Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

5 files changed, 476 insertions, 0 deletions

diff --git a/dom/security/sanitizer/Sanitizer.cpp b/dom/security/sanitizer/Sanitizer.cpp
new file mode 100644
index 0000000000..9d087523ff
--- /dev/null
+++ b/dom/security/sanitizer/Sanitizer.cpp
@@ -0,0 +1,187 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "BindingDeclarations.h"
+#include "mozilla/dom/BindingUtils.h"
+#include "mozilla/dom/DocumentFragment.h"
+#include "mozilla/dom/SanitizerBinding.h"
+#include "nsContentUtils.h"
+#include "nsGenericHTMLElement.h"
+#include "nsTreeSanitizer.h"
+#include "Sanitizer.h"
+
+namespace mozilla::dom {
+
+NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(Sanitizer, mGlobal)
+
+NS_IMPL_CYCLE_COLLECTING_ADDREF(Sanitizer)
+NS_IMPL_CYCLE_COLLECTING_RELEASE(Sanitizer)
+
+NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(Sanitizer)
+  NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY
+  NS_INTERFACE_MAP_ENTRY(nsISupports)
+NS_INTERFACE_MAP_END
+
+JSObject* Sanitizer::WrapObject(JSContext* aCx,
+                                JS::Handle<JSObject*> aGivenProto) {
+  return Sanitizer_Binding::Wrap(aCx, this, aGivenProto);
+}
+
+/* static */
+already_AddRefed<Sanitizer> Sanitizer::New(nsIGlobalObject* aGlobal,
+                                           const SanitizerConfig& aOptions,
+                                           ErrorResult& aRv) {
+  nsTreeSanitizer treeSanitizer(nsIParserUtils::SanitizerAllowStyle);
+  treeSanitizer.WithWebSanitizerOptions(aGlobal, aOptions, aRv);
+  if (aRv.Failed()) {
+    return nullptr;
+  }
+
+  RefPtr<Sanitizer> sanitizer =
+      new Sanitizer(aGlobal, std::move(treeSanitizer));
+  return sanitizer.forget();
+}
+
+/* static */
+already_AddRefed<Sanitizer> Sanitizer::Constructor(
+    const GlobalObject& aGlobal, const SanitizerConfig& aOptions,
+    ErrorResult& aRv) {
+  nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(aGlobal.GetAsSupports());
+  return New(global, aOptions, aRv);
+}
+
+/* static */
+already_AddRefed<DocumentFragment> Sanitizer::InputToNewFragment(
+    const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv) {
+  // turns an DocumentFragmentOrDocument into a new DocumentFragment for
+  // internal use with nsTreeSanitizer
+
+  nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+  if (!window || !window->GetDoc()) {
+    // FIXME: Should we throw another exception?
+    aRv.Throw(NS_ERROR_FAILURE);
+    return nullptr;
+  }
+
+  // We need to create a new docfragment based on the input
+  // and can't use a live document (possibly with mutation observershandlers)
+  nsAutoString innerHTML;
+  if (aInput.IsDocumentFragment()) {
+    RefPtr<DocumentFragment> inFragment = &aInput.GetAsDocumentFragment();
+    inFragment->GetInnerHTML(innerHTML);
+  } else if (aInput.IsDocument()) {
+    RefPtr<Document> doc = &aInput.GetAsDocument();
+    nsCOMPtr<Element> docElement = doc->GetDocumentElement();
+    if (docElement) {
+      docElement->GetInnerHTML(innerHTML, IgnoreErrors());
+    }
+  }
+  if (innerHTML.IsEmpty()) {
+    AutoTArray<nsString, 1> params = {};
+    LogLocalizedString("SanitizerRcvdNoInput", params,
+                       nsIScriptError::warningFlag);
+
+    RefPtr<DocumentFragment> emptyFragment =
+        window->GetDoc()->CreateDocumentFragment();
+    return emptyFragment.forget();
+  }
+  // Create an inert HTML document, loaded as data.
+  // this ensures we do not cause any requests.
+  RefPtr<Document> emptyDoc =
+      nsContentUtils::CreateInertHTMLDocument(window->GetDoc());
+  if (!emptyDoc) {
+    aRv.Throw(NS_ERROR_FAILURE);
+    return nullptr;
+  }
+  // We don't have a context element yet. let's create a mock HTML body element
+  RefPtr<mozilla::dom::NodeInfo> info =
+      emptyDoc->NodeInfoManager()->GetNodeInfo(
+          nsGkAtoms::body, nullptr, kNameSpaceID_XHTML, nsINode::ELEMENT_NODE);
+
+  nsCOMPtr<nsINode> context = NS_NewHTMLBodyElement(
+      info.forget(), mozilla::dom::FromParser::FROM_PARSER_FRAGMENT);
+  RefPtr<DocumentFragment> fragment = nsContentUtils::CreateContextualFragment(
+      context, innerHTML, true /* aPreventScriptExecution */, aRv);
+  if (aRv.Failed()) {
+    aRv.ThrowInvalidStateError("Could not parse input");
+    return nullptr;
+  }
+  return fragment.forget();
+}
+
+already_AddRefed<DocumentFragment> Sanitizer::Sanitize(
+    const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv) {
+  nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+  if (!window || !window->GetDoc()) {
+    aRv.Throw(NS_ERROR_FAILURE);
+    return nullptr;
+  }
+  RefPtr<DocumentFragment> fragment =
+      Sanitizer::InputToNewFragment(aInput, aRv);
+  if (aRv.Failed()) {
+    return nullptr;
+  }
+
+  mTreeSanitizer.Sanitize(fragment);
+  return fragment.forget();
+}
+
+RefPtr<DocumentFragment> Sanitizer::SanitizeFragment(
+    RefPtr<DocumentFragment> aFragment, ErrorResult& aRv) {
+  nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+  if (!window || !window->GetDoc()) {
+    aRv.Throw(NS_ERROR_FAILURE);
+    return nullptr;
+  }
+  // FIXME(freddyb)
+  // (how) can we assert that the supplied doc is indeed inert?
+  mTreeSanitizer.Sanitize(aFragment);
+  return aFragment.forget();
+}
+
+/* ------ Logging ------ */
+
+void Sanitizer::LogLocalizedString(const char* aName,
+                                   const nsTArray<nsString>& aParams,
+                                   uint32_t aFlags) {
+  uint64_t innerWindowID = 0;
+  bool isPrivateBrowsing = true;
+  nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal);
+  if (window && window->GetDoc()) {
+    auto* doc = window->GetDoc();
+    innerWindowID = doc->InnerWindowID();
+    isPrivateBrowsing = nsContentUtils::IsInPrivateBrowsing(doc);
+  }
+  nsAutoString logMsg;
+  nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES,
+                                        aName, aParams, logMsg);
+  LogMessage(logMsg, aFlags, innerWindowID, isPrivateBrowsing);
+}
+
+/* static */
+void Sanitizer::LogMessage(const nsAString& aMessage, uint32_t aFlags,
+                           uint64_t aInnerWindowID, bool aFromPrivateWindow) {
+  // Prepending 'Sanitizer' to the outgoing console message
+  nsString message;
+  message.AppendLiteral(u"Sanitizer: ");
+  message.Append(aMessage);
+
+  // Allow for easy distinction in devtools code.
+  constexpr auto category = "Sanitizer"_ns;
+
+  if (aInnerWindowID > 0) {
+    // Send to content console
+    nsContentUtils::ReportToConsoleByWindowID(message, aFlags, category,
+                                              aInnerWindowID);
+  } else {
+    // Send to browser console
+    nsContentUtils::LogSimpleConsoleError(message, category, aFromPrivateWindow,
+                                          true /* from chrome context */,
+                                          aFlags);
+  }
+}
+
+}  // namespace mozilla::dom
diff --git a/dom/security/sanitizer/Sanitizer.h b/dom/security/sanitizer/Sanitizer.h
new file mode 100644
index 0000000000..121545b1bf
--- /dev/null
+++ b/dom/security/sanitizer/Sanitizer.h
@@ -0,0 +1,107 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_Sanitizer_h
+#define mozilla_dom_Sanitizer_h
+
+#include "mozilla/dom/BindingDeclarations.h"
+#include "mozilla/dom/DocumentFragment.h"
+#include "mozilla/dom/SanitizerBinding.h"
+#include "nsString.h"
+#include "nsIGlobalObject.h"
+#include "nsIParserUtils.h"
+#include "nsTreeSanitizer.h"
+
+// XXX(Bug 1673929) This is not really needed here, but the generated
+// SanitizerBinding.cpp needs it and does not include it.
+#include "mozilla/dom/Document.h"
+
+class nsISupports;
+
+namespace mozilla {
+
+class ErrorResult;
+
+namespace dom {
+
+class GlobalObject;
+
+class Sanitizer final : public nsISupports, public nsWrapperCache {
+  explicit Sanitizer(nsIGlobalObject* aGlobal, nsTreeSanitizer&& aTreeSanitizer)
+      : mGlobal(aGlobal), mTreeSanitizer(std::move(aTreeSanitizer)) {
+    MOZ_ASSERT(aGlobal);
+  }
+
+ public:
+  NS_DECL_CYCLE_COLLECTING_ISUPPORTS
+  NS_DECL_CYCLE_COLLECTION_WRAPPERCACHE_CLASS(Sanitizer);
+
+  nsIGlobalObject* GetParentObject() const { return mGlobal; }
+
+  JSObject* WrapObject(JSContext* aCx,
+                       JS::Handle<JSObject*> aGivenProto) override;
+
+  static already_AddRefed<Sanitizer> New(nsIGlobalObject* aGlobal,
+                                         const SanitizerConfig& aOptions,
+                                         ErrorResult& aRv);
+
+  /**
+   * Sanitizer() WebIDL constructor
+   * @return a new Sanitizer object, with methods as below
+   */
+  static already_AddRefed<Sanitizer> Constructor(
+      const GlobalObject& aGlobal, const SanitizerConfig& aOptions,
+      ErrorResult& aRv);
+
+  /**
+   * sanitize WebIDL method.
+   * @param aInput       "bad" HTML that needs to be sanitized
+   * @return DocumentFragment of the sanitized HTML
+   */
+  already_AddRefed<DocumentFragment> Sanitize(
+      const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv);
+
+  /**
+   * Sanitizes a fragment in place. This assumes that the fragment
+   * belongs but an inert document.
+   *
+   * @param aFragment Fragment to be sanitized in place
+   * @return DocumentFragment
+   */
+
+  RefPtr<DocumentFragment> SanitizeFragment(RefPtr<DocumentFragment> aFragment,
+                                            ErrorResult& aRv);
+
+  /**
+   * Logs localized message to either content console or browser console
+   * @param aName              Localization key
+   * @param aParams            Localization parameters
+   * @param aFlags             Logging Flag (see nsIScriptError)
+   */
+  void LogLocalizedString(const char* aName, const nsTArray<nsString>& aParams,
+                          uint32_t aFlags);
+
+ private:
+  ~Sanitizer() = default;
+  already_AddRefed<DocumentFragment> InputToNewFragment(
+      const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv);
+  /**
+   * Logs localized message to either content console or browser console
+   * @param aMessage           Message to log
+   * @param aFlags             Logging Flag (see nsIScriptError)
+   * @param aInnerWindowID     Inner Window ID (Logged on browser console if 0)
+   * @param aFromPrivateWindow If from private window
+   */
+  static void LogMessage(const nsAString& aMessage, uint32_t aFlags,
+                         uint64_t aInnerWindowID, bool aFromPrivateWindow);
+
+  RefPtr<nsIGlobalObject> mGlobal;
+  nsTreeSanitizer mTreeSanitizer;
+};
+}  // namespace dom
+}  // namespace mozilla
+
+#endif  // ifndef mozilla_dom_Sanitizer_h
diff --git a/dom/security/sanitizer/moz.build b/dom/security/sanitizer/moz.build
new file mode 100644
index 0000000000..4baec486c5
--- /dev/null
+++ b/dom/security/sanitizer/moz.build
@@ -0,0 +1,37 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+with Files("**"):
+    BUG_COMPONENT = ("Core", "DOM: Security")
+
+# TEST_DIRS += [ 'tests' ]
+
+MOCHITEST_MANIFESTS += ["tests/mochitest/mochitest.ini"]
+
+
+EXPORTS.mozilla.dom += [
+    "Sanitizer.h",
+]
+
+UNIFIED_SOURCES += [
+    "Sanitizer.cpp",
+]
+
+LOCAL_INCLUDES += [
+    "/dom/base",
+    "/dom/bindings",
+    "/dom/html",
+]
+
+# include('/ipc/chromium/chromium-config.mozbuild')
+# include('/tools/fuzzing/libfuzzer-config.mozbuild')
+
+FINAL_LIBRARY = "xul"
+
+# if CONFIG['FUZZING_INTERFACES']:
+#    TEST_DIRS += [
+#            'fuzztest'
+#    ]
diff --git a/dom/security/sanitizer/tests/mochitest/mochitest.ini b/dom/security/sanitizer/tests/mochitest/mochitest.ini
new file mode 100644
index 0000000000..2388e0bd12
--- /dev/null
+++ b/dom/security/sanitizer/tests/mochitest/mochitest.ini
@@ -0,0 +1,6 @@
+[DEFAULT]
+prefs =
+  dom.security.sanitizer.enabled=true
+  dom.security.setHTML.enabled=true
+scheme=https
+[test_sanitizer_api.html]
diff --git a/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html
new file mode 100644
index 0000000000..efe8ae73bf
--- /dev/null
+++ b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html
@@ -0,0 +1,139 @@
+<!DOCTYPE HTML>
+<title>Test sanitizer api</title>
+<script src="/tests/SimpleTest/SimpleTest.js"></script>
+<link rel="stylesheet" href="/tests/SimpleTest/test.css" />
+<script type="text/javascript">
+"use strict";
+/* global Sanitizer */
+// we're not done after "onload"
+SimpleTest.waitForExplicitFinish();
+(async function() {
+  // Ensure Sanitizer is not exposed when the pref is false
+  const isEnabled = SpecialPowers.getBoolPref("dom.security.sanitizer.enabled");
+  if (!isEnabled) {
+    ok(false, "This test should only be run with dom.security.sanitizer.enabled set to true");
+    SimpleTest.finish();
+  }
+
+  function* possibleInputTypes(inputStr) {
+    /* This generator function, given a string, yields all possible input objects
+    for our sanitizer API (string, docfragment, document).
+    */
+
+    // 1) as string
+    yield ({testInput: inputStr, testType: "String" });
+    // 2) as DocumentFragment
+    let temp = document.createElement('template');
+    // asking eslint to skip this: innerHTML is safe for template elements.
+    // eslint-disable-next-line no-unsanitized/property
+    temp.innerHTML = inputStr;
+    yield ({testInput: temp.content, testType: "DocumentFragment" });
+    // 3) as HTMLDocument
+    const parser = new DOMParser;
+    yield ({testInput: parser.parseFromString(inputStr, "text/html"), testType: "Document" });
+  }
+  // basic interface smoke test
+  ok(typeof Sanitizer === "function", "Sanitizer constructor exposed when preffed on");
+  const mySanitizer = new Sanitizer();
+  ok(mySanitizer, "Sanitizer constructor works");
+  ok(mySanitizer.sanitize, "sanitize function exists");
+  ok("setHTML" in Element.prototype, "Element.setHTML exists");
+
+  // testing sanitizer results
+  const testCases = [
+    {
+      testString: "<p>hello</p>",
+      testExpected: "<p>hello</p>",
+      sanitizerOptions: {}
+    },
+    {
+      // script element encoded to not confuse the HTML parser and end execution here
+      testString: "<p>second test</p><script>alert(1)\x3C/script>",
+      testExpected: "<p>second test</p>",
+      sanitizerOptions: {},
+    },
+    {
+      // test for the allowElements option
+      testString: "<p>hello <i>folks</i></p>",
+      testExpected: "<p>hello folks</p>",
+      sanitizerOptions: { allowElements: ["p"] },
+    },
+    {
+      // test for the blockElements option
+      testString: "<p>hello <i>folks</i></p>",
+      testExpected: "<p>hello folks</p>",
+      sanitizerOptions: { blockElements: ["i"] },
+    },
+    // TODO: Unknown attributes aren't supported yet.
+    // {
+    //   // test for the allowAttributes option
+    //   testString: `<p haha="lol">hello</p>`,
+    //   testExpected: `<p haha="lol">hello</p>`,
+    //   sanitizerOptions: { allowUnknownMarkup: true, allowAttributes: { 'haha': ['p'] } },
+    // },
+    {
+      // confirming the inverse
+      testString: `<p haha="lol">hello</p>`,
+      testExpected: `<p>hello</p>`,
+      sanitizerOptions: {},
+    },
+    {
+      // test for the dropAttributes option
+      testString: `<p title="dropme">hello</p>`,
+      testExpected: `<p>hello</p>`,
+      sanitizerOptions: { dropAttributes: [{name: 'title', elements: ['p']}] },
+    },
+    {
+      // confirming the inverse
+      testString: `<p title="dontdropme">hello</p>`,
+      testExpected: `<p title="dontdropme">hello</p>`,
+      sanitizerOptions: {},
+    },
+    {
+      // if an attribute is allowed and dropped, the drop will take preference
+      testString: `<p title="lol">hello</p>`,
+      testExpected: `<p>hello</p>`,
+      sanitizerOptions: {
+        allowAttributes: [{ name: 'title', elements: ['p'] }],
+        dropAttributes: [{ name: 'title', elements: ['p'] }]
+      },
+    },
+  ];
+
+
+  const div = document.createElement("div");
+  for (let test of testCases) {
+    const {testString, testExpected, sanitizerOptions} = test;
+    const testSanitizer = new Sanitizer(sanitizerOptions);
+
+    for (let testInputAndType of possibleInputTypes(testString)) {
+      const {testInput, testType} = testInputAndType;
+
+      if (testType != "String") {
+        // test sanitize(document/fragment)
+        try {
+          div.innerHTML = "";
+          const docFragment = testSanitizer.sanitize(testInput);
+          div.append(docFragment);
+          is(div.innerHTML, testExpected, `Sanitizer.sanitize() should turn (${testType}) '${testInput}' into '${testExpected}'`);
+        }
+        catch (e) {
+          ok(false, 'Error in sanitize() test: ' + e)
+        }
+      }
+      else {
+        // test setHTML:
+        try {
+          div.setHTML(testString, { sanitizer: testSanitizer });
+          is(div.innerHTML, testExpected, `div.setHTML() should turn(${testType}) '${testInput}' into '${testExpected}'`);
+        }
+        catch (e) {
+          ok(false, 'Error in setHTML() test: ' + e)
+        }
+      }
+    }
+  }
+
+  SimpleTest.finish();
+})();
+</script>