summaryrefslogtreecommitdiffstats
path: root/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js
blob: 37f5ab922118765bde66eb16cb3bd6a5f765427e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
/* This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. */
"use strict";

// How to run this file:
// 1. [obtain firefox source code]
// 2. [build/obtain firefox binaries]
// 3. run `[path to]/run-mozilla.sh [path to]/xpcshell [path to]/getHSTSPreloadlist.js [absolute path to]/nsSTSPreloadlist.inc'
// Note: Running this file outputs a new nsSTSPreloadlist.inc in the current
//       working directory.

var gSSService = Cc["@mozilla.org/ssservice;1"].getService(
  Ci.nsISiteSecurityService
);

const { FileUtils } = ChromeUtils.importESModule(
  "resource://gre/modules/FileUtils.sys.mjs"
);

const SOURCE =
  "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/net/http/transport_security_state_static.json?format=TEXT";
const TOOL_SOURCE =
  "https://hg.mozilla.org/mozilla-central/file/default/taskcluster/docker/periodic-updates/scripts/getHSTSPreloadList.js";
const OUTPUT = "nsSTSPreloadList.inc";
const MINIMUM_REQUIRED_MAX_AGE = 60 * 60 * 24 * 7 * 18;
const MAX_CONCURRENT_REQUESTS = 500;
const MAX_RETRIES = 1;
const REQUEST_TIMEOUT = 30 * 1000;
const ERROR_NONE = "no error";
const ERROR_CONNECTING_TO_HOST = "could not connect to host";
const ERROR_NO_HSTS_HEADER = "did not receive HSTS header";
const ERROR_MAX_AGE_TOO_LOW = "max-age too low: ";
const HEADER = `/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/*****************************************************************************/
/* This is an automatically generated file. If you're not                    */
/* nsSiteSecurityService.cpp, you shouldn't be #including it.                */
/*****************************************************************************/

#include <stdint.h>
`;

const GPERF_DELIM = "%%\n";

function download() {
  let req = new XMLHttpRequest();
  req.open("GET", SOURCE, false); // doing the request synchronously
  try {
    req.send();
  } catch (e) {
    throw new Error(`ERROR: problem downloading '${SOURCE}': ${e}`);
  }

  if (req.status != 200) {
    throw new Error(
      "ERROR: problem downloading '" + SOURCE + "': status " + req.status
    );
  }

  let resultDecoded;
  try {
    resultDecoded = atob(req.responseText);
  } catch (e) {
    throw new Error(
      "ERROR: could not decode data as base64 from '" + SOURCE + "': " + e
    );
  }

  // we have to filter out '//' comments, while not mangling the json
  let result = resultDecoded.replace(/^(\s*)?\/\/[^\n]*\n/gm, "");
  let data = null;
  try {
    data = JSON.parse(result);
  } catch (e) {
    throw new Error(`ERROR: could not parse data from '${SOURCE}': ${e}`);
  }
  return data;
}

function getHosts(rawdata) {
  let hosts = [];

  if (!rawdata || !rawdata.entries) {
    throw new Error(
      "ERROR: source data not formatted correctly: 'entries' not found"
    );
  }

  for (let entry of rawdata.entries) {
    if (entry.mode && entry.mode == "force-https") {
      if (entry.name) {
        // We trim the entry name here to avoid malformed URI exceptions when we
        // later try to connect to the domain.
        entry.name = entry.name.trim();
        entry.retries = MAX_RETRIES;
        // We prefer the camelCase variable to the JSON's snake case version
        entry.includeSubdomains = entry.include_subdomains;
        hosts.push(entry);
      } else {
        throw new Error("ERROR: entry not formatted correctly: no name found");
      }
    }
  }

  return hosts;
}

function processStsHeader(host, header, status, securityInfo) {
  let maxAge = {
    value: 0,
  };
  let includeSubdomains = {
    value: false,
  };
  let error = ERROR_NONE;
  if (
    header != null &&
    securityInfo != null &&
    securityInfo.overridableErrorCategory ==
      Ci.nsITransportSecurityInfo.ERROR_UNSET
  ) {
    try {
      let uri = Services.io.newURI("https://" + host.name);
      gSSService.processHeader(uri, header, {}, maxAge, includeSubdomains);
    } catch (e) {
      dump(
        "ERROR: could not process header '" +
          header +
          "' from " +
          host.name +
          ": " +
          e +
          "\n"
      );
      error = e;
    }
  } else if (status == 0) {
    error = ERROR_CONNECTING_TO_HOST;
  } else {
    error = ERROR_NO_HSTS_HEADER;
  }

  if (error == ERROR_NONE && maxAge.value < MINIMUM_REQUIRED_MAX_AGE) {
    error = ERROR_MAX_AGE_TOO_LOW;
  }

  return {
    name: host.name,
    maxAge: maxAge.value,
    includeSubdomains: includeSubdomains.value,
    error,
    retries: host.retries - 1,
    forceInclude: host.forceInclude,
  };
}

// RedirectAndAuthStopper prevents redirects and HTTP authentication
function RedirectAndAuthStopper() {}

RedirectAndAuthStopper.prototype = {
  // nsIChannelEventSink
  asyncOnChannelRedirect(oldChannel, newChannel, flags, callback) {
    throw Components.Exception("", Cr.NS_ERROR_ENTITY_CHANGED);
  },

  // nsIAuthPrompt2
  promptAuth(channel, level, authInfo) {
    return false;
  },

  asyncPromptAuth(channel, callback, context, level, authInfo) {
    throw Components.Exception("", Cr.NS_ERROR_NOT_IMPLEMENTED);
  },

  getInterface(iid) {
    return this.QueryInterface(iid);
  },

  QueryInterface: ChromeUtils.generateQI([
    "nsIChannelEventSink",
    "nsIAuthPrompt2",
  ]),
};

function fetchstatus(host) {
  return new Promise((resolve, reject) => {
    let xhr = new XMLHttpRequest();
    let uri = "https://" + host.name + "/";

    xhr.open("head", uri, true);
    xhr.setRequestHeader("X-Automated-Tool", TOOL_SOURCE);
    xhr.timeout = REQUEST_TIMEOUT;

    let errorHandler = () => {
      dump("ERROR: exception making request to " + host.name + "\n");
      resolve(
        processStsHeader(
          host,
          null,
          xhr.status,
          xhr.channel && xhr.channel.securityInfo
        )
      );
    };

    xhr.onerror = errorHandler;
    xhr.ontimeout = errorHandler;
    xhr.onabort = errorHandler;

    xhr.onload = () => {
      let header = xhr.getResponseHeader("strict-transport-security");
      resolve(
        processStsHeader(host, header, xhr.status, xhr.channel.securityInfo)
      );
    };

    xhr.channel.notificationCallbacks = new RedirectAndAuthStopper();
    xhr.send();
  });
}

async function getHSTSStatus(host) {
  do {
    host = await fetchstatus(host);
  } while (shouldRetry(host));
  return host;
}

function compareHSTSStatus(a, b) {
  if (a.name > b.name) {
    return 1;
  }
  if (a.name < b.name) {
    return -1;
  }
  return 0;
}

function writeTo(string, fos) {
  fos.write(string, string.length);
}

// Determines and returns a string representing a declaration of when this
// preload list should no longer be used.
// This is the current time plus MINIMUM_REQUIRED_MAX_AGE.
function getExpirationTimeString() {
  let now = new Date();
  let nowMillis = now.getTime();
  // MINIMUM_REQUIRED_MAX_AGE is in seconds, so convert to milliseconds
  let expirationMillis = nowMillis + MINIMUM_REQUIRED_MAX_AGE * 1000;
  let expirationMicros = expirationMillis * 1000;
  return (
    "const PRTime gPreloadListExpirationTime = INT64_C(" +
    expirationMicros +
    ");\n"
  );
}

function shouldRetry(response) {
  return (
    response.error != ERROR_NO_HSTS_HEADER &&
    response.error != ERROR_MAX_AGE_TOO_LOW &&
    response.error != ERROR_NONE &&
    response.retries > 0
  );
}

// Copied from browser/components/migration/MigrationUtils.sys.mjs
function spinResolve(promise) {
  if (!(promise instanceof Promise)) {
    return promise;
  }
  let done = false;
  let result = null;
  let error = null;
  promise
    .catch(e => {
      error = e;
    })
    .then(r => {
      result = r;
      done = true;
    });

  Services.tm.spinEventLoopUntil(
    "getHSTSPreloadList.js:spinResolve",
    () => done
  );
  if (error) {
    throw error;
  } else {
    return result;
  }
}

async function probeHSTSStatuses(inHosts) {
  let totalLength = inHosts.length;
  dump("Examining " + totalLength + " hosts.\n");

  // Make requests in batches of MAX_CONCURRENT_REQUESTS. Otherwise, we have
  // too many in-flight requests and the time it takes to process them causes
  // them all to time out.
  let allResults = [];
  while (inHosts.length) {
    let promises = [];
    for (let i = 0; i < MAX_CONCURRENT_REQUESTS && inHosts.length; i++) {
      let host = inHosts.shift();
      promises.push(getHSTSStatus(host));
    }
    let results = await Promise.all(promises);
    let progress = (
      (100 * (totalLength - inHosts.length)) /
      totalLength
    ).toFixed(2);
    dump(progress + "% done\n");
    allResults = allResults.concat(results);
  }

  dump("HSTS Probe received " + allResults.length + " statuses.\n");
  return allResults;
}

function readCurrentList(filename) {
  var currentHosts = {};
  var file = Cc["@mozilla.org/file/local;1"].createInstance(Ci.nsIFile);
  file.initWithPath(filename);
  var fis = Cc["@mozilla.org/network/file-input-stream;1"].createInstance(
    Ci.nsILineInputStream
  );
  fis.init(file, -1, -1, Ci.nsIFileInputStream.CLOSE_ON_EOF);
  var line = {};

  // While we generate entries matching the latest version format,
  // we still need to be able to read entries in the previous version formats
  // for bootstrapping a latest version preload list from a previous version
  // preload list. Hence these regexes.
  const entryRegexes = [
    /([^,]+), (0|1)/, // v3
    / {2}\/\* "([^"]*)", (true|false) \*\//, // v2
    / {2}{ "([^"]*)", (true|false) },/, // v1
  ];

  while (fis.readLine(line)) {
    let match;
    entryRegexes.find(r => {
      match = r.exec(line.value);
      return match;
    });
    if (match) {
      currentHosts[match[1]] = match[2] == "1" || match[2] == "true";
    }
  }
  return currentHosts;
}

function combineLists(newHosts, currentHosts) {
  let newHostsSet = new Set();

  for (let newHost of newHosts) {
    newHostsSet.add(newHost.name);
  }

  for (let currentHost in currentHosts) {
    if (!newHostsSet.has(currentHost)) {
      newHosts.push({ name: currentHost, retries: MAX_RETRIES });
    }
  }
}

const TEST_ENTRIES = [
  {
    name: "includesubdomains.preloaded.test",
    includeSubdomains: true,
  },
  {
    name: "includesubdomains2.preloaded.test",
    includeSubdomains: true,
  },
  {
    name: "noincludesubdomains.preloaded.test",
    includeSubdomains: false,
  },
];

function deleteTestHosts(currentHosts) {
  for (let testEntry of TEST_ENTRIES) {
    delete currentHosts[testEntry.name];
  }
}

function getTestHosts() {
  let hosts = [];
  for (let testEntry of TEST_ENTRIES) {
    hosts.push({
      name: testEntry.name,
      maxAge: MINIMUM_REQUIRED_MAX_AGE,
      includeSubdomains: testEntry.includeSubdomains,
      error: ERROR_NONE,
      // This deliberately doesn't have a value for `retries` (because we should
      // never attempt to connect to this host).
      forceInclude: true,
    });
  }
  return hosts;
}

async function insertHosts(inoutHostList, inAddedHosts) {
  for (let host of inAddedHosts) {
    inoutHostList.push(host);
  }
}

function filterForcedInclusions(inHosts, outNotForced, outForced) {
  // Apply our filters (based on policy today) to determine which entries
  // will be included without being checked (forced); the others will be
  // checked using active probing.
  for (let host of inHosts) {
    if (
      host.policy == "google" ||
      host.policy == "public-suffix" ||
      host.policy == "public-suffix-requested"
    ) {
      host.forceInclude = true;
      host.error = ERROR_NONE;
      outForced.push(host);
    } else {
      outNotForced.push(host);
    }
  }
}

function output(statuses) {
  dump("INFO: Writing output to " + OUTPUT + "\n");
  try {
    let file = new FileUtils.File(
      PathUtils.join(Services.dirsvc.get("CurWorkD", Ci.nsIFile).path, OUTPUT)
    );
    let fos = FileUtils.openSafeFileOutputStream(file);
    writeTo(HEADER, fos);
    writeTo(getExpirationTimeString(), fos);

    writeTo(GPERF_DELIM, fos);

    for (let status of statuses) {
      let includeSubdomains = status.includeSubdomains ? 1 : 0;
      writeTo(status.name + ", " + includeSubdomains + "\n", fos);
    }

    writeTo(GPERF_DELIM, fos);
    FileUtils.closeSafeFileOutputStream(fos);
    dump("finished writing output file\n");
  } catch (e) {
    dump("ERROR: problem writing output to '" + OUTPUT + "': " + e + "\n");
    throw e;
  }
}

function errorToString(status) {
  return status.error == ERROR_MAX_AGE_TOO_LOW
    ? status.error + status.maxAge
    : status.error;
}

async function main(args) {
  if (args.length != 1) {
    throw new Error(
      "Usage: getHSTSPreloadList.js <absolute path to current nsSTSPreloadList.inc>"
    );
  }

  // get the current preload list
  let currentHosts = readCurrentList(args[0]);
  // delete any hosts we use in tests so we don't actually connect to them
  deleteTestHosts(currentHosts);
  // disable the current preload list so it won't interfere with requests we make
  Services.prefs.setBoolPref(
    "network.stricttransportsecurity.preloadlist",
    false
  );
  // download and parse the raw json file from the Chromium source
  let rawdata = download();
  // get just the hosts with mode: "force-https"
  let hosts = getHosts(rawdata);
  // add hosts in the current list to the new list (avoiding duplicates)
  combineLists(hosts, currentHosts);

  // Don't contact hosts that are forced to be included anyway
  let hostsToContact = [];
  let forcedHosts = [];
  filterForcedInclusions(hosts, hostsToContact, forcedHosts);

  // Initialize the final status list
  let hstsStatuses = [];
  // Add the hosts we use in tests
  dump("Adding test hosts\n");
  insertHosts(hstsStatuses, getTestHosts());
  // Add in the hosts that are forced
  dump("Adding forced hosts\n");
  insertHosts(hstsStatuses, forcedHosts);

  let total = await probeHSTSStatuses(hostsToContact)
    .then(function(probedStatuses) {
      return hstsStatuses.concat(probedStatuses);
    })
    .then(function(statuses) {
      return statuses.sort(compareHSTSStatus);
    })
    .then(function(statuses) {
      for (let status of statuses) {
        // If we've encountered an error for this entry (other than the site not
        // sending an HSTS header), be safe and don't remove it from the list
        // (given that it was already on the list).
        if (
          !status.forceInclude &&
          status.error != ERROR_NONE &&
          status.error != ERROR_NO_HSTS_HEADER &&
          status.error != ERROR_MAX_AGE_TOO_LOW &&
          status.name in currentHosts
        ) {
          // dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n");
          status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
          status.includeSubdomains = currentHosts[status.name];
        }
      }
      return statuses;
    })
    .then(function(statuses) {
      // Filter out entries we aren't including.
      var includedStatuses = statuses.filter(function(status) {
        if (status.maxAge < MINIMUM_REQUIRED_MAX_AGE && !status.forceInclude) {
          // dump("INFO: " + status.name + " NOT ON the preload list\n");
          return false;
        }

        // dump("INFO: " + status.name + " ON the preload list (includeSubdomains: " + status.includeSubdomains + ")\n");
        if (status.forceInclude && status.error != ERROR_NONE) {
          dump(
            status.name +
              ": " +
              errorToString(status) +
              " (error ignored - included regardless)\n"
          );
        }
        return true;
      });
      return includedStatuses;
    });

  // Write the output file
  output(total);

  dump("HSTS probing all done\n");
}

// arguments is a global within xpcshell
spinResolve(main(arguments));