[$csp2 adblockpluscore] Issue 6329 - Add the CSP filter type

lib/filterClasses.js

 /*
  * This file is part of Adblock Plus <https://adblockplus.org/>,
  * Copyright (C) 2006-present eyeo GmbH
  *
  * Adblock Plus is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 3 as
  * published by the Free Software Foundation.
  *
  * Adblock Plus is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ skipping 79 matching lines @@
 Filter.elemhideRegExp = /^([^/*|@"!]*?)#([@?])?#(.+)$/;
 /**
  * Regular expression that RegExp filters specified as RegExps should match
  * @type {RegExp}
  */
 Filter.regexpRegExp = /^(@@)?\/.*\/(?:\$~?[\w-]+(?:=[^,\s]+)?(?:,~?[\w-]+(?:=[^,\s]+)?)*)?$/;
 /**
  * Regular expression that options on a RegExp filter should match
  * @type {RegExp}
  */
-Filter.optionsRegExp = /\$(~?[\w-]+(?:=[^,\s]+)?(?:,~?[\w-]+(?:=[^,\s]+)?)*)$/;
+Filter.optionsRegExp = /\$(~?[\w-]+(?:=[^,]+)?(?:,~?[\w-]+(?:=[^,]+)?)*)$/;
+
+/**
+ * Forbidden Content Security Policy directives
+ * @type {Set<string>}
+ */
+Filter.cspDirectiveBlacklist = new Set([
+  "base-uri", "referrer", "report-to", "report-uri", "upgrade-insecure-requests"
+]);

[Sebastian Noack, 2018/03/21 16:23:13]

I don't get why we create this Set here, just to turn it into an array, to turn
it into a string to insert into regular expression, below.

IMO, better: Just use an array here, reducing the boilerplate.

IMO, even better: Just use a regular expression literal below. Note that ESLint
won't complain about long lines due to regular expression literals.

[kzar, 2018/03/21 16:58:11]

I created the Set since I figured being about to do
`cspBlacklist.has(directive)` might be useful sometime, but you're right it's
better to keep things simple. Done.

+/**
+ * Regular expression that matches an invalid Content Security Policy
+ * @type {RegExp}
+ */
+Filter.invalidCSPRegExp = new RegExp(
+  "(;|^) ?(" + Array.from(Filter.cspDirectiveBlacklist).join("|") + ")\\b"
+);
 
 /**
  * Creates a filter of correct type from its text representation - does the
  * basic parsing and calls the right constructor then.
  *
  * @param {string} text   as in Filter()
  * @return {Filter}
  */
 Filter.fromText = function(text)
 {
@@ skipping 54 matching lines @@
  * Removes unnecessary whitespaces from filter text, will only return null if
  * the input parameter is null.
  * @param {string} text
  * @return {string}
  */
 Filter.normalize = function(text)
 {
   if (!text)
     return text;
 
-  // Remove line breaks and such
-  text = text.replace(/[^\S ]/g, "");
+  // Remove line breaks, tabs etc
+  text = text.replace(/[^\S ]+/g, "");
 
-  if (/^\s*!/.test(text))
+  // Don't remove spaces inside comments
+  if (/^ *!/.test(text))
+    return text.trim();
+
+  // Special treatment for element hiding filters, right side is allowed to
+  // contain spaces
+  if (Filter.elemhideRegExp.test(text))
   {
-    // Don't remove spaces inside comments
-    return text.trim();
+    let [, domain, separator, selector] = /^(.*?)(#@?#?)(.*)$/.exec(text);
+    return domain.replace(/ +/g, "") + separator + selector.trim();
   }
-  else if (Filter.elemhideRegExp.test(text))
+
+  // For most regexp filters we strip all spaces, but $csp filter options
+  // are allowed to contain single (non trailing) spaces.
+  let strippedText = text.replace(/ +/g, "");
+  if (!strippedText.includes("$") || !/\bcsp=/i.test(strippedText))
+    return strippedText;
+
+  let optionsMatch = Filter.optionsRegExp.exec(strippedText);
+  if (!optionsMatch)
+    return strippedText;
+
+  // For $csp filters we must first separate out the options part of the
+  // text, being careful to preserve its spaces.
+  let beforeOptions = strippedText.substring(0, optionsMatch.index);
+  let strippedDollarIndex = -1;
+  let dollarIndex = -1;
+  do
   {
-    // Special treatment for element hiding filters, right side is allowed to
-    // contain spaces
-    let [, domain, separator, selector] = /^(.*?)(#@?#?)(.*)$/.exec(text);
-    return domain.replace(/\s/g, "") + separator + selector.trim();
+    strippedDollarIndex = beforeOptions.indexOf("$", strippedDollarIndex + 1);
+    dollarIndex = text.indexOf("$", dollarIndex + 1);
   }
-  return text.replace(/\s/g, "");
+  while (strippedDollarIndex != -1);
+  let optionsText = text.substr(dollarIndex + 1);
+
+  // Then we can normalize spaces in the options part safely
+  let options = optionsText.split(",");
+  for (let i = 0; i < options.length; i++)
+  {
+    let option = options[i];
+    let cspMatch = /^ *c *s *p *=/i.exec(option);
+    if (cspMatch)
+    {
+      options[i] = cspMatch[0].replace(/ +/g, "") +
+                   option.substr(cspMatch[0].length).trim().replace(/ +/g, " ");
+    }
+    else
+      options[i] = option.replace(/ +/g, "");
+  }
+
+  return beforeOptions + "$" + options.join();
 };
 
 /**
  * @see filterToRegExp
  */
 Filter.toRegExp = filterToRegExp;
 
 /**
  * Class for invalid filters
  * @param {string} text see Filter()
@@ skipping 519 matching lines @@
     blocking = false;
     text = text.substr(2);
   }
 
   let contentType = null;
   let matchCase = null;
   let domains = null;
   let sitekeys = null;
   let thirdParty = null;
   let collapse = null;
+  let csp = null;
   let options;
   let match = (text.indexOf("$") >= 0 ? Filter.optionsRegExp.exec(text) : null);
   if (match)
   {
-    options = match[1].toUpperCase().split(",");
+    options = match[1].split(",");
     text = match.input.substr(0, match.index);
     for (let option of options)
     {
       let value = null;
       let separatorIndex = option.indexOf("=");
       if (separatorIndex >= 0)
       {
         value = option.substr(separatorIndex + 1);
         option = option.substr(0, separatorIndex);
       }
-      option = option.replace(/-/, "_");
+      option = option.replace(/-/, "_").toUpperCase();
       if (option in RegExpFilter.typeMap)
       {
         if (contentType == null)
           contentType = 0;
         contentType |= RegExpFilter.typeMap[option];
+
+        if (option == "CSP" && typeof value != "undefined")
+        {
+          if (csp)
+            csp.push(value);

[Sebastian Noack, 2018/03/21 16:23:13]

Does that mean that if multiple $csp options are given in the same filter that
they are merged? Any reason for these semantics (assuming my assumption is
correct)? This seems inconsistent with the $domain option (or not?). If you want
to insert multiple policies, you can just separate them by semicolon within the
same option value (or not?).

[kzar, 2018/03/21 16:58:11]

Right.
Well I listed the inability of specifying multiple $csp values for a filter and
the inability to have two $csp filters both apply at the same time in the issue
as known limitations. Manish asked me why we have those limitations, and while
the latter was kind of a pain the former seemed easy enough and so I did it. But
your comment here made me reconsider, I've removed this logic again now.

+          else
+            csp = [value];
+        }
       }
       else if (option[0] == "~" && option.substr(1) in RegExpFilter.typeMap)
       {
         if (contentType == null)
           ({contentType} = RegExpFilter.prototype);
         contentType &= ~RegExpFilter.typeMap[option.substr(1)];
       }
       else if (option == "MATCH_CASE")
         matchCase = true;
       else if (option == "~MATCH_CASE")
         matchCase = false;
       else if (option == "DOMAIN" && typeof value != "undefined")
-        domains = value;
+        domains = value.toUpperCase();
       else if (option == "THIRD_PARTY")
         thirdParty = true;
       else if (option == "~THIRD_PARTY")
         thirdParty = false;
       else if (option == "COLLAPSE")
         collapse = true;
       else if (option == "~COLLAPSE")
         collapse = false;
       else if (option == "SITEKEY" && typeof value != "undefined")
-        sitekeys = value;
+        sitekeys = value.toUpperCase();
       else
         return new InvalidFilter(origText, "filter_unknown_option");
     }
   }
 
   try
   {
     if (blocking)
     {
+      if (csp)
+      {
+        csp = csp.join("; ").toLowerCase();

[Sebastian Noack, 2018/03/21 16:23:13]

If we convert the CSP to lower case, shouldn't this rather happen during
normalization? But why do we convert it to lower case in the first place? Is it
guaranteed that all parts of a CSP are case-insensitive?

[kzar, 2018/03/21 16:58:11]

Hmm good point, initially I converted the value to lower case here since we
previously converted it to upper case which broke everything. But since I
adjusted that logic we could instead leave the case alone I suppose. Done.

[kzar, 2018/03/21 16:58:11]

Yes and no.

While I see your logic of course we currently do not normalise the case of the
filter text at normalisation time at all. So if I was to normalise the case of
the $csp option there I would argue we should otherwise normalise the case of
filters there too.

(Yes, it's true that Filter.normalize does not fully normalise filters, that was
part of my argument[1] for not worrying as much about how we normalise
whitespace.)

[1] - https://codereview.adblockplus.org/29680684/#msg7

+
+        if (Filter.invalidCSPRegExp.test(csp))
+          return new InvalidFilter(origText, "filter_invalid_csp");
+      }
+
       return new BlockingFilter(origText, text, contentType, matchCase, domains,
-                                thirdParty, sitekeys, collapse);
+                                thirdParty, sitekeys, collapse, csp);
     }
     return new WhitelistFilter(origText, text, contentType, matchCase, domains,
                                thirdParty, sitekeys);
   }
   catch (e)
   {
     return new InvalidFilter(origText, "filter_invalid_regexp");
   }
 };
 
 /**
  * Maps type strings like "SCRIPT" or "OBJECT" to bit masks
  */
 RegExpFilter.typeMap = {
   OTHER: 1,
   SCRIPT: 2,
   IMAGE: 4,
   STYLESHEET: 8,
   OBJECT: 16,
   SUBDOCUMENT: 32,
   DOCUMENT: 64,
   WEBSOCKET: 128,
   WEBRTC: 256,
+  CSP: 512,
   XBL: 1,
   PING: 1024,
   XMLHTTPREQUEST: 2048,
   OBJECT_SUBREQUEST: 4096,
   DTD: 1,
   MEDIA: 16384,
   FONT: 32768,
 
   BACKGROUND: 4,    // Backwards compat, same as IMAGE
 
   POPUP: 0x10000000,
   GENERICBLOCK: 0x20000000,
   ELEMHIDE: 0x40000000,
   GENERICHIDE: 0x80000000
 };
 
-// DOCUMENT, ELEMHIDE, POPUP, GENERICHIDE and GENERICBLOCK options shouldn't
-// be there by default
-RegExpFilter.prototype.contentType &= ~(RegExpFilter.typeMap.DOCUMENT |
+// CSP, DOCUMENT, ELEMHIDE, POPUP, GENERICHIDE and GENERICBLOCK options
+// shouldn't be there by default
+RegExpFilter.prototype.contentType &= ~(RegExpFilter.typeMap.CSP |
+                                        RegExpFilter.typeMap.DOCUMENT |
                                         RegExpFilter.typeMap.ELEMHIDE |
                                         RegExpFilter.typeMap.POPUP |
                                         RegExpFilter.typeMap.GENERICHIDE |
                                         RegExpFilter.typeMap.GENERICBLOCK);
 
 /**
  * Class for blocking filters
  * @param {string} text see Filter()
  * @param {string} regexpSource see RegExpFilter()
  * @param {number} contentType see RegExpFilter()
  * @param {boolean} matchCase see RegExpFilter()
  * @param {string} domains see RegExpFilter()
  * @param {boolean} thirdParty see RegExpFilter()
  * @param {string} sitekeys see RegExpFilter()
  * @param {boolean} collapse
  *   defines whether the filter should collapse blocked content, can be null
+ * @param {string} [csp]
+ *   Content Security Policy to inject when the filter matches
  * @constructor
  * @augments RegExpFilter
  */
 function BlockingFilter(text, regexpSource, contentType, matchCase, domains,
-                        thirdParty, sitekeys, collapse)
+                        thirdParty, sitekeys, collapse, csp)
 {
   RegExpFilter.call(this, text, regexpSource, contentType, matchCase, domains,
                     thirdParty, sitekeys);
 
   this.collapse = collapse;
+  this.csp = csp;
 }
 exports.BlockingFilter = BlockingFilter;
 
 BlockingFilter.prototype = extend(RegExpFilter, {
   type: "blocking",
 
   /**
    * Defines whether the filter should collapse blocked content.
    * Can be null (use the global preference).
    * @type {boolean}
    */
-  collapse: null
+  collapse: null,
+
+  /**
+   * Content Security Policy to inject for matching requests.
+   * @type {string}
+   */
+  csp: null
 });
 
 /**
  * Class for whitelist filters
  * @param {string} text see Filter()
  * @param {string} regexpSource see RegExpFilter()
  * @param {number} contentType see RegExpFilter()
  * @param {boolean} matchCase see RegExpFilter()
  * @param {string} domains see RegExpFilter()
  * @param {boolean} thirdParty see RegExpFilter()
@@ skipping 144 matching lines @@
  */
 function ElemHideEmulationFilter(text, domains, selector)
 {
   ElemHideBase.call(this, text, domains, selector);
 }
 exports.ElemHideEmulationFilter = ElemHideEmulationFilter;
 
 ElemHideEmulationFilter.prototype = extend(ElemHideBase, {
   type: "elemhideemulation"
 });