Bug 1490165 - Workers.setTimeout/setInterval must handle CSP rejections, r=ckerschb

2024-10-17 07:15:46 +00:00 · 2018-09-17 17:53:10 +02:00 · 2018-09-17 17:53:10 +02:00 · cfe495e70b
commit cfe495e70b
parent 0040934b67
10 changed files with 259 additions and 79 deletions
--- a/dom/base/nsJSTimeoutHandler.cpp
+++ b/dom/base/nsJSTimeoutHandler.cpp
@ -9,6 +9,7 @@
 #include "mozilla/Attributes.h"
 #include "mozilla/Likely.h"
 #include "mozilla/Maybe.h"
+#include "mozilla/dom/CSPEvalChecker.h"
 #include "mozilla/dom/FunctionBinding.h"
 #include "mozilla/dom/WorkerPrivate.h"
 #include "nsCOMPtr.h"
@ -45,7 +46,8 @@ public:
                           Function& aFunction,
                           nsTArray<JS::Heap<JS::Value>>&& aArguments);
  nsJSScriptTimeoutHandler(JSContext* aCx, WorkerPrivate* aWorkerPrivate,
-                           const nsAString& aExpression);
+                           const nsAString& aExpression, bool* aAllowEval,
+                           ErrorResult& aRv);

  virtual const nsAString& GetHandlerText() override;

@ -163,54 +165,6 @@ NS_INTERFACE_MAP_END
 NS_IMPL_CYCLE_COLLECTING_ADDREF(nsJSScriptTimeoutHandler)
 NS_IMPL_CYCLE_COLLECTING_RELEASE(nsJSScriptTimeoutHandler)

-static bool
-CheckCSPForEval(JSContext* aCx, nsGlobalWindowInner* aWindow,
-                const nsAString& aExpression, ErrorResult& aError)
-{
-  // if CSP is enabled, and setTimeout/setInterval was called with a string,
-  // disable the registration and log an error
-  nsCOMPtr<nsIDocument> doc = aWindow->GetExtantDoc();
-  if (!doc) {
-    // if there's no document, we don't have to do anything.
-    return true;
-  }
-
-  nsCOMPtr<nsIContentSecurityPolicy> csp;
-  aError = doc->NodePrincipal()->GetCsp(getter_AddRefs(csp));
-  if (aError.Failed()) {
-    return false;
-  }
-
-  if (!csp) {
-    return true;
-  }
-
-  bool allowsEval = true;
-  bool reportViolation = false;
-  aError = csp->GetAllowsEval(&reportViolation, &allowsEval);
-  if (aError.Failed()) {
-    return false;
-  }
-
-  if (reportViolation) {
-    // Get the calling location.
-    uint32_t lineNum = 0;
-    uint32_t columnNum = 0;
-    nsAutoString fileNameString;
-    if (!nsJSUtils::GetCallingLocation(aCx, fileNameString, &lineNum,
-                                       &columnNum)) {
-      fileNameString.AssignLiteral("unknown");
-    }
-
-    csp->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
-                             nullptr, // triggering element
-                             fileNameString, aExpression, lineNum, columnNum,
-                             EmptyString(), EmptyString());
-  }
-
-  return allowsEval;
-}
-
 nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler()
  : mLineNo(0)
  , mColumn(0)
@ -252,8 +206,9 @@ nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler(JSContext* aCx,
    return;
  }

-  *aAllowEval = CheckCSPForEval(aCx, aWindow, aExpression, aError);
-  if (aError.Failed() || !*aAllowEval) {
+  aError = CSPEvalChecker::CheckForWindow(aCx, aWindow, aExpression,
+                                          aAllowEval);
+  if (NS_WARN_IF(aError.Failed()) || !*aAllowEval) {
    return;
  }

@ -276,7 +231,9 @@ nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler(JSContext* aCx,

 nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler(JSContext* aCx,
                                                   WorkerPrivate* aWorkerPrivate,
-                                                   const nsAString& aExpression)
+                                                   const nsAString& aExpression,
+                                                   bool* aAllowEval,
+                                                   ErrorResult& aError)
  : mLineNo(0)
  , mColumn(0)
  , mExpr(aExpression)
@ -284,6 +241,12 @@ nsJSScriptTimeoutHandler::nsJSScriptTimeoutHandler(JSContext* aCx,
  MOZ_ASSERT(aWorkerPrivate);
  aWorkerPrivate->AssertIsOnWorkerThread();

+  aError = CSPEvalChecker::CheckForWorker(aCx, aWorkerPrivate, aExpression,
+                                          aAllowEval);
+  if (NS_WARN_IF(aError.Failed()) || !*aAllowEval) {
+    return;
+  }
+
  Init(aCx);
 }

@ -376,9 +339,15 @@ NS_CreateJSTimeoutHandler(JSContext *aCx, WorkerPrivate* aWorkerPrivate,

 already_AddRefed<nsIScriptTimeoutHandler>
 NS_CreateJSTimeoutHandler(JSContext* aCx, WorkerPrivate* aWorkerPrivate,
-                          const nsAString& aExpression)
+                          const nsAString& aExpression, ErrorResult& aRv)
 {
+  bool allowEval = false;
  RefPtr<nsJSScriptTimeoutHandler> handler =
-    new nsJSScriptTimeoutHandler(aCx, aWorkerPrivate, aExpression);
+    new nsJSScriptTimeoutHandler(aCx, aWorkerPrivate, aExpression, &allowEval,
+                                 aRv);
+  if (aRv.Failed() || !allowEval) {
+    return nullptr;
+  }
+
  return handler.forget();
 }
--- a/dom/security/CSPEvalChecker.cpp
+++ b/dom/security/CSPEvalChecker.cpp
@ -0,0 +1,185 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "mozilla/dom/CSPEvalChecker.h"
+#include "mozilla/dom/WorkerPrivate.h"
+#include "mozilla/dom/WorkerRunnable.h"
+#include "mozilla/ErrorResult.h"
+#include "nsGlobalWindowInner.h"
+#include "nsIDocument.h"
+#include "nsCOMPtr.h"
+#include "nsJSUtils.h"
+
+using namespace mozilla;
+using namespace mozilla::dom;
+
+namespace {
+
+nsresult
+CheckInternal(nsIContentSecurityPolicy* aCSP,
+              const nsAString& aExpression,
+              const nsAString& aFileNameString,
+              uint32_t aLineNum,
+              uint32_t aColumnNum,
+              bool* aAllowed)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(aAllowed);
+
+  // The value is set at any "return", but better to have a default value here.
+  *aAllowed = false;
+
+  if (!aCSP) {
+    *aAllowed = true;
+    return NS_OK;
+  }
+
+  bool reportViolation = false;
+  nsresult rv = aCSP->GetAllowsEval(&reportViolation, aAllowed);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    *aAllowed = false;
+    return rv;
+  }
+
+  if (reportViolation) {
+    aCSP->LogViolationDetails(nsIContentSecurityPolicy::VIOLATION_TYPE_EVAL,
+                              nullptr, // triggering element
+                              aFileNameString, aExpression, aLineNum,
+                              aColumnNum, EmptyString(), EmptyString());
+  }
+
+  return NS_OK;
+}
+
+class WorkerCSPCheckRunnable final : public WorkerMainThreadRunnable
+{
+public:
+  WorkerCSPCheckRunnable(WorkerPrivate* aWorkerPrivate,
+                         const nsAString& aExpression,
+                         const nsAString& aFileNameString,
+                         uint32_t aLineNum,
+                         uint32_t aColumnNum)
+    : WorkerMainThreadRunnable(aWorkerPrivate,
+                               NS_LITERAL_CSTRING("CSP Eval Check"))
+    , mExpression(aExpression)
+    , mFileNameString(aFileNameString)
+    , mLineNum(aLineNum)
+    , mColumnNum(aColumnNum)
+    , mEvalAllowed(false)
+  {}
+
+  bool
+  MainThreadRun() override
+  {
+    mResult = CheckInternal(mWorkerPrivate->GetCSP(), mExpression,
+                            mFileNameString, mLineNum, mColumnNum,
+                            &mEvalAllowed);
+    return true;
+  }
+
+  nsresult
+  GetResult(bool* aAllowed)
+  {
+    MOZ_ASSERT(aAllowed);
+    *aAllowed = mEvalAllowed;
+    return mResult;
+  }
+
+private:
+  const nsString mExpression;
+  const nsString mFileNameString;
+  const uint32_t mLineNum;
+  const uint32_t mColumnNum;
+  bool mEvalAllowed;
+  nsresult mResult;
+};
+
+} // anonymous
+
+/* static */ nsresult
+CSPEvalChecker::CheckForWindow(JSContext* aCx, nsGlobalWindowInner* aWindow,
+                               const nsAString& aExpression, bool* aAllowEval)
+{
+  MOZ_ASSERT(NS_IsMainThread());
+  MOZ_ASSERT(aWindow);
+  MOZ_ASSERT(aAllowEval);
+
+  // The value is set at any "return", but better to have a default value here.
+  *aAllowEval = false;
+
+  // if CSP is enabled, and setTimeout/setInterval was called with a string,
+  // disable the registration and log an error
+  nsCOMPtr<nsIDocument> doc = aWindow->GetExtantDoc();
+  if (!doc) {
+    // if there's no document, we don't have to do anything.
+    *aAllowEval = true;
+    return NS_OK;
+  }
+
+  nsCOMPtr<nsIContentSecurityPolicy> csp;
+  nsresult rv = doc->NodePrincipal()->GetCsp(getter_AddRefs(csp));
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    *aAllowEval = false;
+    return rv;
+  }
+
+  // Get the calling location.
+  uint32_t lineNum = 0;
+  uint32_t columnNum = 0;
+  nsAutoString fileNameString;
+  if (!nsJSUtils::GetCallingLocation(aCx, fileNameString, &lineNum,
+                                     &columnNum)) {
+    fileNameString.AssignLiteral("unknown");
+  }
+
+  rv = CheckInternal(csp, aExpression, fileNameString, lineNum, columnNum,
+                     aAllowEval);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    *aAllowEval = false;
+    return rv;
+  }
+
+  return NS_OK;
+}
+
+/* static */ nsresult
+CSPEvalChecker::CheckForWorker(JSContext* aCx, WorkerPrivate* aWorkerPrivate,
+                               const nsAString& aExpression, bool* aAllowEval)
+{
+  MOZ_ASSERT(aWorkerPrivate);
+  aWorkerPrivate->AssertIsOnWorkerThread();
+  MOZ_ASSERT(aAllowEval);
+
+  // The value is set at any "return", but better to have a default value here.
+  *aAllowEval = false;
+
+  // Get the calling location.
+  uint32_t lineNum = 0;
+  uint32_t columnNum = 0;
+  nsAutoString fileNameString;
+  if (!nsJSUtils::GetCallingLocation(aCx, fileNameString, &lineNum,
+                                     &columnNum)) {
+    fileNameString.AssignLiteral("unknown");
+  }
+
+  RefPtr<WorkerCSPCheckRunnable> r =
+    new WorkerCSPCheckRunnable(aWorkerPrivate, aExpression, fileNameString,
+                               lineNum, columnNum);
+  ErrorResult error;
+  r->Dispatch(Canceling, error);
+  if (NS_WARN_IF(error.Failed())) {
+    *aAllowEval = false;
+    return error.StealNSResult();
+  }
+
+  nsresult rv = r->GetResult(aAllowEval);
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    *aAllowEval = false;
+    return rv;
+  }
+
+  return NS_OK;
+}
--- a/dom/security/CSPEvalChecker.h
+++ b/dom/security/CSPEvalChecker.h
@ -0,0 +1,35 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_CSPEvalChecker_h
+#define mozilla_dom_CSPEvalChecker_h
+
+#include "nsString.h"
+
+struct JSContext;
+class nsGlobalWindowInner;
+
+namespace mozilla {
+namespace dom {
+
+class WorkerPrivate;
+
+class CSPEvalChecker final
+{
+public:
+  static nsresult
+  CheckForWindow(JSContext* aCx, nsGlobalWindowInner* aWindow,
+                 const nsAString& aExpression, bool* aAllowEval);
+
+  static nsresult
+  CheckForWorker(JSContext* aCx, WorkerPrivate* aWorkerPrivate,
+                 const nsAString& aExpression, bool* aAllowEval);
+};
+
+} // dom namespace
+} // mozilla namespace
+
+#endif // mozilla_dom_CSPEvalChecker_h
--- a/dom/security/moz.build
+++ b/dom/security/moz.build
@ -11,6 +11,7 @@ TEST_DIRS += ['test']

 EXPORTS.mozilla.dom += [
    'ContentVerifier.h',
+    'CSPEvalChecker.h',
    'FramingChecker.h',
    'nsContentSecurityManager.h',
    'nsCSPContext.h',
@ -30,6 +31,7 @@ EXPORTS += [

 UNIFIED_SOURCES += [
    'ContentVerifier.cpp',
+    'CSPEvalChecker.cpp',
    'FramingChecker.cpp',
    'nsContentSecurityManager.cpp',
    'nsCSPContext.cpp',
--- a/dom/workers/ScriptLoader.cpp
+++ b/dom/workers/ScriptLoader.cpp
@ -1224,7 +1224,7 @@ private:
            ("Scriptloader::Load, SRI required but not supported in workers"));
      nsCOMPtr<nsIContentSecurityPolicy> wcsp;
      chanLoadInfo->LoadingPrincipal()->GetCsp(getter_AddRefs(wcsp));
-      MOZ_ASSERT(wcsp, "We sould have a CSP for the worker here");
+      MOZ_ASSERT(wcsp, "We should have a CSP for the worker here");
      if (wcsp) {
        wcsp->LogViolationDetails(
            nsIContentSecurityPolicy::VIOLATION_TYPE_REQUIRE_SRI_FOR_SCRIPT,
--- a/dom/workers/WorkerScope.cpp
+++ b/dom/workers/WorkerScope.cpp
@ -67,7 +67,8 @@ NS_CreateJSTimeoutHandler(JSContext* aCx,
 extern already_AddRefed<nsIScriptTimeoutHandler>
 NS_CreateJSTimeoutHandler(JSContext* aCx,
                          mozilla::dom::WorkerPrivate* aWorkerPrivate,
-                          const nsAString& aExpression);
+                          const nsAString& aExpression,
+                          mozilla::ErrorResult& aRv);

 namespace mozilla {
 namespace dom {
@ -276,7 +277,7 @@ WorkerGlobalScope::SetTimeout(JSContext* aCx,

  nsCOMPtr<nsIScriptTimeoutHandler> handler =
    NS_CreateJSTimeoutHandler(aCx, mWorkerPrivate, aHandler, aArguments, aRv);
-  if (NS_WARN_IF(aRv.Failed())) {
+  if (!handler) {
    return 0;
  }

@ -293,7 +294,11 @@ WorkerGlobalScope::SetTimeout(JSContext* aCx,
  mWorkerPrivate->AssertIsOnWorkerThread();

  nsCOMPtr<nsIScriptTimeoutHandler> handler =
-    NS_CreateJSTimeoutHandler(aCx, mWorkerPrivate, aHandler);
+    NS_CreateJSTimeoutHandler(aCx, mWorkerPrivate, aHandler, aRv);
+  if (!handler) {
+    return 0;
+  }
+
  return mWorkerPrivate->SetTimeout(aCx, handler, aTimeout, false, aRv);
 }

@ -334,7 +339,11 @@ WorkerGlobalScope::SetInterval(JSContext* aCx,
  Sequence<JS::Value> dummy;

  nsCOMPtr<nsIScriptTimeoutHandler> handler =
-    NS_CreateJSTimeoutHandler(aCx, mWorkerPrivate, aHandler);
+    NS_CreateJSTimeoutHandler(aCx, mWorkerPrivate, aHandler, aRv);
+  if (NS_WARN_IF(aRv.Failed())) {
+    return 0;
+  }
+
  return mWorkerPrivate->SetTimeout(aCx, handler, aTimeout, true, aRv);
 }

--- a/testing/web-platform/meta/content-security-policy/inside-worker/dedicated-script.html.ini
+++ b/testing/web-platform/meta/content-security-policy/inside-worker/dedicated-script.html.ini
@ -27,9 +27,3 @@
  [`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*)]
    expected: FAIL

-  [`setTimeout([string\])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20*)]
-    expected: FAIL
-
-  [`setTimeout([string\])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20*)]
-    expected: FAIL
-
--- a/testing/web-platform/meta/content-security-policy/inside-worker/shared-script.html.ini
+++ b/testing/web-platform/meta/content-security-policy/inside-worker/shared-script.html.ini
@ -2,12 +2,6 @@
  [`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27]
    expected: FAIL

-  [`setTimeout([string\])` blocked in http:?pipe=sub|header(Content-Security-Policy,script-src%20%27self%27]
-    expected: FAIL
-
  [`eval()` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27]
    expected: FAIL

-  [`setTimeout([string\])` blocked in http:?pipe=sub|header(Content-Security-Policy,default-src%20%27self%27]
-    expected: FAIL
-
--- a/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/script-src-1_4_2.html.ini
@ -1,4 +0,0 @@
-[script-src-1_4_2.html]
-  [Unsafe eval ran in Function() constructor.]
-    expected: FAIL
-
--- a/testing/web-platform/meta/content-security-policy/script-src/worker-set-timeout-blocked.sub.html.ini
+++ b/testing/web-platform/meta/content-security-policy/script-src/worker-set-timeout-blocked.sub.html.ini
@ -1,4 +0,0 @@
-[worker-set-timeout-blocked.sub.html]
-  [Expecting alerts: ["setTimeout blocked"\]]
-    expected: FAIL
-