Left: | ||
Right: |
OLD | NEW |
---|---|
1 /* | 1 /* |
2 * This file is part of Adblock Plus <https://adblockplus.org/>, | 2 * This file is part of Adblock Plus <https://adblockplus.org/>, |
3 * Copyright (C) 2006-present eyeo GmbH | 3 * Copyright (C) 2006-present eyeo GmbH |
4 * | 4 * |
5 * Adblock Plus is free software: you can redistribute it and/or modify | 5 * Adblock Plus is free software: you can redistribute it and/or modify |
6 * it under the terms of the GNU General Public License version 3 as | 6 * it under the terms of the GNU General Public License version 3 as |
7 * published by the Free Software Foundation. | 7 * published by the Free Software Foundation. |
8 * | 8 * |
9 * Adblock Plus is distributed in the hope that it will be useful, | 9 * Adblock Plus is distributed in the hope that it will be useful, |
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of | 10 * but WITHOUT ANY WARRANTY; without even the implied warranty of |
(...skipping 79 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
90 Filter.elemhideRegExp = /^([^/*|@"!]*?)#([@?])?#(.+)$/; | 90 Filter.elemhideRegExp = /^([^/*|@"!]*?)#([@?])?#(.+)$/; |
91 /** | 91 /** |
92 * Regular expression that RegExp filters specified as RegExps should match | 92 * Regular expression that RegExp filters specified as RegExps should match |
93 * @type {RegExp} | 93 * @type {RegExp} |
94 */ | 94 */ |
95 Filter.regexpRegExp = /^(@@)?\/.*\/(?:\$~?[\w-]+(?:=[^,\s]+)?(?:,~?[\w-]+(?:=[^, \s]+)?)*)?$/; | 95 Filter.regexpRegExp = /^(@@)?\/.*\/(?:\$~?[\w-]+(?:=[^,\s]+)?(?:,~?[\w-]+(?:=[^, \s]+)?)*)?$/; |
96 /** | 96 /** |
97 * Regular expression that options on a RegExp filter should match | 97 * Regular expression that options on a RegExp filter should match |
98 * @type {RegExp} | 98 * @type {RegExp} |
99 */ | 99 */ |
100 Filter.optionsRegExp = /\$(~?[\w-]+(?:=[^,\s]+)?(?:,~?[\w-]+(?:=[^,\s]+)?)*)$/; | 100 Filter.optionsRegExp = /\$(~?[\w-]+(?:=[^,]+)?(?:,~?[\w-]+(?:=[^,]+)?)*)$/; |
101 | |
102 /** | |
103 * Forbidden Content Security Policy directives | |
104 * @type {Set<string>} | |
105 */ | |
106 Filter.cspDirectiveBlacklist = new Set([ | |
107 "base-uri", "referrer", "report-to", "report-uri", "base-uri", | |
Manish Jethani
2018/03/19 18:03:39
base-uri is repeated here.
kzar
2018/03/19 18:16:22
Done.
| |
108 "upgrade-insecure-requests" | |
109 ]); | |
110 /** | |
111 * Regular expression that matches an invalid Content Security Policy | |
112 * @type {RegExp} | |
113 */ | |
114 Filter.invalidCSPRegExp = new RegExp( | |
115 "(;|^) ?(" + Array.from(Filter.cspDirectiveBlacklist).join("|") + ")\\b" | |
116 ); | |
101 | 117 |
102 /** | 118 /** |
103 * Creates a filter of correct type from its text representation - does the | 119 * Creates a filter of correct type from its text representation - does the |
104 * basic parsing and calls the right constructor then. | 120 * basic parsing and calls the right constructor then. |
105 * | 121 * |
106 * @param {string} text as in Filter() | 122 * @param {string} text as in Filter() |
107 * @return {Filter} | 123 * @return {Filter} |
108 */ | 124 */ |
109 Filter.fromText = function(text) | 125 Filter.fromText = function(text) |
110 { | 126 { |
(...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
165 * Removes unnecessary whitespaces from filter text, will only return null if | 181 * Removes unnecessary whitespaces from filter text, will only return null if |
166 * the input parameter is null. | 182 * the input parameter is null. |
167 * @param {string} text | 183 * @param {string} text |
168 * @return {string} | 184 * @return {string} |
169 */ | 185 */ |
170 Filter.normalize = function(text) | 186 Filter.normalize = function(text) |
171 { | 187 { |
172 if (!text) | 188 if (!text) |
173 return text; | 189 return text; |
174 | 190 |
175 // Remove line breaks and such | 191 // Remove line breaks, tabs etc |
176 text = text.replace(/[^\S ]/g, ""); | 192 text = text.replace(/[^\S ]+/g, ""); |
177 | 193 |
178 if (/^\s*!/.test(text)) | 194 // Don't remove spaces inside comments |
195 if (/^ *!/.test(text)) | |
196 return text.trim(); | |
197 | |
198 // Special treatment for element hiding filters, right side is allowed to | |
199 // contain spaces | |
200 if (Filter.elemhideRegExp.test(text)) | |
179 { | 201 { |
180 // Don't remove spaces inside comments | 202 let [, domain, separator, selector] = /^(.*?)(#@?#?)(.*)$/.exec(text); |
181 return text.trim(); | 203 return domain.replace(/ +/g, "") + separator + selector.trim(); |
182 } | 204 } |
183 else if (Filter.elemhideRegExp.test(text)) | 205 |
206 // For most regexp filters we strip all spaces, but $csp filter options | |
207 // are allowed to contain single (non trailing) spaces. | |
208 let strippedText = text.replace(/ +/g, ""); | |
209 if (!strippedText.includes("$") || !/\bcsp=/i.test(strippedText)) | |
210 return strippedText; | |
211 | |
212 let optionsMatch = Filter.optionsRegExp.exec(strippedText); | |
213 if (!optionsMatch) | |
214 return strippedText; | |
215 | |
216 // For $csp filters we must first separate out the options part of the | |
217 // text, being careful to preserve its spaces. | |
218 let beforeOptions = strippedText.substring(0, optionsMatch.index); | |
219 let strippedDollarIndex = -1; | |
220 let dollarIndex = -1; | |
221 do | |
184 { | 222 { |
185 // Special treatment for element hiding filters, right side is allowed to | 223 strippedDollarIndex = beforeOptions.indexOf("$", strippedDollarIndex + 1); |
186 // contain spaces | 224 dollarIndex = text.indexOf("$", dollarIndex + 1); |
187 let [, domain, separator, selector] = /^(.*?)(#@?#?)(.*)$/.exec(text); | |
188 return domain.replace(/\s/g, "") + separator + selector.trim(); | |
189 } | 225 } |
190 return text.replace(/\s/g, ""); | 226 while (strippedDollarIndex != -1); |
227 let optionsText = text.substr(dollarIndex + 1); | |
228 | |
229 // Then we can normalize spaces in the options part safely | |
230 let options = optionsText.split(","); | |
231 for (let i = 0; i < options.length; i++) | |
232 { | |
233 let option = options[i]; | |
234 let cspMatch = /^ *c *s *p *=/i.exec(option); | |
235 if (cspMatch) | |
236 { | |
237 options[i] = cspMatch[0].replace(/ +/g, "") + | |
238 option.substr(cspMatch[0].length).trim().replace(/ +/g, " "); | |
239 } | |
240 else | |
241 options[i] = option.replace(/ +/g, ""); | |
242 } | |
243 | |
244 return beforeOptions + "$" + options.join(); | |
191 }; | 245 }; |
192 | 246 |
193 /** | 247 /** |
194 * @see filterToRegExp | 248 * @see filterToRegExp |
195 */ | 249 */ |
196 Filter.toRegExp = filterToRegExp; | 250 Filter.toRegExp = filterToRegExp; |
197 | 251 |
198 /** | 252 /** |
199 * Class for invalid filters | 253 * Class for invalid filters |
200 * @param {string} text see Filter() | 254 * @param {string} text see Filter() |
(...skipping 519 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
720 blocking = false; | 774 blocking = false; |
721 text = text.substr(2); | 775 text = text.substr(2); |
722 } | 776 } |
723 | 777 |
724 let contentType = null; | 778 let contentType = null; |
725 let matchCase = null; | 779 let matchCase = null; |
726 let domains = null; | 780 let domains = null; |
727 let sitekeys = null; | 781 let sitekeys = null; |
728 let thirdParty = null; | 782 let thirdParty = null; |
729 let collapse = null; | 783 let collapse = null; |
784 let csp = null; | |
730 let options; | 785 let options; |
731 let match = (text.indexOf("$") >= 0 ? Filter.optionsRegExp.exec(text) : null); | 786 let match = (text.indexOf("$") >= 0 ? Filter.optionsRegExp.exec(text) : null); |
732 if (match) | 787 if (match) |
733 { | 788 { |
734 options = match[1].toUpperCase().split(","); | 789 options = match[1].split(","); |
735 text = match.input.substr(0, match.index); | 790 text = match.input.substr(0, match.index); |
736 for (let option of options) | 791 for (let option of options) |
737 { | 792 { |
738 let value = null; | 793 let value = null; |
739 let separatorIndex = option.indexOf("="); | 794 let separatorIndex = option.indexOf("="); |
740 if (separatorIndex >= 0) | 795 if (separatorIndex >= 0) |
741 { | 796 { |
742 value = option.substr(separatorIndex + 1); | 797 value = option.substr(separatorIndex + 1); |
743 option = option.substr(0, separatorIndex); | 798 option = option.substr(0, separatorIndex); |
744 } | 799 } |
745 option = option.replace(/-/, "_"); | 800 option = option.replace(/-/, "_").toUpperCase(); |
746 if (option in RegExpFilter.typeMap) | 801 if (option in RegExpFilter.typeMap) |
747 { | 802 { |
748 if (contentType == null) | 803 if (contentType == null) |
749 contentType = 0; | 804 contentType = 0; |
750 contentType |= RegExpFilter.typeMap[option]; | 805 contentType |= RegExpFilter.typeMap[option]; |
806 | |
807 if (option == "CSP" && typeof value != "undefined") | |
808 { | |
809 if (csp) | |
810 csp.push(value); | |
811 else | |
812 csp = [value]; | |
813 } | |
751 } | 814 } |
752 else if (option[0] == "~" && option.substr(1) in RegExpFilter.typeMap) | 815 else if (option[0] == "~" && option.substr(1) in RegExpFilter.typeMap) |
753 { | 816 { |
754 if (contentType == null) | 817 if (contentType == null) |
755 ({contentType} = RegExpFilter.prototype); | 818 ({contentType} = RegExpFilter.prototype); |
756 contentType &= ~RegExpFilter.typeMap[option.substr(1)]; | 819 contentType &= ~RegExpFilter.typeMap[option.substr(1)]; |
757 } | 820 } |
758 else if (option == "MATCH_CASE") | 821 else if (option == "MATCH_CASE") |
759 matchCase = true; | 822 matchCase = true; |
760 else if (option == "~MATCH_CASE") | 823 else if (option == "~MATCH_CASE") |
761 matchCase = false; | 824 matchCase = false; |
762 else if (option == "DOMAIN" && typeof value != "undefined") | 825 else if (option == "DOMAIN" && typeof value != "undefined") |
763 domains = value; | 826 domains = value.toUpperCase(); |
764 else if (option == "THIRD_PARTY") | 827 else if (option == "THIRD_PARTY") |
765 thirdParty = true; | 828 thirdParty = true; |
766 else if (option == "~THIRD_PARTY") | 829 else if (option == "~THIRD_PARTY") |
767 thirdParty = false; | 830 thirdParty = false; |
768 else if (option == "COLLAPSE") | 831 else if (option == "COLLAPSE") |
769 collapse = true; | 832 collapse = true; |
770 else if (option == "~COLLAPSE") | 833 else if (option == "~COLLAPSE") |
771 collapse = false; | 834 collapse = false; |
772 else if (option == "SITEKEY" && typeof value != "undefined") | 835 else if (option == "SITEKEY" && typeof value != "undefined") |
773 sitekeys = value; | 836 sitekeys = value.toUpperCase(); |
774 else | 837 else |
775 return new InvalidFilter(origText, "filter_unknown_option"); | 838 return new InvalidFilter(origText, "filter_unknown_option"); |
776 } | 839 } |
777 } | 840 } |
778 | 841 |
779 try | 842 try |
780 { | 843 { |
781 if (blocking) | 844 if (blocking) |
782 { | 845 { |
846 if (csp) | |
847 { | |
848 csp = csp.join("; ").toLowerCase(); | |
849 | |
850 if (Filter.invalidCSPRegExp.test(csp)) | |
851 return new InvalidFilter(origText, "filter_invalid_csp"); | |
852 } | |
853 | |
783 return new BlockingFilter(origText, text, contentType, matchCase, domains, | 854 return new BlockingFilter(origText, text, contentType, matchCase, domains, |
784 thirdParty, sitekeys, collapse); | 855 thirdParty, sitekeys, collapse, csp); |
785 } | 856 } |
786 return new WhitelistFilter(origText, text, contentType, matchCase, domains, | 857 return new WhitelistFilter(origText, text, contentType, matchCase, domains, |
787 thirdParty, sitekeys); | 858 thirdParty, sitekeys); |
788 } | 859 } |
789 catch (e) | 860 catch (e) |
790 { | 861 { |
791 return new InvalidFilter(origText, "filter_invalid_regexp"); | 862 return new InvalidFilter(origText, "filter_invalid_regexp"); |
792 } | 863 } |
793 }; | 864 }; |
794 | 865 |
795 /** | 866 /** |
796 * Maps type strings like "SCRIPT" or "OBJECT" to bit masks | 867 * Maps type strings like "SCRIPT" or "OBJECT" to bit masks |
797 */ | 868 */ |
798 RegExpFilter.typeMap = { | 869 RegExpFilter.typeMap = { |
799 OTHER: 1, | 870 OTHER: 1, |
800 SCRIPT: 2, | 871 SCRIPT: 2, |
801 IMAGE: 4, | 872 IMAGE: 4, |
802 STYLESHEET: 8, | 873 STYLESHEET: 8, |
803 OBJECT: 16, | 874 OBJECT: 16, |
804 SUBDOCUMENT: 32, | 875 SUBDOCUMENT: 32, |
805 DOCUMENT: 64, | 876 DOCUMENT: 64, |
806 WEBSOCKET: 128, | 877 WEBSOCKET: 128, |
807 WEBRTC: 256, | 878 WEBRTC: 256, |
879 CSP: 512, | |
808 XBL: 1, | 880 XBL: 1, |
809 PING: 1024, | 881 PING: 1024, |
810 XMLHTTPREQUEST: 2048, | 882 XMLHTTPREQUEST: 2048, |
811 OBJECT_SUBREQUEST: 4096, | 883 OBJECT_SUBREQUEST: 4096, |
812 DTD: 1, | 884 DTD: 1, |
813 MEDIA: 16384, | 885 MEDIA: 16384, |
814 FONT: 32768, | 886 FONT: 32768, |
815 | 887 |
816 BACKGROUND: 4, // Backwards compat, same as IMAGE | 888 BACKGROUND: 4, // Backwards compat, same as IMAGE |
817 | 889 |
818 POPUP: 0x10000000, | 890 POPUP: 0x10000000, |
819 GENERICBLOCK: 0x20000000, | 891 GENERICBLOCK: 0x20000000, |
820 ELEMHIDE: 0x40000000, | 892 ELEMHIDE: 0x40000000, |
821 GENERICHIDE: 0x80000000 | 893 GENERICHIDE: 0x80000000 |
822 }; | 894 }; |
823 | 895 |
824 // DOCUMENT, ELEMHIDE, POPUP, GENERICHIDE and GENERICBLOCK options shouldn't | 896 // CSP, DOCUMENT, ELEMHIDE, POPUP, GENERICHIDE and GENERICBLOCK options |
825 // be there by default | 897 // shouldn't be there by default |
826 RegExpFilter.prototype.contentType &= ~(RegExpFilter.typeMap.DOCUMENT | | 898 RegExpFilter.prototype.contentType &= ~(RegExpFilter.typeMap.CSP | |
899 RegExpFilter.typeMap.DOCUMENT | | |
827 RegExpFilter.typeMap.ELEMHIDE | | 900 RegExpFilter.typeMap.ELEMHIDE | |
828 RegExpFilter.typeMap.POPUP | | 901 RegExpFilter.typeMap.POPUP | |
829 RegExpFilter.typeMap.GENERICHIDE | | 902 RegExpFilter.typeMap.GENERICHIDE | |
830 RegExpFilter.typeMap.GENERICBLOCK); | 903 RegExpFilter.typeMap.GENERICBLOCK); |
831 | 904 |
832 /** | 905 /** |
833 * Class for blocking filters | 906 * Class for blocking filters |
834 * @param {string} text see Filter() | 907 * @param {string} text see Filter() |
835 * @param {string} regexpSource see RegExpFilter() | 908 * @param {string} regexpSource see RegExpFilter() |
836 * @param {number} contentType see RegExpFilter() | 909 * @param {number} contentType see RegExpFilter() |
837 * @param {boolean} matchCase see RegExpFilter() | 910 * @param {boolean} matchCase see RegExpFilter() |
838 * @param {string} domains see RegExpFilter() | 911 * @param {string} domains see RegExpFilter() |
839 * @param {boolean} thirdParty see RegExpFilter() | 912 * @param {boolean} thirdParty see RegExpFilter() |
840 * @param {string} sitekeys see RegExpFilter() | 913 * @param {string} sitekeys see RegExpFilter() |
841 * @param {boolean} collapse | 914 * @param {boolean} collapse |
842 * defines whether the filter should collapse blocked content, can be null | 915 * defines whether the filter should collapse blocked content, can be null |
916 * @param {string} [csp] | |
917 * Content Security Policy to inject when the filter matches | |
843 * @constructor | 918 * @constructor |
844 * @augments RegExpFilter | 919 * @augments RegExpFilter |
845 */ | 920 */ |
846 function BlockingFilter(text, regexpSource, contentType, matchCase, domains, | 921 function BlockingFilter(text, regexpSource, contentType, matchCase, domains, |
847 thirdParty, sitekeys, collapse) | 922 thirdParty, sitekeys, collapse, csp) |
848 { | 923 { |
849 RegExpFilter.call(this, text, regexpSource, contentType, matchCase, domains, | 924 RegExpFilter.call(this, text, regexpSource, contentType, matchCase, domains, |
850 thirdParty, sitekeys); | 925 thirdParty, sitekeys); |
851 | 926 |
852 this.collapse = collapse; | 927 this.collapse = collapse; |
928 this.csp = csp; | |
853 } | 929 } |
854 exports.BlockingFilter = BlockingFilter; | 930 exports.BlockingFilter = BlockingFilter; |
855 | 931 |
856 BlockingFilter.prototype = extend(RegExpFilter, { | 932 BlockingFilter.prototype = extend(RegExpFilter, { |
857 type: "blocking", | 933 type: "blocking", |
858 | 934 |
859 /** | 935 /** |
860 * Defines whether the filter should collapse blocked content. | 936 * Defines whether the filter should collapse blocked content. |
861 * Can be null (use the global preference). | 937 * Can be null (use the global preference). |
862 * @type {boolean} | 938 * @type {boolean} |
863 */ | 939 */ |
864 collapse: null | 940 collapse: null, |
941 | |
942 /** | |
943 * Content Security Policy to inject for matching requests. | |
944 * @type {string} | |
945 */ | |
946 csp: null | |
865 }); | 947 }); |
866 | 948 |
867 /** | 949 /** |
868 * Class for whitelist filters | 950 * Class for whitelist filters |
869 * @param {string} text see Filter() | 951 * @param {string} text see Filter() |
870 * @param {string} regexpSource see RegExpFilter() | 952 * @param {string} regexpSource see RegExpFilter() |
871 * @param {number} contentType see RegExpFilter() | 953 * @param {number} contentType see RegExpFilter() |
872 * @param {boolean} matchCase see RegExpFilter() | 954 * @param {boolean} matchCase see RegExpFilter() |
873 * @param {string} domains see RegExpFilter() | 955 * @param {string} domains see RegExpFilter() |
874 * @param {boolean} thirdParty see RegExpFilter() | 956 * @param {boolean} thirdParty see RegExpFilter() |
(...skipping 144 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
1019 */ | 1101 */ |
1020 function ElemHideEmulationFilter(text, domains, selector) | 1102 function ElemHideEmulationFilter(text, domains, selector) |
1021 { | 1103 { |
1022 ElemHideBase.call(this, text, domains, selector); | 1104 ElemHideBase.call(this, text, domains, selector); |
1023 } | 1105 } |
1024 exports.ElemHideEmulationFilter = ElemHideEmulationFilter; | 1106 exports.ElemHideEmulationFilter = ElemHideEmulationFilter; |
1025 | 1107 |
1026 ElemHideEmulationFilter.prototype = extend(ElemHideBase, { | 1108 ElemHideEmulationFilter.prototype = extend(ElemHideBase, { |
1027 type: "elemhideemulation" | 1109 type: "elemhideemulation" |
1028 }); | 1110 }); |
OLD | NEW |