Bug 1493222 - Expose InspectorUtils to fuzzers. r=bzbarsky

I can be more granular if we want, by adding more ChromeOnly annotations for the functions that we don't want to expose. Differential Revision: https://phabricator.services.mozilla.com/D6530 --HG-- extra : moz-landing-system : lando
2024-11-25 05:41:12 +00:00 · 2018-09-27 19:00:33 +00:00 · 2018-09-27 19:00:33 +00:00 · d8c0080a10
commit d8c0080a10
parent 4de01379de
8 changed files with 44 additions and 11 deletions
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@ -2211,6 +2211,14 @@ nsContentUtils::IsCallerChrome()
  return xpc::IsUniversalXPConnectEnabled(GetCurrentJSContext());
 }

+#ifdef FUZZING
+bool
+nsContentUtils::IsFuzzingEnabled()
+{
+  return StaticPrefs::fuzzing_enabled();
+}
+#endif
+
 /* static */
 bool
 nsContentUtils::ShouldResistFingerprinting()
--- a/dom/base/nsContentUtils.h
+++ b/dom/base/nsContentUtils.h
@ -219,6 +219,19 @@ public:
  static bool IsCallerChrome();
  static bool ThreadsafeIsCallerChrome();
  static bool IsCallerContentXBL();
+  static bool IsFuzzingEnabled()
+#ifndef FUZZING
+  {
+    return false;
+  }
+#else
+  ;
+#endif
+
+  static bool IsCallerChromeOrFuzzingEnabled(JSContext* aCx, JSObject*)
+  {
+    return ThreadsafeIsSystemCaller(aCx) || IsFuzzingEnabled();
+  }

  // The APIs for checking whether the caller is system (in the sense of system
  // principal) should only be used when the JSContext is known to accurately
--- a/dom/bindings/Configuration.py
+++ b/dom/bindings/Configuration.py
@ -105,6 +105,7 @@ class Configuration(DescriptorProvider):
                            (partialIface.location, iface.location))
                if not (iface.getExtendedAttribute("ChromeOnly") or
                        iface.getExtendedAttribute("Func") == ["IsChromeOrXBL"] or
+                        iface.getExtendedAttribute("Func") == ["nsContentUtils::IsCallerChromeOrFuzzingEnabled"] or
                        not (iface.hasInterfaceObject() or
                             iface.isNavigatorProperty()) or
                        isInWebIDLRoot(iface.filename())):
--- a/dom/bindings/parser/WebIDL.py
+++ b/dom/bindings/parser/WebIDL.py
@ -1809,7 +1809,7 @@ class IDLNamespace(IDLInterfaceOrNamespace):
                if not attr.noArguments():
                    raise WebIDLError("[%s] must not have arguments" % identifier,
                                      [attr.location])
-            elif identifier == "Pref":
+            elif identifier == "Pref" or identifier == "Func":
                # Known extended attributes that take a string value
                if not attr.hasValue():
                    raise WebIDLError("[%s] must have a value" % identifier,
--- a/dom/chrome-webidl/InspectorUtils.webidl
+++ b/dom/chrome-webidl/InspectorUtils.webidl
@ -9,7 +9,7 @@
 *
 * See InspectorUtils.h for documentation on these methods.
 */
-[ChromeOnly]
+[Func="nsContentUtils::IsCallerChromeOrFuzzingEnabled"]
 namespace InspectorUtils {
  // documentOnly tells whether user and UA sheets should get included.
  sequence<StyleSheet> getAllStyleSheets(Document document, optional boolean documentOnly = false);
@ -129,7 +129,7 @@ dictionary InspectorFontFeature {
  required DOMString languageSystem;
 };

-[ChromeOnly]
+[Func="nsContentUtils::IsCallerChromeOrFuzzingEnabled"]
 interface InspectorFontFace {
  // An indication of how we found this font during font-matching.
  // Note that the same physical font may have been found in multiple ways within a range.
--- a/js/xpconnect/src/XPCJSContext.cpp
+++ b/js/xpconnect/src/XPCJSContext.cpp
@ -30,6 +30,7 @@
 #include "mozilla/Preferences.h"
 #include "mozilla/Telemetry.h"
 #include "mozilla/Services.h"
+#include "mozilla/StaticPrefs.h"
 #include "mozilla/dom/ScriptSettings.h"

 #include "nsContentUtils.h"
@ -861,7 +862,7 @@ ReloadPrefsCallback(const char* pref, XPCJSContext* xpccx)
 #endif // JS_GC_ZEAL

 #ifdef FUZZING
-    bool fuzzingEnabled = Preferences::GetBool("fuzzing.enabled");
+    bool fuzzingEnabled = StaticPrefs::fuzzing_enabled();
 #endif

    JS::ContextOptionsRef(cx).setBaseline(useBaseline)
--- a/modules/libpref/init/StaticPrefList.h
+++ b/modules/libpref/init/StaticPrefList.h
@ -87,6 +87,20 @@ VARCACHE_PREF(
  RelaxedAtomicBool, false
 )

+//---------------------------------------------------------------------------
+// Fuzzing prefs. It's important that these can only be checked in fuzzing
+// builds (when FUZZING is defined), otherwise you could enable the fuzzing
+// stuff on your regular build which would be bad :)
+//---------------------------------------------------------------------------
+
+#ifdef FUZZING
+VARCACHE_PREF(
+  "fuzzing.enabled",
+   fuzzing_enabled,
+  bool, false
+)
+#endif
+
 //---------------------------------------------------------------------------
 // Clipboard prefs
 //---------------------------------------------------------------------------
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@ -5813,10 +5813,6 @@ pref("dom.payments.loglevel", "Warn");
 pref("dom.payments.defaults.saveCreditCard", false);
 pref("dom.payments.defaults.saveAddress", true);

-#ifdef FUZZING
-pref("fuzzing.enabled", false);
-#endif
-
 #ifdef MOZ_ASAN_REPORTER
 pref("asanreporter.apiurl", "https://anf1.fuzzing.mozilla.org/crashproxy/submit/");
 pref("asanreporter.clientid", "unknown");