|
1 /* |
|
2 * Copyright (C) 2008, 2009 Daniel Bates (dbates@intudata.com) |
|
3 * All rights reserved. |
|
4 * |
|
5 * Redistribution and use in source and binary forms, with or without |
|
6 * modification, are permitted provided that the following conditions |
|
7 * are met: |
|
8 * 1. Redistributions of source code must retain the above copyright |
|
9 * notice, this list of conditions and the following disclaimer. |
|
10 * 2. Redistributions in binary form must reproduce the above copyright |
|
11 * notice, this list of conditions and the following disclaimer in the |
|
12 * documentation and/or other materials provided with the distribution. |
|
13 * |
|
14 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY |
|
15 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
|
16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
|
17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE COMPUTER, INC. OR |
|
18 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
|
19 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
|
20 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
|
21 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY |
|
22 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
|
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
|
24 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
|
25 */ |
|
26 |
|
27 #ifndef XSSAuditor_h |
|
28 #define XSSAuditor_h |
|
29 |
|
30 #include "HTTPParsers.h" |
|
31 #include "PlatformString.h" |
|
32 #include "SuffixTree.h" |
|
33 #include "TextEncoding.h" |
|
34 |
|
35 namespace WebCore { |
|
36 |
|
37 class FormData; |
|
38 class Frame; |
|
39 class ScriptSourceCode; |
|
40 |
|
41 // The XSSAuditor class is used to prevent type 1 cross-site scripting |
|
42 // vulnerabilities (also known as reflected vulnerabilities). |
|
43 // |
|
44 // More specifically, the XSSAuditor class decides whether the execution of |
|
45 // a script is to be allowed or denied based on the content of any |
|
46 // user-submitted data, including: |
|
47 // |
|
48 // * the URL. |
|
49 // * the HTTP-POST data. |
|
50 // |
|
51 // If the source code of a script resembles any user-submitted data then it |
|
52 // is denied execution. |
|
53 // |
|
54 // When you instantiate the XSSAuditor you must specify the Frame of the |
|
55 // page that you wish to audit. |
|
56 // |
|
57 // Bindings |
|
58 // |
|
59 // An XSSAuditor is instantiated within the constructor of a |
|
60 // ScriptController object and passed the Frame the script originated. The |
|
61 // ScriptController calls back to the XSSAuditor to determine whether a |
|
62 // JavaScript script is safe to execute before executing it. The following |
|
63 // methods call into XSSAuditor: |
|
64 // |
|
65 // * ScriptController::evaluateInWorld - used to evaluate JavaScript scripts. |
|
66 // * ScriptController::executeIfJavaScriptURL - used to evaluate JavaScript URLs. |
|
67 // * ScriptEventListener::createAttributeEventListener - used to create JavaScript event handlers. |
|
68 // * HTMLBaseElement::process - used to set the document base URL. |
|
69 // * LegacyHTMLDocumentParser::parseTag - used to load external JavaScript scripts. |
|
70 // * SubframeLoader::requestObject - used to load <object>/<embed> elements. |
|
71 // |
|
72 class XSSAuditor : public Noncopyable { |
|
73 public: |
|
74 XSSAuditor(Frame*); |
|
75 ~XSSAuditor(); |
|
76 |
|
77 bool isEnabled() const; |
|
78 |
|
79 // Determines whether the script should be allowed or denied execution |
|
80 // based on the content of any user-submitted data. |
|
81 bool canEvaluate(const String& code) const; |
|
82 |
|
83 // Determines whether the JavaScript URL should be allowed or denied execution |
|
84 // based on the content of any user-submitted data. |
|
85 bool canEvaluateJavaScriptURL(const String& code) const; |
|
86 |
|
87 // Determines whether the event listener should be created based on the |
|
88 // content of any user-submitted data. |
|
89 bool canCreateInlineEventListener(const String& functionName, const String& code) const; |
|
90 |
|
91 // Determines whether the external script should be loaded based on the |
|
92 // content of any user-submitted data. |
|
93 bool canLoadExternalScriptFromSrc(const String& url) const; |
|
94 |
|
95 // Determines whether object should be loaded based on the content of |
|
96 // any user-submitted data. |
|
97 // |
|
98 // This method is called by SubframeLoader::requestObject. |
|
99 bool canLoadObject(const String& url) const; |
|
100 |
|
101 // Determines whether the base URL should be changed based on the content |
|
102 // of any user-submitted data. |
|
103 // |
|
104 // This method is called by HTMLBaseElement::process. |
|
105 bool canSetBaseElementURL(const String& url) const; |
|
106 |
|
107 private: |
|
108 class CachingURLCanonicalizer |
|
109 { |
|
110 public: |
|
111 CachingURLCanonicalizer() : m_decodeEntities(false), m_decodeURLEscapeSequencesTwice(false), m_generation(0) { } |
|
112 String canonicalizeURL(FormData*, const TextEncoding& encoding, bool decodeEntities, |
|
113 bool decodeURLEscapeSequencesTwice); |
|
114 String canonicalizeURL(const String& url, const TextEncoding& encoding, bool decodeEntities, |
|
115 bool decodeURLEscapeSequencesTwice); |
|
116 |
|
117 void clear(); |
|
118 |
|
119 int generation() const { return m_generation; } |
|
120 |
|
121 private: |
|
122 // The parameters we were called with last. |
|
123 String m_inputURL; |
|
124 TextEncoding m_encoding; |
|
125 bool m_decodeEntities; |
|
126 bool m_decodeURLEscapeSequencesTwice; |
|
127 RefPtr<FormData> m_formData; |
|
128 |
|
129 // Incremented every time we see a new URL. |
|
130 int m_generation; |
|
131 |
|
132 // The cached result. |
|
133 String m_cachedCanonicalizedURL; |
|
134 }; |
|
135 |
|
136 struct FindTask { |
|
137 FindTask() |
|
138 : decodeEntities(true) |
|
139 , allowRequestIfNoIllegalURICharacters(false) |
|
140 , decodeURLEscapeSequencesTwice(false) |
|
141 { |
|
142 } |
|
143 |
|
144 String context; |
|
145 String string; |
|
146 bool decodeEntities; |
|
147 bool allowRequestIfNoIllegalURICharacters; |
|
148 bool decodeURLEscapeSequencesTwice; |
|
149 }; |
|
150 |
|
151 static String canonicalize(const String&); |
|
152 static String decodeURL(const String& url, const TextEncoding& encoding, bool decodeEntities, |
|
153 bool decodeURLEscapeSequencesTwice = false); |
|
154 static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true); |
|
155 |
|
156 bool isSameOriginResource(const String& url) const; |
|
157 bool findInRequest(const FindTask&) const; |
|
158 bool findInRequest(Frame*, const FindTask&) const; |
|
159 |
|
160 XSSProtectionDisposition xssProtection() const; |
|
161 |
|
162 // The frame to audit. |
|
163 Frame* m_frame; |
|
164 |
|
165 // A state store to help us avoid canonicalizing the same URL repeated. |
|
166 // When a page has form data, we need two caches: one to store the |
|
167 // canonicalized URL and another to store the cannonicalized form |
|
168 // data. If we only had one cache, we'd always generate a cache miss |
|
169 // and load some pages extremely slowly. |
|
170 // https://bugs.webkit.org/show_bug.cgi?id=35373 |
|
171 mutable CachingURLCanonicalizer m_pageURLCache; |
|
172 mutable CachingURLCanonicalizer m_formDataCache; |
|
173 |
|
174 mutable OwnPtr<SuffixTree<ASCIICodebook> > m_formDataSuffixTree; |
|
175 mutable int m_generationOfSuffixTree; |
|
176 }; |
|
177 |
|
178 } // namespace WebCore |
|
179 |
|
180 #endif // XSSAuditor_h |