diff options
Diffstat (limited to 'dom/security/sanitizer')
-rw-r--r-- | dom/security/sanitizer/Sanitizer.cpp | 173 | ||||
-rw-r--r-- | dom/security/sanitizer/Sanitizer.h | 104 | ||||
-rw-r--r-- | dom/security/sanitizer/moz.build | 37 | ||||
-rw-r--r-- | dom/security/sanitizer/tests/mochitest/mochitest.ini | 6 | ||||
-rw-r--r-- | dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html | 139 |
5 files changed, 459 insertions, 0 deletions
diff --git a/dom/security/sanitizer/Sanitizer.cpp b/dom/security/sanitizer/Sanitizer.cpp new file mode 100644 index 0000000000..b302a76b7a --- /dev/null +++ b/dom/security/sanitizer/Sanitizer.cpp @@ -0,0 +1,173 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "BindingDeclarations.h" +#include "mozilla/dom/BindingUtils.h" +#include "mozilla/dom/DocumentFragment.h" +#include "mozilla/dom/SanitizerBinding.h" +#include "nsContentUtils.h" +#include "nsGenericHTMLElement.h" +#include "nsTreeSanitizer.h" +#include "Sanitizer.h" + +namespace mozilla::dom { + +NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE(Sanitizer, mGlobal) + +NS_IMPL_CYCLE_COLLECTING_ADDREF(Sanitizer) +NS_IMPL_CYCLE_COLLECTING_RELEASE(Sanitizer) + +NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(Sanitizer) + NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY + NS_INTERFACE_MAP_ENTRY(nsISupports) +NS_INTERFACE_MAP_END + +JSObject* Sanitizer::WrapObject(JSContext* aCx, + JS::Handle<JSObject*> aGivenProto) { + return Sanitizer_Binding::Wrap(aCx, this, aGivenProto); +} + +/* static */ +already_AddRefed<Sanitizer> Sanitizer::Constructor( + const GlobalObject& aGlobal, const SanitizerConfig& aOptions, + ErrorResult& aRv) { + nsCOMPtr<nsIGlobalObject> global = do_QueryInterface(aGlobal.GetAsSupports()); + RefPtr<Sanitizer> sanitizer = new Sanitizer(global, aOptions); + return sanitizer.forget(); +} + +/* static */ +already_AddRefed<DocumentFragment> Sanitizer::InputToNewFragment( + const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv) { + // turns an DocumentFragmentOrDocument into a new DocumentFragment for + // internal use with nsTreeSanitizer + + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (!window || !window->GetDoc()) { + // FIXME: Should we throw another exception? + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + + // We need to create a new docfragment based on the input + // and can't use a live document (possibly with mutation observershandlers) + nsAutoString innerHTML; + if (aInput.IsDocumentFragment()) { + RefPtr<DocumentFragment> inFragment = &aInput.GetAsDocumentFragment(); + inFragment->GetInnerHTML(innerHTML); + } else if (aInput.IsDocument()) { + RefPtr<Document> doc = &aInput.GetAsDocument(); + nsCOMPtr<Element> docElement = doc->GetDocumentElement(); + if (docElement) { + docElement->GetInnerHTML(innerHTML, IgnoreErrors()); + } + } + if (innerHTML.IsEmpty()) { + AutoTArray<nsString, 1> params = {}; + LogLocalizedString("SanitizerRcvdNoInput", params, + nsIScriptError::warningFlag); + + RefPtr<DocumentFragment> emptyFragment = + window->GetDoc()->CreateDocumentFragment(); + return emptyFragment.forget(); + } + // Create an inert HTML document, loaded as data. + // this ensures we do not cause any requests. + RefPtr<Document> emptyDoc = + nsContentUtils::CreateInertHTMLDocument(window->GetDoc()); + if (!emptyDoc) { + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + // We don't have a context element yet. let's create a mock HTML body element + RefPtr<mozilla::dom::NodeInfo> info = + emptyDoc->NodeInfoManager()->GetNodeInfo( + nsGkAtoms::body, nullptr, kNameSpaceID_XHTML, nsINode::ELEMENT_NODE); + + nsCOMPtr<nsINode> context = NS_NewHTMLBodyElement( + info.forget(), mozilla::dom::FromParser::FROM_PARSER_FRAGMENT); + RefPtr<DocumentFragment> fragment = nsContentUtils::CreateContextualFragment( + context, innerHTML, true /* aPreventScriptExecution */, aRv); + if (aRv.Failed()) { + aRv.ThrowInvalidStateError("Could not parse input"); + return nullptr; + } + return fragment.forget(); +} + +already_AddRefed<DocumentFragment> Sanitizer::Sanitize( + const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv) { + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (!window || !window->GetDoc()) { + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + RefPtr<DocumentFragment> fragment = + Sanitizer::InputToNewFragment(aInput, aRv); + if (aRv.Failed()) { + return nullptr; + } + + mTreeSanitizer.Sanitize(fragment); + return fragment.forget(); +} + +RefPtr<DocumentFragment> Sanitizer::SanitizeFragment( + RefPtr<DocumentFragment> aFragment, ErrorResult& aRv) { + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (!window || !window->GetDoc()) { + aRv.Throw(NS_ERROR_FAILURE); + return nullptr; + } + // FIXME(freddyb) + // (how) can we assert that the supplied doc is indeed inert? + mTreeSanitizer.Sanitize(aFragment); + return aFragment.forget(); +} + +/* ------ Logging ------ */ + +void Sanitizer::LogLocalizedString(const char* aName, + const nsTArray<nsString>& aParams, + uint32_t aFlags) { + uint64_t innerWindowID = 0; + bool isPrivateBrowsing = true; + nsCOMPtr<nsPIDOMWindowInner> window = do_QueryInterface(mGlobal); + if (window && window->GetDoc()) { + auto* doc = window->GetDoc(); + innerWindowID = doc->InnerWindowID(); + isPrivateBrowsing = nsContentUtils::IsInPrivateBrowsing(doc); + } + nsAutoString logMsg; + nsContentUtils::FormatLocalizedString(nsContentUtils::eSECURITY_PROPERTIES, + aName, aParams, logMsg); + LogMessage(logMsg, aFlags, innerWindowID, isPrivateBrowsing); +} + +/* static */ +void Sanitizer::LogMessage(const nsAString& aMessage, uint32_t aFlags, + uint64_t aInnerWindowID, bool aFromPrivateWindow) { + // Prepending 'Sanitizer' to the outgoing console message + nsString message; + message.AppendLiteral(u"Sanitizer: "); + message.Append(aMessage); + + // Allow for easy distinction in devtools code. + constexpr auto category = "Sanitizer"_ns; + + if (aInnerWindowID > 0) { + // Send to content console + nsContentUtils::ReportToConsoleByWindowID(message, aFlags, category, + aInnerWindowID); + } else { + // Send to browser console + nsContentUtils::LogSimpleConsoleError(message, category, aFromPrivateWindow, + true /* from chrome context */, + aFlags); + } +} + +} // namespace mozilla::dom diff --git a/dom/security/sanitizer/Sanitizer.h b/dom/security/sanitizer/Sanitizer.h new file mode 100644 index 0000000000..41b59c2ae2 --- /dev/null +++ b/dom/security/sanitizer/Sanitizer.h @@ -0,0 +1,104 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#ifndef mozilla_dom_Sanitizer_h +#define mozilla_dom_Sanitizer_h + +#include "mozilla/dom/BindingDeclarations.h" +#include "mozilla/dom/DocumentFragment.h" +#include "mozilla/dom/SanitizerBinding.h" +#include "nsString.h" +#include "nsIGlobalObject.h" +#include "nsIParserUtils.h" +#include "nsTreeSanitizer.h" + +// XXX(Bug 1673929) This is not really needed here, but the generated +// SanitizerBinding.cpp needs it and does not include it. +#include "mozilla/dom/Document.h" + +class nsISupports; + +namespace mozilla { + +class ErrorResult; + +namespace dom { + +class GlobalObject; + +class Sanitizer final : public nsISupports, public nsWrapperCache { + public: + NS_DECL_CYCLE_COLLECTING_ISUPPORTS + NS_DECL_CYCLE_COLLECTION_WRAPPERCACHE_CLASS(Sanitizer); + + explicit Sanitizer(nsIGlobalObject* aGlobal, const SanitizerConfig& aOptions) + : mGlobal(aGlobal), mTreeSanitizer(nsIParserUtils::SanitizerAllowStyle) { + MOZ_ASSERT(aGlobal); + mTreeSanitizer.WithWebSanitizerOptions(aGlobal, aOptions); + } + + nsIGlobalObject* GetParentObject() const { return mGlobal; } + + JSObject* WrapObject(JSContext* aCx, + JS::Handle<JSObject*> aGivenProto) override; + + /** + * Sanitizer() WebIDL constructor + * @return a new Sanitizer object, with methods as below + */ + static already_AddRefed<Sanitizer> Constructor( + const GlobalObject& aGlobal, const SanitizerConfig& aOptions, + ErrorResult& aRv); + + /** + * sanitize WebIDL method. + * @param aInput "bad" HTML that needs to be sanitized + * @return DocumentFragment of the sanitized HTML + */ + already_AddRefed<DocumentFragment> Sanitize( + const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv); + + /** + * Sanitizes a fragment in place. This assumes that the fragment + * belongs but an inert document. + * + * @param aFragment Fragment to be sanitized in place + * @return DocumentFragment + */ + + RefPtr<DocumentFragment> SanitizeFragment(RefPtr<DocumentFragment> aFragment, + ErrorResult& aRv); + + /** + * Logs localized message to either content console or browser console + * @param aName Localization key + * @param aParams Localization parameters + * @param aFlags Logging Flag (see nsIScriptError) + */ + void LogLocalizedString(const char* aName, const nsTArray<nsString>& aParams, + uint32_t aFlags); + + private: + ~Sanitizer() = default; + already_AddRefed<DocumentFragment> InputToNewFragment( + const mozilla::dom::DocumentFragmentOrDocument& aInput, ErrorResult& aRv); + /** + * Logs localized message to either content console or browser console + * @param aMessage Message to log + * @param aFlags Logging Flag (see nsIScriptError) + * @param aInnerWindowID Inner Window ID (Logged on browser console if 0) + * @param aFromPrivateWindow If from private window + */ + static void LogMessage(const nsAString& aMessage, uint32_t aFlags, + uint64_t aInnerWindowID, bool aFromPrivateWindow); + + RefPtr<nsIGlobalObject> mGlobal; + nsTreeSanitizer mTreeSanitizer; +}; +} // namespace dom +} // namespace mozilla + +#endif // ifndef mozilla_dom_Sanitizer_h diff --git a/dom/security/sanitizer/moz.build b/dom/security/sanitizer/moz.build new file mode 100644 index 0000000000..4baec486c5 --- /dev/null +++ b/dom/security/sanitizer/moz.build @@ -0,0 +1,37 @@ +# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*- +# vim: set filetype=python: +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +with Files("**"): + BUG_COMPONENT = ("Core", "DOM: Security") + +# TEST_DIRS += [ 'tests' ] + +MOCHITEST_MANIFESTS += ["tests/mochitest/mochitest.ini"] + + +EXPORTS.mozilla.dom += [ + "Sanitizer.h", +] + +UNIFIED_SOURCES += [ + "Sanitizer.cpp", +] + +LOCAL_INCLUDES += [ + "/dom/base", + "/dom/bindings", + "/dom/html", +] + +# include('/ipc/chromium/chromium-config.mozbuild') +# include('/tools/fuzzing/libfuzzer-config.mozbuild') + +FINAL_LIBRARY = "xul" + +# if CONFIG['FUZZING_INTERFACES']: +# TEST_DIRS += [ +# 'fuzztest' +# ] diff --git a/dom/security/sanitizer/tests/mochitest/mochitest.ini b/dom/security/sanitizer/tests/mochitest/mochitest.ini new file mode 100644 index 0000000000..2388e0bd12 --- /dev/null +++ b/dom/security/sanitizer/tests/mochitest/mochitest.ini @@ -0,0 +1,6 @@ +[DEFAULT] +prefs = + dom.security.sanitizer.enabled=true + dom.security.setHTML.enabled=true +scheme=https +[test_sanitizer_api.html] diff --git a/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html new file mode 100644 index 0000000000..cfc24d0386 --- /dev/null +++ b/dom/security/sanitizer/tests/mochitest/test_sanitizer_api.html @@ -0,0 +1,139 @@ +<!DOCTYPE HTML> +<title>Test sanitizer api</title> +<script src="/tests/SimpleTest/SimpleTest.js"></script> +<link rel="stylesheet" href="/tests/SimpleTest/test.css" /> +<script type="text/javascript"> +"use strict"; +/* global Sanitizer */ +// we're not done after "onload" +SimpleTest.waitForExplicitFinish(); +(async function() { + // Ensure Sanitizer is not exposed when the pref is false + const isEnabled = SpecialPowers.getBoolPref("dom.security.sanitizer.enabled"); + if (!isEnabled) { + ok(false, "This test should only be run with dom.security.sanitizer.enabled set to true"); + SimpleTest.finish(); + } + + function* possibleInputTypes(inputStr) { + /* This generator function, given a string, yields all possible input objects + for our sanitizer API (string, docfragment, document). + */ + + // 1) as string + yield ({testInput: inputStr, testType: "String" }); + // 2) as DocumentFragment + let temp = document.createElement('template'); + // asking eslint to skip this: innerHTML is safe for template elements. + // eslint-disable-next-line no-unsanitized/property + temp.innerHTML = inputStr; + yield ({testInput: temp.content, testType: "DocumentFragment" }); + // 3) as HTMLDocument + const parser = new DOMParser; + yield ({testInput: parser.parseFromString(inputStr, "text/html"), testType: "Document" }); + } + // basic interface smoke test + ok(typeof Sanitizer === "function", "Sanitizer constructor exposed when preffed on"); + const mySanitizer = new Sanitizer(); + ok(mySanitizer, "Sanitizer constructor works"); + ok(mySanitizer.sanitize, "sanitize function exists"); + ok("setHTML" in Element.prototype, "Element.setHTML exists"); + + // testing sanitizer results + const testCases = [ + { + testString: "<p>hello</p>", + testExpected: "<p>hello</p>", + sanitizerOptions: {} + }, + { + // script element encoded to not confuse the HTML parser and end execution here + testString: "<p>second test</p><script>alert(1)\x3C/script>", + testExpected: "<p>second test</p>", + sanitizerOptions: {}, + }, + { + // test for the allowElements option + testString: "<p>hello <i>folks</i></p>", + testExpected: "<p>hello folks</p>", + sanitizerOptions: { allowElements: ["p"] }, + }, + { + // test for the blockElements option + testString: "<p>hello <i>folks</i></p>", + testExpected: "<p>hello folks</p>", + sanitizerOptions: { blockElements: ["i"] }, + }, + // TODO: Unknown attributes aren't supported yet. + // { + // // test for the allowAttributes option + // testString: `<p haha="lol">hello</p>`, + // testExpected: `<p haha="lol">hello</p>`, + // sanitizerOptions: { allowUnknownMarkup: true, allowAttributes: { 'haha': ['p'] } }, + // }, + { + // confirming the inverse + testString: `<p haha="lol">hello</p>`, + testExpected: `<p>hello</p>`, + sanitizerOptions: {}, + }, + { + // test for the dropAttributes option + testString: `<p title="dropme">hello</p>`, + testExpected: `<p>hello</p>`, + sanitizerOptions: { dropAttributes: { 'title': ['p'] } }, + }, + { + // confirming the inverse + testString: `<p title="dontdropme">hello</p>`, + testExpected: `<p title="dontdropme">hello</p>`, + sanitizerOptions: {}, + }, + { + // if an attribute is allowed and dropped, the drop will take preference + testString: `<p title="lol">hello</p>`, + testExpected: `<p>hello</p>`, + sanitizerOptions: { + allowAttributes: { 'title': ['p'] }, + dropAttributes: { 'title': ['p'] }, + }, + }, + ]; + + + const div = document.createElement("div"); + for (let test of testCases) { + const {testString, testExpected, sanitizerOptions} = test; + const testSanitizer = new Sanitizer(sanitizerOptions); + + for (let testInputAndType of possibleInputTypes(testString)) { + const {testInput, testType} = testInputAndType; + + if (testType != "String") { + // test sanitize(document/fragment) + try { + div.innerHTML = ""; + const docFragment = testSanitizer.sanitize(testInput); + div.append(docFragment); + is(div.innerHTML, testExpected, `Sanitizer.sanitize() should turn (${testType}) '${testInput}' into '${testExpected}'`); + } + catch (e) { + ok(false, 'Error in sanitize() test: ' + e) + } + } + else { + // test setHTML: + try { + div.setHTML(testString, { sanitizer: testSanitizer }); + is(div.innerHTML, testExpected, `div.setHTML() should turn(${testType}) '${testInput}' into '${testExpected}'`); + } + catch (e) { + ok(false, 'Error in setHTML() test: ' + e) + } + } + } + } + + SimpleTest.finish(); +})(); +</script> |