Bug 1772378: Move Eval checks higher to encompass JSMs r=bholley

This no longer permits wasm modules to be instantiated;
and will perform an eval check even when no csp exists,
such as for JSMs.

Differential Revision: https://phabricator.services.mozilla.com/D148141
This commit is contained in:
Tom Ritter 2022-06-29 13:45:57 +00:00
parent 89aec958ac
commit be3d5275d4


@ -451,13 +451,34 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
JSContext* cx, JS::RuntimeCode aKind, JS::Handle<JSString*> aCode) {
MOZ_ASSERT(cx == nsContentUtils::GetCurrentJSContext());
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
// Check if Eval is allowed per firefox hardening policy
bool contextForbidsEval =
(subjectPrincipal->IsSystemPrincipal() || XRE_IsE10sParentProcess());
#if defined(ANDROID)
contextForbidsEval = false;
#endif
if (contextForbidsEval) {
nsAutoJSString scriptSample;
if (aKind == JS::RuntimeCode::JS &&
NS_WARN_IF(!scriptSample.init(cx, aCode))) {
return false;
}
if (!nsContentSecurityUtils::IsEvalAllowed(
cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
return false;
}
}
// Get the window, if any, corresponding to the current global
nsCOMPtr<nsIContentSecurityPolicy> csp;
if (nsGlobalWindowInner* win = xpc::CurrentWindowOrNull(cx)) {
csp = win->GetCsp();
}
nsCOMPtr<nsIPrincipal> subjectPrincipal = nsContentUtils::SubjectPrincipal();
if (!csp) {
// Get the CSP for addon sandboxes. If the principal is expanded and has a
// csp, we're probably in luck.
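Review bot: The hoisted check at `NS_WARN_IF(!scriptSample.init(cx, aCode))` returns false without clearing the exception a failed init may leave pending on cx, whereas the removed copy of the same check in the second hunk (and the surviving one in the third) calls `JS_ClearPendingException(cx);` first; unless callers are expected to handle a pending exception on a false return, add `JS_ClearPendingException(cx);` before that `return false;`. The name `contextForbidsEval` reads as if the decision were already made, though it only selects the contexts in which `IsEvalAllowed` is consulted; a name such as `applyEvalHardening` would describe that better. The new comment could also state why the check now runs ahead of the CSP lookup, e.g. `// Run the hardening check before the CSP lookup so that system-principal code with no CSP (such as JSMs) is still covered`. ContentSecurityPolicyPermitsJSAction continues outside the hunk.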
@ -484,29 +505,8 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
bool evalOK = true;
bool reportViolation = false;
nsAutoJSString scriptSample;
if (aKind == JS::RuntimeCode::JS) {
nsresult rv = csp->GetAllowsEval(&reportViolation, &evalOK);
// A little convoluted. We want the scriptSample for a) reporting a
// violation or b) passing it to AssertEvalNotUsingSystemPrincipal or c)
// we're in the parent process. So do the work to get it if either of those
// cases is true.
if (reportViolation || subjectPrincipal->IsSystemPrincipal() ||
XRE_IsE10sParentProcess()) {
if (NS_WARN_IF(!scriptSample.init(cx, aCode))) {
JS_ClearPendingException(cx);
return false;
}
}
#if !defined(ANDROID)
if (!nsContentSecurityUtils::IsEvalAllowed(
cx, subjectPrincipal->IsSystemPrincipal(), scriptSample)) {
return false;
}
#endif
if (NS_FAILED(rv)) {
NS_WARNING("CSP: failed to get allowsEval");
return true; // fail open to not break sites.
@ -541,6 +541,12 @@ bool nsScriptSecurityManager::ContentSecurityPolicyPermitsJSAction(
MOZ_ASSERT(!JS_IsExceptionPending(cx));
}
nsAutoJSString scriptSample;
if (aKind == JS::RuntimeCode::JS &&
NS_WARN_IF(!scriptSample.init(cx, aCode))) {
JS_ClearPendingException(cx);
return false;
}
uint16_t violationType =
aKind == JS::RuntimeCode::JS
? nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL