lib/content/snippets.js - Issue 29829569: Issue 6538, 6781 - Add code injection wrapper to snippets library

Delta Between Two Patch Sets: lib/content/snippets.js

Issue 29829569: Issue 6538, 6781 - Add code injection wrapper to snippets library (Closed) Base URL: https://hg.adblockplus.org/adblockpluscore/

Left Patch Set: Add JSDoc comments for log and trace snippets Created July 17, 2018, 3:39 p.m.

Right Patch Set: Remove "safely" from comment, remove unnecessary checks Created July 17, 2018, 5:40 p.m.

Left:
Right:

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

Left: Side by side diff | Download
Right: Side by side diff | Download

LEFT	RIGHT
1 /*	1 /*

2 * This file is part of Adblock Plus <https://adblockplus.org/>,	2 * This file is part of Adblock Plus <https://adblockplus.org/>,

3 * Copyright (C) 2006-present eyeo GmbH	3 * Copyright (C) 2006-present eyeo GmbH

4 *	4 *

5 * Adblock Plus is free software: you can redistribute it and/or modify	5 * Adblock Plus is free software: you can redistribute it and/or modify

6 * it under the terms of the GNU General Public License version 3 as	6 * it under the terms of the GNU General Public License version 3 as

7 * published by the Free Software Foundation.	7 * published by the Free Software Foundation.

8 *	8 *

9 * Adblock Plus is distributed in the hope that it will be useful,	9 * Adblock Plus is distributed in the hope that it will be useful,

10 * but WITHOUT ANY WARRANTY; without even the implied warranty of	10 * but WITHOUT ANY WARRANTY; without even the implied warranty of

(...skipping 40 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
51 let url = URL.createObjectURL(new Blob([code]));	51 let url = URL.createObjectURL(new Blob([code]));

52 script.src = url;	52 script.src = url;

53 document.documentElement.appendChild(script);	53 document.documentElement.appendChild(script);

54 URL.revokeObjectURL(url);	54 URL.revokeObjectURL(url);

55 }	55 }

56	56

57 document.documentElement.removeChild(script);	57 document.documentElement.removeChild(script);

58 }	58 }

59	59

60 /**	60 /**

61 * Safely converts a function and an optional list of arguments into a string	61 * Converts a function and an optional list of arguments into a string of code
kzar 2018/07/17 16:08:22 ("Safely" seems a bit optimistic, when we're talki ("Safely" seems a bit optimistic, when we're talking about evaling code.) Manish Jethani 2018/07/17 16:39:33 I really want it to be safe, but thanks to your co Show quoted text On 2018/07/17 16:08:22, kzar wrote: > ("Safely" seems a bit optimistic, when we're talking about evaling code.) I really want it to be safe, but thanks to your comment I realized it wasn't fully safe. Consider this: function foo() {} foo.toString = function () { // do something malicious }; Now when we do this: stringifyFunctionCall(foo); It executes the malicious JS in the content script's context, because we are calling toString directly. The function foo could still contain malicious JS, but it would get executed in the document's context, which at least has lower privileges (e.g. cannot send messages to the background page!). So now I have updated the patch to do this safely. "Safe" here means that it won't execute any arbitrary code in the extension. The safety is only guaranteed for the execution of the function. The function returns code of course, which could be unsafe to execute, but that's up to the caller. Only the generation of the code is safe, not its execution. kzar 2018/07/17 16:59:19 I guess I don't understand if they are able to mes Show quoted text On 2018/07/17 16:39:33, Manish Jethani wrote: > On 2018/07/17 16:08:22, kzar wrote: > > ("Safely" seems a bit optimistic, when we're talking about evaling code.) > > I really want it to be safe, but thanks to your comment I realized it wasn't > fully safe. > > Consider this: > > function foo() {} > foo.toString = function () > { > // do something malicious > }; > > Now when we do this: > > stringifyFunctionCall(foo); > > It executes the malicious JS in the content script's context, because we are > calling toString directly. > > The function foo could still contain malicious JS, but it would get executed in > the document's context, which at least has lower privileges (e.g. cannot send > messages to the background page!). > > So now I have updated the patch to do this safely. > > "Safe" here means that it won't execute any arbitrary code in the extension. > > The safety is only guaranteed for the execution of the function. The function > returns code of course, which could be unsafe to execute, but that's up to the > caller. Only the generation of the code is safe, not its execution. I guess I don't understand if they are able to mess with `func.toString` how they're not also able to mess with `Function.prototype.toString` (or other things like `Array.prototype.map`). Manish Jethani 2018/07/17 17:27:02 You're right, at this point I am merely being over Show quoted text On 2018/07/17 16:59:19, kzar wrote: > On 2018/07/17 16:39:33, Manish Jethani wrote: > > On 2018/07/17 16:08:22, kzar wrote: > > > ("Safely" seems a bit optimistic, when we're talking about evaling code.) > > > > I really want it to be safe, but thanks to your comment I realized it wasn't > > fully safe. > > > > Consider this: > > > > function foo() {} > > foo.toString = function () > > { > > // do something malicious > > }; > > > > Now when we do this: > > > > stringifyFunctionCall(foo); > > > > It executes the malicious JS in the content script's context, because we are > > calling toString directly. > > > > The function foo could still contain malicious JS, but it would get executed > in > > the document's context, which at least has lower privileges (e.g. cannot send > > messages to the background page!). > > > > So now I have updated the patch to do this safely. > > > > "Safe" here means that it won't execute any arbitrary code in the extension. > > > > The safety is only guaranteed for the execution of the function. The function > > returns code of course, which could be unsafe to execute, but that's up to the > > caller. Only the generation of the code is safe, not its execution. > > I guess I don't understand if they are able to mess with `func.toString` how > they're not also able to mess with `Function.prototype.toString` (or other > things like `Array.prototype.map`). You're right, at this point I am merely being overcautious and designing for some unknown future. Do you think it's overdone? I don't have a strong opinion, I can roll it back. But I would still leave the "safely" part in the comment; one of the reasons we call JSON.stringify is that, at least for the arguments (which come from outside this module), we want to avoid the possibility of (accidental) arbitrary code execution. The problem usually is not intentionally malicious code but rather some developer who doesn't know what they're doing. kzar 2018/07/18 07:40:08 Well, I'm all for being cautious, but if we leave Show quoted text On 2018/07/17 17:27:02, Manish Jethani wrote: > On 2018/07/17 16:59:19, kzar wrote: > > I guess I don't understand if they are able to mess with `func.toString` how > > they're not also able to mess with `Function.prototype.toString` (or other > > things like `Array.prototype.map`). > > You're right, at this point I am merely being overcautious and designing for > some unknown future. Do you think it's overdone? I don't have a strong opinion, > I can roll it back. Well, I'm all for being cautious, but if we leave other weaknesses there it seems kind of pointless. From my experience with the other wrappers, hardening against this kind of stuff properly is a shitload of work too.
62 * of code containing a function call. The function is converted to its string	62 * containing a function call. The function is converted to its string

63 * representation using the <code>Function.prototype.toString</code> method.	63 * representation using the <code>Function.prototype.toString</code> method.

64 * Each argument is stringified using <code>JSON.stringify</code>. The	64 * Each argument is stringified using <code>JSON.stringify</code>. The

65 * generated code begins with the <code>"use strict"</code> directive.	65 * generated code begins with the <code>"use strict"</code> directive.

66 *	66 *

67 * @param {function} func The function to convert.	67 * @param {function} func The function to convert.

68 * @param {...*} [params] The arguments to convert.	68 * @param {...*} [params] The arguments to convert.

69 *	69 *

70 * @returns {string} The generated code containing the function call.	70 * @returns {string} The generated code containing the function call.

71 */	71 */

72 function stringifyFunctionCall(func, ...params)	72 function stringifyFunctionCall(func, ...params)

73 {	73 {

	74 // Call JSON.stringify on the arguments to avoid any arbitrary code

	75 // execution.

74 return `"use strict";(${func})(${params.map(JSON.stringify).join(",")});`;	76 return `"use strict";(${func})(${params.map(JSON.stringify).join(",")});`;

75 }	77 }

76	78

77 /**	79 /**

78 * Wraps a function and its dependencies into an injector. The injector, when	80 * Wraps a function and its dependencies into an injector. The injector, when

79 * called with zero or more arguments, generates code that calls the function,	81 * called with zero or more arguments, generates code that calls the function,
kzar 2018/07/17 16:08:22 Nit: "with zero or more arguments" can be removed, Nit: "with zero or more arguments" can be removed, since you mention "if any" later. Manish Jethani 2018/07/17 16:39:33 Acknowledged. I'll leave it as it is though, if y Show quoted text On 2018/07/17 16:08:22, kzar wrote: > Nit: "with zero or more arguments" can be removed, since you mention "if any" > later. Acknowledged. I'll leave it as it is though, if you really don't mind. kzar 2018/07/17 16:59:19 OK. Show quoted text On 2018/07/17 16:39:33, Manish Jethani wrote: > On 2018/07/17 16:08:22, kzar wrote: > > Nit: "with zero or more arguments" can be removed, since you mention "if any" > > later. > > Acknowledged. > > I'll leave it as it is though, if you really don't mind. OK.
80 * with the given arguments, if any, and injects the code, along with any	82 * with the given arguments, if any, and injects the code, along with any

81 * dependencies, into the document using a temporary <code>script</code>	83 * dependencies, into the document using a temporary <code>script</code>

82 * element.	84 * element.

83 *	85 *

84 * @param {function} injectable The function to wrap into an injector.	86 * @param {function} injectable The function to wrap into an injector.

85 * @param {...(function\|string)} [dependencies] Any dependencies of the	87 * @param {...(function\|string)} [dependencies] Any dependencies of the

86 * function. A dependency may be either a function or a string containing	88 * function. A dependency may be either a function or a string containing

87 * some executable code.	89 * some executable code.

88 *	90 *

89 * @returns {function} The generated injector.	91 * @returns {function} The generated injector.

(...skipping 26 matching lines...) Expand all Loading...
116 * @param {...*} [args] The arguments to log.	118 * @param {...*} [args] The arguments to log.

117 */	119 */

118 function trace(...args)	120 function trace(...args)

119 {	121 {

120 // We could simply use console.log here, but the goal is to demonstrate the	122 // We could simply use console.log here, but the goal is to demonstrate the

121 // usage of snippet dependencies.	123 // usage of snippet dependencies.

122 log(...args);	124 log(...args);

123 }	125 }

124	126

125 exports.trace = makeInjector(trace, log);	127 exports.trace = makeInjector(trace, log);

LEFT	RIGHT