal,
+  get id() {
+    return Math.random();
+  },
+});
+
+const defaultPaymentItem = Object.freeze({
+  label: "label",
+  amount: defaultAmount,
+});
+
+const defaultShippingOption = {
+  get id() {
+    return "shipping option " + Math.random();
+  },
+  amount: defaultAmount,
+  label: "shipping option label",
+};
+
+// First argument is sequence<PaymentMethodData> methodData
+test(() => {
+  let evilMethods = [Object.assign({}, basicCard)];
+  // smoke test
+  try {
+    new PaymentRequest(evilMethods, defaultDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, let's add an abusive amount of methods.
+  while (evilMethods.length < ABUSIVE_AMOUNT) {
+    evilMethods.push({supportedMethods: "evil-method" + evilMethods.length});
+  }
+  try {
+    new PaymentRequest(evilMethods, defaultDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if there is an abusive number of payment methods in the methodData sequence");
+
+// PaymentMethodData.supportedMethods
+test(() => {
+  const supportedMethods = "basic-card";
+  // Smoke test
+  try {
+    new PaymentRequest([{ supportedMethods }], defaultDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we make supportedMethods super large
+  const evilMethodData = [
+    {
+      supportedMethods: supportedMethods.repeat(ABUSIVE_AMOUNT),
+    },
+  ];
+  try {
+    new PaymentRequest(evilMethodData, defaultDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if PaymentMethodData.supportedMethods is an abusive length");
+
+// PaymentDetailsInit.id
+test(() => {
+  const id = "abc";
+  // Smoke Test
+  try {
+    new PaymentRequest(
+      defaultMethods,
+      Object.assign({}, defaultDetails, { id })
+    );
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we make the id super large;
+  const evilDetails = Object.assign({}, defaultDetails, {
+    id: id.repeat(ABUSIVE_AMOUNT),
+  });
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if the request id has an abusive length");
+
+// PaymentDetailsInit.total.label
+test(() => {
+  const evilDetails = Object.assign({}, defaultDetails);
+  // Smoke Test
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we make the label super large;
+  evilDetails.total = {
+    label: "l".repeat(ABUSIVE_AMOUNT),
+    amount: defaultAmount,
+  };
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if PaymentDetailsInit.total.label is an abusive length");
+
+test(() => {
+  const evilDetails = Object.assign({}, defaultDetails);
+  // Smoke Test
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we can use evilAmount
+  evilDetails.total = evilAmount;
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if total.amount.value is an abusive length");
+
+for (const [prop, defaultValue] of [
+  ["displayItems", defaultPaymentItem],
+  ["shippingOptions", defaultShippingOption],
+]) {
+  test(() => {
+    const evilDetails = Object.assign({}, defaultDetails);
+    evilDetails[prop] = [defaultValue];
+    // Smoke Test
+    try {
+      new PaymentRequest(defaultMethods, evilDetails);
+    } catch (err) {
+      assert_unreached("failed smoke test: " + err.stack);
+    }
+    while (evilDetails[prop].length < ABUSIVE_AMOUNT) {
+      evilDetails[prop] = evilDetails[prop].concat(evilDetails[prop]);
+    }
+    // Now, construct with evil items!
+    try {
+      new PaymentRequest(defaultMethods, evilDetails);
+    } catch (err) {
+      assert_equals(err.name, "TypeError", "must be a TypeError");
+    }
+  }, `Don't crash if details.${prop} has an abusive number of items`);
+}
+
+test(() => {
+  const evilDetails = Object.assign({}, defaultDetails);
+  const evilShippingOption = Object.assign({}, defaultShippingOption);
+  evilDetails.shippingOptions = [evilShippingOption];
+  // Smoke Test
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we make the label super large;
+  evilShippingOption.label = "l".repeat(ABUSIVE_AMOUNT);
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if PaymentShippingOptions.label is an abusive length");
+
+test(() => {
+  const evilDetails = Object.assign({}, defaultDetails);
+  const evilShippingOption = Object.assign({}, defaultShippingOption);
+  evilDetails.shippingOptions = [evilShippingOption];
+  // Smoke Test
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we make use of evilAmount;
+  evilShippingOption.amount = evilAmount;
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if the PaymentShippingOptions.amount.value is an abusive length");
+
+test(() => {
+  const evilDetails = Object.assign({}, defaultDetails);
+  const evilDisplayItem = Object.assign({}, defaultPaymentItem);
+  evilDetails.displayItems = [evilDisplayItem];
+  // Smoke Test
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_unreached("failed smoke test: " + err.stack);
+  }
+  // Now, we make the label super large;
+  evilDisplayItem.label = "l".repeat(ABUSIVE_AMOUNT);
+  try {
+    new PaymentRequest(defaultMethods, evilDetails);
+  } catch (err) {
+    assert_equals(err.name, "TypeError", "must be a TypeError");
+  }
+}, "Don't crash if PaymentItem.label is an abusive length");
+</script>