Issue 5382 - Wrap DOM mutation APIs to protect frames

inject.preload.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-present eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ skipping 63 matching lines @@
 
   function injectIntoAllFrames()
   {
     for (let i = 0; i < window.length; i++)
       injectIntoContentWindow(window[i]);
   }
 
   function wrapAPIForInjection(object, api, callback)
   {
     let func = object[api];
-    object[api] = function(...args)
-    {
-      let returnValue = func.apply(this, args);

[kzar, 2017/12/11 08:48:13]

I think func.apply could have been messed with at this point. I recommend
reading through all Tartpvule's comments[1] on the similar codereviews to get an
idea about some of the things we have to watch out for. There's likely some
other similar problems.

[1] -
https://codereview.adblockplus.org/search?closed=1&owner=&reviewer=chinrtgm1%...

[Manish Jethani, 2018/02/21 16:37:39]

Thanks, for this one in particular now I've bound the function to
Function.prototype.apply similar to what we're doing in other places.

-      callback(returnValue);
-      return returnValue;
-    };
+    if (!func || typeof func != "function")
+      return;
+    let applyFunc = Function.prototype.apply.bind(func);
+    Object.defineProperty(object, api, {
+      value(...args)
+      {
+        let returnValue = applyFunc(this, args);
+        callback(returnValue);
+        return returnValue;
+      }
+    });
   }
 
   function wrapPropertyAPIForInjection(object, api, method, callback)
   {
     let descriptor = Object.getOwnPropertyDescriptor(object, api);
+    // Apparently HTMLObjectElement.prototype.contentWindow does not exist in
+    // older versions of Chrome such as 42.
+    if (!descriptor)
+      return;
     wrapAPIForInjection(descriptor, method, callback);
     Object.defineProperty(object, api, descriptor);
   }
 
   wrapAPIForInjection(Node.prototype, "appendChild", injectIntoAllFrames);
   wrapAPIForInjection(Node.prototype, "insertBefore", injectIntoAllFrames);
   wrapAPIForInjection(Node.prototype, "replaceChild", injectIntoAllFrames);
 
   wrapPropertyAPIForInjection(Element.prototype,
                               "innerHTML", "set", injectIntoAllFrames);
 
   wrapPropertyAPIForInjection(HTMLObjectElement.prototype,

[Manish Jethani, 2017/10/24 01:43:28]

HTMLFrameElement and HTMLIFrameElement don't need wrappers now because we're
injecting the code preemptively.

For HTMLObjectElement we don't have to worry about Chrome 42, it's too old now.

[kzar, 2017/12/11 08:48:13]

Fair enough but did you check that it's OK with Chrome 49?

[Manish Jethani, 2018/02/21 16:37:39]

I've added a check now so if the descriptor is not found it'll just return.

                               "contentWindow", "get", injectIntoContentWindow);
-  wrapPropertyAPIForInjection(HTMLObjectElement.prototype,
-                              "contentDocument", "get",
-                              doc => injectIntoContentWindow(doc.defaultView));
+  wrapPropertyAPIForInjection(
+    HTMLObjectElement.prototype,
+    "contentDocument", "get",
+    contentDocument =>
+    {
+      if (contentDocument)
+        injectIntoContentWindow(contentDocument.defaultView);
+    }
+  );
 
   /*
    * Shadow root getter wrapper
    *
    * After creating our shadowRoot we must wrap the getter to prevent the
    * website from accessing it (#4191, #4298). This is required as a
    * workaround for the lack of user style support in Chrome.
    * See https://bugs.chromium.org/p/chromium/issues/detail?id=632009&desc=2
    */
   if ("shadowRoot" in Element.prototype)
@@ skipping 96 matching lines @@
 
   /*
    * RTCPeerConnection wrapper
    *
    * The webRequest API in Chrome does not yet allow the blocking of
    * WebRTC connections.
    * See https://bugs.chromium.org/p/chromium/issues/detail?id=707683
    */
   let RealRTCPeerConnection = window.RTCPeerConnection ||
                                 window.webkitRTCPeerConnection;
-  let closeRTCPeerConnection = Function.prototype.call.bind(
-    RealRTCPeerConnection.prototype.close
-  );
-  let RealArray = Array;
-  let RealString = String;
-  let {create: createObject, defineProperty} = Object;
-
-  function normalizeUrl(url)
-  {
-    if (typeof url != "undefined")
-      return RealString(url);
-  }
-
-  function safeCopyArray(originalArray, transform)
-  {
-    if (originalArray == null || typeof originalArray != "object")
-      return originalArray;
-
-    let safeArray = RealArray(originalArray.length);
-    for (let i = 0; i < safeArray.length; i++)
-    {
-      defineProperty(safeArray, i, {
+
+  // Firefox has the option (media.peerconnection.enabled) to disable WebRTC
+  // in which case RealRTCPeerConnection is undefined.
+  if (typeof RealRTCPeerConnection != "undefined")
+  {
+    let closeRTCPeerConnection = Function.prototype.call.bind(
+      RealRTCPeerConnection.prototype.close
+    );
+    let RealArray = Array;
+    let RealString = String;
+    let {create: createObject, defineProperty} = Object;
+
+    let normalizeUrl = url =>
+    {
+      if (typeof url != "undefined")
+        return RealString(url);
+    };
+
+    let safeCopyArray = (originalArray, transform) =>
+    {
+      if (originalArray == null || typeof originalArray != "object")
+        return originalArray;
+
+      let safeArray = RealArray(originalArray.length);
+      for (let i = 0; i < safeArray.length; i++)
+      {
+        defineProperty(safeArray, i, {
+          configurable: false, enumerable: false, writable: false,
+          value: transform(originalArray[i])
+        });
+      }
+      defineProperty(safeArray, "length", {
         configurable: false, enumerable: false, writable: false,
-        value: transform(originalArray[i])
+        value: safeArray.length
       });
-    }
-    defineProperty(safeArray, "length", {
-      configurable: false, enumerable: false, writable: false,
-      value: safeArray.length
-    });
-    return safeArray;
-  }
-
-  // It would be much easier to use the .getConfiguration method to obtain
-  // the normalized and safe configuration from the RTCPeerConnection
-  // instance. Unfortunately its not implemented as of Chrome unstable 59.
-  // See https://www.chromestatus.com/feature/5271355306016768
-  function protectConfiguration(configuration)
-  {
-    if (configuration == null || typeof configuration != "object")
-      return configuration;
-
-    let iceServers = safeCopyArray(
-      configuration.iceServers,
-      iceServer =>
-      {
-        let {url, urls} = iceServer;
-
-        // RTCPeerConnection doesn't iterate through pseudo Arrays of urls.
-        if (typeof urls != "undefined" && !(urls instanceof RealArray))
-          urls = [urls];
-
-        return createObject(iceServer, {
-          url: {
-            configurable: false, enumerable: false, writable: false,
-            value: normalizeUrl(url)
-          },
-          urls: {
-            configurable: false, enumerable: false, writable: false,
-            value: safeCopyArray(urls, normalizeUrl)
+      return safeArray;
+    };
+
+    // It would be much easier to use the .getConfiguration method to obtain
+    // the normalized and safe configuration from the RTCPeerConnection
+    // instance. Unfortunately its not implemented as of Chrome unstable 59.
+    // See https://www.chromestatus.com/feature/5271355306016768
+    let protectConfiguration = configuration =>
+    {
+      if (configuration == null || typeof configuration != "object")
+        return configuration;
+
+      let iceServers = safeCopyArray(
+        configuration.iceServers,
+        iceServer =>
+        {
+          let {url, urls} = iceServer;
+
+          // RTCPeerConnection doesn't iterate through pseudo Arrays of urls.
+          if (typeof urls != "undefined" && !(urls instanceof RealArray))
+            urls = [urls];
+
+          return createObject(iceServer, {
+            url: {
+              configurable: false, enumerable: false, writable: false,
+              value: normalizeUrl(url)
+            },
+            urls: {
+              configurable: false, enumerable: false, writable: false,
+              value: safeCopyArray(urls, normalizeUrl)
+            }
+          });
+        }
+      );
+
+      return createObject(configuration, {
+        iceServers: {
+          configurable: false, enumerable: false, writable: false,
+          value: iceServers
+        }
+      });
+    };
+
+    let checkUrl = (peerconnection, url) =>
+    {
+      checkRequest("webrtc", url, blocked =>
+      {
+        if (blocked)
+        {
+          // Calling .close() throws if already closed.
+          try
+          {
+            closeRTCPeerConnection(peerconnection);
           }
-        });
-      }
-    );
-
-    return createObject(configuration, {
-      iceServers: {
-        configurable: false, enumerable: false, writable: false,
-        value: iceServers
-      }
-    });
-  }
-
-  function checkUrl(peerconnection, url)
-  {
-    checkRequest("webrtc", url, blocked =>
-    {
-      if (blocked)
-      {
-        // Calling .close() throws if already closed.
-        try
+          catch (e) {}
+        }
+      });
+    };
+
+    let checkConfiguration = (peerconnection, configuration) =>
+    {
+      if (configuration && configuration.iceServers)
+      {
+        for (let i = 0; i < configuration.iceServers.length; i++)
         {
-          closeRTCPeerConnection(peerconnection);
-        }
-        catch (e) {}
-      }
-    });
-  }
-
-  function checkConfiguration(peerconnection, configuration)
-  {
-    if (configuration && configuration.iceServers)
-    {
-      for (let i = 0; i < configuration.iceServers.length; i++)
-      {
-        let iceServer = configuration.iceServers[i];
-        if (iceServer)
-        {
-          if (iceServer.url)
-            checkUrl(peerconnection, iceServer.url);
-
-          if (iceServer.urls)
+          let iceServer = configuration.iceServers[i];
+          if (iceServer)
           {
-            for (let j = 0; j < iceServer.urls.length; j++)
-              checkUrl(peerconnection, iceServer.urls[j]);
+            if (iceServer.url)
+              checkUrl(peerconnection, iceServer.url);
+
+            if (iceServer.urls)
+            {
+              for (let j = 0; j < iceServer.urls.length; j++)
+                checkUrl(peerconnection, iceServer.urls[j]);
+            }
           }
         }
       }
+    };
+
+    // Chrome unstable (tested with 59) has already implemented
+    // setConfiguration, so we need to wrap that if it exists too.
+    // https://www.chromestatus.com/feature/5596193748942848
+    if (RealRTCPeerConnection.prototype.setConfiguration)
+    {
+      let realSetConfiguration = Function.prototype.call.bind(
+        RealRTCPeerConnection.prototype.setConfiguration
+      );
+
+      RealRTCPeerConnection.prototype.setConfiguration = function(configuration)
+      {
+        configuration = protectConfiguration(configuration);
+
+        // Call the real method first, so that validates the configuration for
+        // us. Also we might as well since checkRequest is asynchronous anyway.
+        realSetConfiguration(this, configuration);
+        checkConfiguration(this, configuration);
+      };
     }
-  }
-
-  // Chrome unstable (tested with 59) has already implemented
-  // setConfiguration, so we need to wrap that if it exists too.
-  // https://www.chromestatus.com/feature/5596193748942848
-  if (RealRTCPeerConnection.prototype.setConfiguration)
-  {
-    let realSetConfiguration = Function.prototype.call.bind(
-      RealRTCPeerConnection.prototype.setConfiguration
-    );
-
-    RealRTCPeerConnection.prototype.setConfiguration = function(configuration)
-    {
-      configuration = protectConfiguration(configuration);
-
-      // Call the real method first, so that validates the configuration for
-      // us. Also we might as well since checkRequest is asynchronous anyway.
-      realSetConfiguration(this, configuration);
-      checkConfiguration(this, configuration);
-    };
-  }
-
-  function WrappedRTCPeerConnection(...args)
-  {
-    if (!(this instanceof WrappedRTCPeerConnection))
-      return RealRTCPeerConnection();
-
-    let configuration = protectConfiguration(args[0]);
-
-    // Since the old webkitRTCPeerConnection constructor takes an optional
-    // second argument we need to take care to pass that through. Necessary
-    // for older versions of Chrome such as 49.
-    let constraints = undefined;
-    if (args.length > 1)
-      constraints = args[1];
-
-    let peerconnection = new RealRTCPeerConnection(configuration, constraints);
-    checkConfiguration(peerconnection, configuration);
-    return peerconnection;
-  }
-
-  WrappedRTCPeerConnection.prototype = RealRTCPeerConnection.prototype;
-
-  let boundWrappedRTCPeerConnection = WrappedRTCPeerConnection.bind();
-  copyProperties(RealRTCPeerConnection, boundWrappedRTCPeerConnection,
-                 ["generateCertificate", "name", "prototype"]);
-  RealRTCPeerConnection.prototype.constructor = boundWrappedRTCPeerConnection;
-
-  if ("RTCPeerConnection" in window)
-    window.RTCPeerConnection = boundWrappedRTCPeerConnection;
-  if ("webkitRTCPeerConnection" in window)
-    window.webkitRTCPeerConnection = boundWrappedRTCPeerConnection;
+
+    let WrappedRTCPeerConnection = function(...args)
+    {
+      if (!(this instanceof WrappedRTCPeerConnection))
+        return RealRTCPeerConnection();
+
+      let configuration = protectConfiguration(args[0]);
+
+      // Since the old webkitRTCPeerConnection constructor takes an optional
+      // second argument we need to take care to pass that through. Necessary
+      // for older versions of Chrome such as 49.
+      let constraints = undefined;
+      if (args.length > 1)
+        constraints = args[1];
+
+      let peerconnection = new RealRTCPeerConnection(configuration,
+                                                     constraints);
+      checkConfiguration(peerconnection, configuration);
+      return peerconnection;
+    };
+
+    WrappedRTCPeerConnection.prototype = RealRTCPeerConnection.prototype;
+
+    let boundWrappedRTCPeerConnection = WrappedRTCPeerConnection.bind();
+    copyProperties(RealRTCPeerConnection, boundWrappedRTCPeerConnection,
+                   ["generateCertificate", "name", "prototype"]);
+    RealRTCPeerConnection.prototype.constructor = boundWrappedRTCPeerConnection;
+
+    if ("RTCPeerConnection" in window)
+      window.RTCPeerConnection = boundWrappedRTCPeerConnection;
+    if ("webkitRTCPeerConnection" in window)
+      window.webkitRTCPeerConnection = boundWrappedRTCPeerConnection;
+  }
 }
 
 if (document instanceof HTMLDocument)
 {
   let sandbox = window.frameElement &&
                 window.frameElement.getAttribute("sandbox");
 
   if (typeof sandbox != "string" || /(^|\s)allow-scripts(\s|$)/i.test(sandbox))
   {
     let script = document.createElement("script");
     script.type = "application/javascript";
     script.async = false;
-    script.textContent = "(" + injected + ")('" + randomEventName + "');";
+    // Firefox 58 only bypasses site CSPs when assigning to 'src'.
+    let url = URL.createObjectURL(new Blob([
+      "(" + injected + ")('" + randomEventName + "');"
+    ]));
+    script.src = url;
     document.documentElement.appendChild(script);
     document.documentElement.removeChild(script);
+    URL.revokeObjectURL(url);
   }
 }