summaryrefslogtreecommitdiffstats
path: root/toolkit/mozapps/extensions/internal/ProductAddonChecker.sys.mjs
blob: 1615a551c88133f453d10012efffda1af9d32f0c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import { Log } from "resource://gre/modules/Log.sys.mjs";
import { CertUtils } from "resource://gre/modules/CertUtils.sys.mjs";

const lazy = {};

ChromeUtils.defineESModuleGetters(lazy, {
  ServiceRequest: "resource://gre/modules/ServiceRequest.sys.mjs",
});

// This will inherit settings from the "addons" logger.
var logger = Log.repository.getLogger("addons.productaddons");
// We want to set the level of this logger independent from its parent to help
// debug things like GMP updates. Link this to its own level pref.
logger.manageLevelFromPref("extensions.logging.productaddons.level");

/**
 * Number of milliseconds after which we need to cancel `downloadXMLWithRequest`
 * and `conservativeFetch`.
 *
 * Bug 1087674 suggests that the XHR/ServiceRequest we use in
 * `downloadXMLWithRequest` may never terminate in presence of network nuisances
 * (e.g. strange antivirus behavior). This timeout is a defensive measure to
 * ensure that we fail cleanly in such case.
 */
const TIMEOUT_DELAY_MS = 20000;

/**
 * Gets the status of an XMLHttpRequest either directly or from its underlying
 * channel.
 *
 * @param  request
 *         The XMLHttpRequest.
 * @returns {Object} result - An object containing the results.
 * @returns {integer} result.status - Request status code, if available, else the channel nsresult.
 * @returns {integer} result.channelStatus - Channel nsresult.
 * @returns {integer} result.errorCode - Request error code.
 */
function getRequestStatus(request) {
  let status = null;
  let errorCode = null;
  let channelStatus = null;

  try {
    status = request.status;
  } catch (e) {}
  try {
    errorCode = request.errorCode;
  } catch (e) {}
  try {
    channelStatus = request.channel.QueryInterface(Ci.nsIRequest).status;
  } catch (e) {}

  if (status == null) {
    status = channelStatus;
  }

  return { status, channelStatus, errorCode };
}

/**
 * A wrapper around `ServiceRequest` that behaves like a limited `fetch()`.
 * This doesn't handle headers like fetch, but can be expanded as callers need.
 *
 * Use this in order to leverage the `beConservative` flag, for
 * example to avoid using HTTP3 to fetch critical data.
 *
 * @param input a resource
 * @returns a Response object
 */
async function conservativeFetch(input) {
  return new Promise(function (resolve, reject) {
    const request = new lazy.ServiceRequest({ mozAnon: true });
    request.timeout = TIMEOUT_DELAY_MS;

    request.onerror = () => {
      let err = new TypeError("NetworkError: Network request failed");
      err.addonCheckerErr = ProductAddonChecker.NETWORK_REQUEST_ERR;
      reject(err);
    };
    request.ontimeout = () => {
      let err = new TypeError("Timeout: Network request failed");
      err.addonCheckerErr = ProductAddonChecker.NETWORK_TIMEOUT_ERR;
      reject(err);
    };
    request.onabort = () => {
      let err = new DOMException("Aborted", "AbortError");
      err.addonCheckerErr = ProductAddonChecker.ABORT_ERR;
      reject(err);
    };
    request.onload = () => {
      const responseAttributes = {
        status: request.status,
        statusText: request.statusText,
        url: request.responseURL,
      };
      resolve(new Response(request.response, responseAttributes));
    };

    const method = "GET";

    request.open(method, input, true);

    request.send();
  });
}

/**
 * Verifies the content signature on GMP's update.xml. When we fetch update.xml
 * balrog should send back content signature headers, which this function
 * is used to verify.
 *
 * @param  data
 *         The data received from balrog. I.e. the xml contents of update.xml.
 * @param  contentSignatureHeader
 *         The contents of the 'content-signature' header received along with
 *         `data`.
 * @return A promise that will resolve to nothing if the signature verification
 *         succeeds, or rejects on failure, with an Error that sets its
 *         addonCheckerErr property disambiguate failure cases and a message
 *         explaining the error.
 */
async function verifyGmpContentSignature(data, contentSignatureHeader) {
  if (!contentSignatureHeader) {
    logger.warn(
      "Unexpected missing content signature header during content signature validation"
    );
    let err = new Error(
      "Content signature validation failed: missing content signature header"
    );
    err.addonCheckerErr = ProductAddonChecker.VERIFICATION_MISSING_DATA_ERR;
    throw err;
  }
  // Split out the header. It should contain a the following fields, separated by a semicolon
  // - x5u - a URI to the cert chain. See also https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.5
  // - p384ecdsa - the signature to verify. See also https://github.com/mozilla-services/autograph/blob/main/signer/contentsignaturepki/README.md
  const headerFields = contentSignatureHeader
    .split(";") // Split fields...
    .map(s => s.trim()) // Remove whitespace...
    .map(s => [
      // Break each field into it's name and value. This more verbose version is
      // used instead of `split()` to handle values that contain = characters. This
      // shouldn't happen for the signature because it's base64_url (no = padding),
      // but it's not clear if it's possible for the x5u URL (as part of a query).
      // Guard anyway, better safe than sorry.
      s.substring(0, s.indexOf("=")), // Get field name...
      s.substring(s.indexOf("=") + 1), // and field value.
    ]);

  let x5u;
  let signature;
  for (const [fieldName, fieldValue] of headerFields) {
    if (fieldName == "x5u") {
      x5u = fieldValue;
    } else if (fieldName == "p384ecdsa") {
      // The signature needs to contain 'p384ecdsa', so stich it back together.
      signature = `p384ecdsa=${fieldValue}`;
    }
  }

  if (!x5u) {
    logger.warn("Unexpected missing x5u during content signature validation");
    let err = Error("Content signature validation failed: missing x5u");
    err.addonCheckerErr = ProductAddonChecker.VERIFICATION_MISSING_DATA_ERR;
    throw err;
  }

  if (!signature) {
    logger.warn(
      "Unexpected missing signature during content signature validation"
    );
    let err = Error("Content signature validation failed: missing signature");
    err.addonCheckerErr = ProductAddonChecker.VERIFICATION_MISSING_DATA_ERR;
    throw err;
  }

  // The x5u field should contain the location of the cert chain, fetch it.
  // Use `conservativeFetch` so we get conservative behaviour and ensure (more)
  // reliable fetching.
  const certChain = await (await conservativeFetch(x5u)).text();

  const verifier = Cc[
    "@mozilla.org/security/contentsignatureverifier;1"
  ].createInstance(Ci.nsIContentSignatureVerifier);

  // See bug 1771992. In the future, this may need to handle staging and dev
  // environments in addition to just production and testing.
  let root = Ci.nsIContentSignatureVerifier.ContentSignatureProdRoot;
  if (Services.env.exists("XPCSHELL_TEST_PROFILE_DIR")) {
    root = Ci.nsIX509CertDB.AppXPCShellRoot;
  }

  let valid;
  try {
    valid = await verifier.asyncVerifyContentSignature(
      data,
      signature,
      certChain,
      "aus.content-signature.mozilla.org",
      root
    );
  } catch (err) {
    logger.warn(`Unexpected error while validating content signature: ${err}`);
    let newErr = new Error(`Content signature validation failed: ${err}`);
    newErr.addonCheckerErr = ProductAddonChecker.VERIFICATION_FAILED_ERR;
    throw newErr;
  }

  if (!valid) {
    logger.warn("Unexpected invalid content signature found during validation");
    let err = new Error("Content signature is not valid");
    err.addonCheckerErr = ProductAddonChecker.VERIFICATION_INVALID_ERR;
    throw err;
  }
}

/**
 * Downloads an XML document from a URL optionally testing the SSL certificate
 * for certain attributes.
 *
 * @param  url
 *         The url to download from.
 * @param  allowNonBuiltIn
 *         Whether to trust SSL certificates without a built-in CA issuer.
 * @param  allowedCerts
 *         The list of certificate attributes to match the SSL certificate
 *         against or null to skip checks.
 * @return a promise that resolves to the ServiceRequest request on success or
 *         rejects with a JS exception in case of error.
 */
function downloadXMLWithRequest(
  url,
  allowNonBuiltIn = false,
  allowedCerts = null
) {
  return new Promise((resolve, reject) => {
    let request = new lazy.ServiceRequest();
    // This is here to let unit test code override the ServiceRequest.
    if (request.wrappedJSObject) {
      request = request.wrappedJSObject;
    }
    request.open("GET", url, true);
    request.channel.notificationCallbacks = new CertUtils.BadCertHandler(
      allowNonBuiltIn
    );
    // Prevent the request from reading from the cache.
    request.channel.loadFlags |= Ci.nsIRequest.LOAD_BYPASS_CACHE;
    // Prevent the request from writing to the cache.
    request.channel.loadFlags |= Ci.nsIRequest.INHIBIT_CACHING;
    // Don't send any cookies
    request.channel.loadFlags |= Ci.nsIRequest.LOAD_ANONYMOUS;
    request.timeout = TIMEOUT_DELAY_MS;

    request.overrideMimeType("text/xml");
    // The Cache-Control header is only interpreted by proxies and the
    // final destination. It does not help if a resource is already
    // cached locally.
    request.setRequestHeader("Cache-Control", "no-cache");
    // HTTP/1.0 servers might not implement Cache-Control and
    // might only implement Pragma: no-cache
    request.setRequestHeader("Pragma", "no-cache");

    let fail = event => {
      let request = event.target;
      let status = getRequestStatus(request);
      let message =
        "Failed downloading XML, status: " +
        status.status +
        ", channelStatus: " +
        status.channelStatus +
        ", errorCode: " +
        status.errorCode +
        ", reason: " +
        event.type;
      logger.warn(message);
      let ex = new Error(message);
      ex.status = status.status;
      if (event.type == "error") {
        ex.addonCheckerErr = ProductAddonChecker.NETWORK_REQUEST_ERR;
      } else if (event.type == "abort") {
        ex.addonCheckerErr = ProductAddonChecker.ABORT_ERR;
      } else if (event.type == "timeout") {
        ex.addonCheckerErr = ProductAddonChecker.NETWORK_TIMEOUT_ERR;
      }
      reject(ex);
    };

    let success = event => {
      logger.info("Completed downloading document");
      let request = event.target;

      try {
        CertUtils.checkCert(request.channel, allowNonBuiltIn, allowedCerts);
      } catch (ex) {
        logger.error("Request failed certificate checks: " + ex);
        ex.status = getRequestStatus(request).requestStatus;
        ex.addonCheckerErr = ProductAddonChecker.VERIFICATION_FAILED_ERR;
        reject(ex);
        return;
      }

      resolve(request);
    };

    request.addEventListener("error", fail);
    request.addEventListener("abort", fail);
    request.addEventListener("timeout", fail);
    request.addEventListener("load", success);

    logger.info("sending request to: " + url);
    request.send(null);
  });
}

/**
 * Downloads an XML document from a URL optionally testing the SSL certificate
 * for certain attributes, and/or testing the content signature.
 *
 * @param  url
 *         The url to download from.
 * @param  allowNonBuiltIn
 *         Whether to trust SSL certificates without a built-in CA issuer.
 * @param  allowedCerts
 *         The list of certificate attributes to match the SSL certificate
 *         against or null to skip checks.
 * @param  verifyContentSignature
 *         When true, will verify the content signature information from the
 *         response header. Failure to verify will result in an error.
 * @return a promise that resolves to the DOM document downloaded or rejects
 *         with a JS exception in case of error.
 */
async function downloadXML(
  url,
  allowNonBuiltIn = false,
  allowedCerts = null,
  verifyContentSignature = false
) {
  let request = await downloadXMLWithRequest(
    url,
    allowNonBuiltIn,
    allowedCerts
  );
  if (verifyContentSignature) {
    await verifyGmpContentSignature(
      request.response,
      request.getResponseHeader("content-signature")
    );
  }
  return request.responseXML;
}

/**
 * Parses a list of add-ons from a DOM document.
 *
 * @param  document
 *         The DOM document to parse.
 * @return null if there is no <addons> element otherwise an object containing
 *         an array of the addons listed and a field notifying whether the
 *         fallback was used.
 */
function parseXML(document) {
  // Check that the root element is correct
  if (document.documentElement.localName != "updates") {
    let err = new Error(
      "got node name: " +
        document.documentElement.localName +
        ", expected: updates"
    );
    err.addonCheckerErr = ProductAddonChecker.XML_PARSE_ERR;
    throw err;
  }

  // Check if there are any addons elements in the updates element
  let addons = document.querySelector("updates:root > addons");
  if (!addons) {
    return null;
  }

  let results = [];
  let addonList = document.querySelectorAll("updates:root > addons > addon");
  for (let addonElement of addonList) {
    let addon = {};

    for (let name of [
      "id",
      "URL",
      "hashFunction",
      "hashValue",
      "version",
      "size",
    ]) {
      if (addonElement.hasAttribute(name)) {
        addon[name] = addonElement.getAttribute(name);
      }
    }
    addon.size = Number(addon.size) || undefined;

    results.push(addon);
  }

  return {
    usedFallback: false,
    addons: results,
  };
}

/**
 * Downloads file from a URL using ServiceRequest.
 *
 * @param  url
 *         The url to download from.
 * @param  options (optional)
 * @param  options.httpsOnlyNoUpgrade
 *         Prevents upgrade to https:// when HTTPS-Only Mode is enabled.
 * @return a promise that resolves to the path of a temporary file or rejects
 *         with a JS exception in case of error.
 */
function downloadFile(url, options = { httpsOnlyNoUpgrade: false }) {
  return new Promise((resolve, reject) => {
    let sr = new lazy.ServiceRequest();

    sr.onload = function (response) {
      logger.info("downloadFile File download. status=" + sr.status);
      if (sr.status != 200 && sr.status != 206) {
        reject(Components.Exception("File download failed", sr.status));
        return;
      }
      (async function () {
        const path = await IOUtils.createUniqueFile(
          PathUtils.tempDir,
          "tmpaddon"
        );
        logger.info(`Downloaded file will be saved to ${path}`);
        await IOUtils.write(path, new Uint8Array(sr.response));

        return path;
      })().then(resolve, reject);
    };

    let fail = event => {
      let request = event.target;
      let status = getRequestStatus(request);
      let message =
        "Failed downloading via ServiceRequest, status: " +
        status.status +
        ", channelStatus: " +
        status.channelStatus +
        ", errorCode: " +
        status.errorCode +
        ", reason: " +
        event.type;
      logger.warn(message);
      let ex = new Error(message);
      ex.status = status.status;
      reject(ex);
    };
    sr.addEventListener("error", fail);
    sr.addEventListener("abort", fail);

    sr.responseType = "arraybuffer";
    try {
      sr.open("GET", url);
      if (options.httpsOnlyNoUpgrade) {
        sr.channel.loadInfo.httpsOnlyStatus |= Ci.nsILoadInfo.HTTPS_ONLY_EXEMPT;
      }
      // Allow deprecated HTTP request from SystemPrincipal
      sr.channel.loadInfo.allowDeprecatedSystemRequests = true;
      sr.send(null);
    } catch (ex) {
      reject(ex);
    }
  });
}

/**
 * Verifies that a downloaded file matches what was expected.
 *
 * @param  properties
 *         The properties to check, `hashFunction` with `hashValue`
 *         are supported. Any properties missing won't be checked.
 * @param  path
 *         The path of the file to check.
 * @return a promise that resolves if the file matched or rejects with a JS
 *         exception in case of error.
 */
var verifyFile = async function (properties, path) {
  if (properties.size !== undefined) {
    let stat = await IOUtils.stat(path);
    if (stat.size != properties.size) {
      throw new Error(
        "Downloaded file was " +
          stat.size +
          " bytes but expected " +
          properties.size +
          " bytes."
      );
    }
  }

  if (properties.hashFunction !== undefined) {
    let expectedDigest = properties.hashValue.toLowerCase();
    let digest = await IOUtils.computeHexDigest(path, properties.hashFunction);
    if (digest != expectedDigest) {
      throw new Error(
        "Hash was `" + digest + "` but expected `" + expectedDigest + "`."
      );
    }
  }
};

export const ProductAddonChecker = {
  // More specific error names to help debug and report failures.
  NETWORK_REQUEST_ERR: "NetworkRequestError",
  NETWORK_TIMEOUT_ERR: "NetworkTimeoutError",
  ABORT_ERR: "AbortError", // Doesn't have network prefix to work with existing convention.
  VERIFICATION_MISSING_DATA_ERR: "VerificationMissingDataError",
  VERIFICATION_FAILED_ERR: "VerificationFailedError",
  VERIFICATION_INVALID_ERR: "VerificationInvalidError",
  XML_PARSE_ERR: "XMLParseError",

  /**
   * Downloads a list of add-ons from a URL optionally testing the SSL
   * certificate for certain attributes, and/or testing the content signature.
   *
   * @param  url
   *         The url to download from.
   * @param  allowNonBuiltIn
   *         Whether to trust SSL certificates without a built-in CA issuer.
   * @param  allowedCerts
   *         The list of certificate attributes to match the SSL certificate
   *         against or null to skip checks.
   * @param  verifyContentSignature
   *         When true, will verify the content signature information from the
   *         response header. Failure to verify will result in an error.
   * @return a promise that resolves to an object containing the list of add-ons
   *         and whether the local fallback was used, or rejects with a JS
   *         exception in case of error. In the case of an error, a best effort
   *         is made to set the error addonCheckerErr property to one of the
   *         more specific names used by the product addon checker.
   */
  getProductAddonList(
    url,
    allowNonBuiltIn = false,
    allowedCerts = null,
    verifyContentSignature = false
  ) {
    return downloadXML(
      url,
      allowNonBuiltIn,
      allowedCerts,
      verifyContentSignature
    ).then(parseXML);
  },

  /**
   * Downloads an add-on to a local file and checks that it matches the expected
   * file. The caller is responsible for deleting the temporary file returned.
   *
   * @param  addon
   *         The addon to download.
   * @param  options (optional)
   * @param  options.httpsOnlyNoUpgrade
   *         Prevents upgrade to https:// when HTTPS-Only Mode is enabled.
   * @return a promise that resolves to the temporary file downloaded or rejects
   *         with a JS exception in case of error.
   */
  async downloadAddon(addon, options = { httpsOnlyNoUpgrade: false }) {
    let path = await downloadFile(addon.URL, options);
    try {
      await verifyFile(addon, path);
      return path;
    } catch (e) {
      await IOUtils.remove(path);
      throw e;
    }
  },
};

// For test use only.
export const ProductAddonCheckerTestUtils = {
  /**
   * Used to override ServiceRequest calls with a mock request.
   * @param mockRequest The mocked ServiceRequest object.
   * @param callback Method called with the overridden ServiceRequest. The override
   *        is undone after the callback returns.
   */
  async overrideServiceRequest(mockRequest, callback) {
    let originalServiceRequest = lazy.ServiceRequest;
    lazy.ServiceRequest = function () {
      return mockRequest;
    };
    try {
      return await callback();
    } finally {
      lazy.ServiceRequest = originalServiceRequest;
    }
  },
};