| Quellcodebibliothek Statistik Leitseite products/Sources/formale Sprachen/C/Firefox/js/xpconnect/src/ (Browser von der Mozilla Stiftung Version 136.0.1©) Datei vom 10.2.2025 mit Größe 74 kB |
|
Quelle Sandbox.cpp Sprache: C |
|||||||||||||||
|
/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ /* vim: set ts=8 sts=2 et sw=2 tw=80: */ /* This Source Code Form is subject to the terms of the Mozilla Public * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ /* * The Components.Sandbox object. */ #include "AccessCheck.h" #include "jsfriendapi.h" #include "js/Array.h" // JS::GetArrayLength, JS::IsArrayObject #include "js/CallAndConstruct.h" // JS::Call, JS::IsCallable #include "js/CharacterEncoding.h" #include "js/CompilationAndEvaluation.h" #include "js/Object.h" // JS::GetClass, JS::GetCompartment, JS::GetReservedSlot #include "js/PropertyAndElement.h" // JS_DefineFunction, JS_DefineFunctions, JS_Defin #include "js/PropertyDescriptor.h" // JS::PropertyDescriptor, JS_GetOwnPropertyDescr #include "js/PropertySpec.h" #include "js/Proxy.h" #include "js/SourceText.h" #include "js/StructuredClone.h" #include "nsContentUtils.h" #include "nsGlobalWindowInner.h" #include "nsIException.h" // for nsIStackFrame #include "nsIScriptContext.h" #include "nsIScriptObjectPrincipal.h" #include "nsIURI.h" #include "nsJSUtils.h" #include "nsNetUtil.h" #include "ExpandedPrincipal.h" #include "WrapperFactory.h" #include "xpcprivate.h" #include "xpc_make_class.h" #include "XPCWrapper.h" #include "Crypto.h" #include "mozilla/Result.h" #include "mozilla/dom/AbortControllerBinding.h" #include "mozilla/dom/AutoEntryScript.h" #include "mozilla/dom/BindingCallContext.h" #include "mozilla/dom/BindingUtils.h" #include "mozilla/dom/BlobBinding.h" #include "mozilla/dom/cache/CacheStorage.h" #include "mozilla/dom/CSSBinding.h" #include "mozilla/dom/CSSRuleBinding.h" #include "mozilla/dom/DirectoryBinding.h" #include "mozilla/dom/DocumentBinding.h" #include "mozilla/dom/DOMExceptionBinding.h" #include "mozilla/dom/DOMParserBinding.h" #include "mozilla/dom/DOMTokenListBinding.h" #include "mozilla/dom/ElementBinding.h" #include "mozilla/dom/ElementInternalsBinding.h" #include "mozilla/dom/EventBinding.h" #include "mozilla/dom/Exceptions.h" #include "mozilla/dom/IndexedDatabaseManager.h" #include "mozilla/dom/Fetch.h" #include "mozilla/dom/FileBinding.h" #include "mozilla/dom/HeadersBinding.h" #include "mozilla/dom/IOUtilsBinding.h" #include "mozilla/dom/InspectorUtilsBinding.h" #include "mozilla/dom/LockManager.h" #include "mozilla/dom/MessageChannelBinding.h" #include "mozilla/dom/MessagePortBinding.h" #include "mozilla/dom/MIDIInputMapBinding.h" #include "mozilla/dom/MIDIOutputMapBinding.h" #include "mozilla/dom/ModuleLoader.h" #include "mozilla/dom/NodeBinding.h" #include "mozilla/dom/NodeFilterBinding.h" #include "mozilla/dom/PathUtilsBinding.h" #include "mozilla/dom/PerformanceBinding.h" #include "mozilla/dom/PromiseBinding.h" #include "mozilla/dom/PromiseDebuggingBinding.h" #include "mozilla/dom/RangeBinding.h" #include "mozilla/dom/RequestBinding.h" #include "mozilla/dom/ReadableStreamBinding.h" #include "mozilla/dom/ResponseBinding.h" #ifdef MOZ_WEBRTC # include "mozilla/dom/RTCIdentityProviderRegistrar.h" #endif #include "mozilla/dom/FileReaderBinding.h" #include "mozilla/dom/ScriptLoader.h" #include "mozilla/dom/ScriptSettings.h" #include "mozilla/dom/SelectionBinding.h" #include "mozilla/dom/StorageManager.h" #include "mozilla/dom/StorageManagerBinding.h" #include "mozilla/dom/TextDecoderBinding.h" #include "mozilla/dom/TextEncoderBinding.h" #include "mozilla/dom/URLBinding.h" #include "mozilla/dom/URLSearchParamsBinding.h" #include "mozilla/dom/XMLHttpRequest.h" #include "mozilla/dom/WebSocketBinding.h" #include "mozilla/dom/WindowBinding.h" #include "mozilla/dom/XMLSerializerBinding.h" #include "mozilla/dom/FormDataBinding.h" #include "mozilla/dom/nsCSPContext.h" #include "mozilla/ipc/BackgroundUtils.h" #include "mozilla/ipc/PBackgroundSharedTypes.h" #include "mozilla/BasePrincipal.h" #include "mozilla/DeferredFinalize.h" #include "mozilla/ExtensionPolicyService.h" #include "mozilla/Maybe.h" #include "mozilla/NullPrincipal.h" #include "mozilla/ResultExtensions.h" #include "mozilla/StaticPrefs_extensions.h" using namespace mozilla; using namespace mozilla::dom; using namespace JS; using namespace JS::loader; using namespace xpc; using mozilla::dom::DestroyProtoAndIfaceCache; using mozilla::dom::IndexedDatabaseManager; NS_IMPL_CYCLE_COLLECTION_WRAPPERCACHE_CLASS(SandboxPrivate) NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(SandboxPrivate) NS_IMPL_CYCLE_COLLECTION_UNLINK_PRESERVED_WRAPPER NS_IMPL_CYCLE_COLLECTION_UNLINK_WEAK_REFERENCE NS_IMPL_CYCLE_COLLECTION_UNLINK_WEAK_PTR NS_IMPL_CYCLE_COLLECTION_UNLINK(mModuleLoader) tmp->UnlinkObjectsInGlobal(); NS_IMPL_CYCLE_COLLECTION_UNLINK_END NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(SandboxPrivate) NS_IMPL_CYCLE_COLLECTION_TRAVERSE(mModuleLoader) tmp->TraverseObjectsInGlobal(cb); NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END NS_IMPL_CYCLE_COLLECTING_ADDREF(SandboxPrivate) NS_IMPL_CYCLE_COLLECTING_RELEASE(SandboxPrivate) NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(SandboxPrivate) NS_WRAPPERCACHE_INTERFACE_MAP_ENTRY NS_INTERFACE_MAP_ENTRY_AMBIGUOUS(nsISupports, nsIScriptObjectPrincipal) NS_INTERFACE_MAP_ENTRY(nsIScriptObjectPrincipal) NS_INTERFACE_MAP_ENTRY(nsIGlobalObject) NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference) NS_INTERFACE_MAP_END class nsXPCComponents_utils_Sandbox : public nsIXPCComponents_utils_Sandbox, public nsIXPCScriptable { public: // Aren't macros nice? NS_DECL_ISUPPORTS NS_DECL_NSIXPCCOMPONENTS_UTILS_SANDBOX NS_DECL_NSIXPCSCRIPTABLE public: nsXPCComponents_utils_Sandbox(); private: virtual ~nsXPCComponents_utils_Sandbox(); static nsresult CallOrConstruct(nsIXPConnectWrappedNative* wrapper, JSContext* cx, HandleObject obj, const CallArgs& args, bool* _retval); }; already_AddRefed<nsIXPCComponents_utils_Sandbox> xpc::NewSandboxConstructor() { nsCOMPtr<nsIXPCComponents_utils_Sandbox> sbConstructor = new nsXPCComponents_utils_Sandbox(); return sbConstructor.forget(); } static bool SandboxDump(JSContext* cx, unsigned argc, Value* vp) { if (!nsJSUtils::DumpEnabled()) { return true; } CallArgs args = CallArgsFromVp(argc, vp); if (args.length() == 0) { return true; } RootedString str(cx, ToString(cx, args[0])); if (!str) { return false; } JS::UniqueChars utf8str = JS_EncodeStringToUTF8(cx, str); char* cstr = utf8str.get(); if (!cstr) { return false; } #if defined(XP_MACOSX) // Be nice and convert all \r to \n. char* c = cstr; char* cEnd = cstr + strlen(cstr); while (c < cEnd) { if (*c == '\r') { *c = '\n'; } c++; } #endif MOZ_LOG(nsContentUtils::DOMDumpLog(), mozilla::LogLevel::Debug, ("[Sandbox.Dump] %s", cstr)); #ifdef ANDROID __android_log_write(ANDROID_LOG_INFO, "GeckoDump", cstr); #endif fputs(cstr, stdout); fflush(stdout); args.rval().setBoolean(true); return true; } static bool SandboxDebug(JSContext* cx, unsigned argc, Value* vp) { #ifdef DEBUG return SandboxDump(cx, argc, vp); #else return true; #endif } static bool SandboxImport(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); if (args.length() < 1 || args[0].isPrimitive()) { XPCThrower::Throw(NS_ERROR_INVALID_ARG, cx); return false; } RootedString funname(cx); if (args.length() > 1) { // Use the second parameter as the function name. funname = ToString(cx, args[1]); if (!funname) { return false; } } else { // NB: funobj must only be used to get the JSFunction out. RootedObject funobj(cx, &args[0].toObject()); if (js::IsProxy(funobj)) { funobj = XPCWrapper::UnsafeUnwrapSecurityWrapper(funobj); } JSAutoRealm ar(cx, funobj); RootedValue funval(cx, ObjectValue(*funobj)); JS::Rooted<JSFunction*> fun(cx, JS_ValueToFunction(cx, funval)); if (!fun) { XPCThrower::Throw(NS_ERROR_INVALID_ARG, cx); return false; } // Use the actual function name as the name. if (!JS_GetFunctionId(cx, fun, &funname)) { return false; } if (!funname) { XPCThrower::Throw(NS_ERROR_INVALID_ARG, cx); return false; } } JS_MarkCrossZoneIdValue(cx, StringValue(funname)); RootedId id(cx); if (!JS_StringToId(cx, funname, &id)) { return false; } // We need to resolve the this object, because this function is used // unbound and should still work and act on the original sandbox. RootedObject thisObject(cx); if (!args.computeThis(cx, &thisObject)) { return false; } if (!JS_SetPropertyById(cx, thisObject, id, args[0])) { return false; } args.rval().setUndefined(); return true; } bool xpc::SandboxCreateCrypto(JSContext* cx, JS::Handle<JSObject*> obj) { MOZ_ASSERT(JS_IsGlobalObject(obj)); nsIGlobalObject* native = xpc::NativeGlobal(obj); MOZ_ASSERT(native); dom::Crypto* crypto = new dom::Crypto(native); JS::RootedObject wrapped(cx, crypto->WrapObject(cx, nullptr)); return JS_DefineProperty(cx, obj, "crypto", wrapped, JSPROP_ENUMERATE); } #ifdef MOZ_WEBRTC static bool SandboxCreateRTCIdentityProvider(JSContext* cx, JS::HandleObject obj) { MOZ_ASSERT(JS_IsGlobalObject(obj)); nsCOMPtr<nsIGlobalObject> nativeGlobal = xpc::NativeGlobal(obj); MOZ_ASSERT(nativeGlobal); dom::RTCIdentityProviderRegistrar* registrar = new dom::RTCIdentityProviderRegistrar(nativeGlobal); JS::RootedObject wrapped(cx, registrar->WrapObject(cx, nullptr)); return JS_DefineProperty(cx, obj, "rtcIdentityProvider", wrapped, JSPROP_ENUMERATE); } #endif static bool SandboxFetch(JSContext* cx, JS::HandleObject scope, const CallArgs& args) { if (args.length() < 1) { JS_ReportErrorASCII(cx, "fetch requires at least 1 argument"); return false; } BindingCallContext callCx(cx, "fetch"); RequestOrUTF8String request; if (!request.Init(callCx, args[0], "Argument 1")) { return false; } RootedDictionary<dom::RequestInit> options(cx); if (!options.Init(callCx, args.hasDefined(1) ? args[1] : JS::NullHandleValue, "Argument 2", false)) { return false; } nsCOMPtr<nsIGlobalObject> global = xpc::NativeGlobal(scope); if (!global) { return false; } dom::CallerType callerType = nsContentUtils::IsSystemCaller(cx) ? dom::CallerType::System : dom::CallerType::NonSystem; ErrorResult rv; RefPtr<dom::Promise> response = FetchRequest( global, Constify(request), Constify(options), callerType, rv); if (rv.MaybeSetPendingException(cx)) { return false; } args.rval().setObject(*response->PromiseObj()); return true; } static bool SandboxFetchPromise(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); RootedObject scope(cx, JS::CurrentGlobalOrNull(cx)); if (SandboxFetch(cx, scope, args)) { return true; } return ConvertExceptionToPromise(cx, args.rval()); } bool xpc::SandboxCreateFetch(JSContext* cx, JS::Handle<JSObject*> obj) { MOZ_ASSERT(JS_IsGlobalObject(obj)); return JS_DefineFunction(cx, obj, "fetch", SandboxFetchPromise, 2, 0) && Request_Binding::CreateAndDefineOnGlobal(cx) && Response_Binding::CreateAndDefineOnGlobal(cx) && Headers_Binding::CreateAndDefineOnGlobal(cx); } static bool SandboxCreateStorage(JSContext* cx, JS::HandleObject obj) { MOZ_ASSERT(JS_IsGlobalObject(obj)); nsIGlobalObject* native = xpc::NativeGlobal(obj); MOZ_ASSERT(native); if (!StorageManager_Binding::CreateAndDefineOnGlobal(cx)) { return false; } dom::StorageManager* storageManager = new dom::StorageManager(native); JS::RootedObject wrapped(cx, storageManager->WrapObject(cx, nullptr)); return JS_DefineProperty(cx, obj, "storage", wrapped, JSPROP_ENUMERATE); } static bool SandboxStructuredClone(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); if (!args.requireAtLeast(cx, "structuredClone", 1)) { return false; } RootedDictionary<dom::StructuredSerializeOptions> options(cx); BindingCallContext callCx(cx, "structuredClone"); if (!options.Init(cx, args.hasDefined(1) ? args[1] : JS::NullHandleValue, "Argument 2", false)) { return false; } nsIGlobalObject* global = CurrentNativeGlobal(cx); if (!global) { JS_ReportErrorASCII(cx, "structuredClone: Missing global"); return false; } JS::Rooted<JS::Value> result(cx); ErrorResult rv; nsContentUtils::StructuredClone(cx, global, args[0], options, &result, rv); if (rv.MaybeSetPendingException(cx)) { return false; } MOZ_ASSERT_IF(result.isGCThing(), !JS::GCThingIsMarkedGray(result.toGCCellPtr())); args.rval().set(result); return true; } bool xpc::SandboxCreateStructuredClone(JSContext* cx, HandleObject obj) { MOZ_ASSERT(JS_IsGlobalObject(obj)); return JS_DefineFunction(cx, obj, "structuredClone", SandboxStructuredClone, 1, 0); } bool xpc::SandboxCreateLocks(JSContext* cx, JS::Handle<JSObject*> obj) { MOZ_ASSERT(JS_IsGlobalObject(obj)); nsIGlobalObject* native = xpc::NativeGlobal(obj); MOZ_ASSERT(native); RefPtr<dom::LockManager> lockManager = dom::LockManager::Create(*native); JS::RootedObject wrapped(cx, lockManager->WrapObject(cx, nullptr)); return JS_DefineProperty(cx, obj, "locks", wrapped, JSPROP_ENUMERATE); } static bool SandboxIsProxy(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); if (args.length() < 1) { JS_ReportErrorASCII(cx, "Function requires at least 1 argument"); return false; } if (!args[0].isObject()) { args.rval().setBoolean(false); return true; } RootedObject obj(cx, &args[0].toObject()); // CheckedUnwrapStatic is OK here, since we only care about whether // it's a scripted proxy and the things CheckedUnwrapStatic fails on // are not. obj = js::CheckedUnwrapStatic(obj); if (!obj) { args.rval().setBoolean(false); return true; } args.rval().setBoolean(js::IsScriptedProxy(obj)); return true; } /* * Expected type of the arguments and the return value: * function exportFunction(function funToExport, * object targetScope, * [optional] object options) */ static bool SandboxExportFunction(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); if (args.length() < 2) { JS_ReportErrorASCII(cx, "Function requires at least 2 arguments"); return false; } RootedValue options(cx, args.length() > 2 ? args[2] : UndefinedValue()); return ExportFunction(cx, args[0], args[1], options, args.rval()); } static bool SandboxCreateObjectIn(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); if (args.length() < 1) { JS_ReportErrorASCII(cx, "Function requires at least 1 argument"); return false; } RootedObject optionsObj(cx); bool calledWithOptions = args.length() > 1; if (calledWithOptions) { if (!args[1].isObject()) { JS_ReportErrorASCII( cx, "Expected the 2nd argument (options) to be an object"); return false; } optionsObj = &args[1].toObject(); } CreateObjectInOptions options(cx, optionsObj); if (calledWithOptions && !options.Parse()) { return false; } return xpc::CreateObjectIn(cx, args[0], options, args.rval()); } static bool SandboxCloneInto(JSContext* cx, unsigned argc, Value* vp) { CallArgs args = CallArgsFromVp(argc, vp); if (args.length() < 2) { JS_ReportErrorASCII(cx, "Function requires at least 2 arguments"); return false; } RootedValue options(cx, args.length() > 2 ? args[2] : UndefinedValue()); return xpc::CloneInto(cx, args[0], args[1], options, args.rval()); } static void sandbox_finalize(JS::GCContext* gcx, JSObject* obj) { SandboxPrivate* priv = SandboxPrivate::GetPrivate(obj); if (!priv) { // priv can be null if CreateSandboxObject fails in the middle. return; } priv->ForgetGlobalObject(obj); DestroyProtoAndIfaceCache(obj); DeferredFinalize(static_cast<nsIScriptObjectPrincipal*>(priv)); } static size_t sandbox_moved(JSObject* obj, JSObject* old) { // Note that this hook can be called before the private pointer is set. In // this case the SandboxPrivate will not exist yet, so there is nothing to // do. SandboxPrivate* priv = SandboxPrivate::GetPrivate(obj); if (!priv) { return 0; } return priv->ObjectMoved(obj, old); } #define XPCONNECT_SANDBOX_CLASS_METADATA_SLOT \ (XPCONNECT_GLOBAL_EXTRA_SLOT_OFFSET) static const JSClassOps SandboxClassOps = { nullptr, // addProperty nullptr, // delProperty nullptr, // enumerate JS_NewEnumerateStandardClasses, // newEnumerate JS_ResolveStandardClass, // resolve JS_MayResolveStandardClass, // mayResolve sandbox_finalize, // finalize nullptr, // call nullptr, // construct JS_GlobalObjectTraceHook, // trace }; static const js::ClassExtension SandboxClassExtension = { sandbox_moved, // objectMovedOp }; static const JSClass SandboxClass = { "Sandbox", XPCONNECT_GLOBAL_FLAGS_WITH_EXTRA_SLOTS(1) | JSCLASS_FOREGROUND_FINALIZE, &SandboxClassOps, JS_NULL_CLASS_SPEC, &SandboxClassExtension, JS_NULL_OBJECT_OPS}; static const JSFunctionSpec SandboxFunctions[] = { JS_FN("dump", SandboxDump, 1, 0), JS_FN("debug", SandboxDebug, 1, 0), JS_FN("importFunction", SandboxImport, 1, 0), JS_FS_END}; bool xpc::IsSandbox(JSObject* obj) { const JSClass* clasp = JS::GetClass(obj); return clasp == &SandboxClass; } /***************************************************************************/ nsXPCComponents_utils_Sandbox::nsXPCComponents_utils_Sandbox() = default; nsXPCComponents_utils_Sandbox::~nsXPCComponents_utils_Sandbox() = default; NS_IMPL_QUERY_INTERFACE(nsXPCComponents_utils_Sandbox, nsIXPCComponents_utils_Sandbox, nsIXPCScriptable) NS_IMPL_ADDREF(nsXPCComponents_utils_Sandbox) NS_IMPL_RELEASE(nsXPCComponents_utils_Sandbox) // We use the nsIXPScriptable macros to generate lots of stuff for us. #define XPC_MAP_CLASSNAME nsXPCComponents_utils_Sandbox #define XPC_MAP_QUOTED_CLASSNAME "nsXPCComponents_utils_Sandbox" #define XPC_MAP_FLAGS (XPC_SCRIPTABLE_WANT_CALL | XPC_SCRIPTABLE_WANT_CONSTRUCT) #include "xpc_map_end.h" /* This #undef's the above. */ class SandboxProxyHandler : public js::Wrapper { public: constexpr SandboxProxyHandler() : js::Wrapper(0) {} virtual bool getOwnPropertyDescriptor( JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, JS::MutableHandle<Maybe<JS::PropertyDescriptor>> desc) const override; // We just forward the high-level methods to the BaseProxyHandler versions // which implement them in terms of lower-level methods. virtual bool has(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool* bp) const override; virtual bool get(JSContext* cx, JS::Handle<JSObject*> proxy, JS::HandleValue receiver, JS::Handle<jsid> id, JS::MutableHandle<JS::Value> vp) const override; virtual bool set(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, JS::Handle<JS::Value> v, JS::Handle<JS::Value> receiver, JS::ObjectOpResult& result) const override; virtual bool hasOwn(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool* bp) const override; virtual bool getOwnEnumerablePropertyKeys( JSContext* cx, JS::Handle<JSObject*> proxy, JS::MutableHandleIdVector props) const override; virtual bool enumerate(JSContext* cx, JS::Handle<JSObject*> proxy, JS::MutableHandleIdVector props) const override; private: // Implements the custom getPropertyDescriptor behavior. If the getOwn // argument is true we only look for "own" properties. bool getPropertyDescriptorImpl( JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool getOwn, JS::MutableHandle<Maybe<JS::PropertyDescriptor>> desc) const; }; static const SandboxProxyHandler sandboxProxyHandler; namespace xpc { bool IsSandboxPrototypeProxy(JSObject* obj) { return js::IsProxy(obj) && js::GetProxyHandler(obj) == &sandboxProxyHandler; } bool IsWebExtensionContentScriptSandbox(JSObject* obj) { return IsSandbox(obj) && CompartmentPrivate::Get(obj)->isWebExtensionContentScript; } } // namespace xpc // A proxy handler that lets us wrap callables and invoke them with // the correct this object, while forwarding all other operations down // to them directly. class SandboxCallableProxyHandler : public js::Wrapper { public: constexpr SandboxCallableProxyHandler() : js::Wrapper(0) {} virtual bool call(JSContext* cx, JS::Handle<JSObject*> proxy, const JS::CallArgs& args) const override; static const size_t SandboxProxySlot = 0; static inline JSObject* getSandboxProxy(JS::Handle<JSObject*> proxy) { return &js::GetProxyReservedSlot(proxy, SandboxProxySlot).toObject(); } }; static const SandboxCallableProxyHandler sandboxCallableProxyHandler; bool SandboxCallableProxyHandler::call(JSContext* cx, JS::Handle<JSObject*> proxy, const JS::CallArgs& args) const { // We forward the call to our underlying callable. // Get our SandboxProxyHandler proxy. RootedObject sandboxProxy(cx, getSandboxProxy(proxy)); MOZ_ASSERT(js::IsProxy(sandboxProxy) && js::GetProxyHandler(sandboxProxy) == &sandboxProxyHandler); // The global of the sandboxProxy is the sandbox global, and the // target object is the original proto. RootedObject sandboxGlobal(cx, JS::GetNonCCWObjectGlobal(sandboxProxy)); MOZ_ASSERT(IsSandbox(sandboxGlobal)); // If our this object is the sandbox global, we call with this set to the // original proto instead. // // There are two different ways we can compute |this|. If we use // JS_THIS_VALUE, we'll get the bonafide |this| value as passed by the // caller, which may be undefined if a global function was invoked without // an explicit invocant. If we use JS_THIS or JS_THIS_OBJECT, the |this| // in |vp| will be coerced to the global, which is not the correct // behavior in ES5 strict mode. And we have no way to compute strictness // here. // // The naive approach is simply to use JS_THIS_VALUE here. If |this| was // explicit, we can remap it appropriately. If it was implicit, then we // leave it as undefined, and let the callee sort it out. Since the callee // is generally in the same compartment as its global (eg the Window's // compartment, not the Sandbox's), the callee will generally compute the // correct |this|. // // However, this breaks down in the Xray case. If the sandboxPrototype // is an Xray wrapper, then we'll end up reifying the native methods in // the Sandbox's scope, which means that they'll compute |this| to be the // Sandbox, breaking old-style XPC_WN_CallMethod methods. // // Luckily, the intent of Xrays is to provide a vanilla view of a foreign // DOM interface, which means that we don't care about script-enacted // strictness in the prototype's home compartment. Indeed, since DOM // methods are always non-strict, we can just assume non-strict semantics // if the sandboxPrototype is an Xray Wrapper, which lets us appropriately // remap |this|. bool isXray = WrapperFactory::IsXrayWrapper(sandboxProxy); RootedValue thisVal(cx, args.thisv()); if (isXray) { RootedObject thisObject(cx); if (!args.computeThis(cx, &thisObject)) { return false; } thisVal.setObject(*thisObject); } if (thisVal == ObjectValue(*sandboxGlobal)) { thisVal = ObjectValue(*js::GetProxyTargetObject(sandboxProxy)); } RootedValue func(cx, js::GetProxyPrivate(proxy)); return JS::Call(cx, thisVal, func, args, args.rval()); } /* * Wrap a callable such that if we're called with oldThisObj as the * "this" we will instead call it with newThisObj as the this. */ static JSObject* WrapCallable(JSContext* cx, HandleObject callable, HandleObject sandboxProtoProxy) { MOZ_ASSERT(JS::IsCallable(callable)); // Our proxy is wrapping the callable. So we need to use the // callable as the private. We put the given sandboxProtoProxy in // an extra slot, and our call() hook depends on that. MOZ_ASSERT(js::IsProxy(sandboxProtoProxy) && js::GetProxyHandler(sandboxProtoProxy) == &sandboxProxyHandler); RootedValue priv(cx, ObjectValue(*callable)); // We want to claim to have the same proto as our wrapped callable, so set // ourselves up with a lazy proto. js::ProxyOptions options; options.setLazyProto(true); JSObject* obj = js::NewProxyObject(cx, &sandboxCallableProxyHandler, priv, nullptr, options); if (obj) { js::SetProxyReservedSlot(obj, SandboxCallableProxyHandler::SandboxProxySlot, ObjectValue(*sandboxProtoProxy)); } return obj; } bool WrapAccessorFunction(JSContext* cx, MutableHandleObject accessor, HandleObject sandboxProtoProxy) { if (!accessor) { return true; } accessor.set(WrapCallable(cx, accessor, sandboxProtoProxy)); return !!accessor; } static bool IsMaybeWrappedDOMConstructor(JSObject* obj) { // We really care about the underlying object here, which might be wrapped in // cross-compartment wrappers. CheckedUnwrapStatic is fine, since we just // care whether it's a DOM constructor. obj = js::CheckedUnwrapStatic(obj); if (!obj) { return false; } return dom::IsDOMConstructor(obj); } bool SandboxProxyHandler::getPropertyDescriptorImpl( JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool getOwn, MutableHandle<Maybe<PropertyDescriptor>> desc_) const { JS::RootedObject obj(cx, wrappedObject(proxy)); MOZ_ASSERT(JS::GetCompartment(obj) == JS::GetCompartment(proxy)); if (getOwn) { if (!JS_GetOwnPropertyDescriptorById(cx, obj, id, desc_)) { return false; } } else { Rooted<JSObject*> holder(cx); if (!JS_GetPropertyDescriptorById(cx, obj, id, desc_, &holder)) { return false; } } if (desc_.isNothing()) { return true; } Rooted<PropertyDescriptor> desc(cx, *desc_); // Now fix up the getter/setter/value as needed. if (desc.hasGetter() && !WrapAccessorFunction(cx, desc.getter(), proxy)) { return false; } if (desc.hasSetter() && !WrapAccessorFunction(cx, desc.setter(), proxy)) { return false; } if (desc.hasValue() && desc.value().isObject()) { RootedObject val(cx, &desc.value().toObject()); if (JS::IsCallable(val) && // Don't wrap DOM constructors: they don't care about the "this" // they're invoked with anyway, being constructors. And if we wrap // them here we break invariants like Node == Node and whatnot. !IsMaybeWrappedDOMConstructor(val)) { val = WrapCallable(cx, val, proxy); if (!val) { return false; } desc.value().setObject(*val); } } desc_.set(Some(desc.get())); return true; } bool SandboxProxyHandler::getOwnPropertyDescriptor( JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, MutableHandle<Maybe<PropertyDescriptor>> desc) const { return getPropertyDescriptorImpl(cx, proxy, id, /* getOwn = */ true, desc); } /* * Reuse the BaseProxyHandler versions of the derived traps that are implemented * in terms of the fundamental traps. */ bool SandboxProxyHandler::has(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool* bp) const { // This uses JS_GetPropertyDescriptorById for backward compatibility. Rooted<Maybe<PropertyDescriptor>> desc(cx); if (!getPropertyDescriptorImpl(cx, proxy, id, /* getOwn = */ false, &desc)) { return false; } *bp = desc.isSome(); return true; } bool SandboxProxyHandler::hasOwn(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool* bp) const { return BaseProxyHandler::hasOwn(cx, proxy, id, bp); } bool SandboxProxyHandler::get(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<JS::Value> receiver, JS::Handle<jsid> id, JS::MutableHandle<Value> vp) const { // This uses JS_GetPropertyDescriptorById for backward compatibility. Rooted<Maybe<PropertyDescriptor>> desc(cx); if (!getPropertyDescriptorImpl(cx, proxy, id, /* getOwn = */ false, &desc)) { return false; } if (desc.isNothing()) { vp.setUndefined(); return true; } else { desc->assertComplete(); } // Everything after here follows [[Get]] for ordinary objects. if (desc->isDataDescriptor()) { vp.set(desc->value()); return true; } MOZ_ASSERT(desc->isAccessorDescriptor()); RootedObject getter(cx, desc->getter()); if (!getter) { vp.setUndefined(); return true; } return Call(cx, receiver, getter, HandleValueArray::empty(), vp); } bool SandboxProxyHandler::set(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, JS::Handle<Value> v, JS::Handle<Value> receiver, JS::ObjectOpResult& result) const { return BaseProxyHandler::set(cx, proxy, id, v, receiver, result); } bool SandboxProxyHandler::getOwnEnumerablePropertyKeys( JSContext* cx, JS::Handle<JSObject*> proxy, MutableHandleIdVector props) const { return BaseProxyHandler::getOwnEnumerablePropertyKeys(cx, proxy, props); } bool SandboxProxyHandler::enumerate(JSContext* cx, JS::Handle<JSObject*> proxy, JS::MutableHandleIdVector props) const { return BaseProxyHandler::enumerate(cx, proxy, props); } bool xpc::GlobalProperties::Parse(JSContext* cx, JS::HandleObject obj) { uint32_t length; bool ok = JS::GetArrayLength(cx, obj, &length); NS_ENSURE_TRUE(ok, false); for (uint32_t i = 0; i < length; i++) { RootedValue nameValue(cx); ok = JS_GetElement(cx, obj, i, &nameValue); NS_ENSURE_TRUE(ok, false); if (!nameValue.isString()) { JS_ReportErrorASCII(cx, "Property names must be strings"); return false; } JSLinearString* nameStr = JS_EnsureLinearString(cx, nameValue.toString()); if (!nameStr) { return false; } if (JS_LinearStringEqualsLiteral(nameStr, "AbortController")) { AbortController = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Blob")) { Blob = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "ChromeUtils")) { ChromeUtils = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "CSS")) { CSS = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "CSSRule")) { CSSRule = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "CustomStateSet")) { CustomStateSet = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Document")) { Document = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Directory")) { Directory = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "DOMException")) { DOMException = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "DOMParser")) { DOMParser = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "DOMTokenList")) { DOMTokenList = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Element")) { Element = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Event")) { Event = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "File")) { File = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "FileReader")) { FileReader = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "FormData")) { FormData = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Headers")) { Headers = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "IOUtils")) { IOUtils = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "InspectorCSSParser")) { InspectorCSSParser = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "InspectorUtils")) { InspectorUtils = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "MessageChannel")) { MessageChannel = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "MIDIInputMap")) { MIDIInputMap = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "MIDIOutputMap")) { MIDIOutputMap = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Node")) { Node = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "NodeFilter")) { NodeFilter = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "PathUtils")) { PathUtils = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Performance")) { Performance = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "PromiseDebugging")) { PromiseDebugging = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Range")) { Range = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Selection")) { Selection = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "TextDecoder")) { TextDecoder = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "TextEncoder")) { TextEncoder = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "URL")) { URL = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "URLSearchParams")) { URLSearchParams = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "XMLHttpRequest")) { XMLHttpRequest = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "WebSocket")) { WebSocket = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "Window")) { Window = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "XMLSerializer")) { XMLSerializer = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "ReadableStream")) { ReadableStream = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "atob")) { atob = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "btoa")) { btoa = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "caches")) { caches = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "crypto")) { crypto = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "fetch")) { fetch = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "storage")) { storage = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "structuredClone")) { structuredClone = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "locks")) { locks = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "indexedDB")) { indexedDB = true; } else if (JS_LinearStringEqualsLiteral(nameStr, "isSecureContext")) { isSecureContext = true; #ifdef MOZ_WEBRTC } else if (JS_LinearStringEqualsLiteral(nameStr, "rtcIdentityProvider")) { rtcIdentityProvider = true; #endif } else { RootedString nameStr(cx, nameValue.toString()); JS::UniqueChars name = JS_EncodeStringToUTF8(cx, nameStr); if (!name) { return false; } JS_ReportErrorUTF8(cx, "Unknown property name: %s", name.get()); return false; } } return true; } bool xpc::GlobalProperties::Define(JSContext* cx, JS::HandleObject obj) { MOZ_ASSERT(js::GetContextCompartment(cx) == JS::GetCompartment(obj)); // Properties will be exposed to System automatically but not to Sandboxes // if |[Exposed=System]| is specified. // This function holds common properties not exposed automatically but able // to be requested either in |Cu.importGlobalProperties| or // |wantGlobalProperties| of a sandbox. #define DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(_iface) \ if ((_iface) && !dom::_iface##_Binding::CreateAndDefineOnGlobal(cx)) { \ return false; \ } DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(AbortController) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(ChromeUtils) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Blob) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(CSS) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(CSSRule) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(CustomStateSet) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Directory) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Document) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(DOMException) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(DOMParser) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(DOMTokenList) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Element) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Event) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(File) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(FileReader) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(FormData) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Headers) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(IOUtils) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(InspectorCSSParser) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(InspectorUtils) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(MessageChannel) if (MessageChannel && !MessagePort_Binding::CreateAndDefineOnGlobal(cx)) { return false; } DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(MIDIInputMap) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(MIDIOutputMap) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Node) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(NodeFilter) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(PathUtils) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Performance) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(PromiseDebugging) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Range) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(ReadableStream) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Selection) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(TextDecoder) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(TextEncoder) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(URL) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(URLSearchParams) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(WebSocket) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(Window) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(XMLHttpRequest) DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE(XMLSerializer) #undef DEFINE_WEBIDL_INTERFACE_OR_NAMESPACE if (atob && !JS_DefineFunction(cx, obj, "atob", Atob, 1, 0)) return false; if (btoa && !JS_DefineFunction(cx, obj, "btoa", Btoa, 1, 0)) return false; if (caches && !dom::cache::CacheStorage::DefineCachesForSandbox(cx, obj)) { return false; } if (crypto && !SandboxCreateCrypto(cx, obj)) { return false; } if (fetch && !SandboxCreateFetch(cx, obj)) { return false; } if (storage && !SandboxCreateStorage(cx, obj)) { return false; } if (structuredClone && !SandboxCreateStructuredClone(cx, obj)) { return false; } if (locks && !SandboxCreateLocks(cx, obj)) { return false; } // Note that isSecureContext here doesn't mean the context is actually secure // - just that the caller wants the property defined if (isSecureContext) { bool hasSecureContext = IsSecureContextOrObjectIsFromSecureContext(cx, obj); JS::Rooted<JS::Value> secureJsValue(cx, JS::BooleanValue(hasSecureContext)); return JS_DefineProperty(cx, obj, "isSecureContext", secureJsValue, JSPROP_ENUMERATE); } #ifdef MOZ_WEBRTC if (rtcIdentityProvider && !SandboxCreateRTCIdentityProvider(cx, obj)) { return false; } #endif return true; } bool xpc::GlobalProperties::DefineInXPCComponents(JSContext* cx, JS::HandleObject obj) { if (indexedDB && !IndexedDatabaseManager::DefineIndexedDB(cx, obj)) return false; return Define(cx, obj); } bool xpc::GlobalProperties::DefineInSandbox(JSContext* cx, JS::HandleObject obj) { MOZ_ASSERT(IsSandbox(obj)); MOZ_ASSERT(js::GetContextCompartment(cx) == JS::GetCompartment(obj)); if (indexedDB && !(IndexedDatabaseManager::ResolveSandboxBinding(cx) && IndexedDatabaseManager::DefineIndexedDB(cx, obj))) return false; return Define(cx, obj); } nsresult SetSandboxCSP(nsISupports* prinOrSop, const nsAString& cspString) { nsCOMPtr<nsIPrincipal> principal = do_QueryInterface(prinOrSop); if (!principal) { return NS_ERROR_INVALID_ARG; } auto* basePrin = BasePrincipal::Cast(principal); if (!basePrin->Is<ExpandedPrincipal>()) { return NS_ERROR_INVALID_ARG; } auto* expanded = basePrin->As<ExpandedPrincipal>(); nsCOMPtr<nsIContentSecurityPolicy> csp; // The choice of self-uri (self-origin) to use in a Sandbox depends on the // use case. For now, we default to a non-existing URL because there is no // use case that requires 'self' to have a particular value. Consumers can // always specify the URL explicitly instead of 'self'. Besides, the CSP // enforcement in a Sandbox is barely implemented, except for eval()-like // execution. // // moz-extension:-resources are never blocked by CSP because the protocol is // registered with URI_IS_LOCAL_RESOURCE and subjectToCSP in nsCSPService.cpp // therefore allows the load. This matches the CSP spec, which explicitly // states that CSP should not interfere with addons. Because of this, we do // not need to set selfURI to the real moz-extension:-URL, even in cases // where we want to restrict all scripts except for moz-extension:-URLs. nsCOMPtr<nsIURI> selfURI; MOZ_TRY(NS_NewURI(getter_AddRefs(selfURI), "moz-extension://dummy"_ns)); #ifdef MOZ_DEBUG // Bug 1548468: Move CSP off ExpandedPrincipal expanded->GetCsp(getter_AddRefs(csp)); if (csp) { uint32_t count = 0; csp->GetPolicyCount(&count); if (count > 0) { // Ensure that the policy was not already added. nsAutoString parsedPolicyStr; for (uint32_t i = 0; i < count; i++) { csp->GetPolicyString(i, parsedPolicyStr); MOZ_ASSERT(!parsedPolicyStr.Equals(cspString)); } } } #endif // Create a clone of the expanded principal to be used for the call to // SetRequestContextWithPrincipal (to prevent the CSP and expanded // principal instances to keep each other alive indefinitely, see // Bug 1741600). // // This may not be necessary anymore once Bug 1548468 will move CSP // off ExpandedPrincipal. RefPtr<ExpandedPrincipal> clonedPrincipal = ExpandedPrincipal::Create( expanded->AllowList(), expanded->OriginAttributesRef()); MOZ_ASSERT(clonedPrincipal); csp = new nsCSPContext(); MOZ_TRY( csp->SetRequestContextWithPrincipal(clonedPrincipal, selfURI, ""_ns, 0)); MOZ_TRY(csp->AppendPolicy(cspString, false, false)); expanded->SetCsp(csp); return NS_OK; } nsresult xpc::CreateSandboxObject(JSContext* cx, MutableHandleValue vp, nsISupports* prinOrSop, SandboxOptions& options) { // Create the sandbox global object nsCOMPtr<nsIPrincipal> principal = do_QueryInterface(prinOrSop); nsCOMPtr<nsIGlobalObject> obj = do_QueryInterface(prinOrSop); if (obj) { nsGlobalWindowInner* window = WindowOrNull(js::UncheckedUnwrap(obj->GetGlobalJSObject(), false)); // If we have a secure context window inherit from it's parent if (window && window->IsSecureContext()) { options.forceSecureContext = true; } } if (!principal) { nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(prinOrSop); if (sop) { principal = sop->GetPrincipal(); } else { RefPtr<NullPrincipal> nullPrin = NullPrincipal::CreateWithoutOriginAttributes(); principal = nullPrin; } } MOZ_ASSERT(principal); JS::RealmOptions realmOptions; auto& creationOptions = realmOptions.creationOptions(); bool isSystemPrincipal = principal->IsSystemPrincipal(); if (isSystemPrincipal) { options.forceSecureContext = true; } // If we are able to see [SecureContext] API code if (options.forceSecureContext) { creationOptions.setSecureContext(true); } xpc::SetPrefableRealmOptions(realmOptions); if (options.sameZoneAs) { creationOptions.setNewCompartmentInExistingZone( js::UncheckedUnwrap(options.sameZoneAs)); } else if (options.freshZone) { creationOptions.setNewCompartmentAndZone(); } else if (isSystemPrincipal && !options.invisibleToDebugger && !options.freshCompartment) { // Use a shared system compartment for system-principal sandboxes that don't // require invisibleToDebugger (this is a compartment property, see bug // 1482215). creationOptions.setExistingCompartment(xpc::PrivilegedJunkScope()); } else { creationOptions.setNewCompartmentInSystemZone(); } if (options.alwaysUseFdlibm) { creationOptions.setAlwaysUseFdlibm(true); } creationOptions.setInvisibleToDebugger(options.invisibleToDebugger) .setTrace(TraceXPCGlobal); realmOptions.behaviors().setDiscardSource(options.discardSource); if (isSystemPrincipal) { realmOptions.behaviors().setClampAndJitterTime(false); } const JSClass* clasp = &SandboxClass; RootedObject sandbox( cx, xpc::CreateGlobalObject(cx, clasp, principal, realmOptions)); if (!sandbox) { return NS_ERROR_FAILURE; } // Use exclusive expandos for non-system-principal sandboxes. bool hasExclusiveExpandos = !isSystemPrincipal; // Set up the wantXrays flag, which indicates whether xrays are desired even // for same-origin access. // // This flag has historically been ignored for chrome sandboxes due to // quirks in the wrapping implementation that have now been removed. Indeed, // same-origin Xrays for chrome->chrome access seems a bit superfluous. // Arguably we should just flip the default for chrome and still honor the // flag, but such a change would break code in subtle ways for minimal // benefit. So we just switch it off here. bool wantXrays = AccessCheck::isChrome(sandbox) ? false : options.wantXrays; if (creationOptions.compartmentSpecifier() == JS::CompartmentSpecifier::ExistingCompartment) { // Make sure the compartment we're reusing has flags that match what we // would set on a new compartment. CompartmentPrivate* priv = CompartmentPrivate::Get(sandbox); MOZ_RELEASE_ASSERT(priv->allowWaivers == options.allowWaivers); MOZ_RELEASE_ASSERT(priv->isWebExtensionContentScript == options.isWebExtensionContentScript); MOZ_RELEASE_ASSERT(priv->isUAWidgetCompartment == options.isUAWidgetScope); MOZ_RELEASE_ASSERT(priv->hasExclusiveExpandos == hasExclusiveExpandos); MOZ_RELEASE_ASSERT(priv->wantXrays == wantXrays); } else { CompartmentPrivate* priv = CompartmentPrivate::Get(sandbox); priv->allowWaivers = options.allowWaivers; priv->isWebExtensionContentScript = options.isWebExtensionContentScript; priv->isUAWidgetCompartment = options.isUAWidgetScope; priv->hasExclusiveExpandos = hasExclusiveExpandos; priv->wantXrays = wantXrays; } { JSAutoRealm ar(cx, sandbox); // This creates a SandboxPrivate and passes ownership of it to |sandbox|. SandboxPrivate::Create(principal, sandbox); // Ensure |Object.prototype| is instantiated before prototype- // splicing below. if (!JS::GetRealmObjectPrototype(cx)) { return NS_ERROR_XPC_UNEXPECTED; } if (options.proto) { bool ok = JS_WrapObject(cx, &options.proto); if (!ok) { return NS_ERROR_XPC_UNEXPECTED; } // Now check what sort of thing we've got in |proto|, and figure out // if we need a SandboxProxyHandler. // // Note that, in the case of a window, we can't require that the // Sandbox subsumes the prototype, because we have to hold our // reference to it via an outer window, and the window may navigate // at any time. So we have to handle that case separately. bool useSandboxProxy = !!WindowOrNull(js::UncheckedUnwrap(options.proto, false)); if (!useSandboxProxy) { // We just wrapped options.proto into the compartment of whatever Realm // is on the cx, so use that same realm for the CheckedUnwrapDynamic // call. JSObject* unwrappedProto = js::CheckedUnwrapDynamic(options.proto, cx, false); if (!unwrappedProto) { JS_ReportErrorASCII(cx, "Sandbox must subsume sandboxPrototype"); return NS_ERROR_INVALID_ARG; } const JSClass* unwrappedClass = JS::GetClass(unwrappedProto); useSandboxProxy = unwrappedClass->isWrappedNative() || mozilla::dom::IsDOMClass(unwrappedClass); } if (useSandboxProxy) { // Wrap it up in a proxy that will do the right thing in terms // of this-binding for methods. RootedValue priv(cx, ObjectValue(*options.proto)); options.proto = js::NewProxyObject(cx, &sandboxProxyHandler, priv, nullptr); if (!options.proto) { return NS_ERROR_OUT_OF_MEMORY; } } ok = JS_SetPrototype(cx, sandbox, options.proto); if (!ok) { return NS_ERROR_XPC_UNEXPECTED; } } bool allowComponents = principal->IsSystemPrincipal(); if (options.wantComponents && allowComponents) { if (!ObjectScope(sandbox)->AttachComponentsObject(cx)) { return NS_ERROR_XPC_UNEXPECTED; } if (!ObjectScope(sandbox)->AttachJSServices(cx)) { return NS_ERROR_XPC_UNEXPECTED; } } if (!XPCNativeWrapper::AttachNewConstructorObject(cx, sandbox)) { return NS_ERROR_XPC_UNEXPECTED; } if (!JS_DefineFunctions(cx, sandbox, SandboxFunctions)) { return NS_ERROR_XPC_UNEXPECTED; } if (options.wantExportHelpers && (!JS_DefineFunction(cx, sandbox, "exportFunction", SandboxExportFunction, 3, 0) || !JS_DefineFunction(cx, sandbox, "createObjectIn", SandboxCreateObjectIn, 2, 0) || !JS_DefineFunction(cx, sandbox, "cloneInto", SandboxCloneInto, 3, 0) || !JS_DefineFunction(cx, sandbox, "isProxy", SandboxIsProxy, 1, 0))) return NS_ERROR_XPC_UNEXPECTED; if (!options.globalProperties.DefineInSandbox(cx, sandbox)) { return NS_ERROR_XPC_UNEXPECTED; } } // We handle the case where the context isn't in a compartment for the // benefit of UnprivilegedJunkScope(). vp.setObject(*sandbox); if (js::GetContextCompartment(cx) && !JS_WrapValue(cx, vp)) { return NS_ERROR_UNEXPECTED; } // Set the location information for the new global, so that tools like // about:memory may use that information xpc::SetLocationForGlobal(sandbox, options.sandboxName); nsresult rv = xpc::SetSandboxMetadata(cx, sandbox, options.metadata); if (NS_WARN_IF(NS_FAILED(rv))) { return rv; } JSAutoRealm ar(cx, sandbox); JS_FireOnNewGlobalObject(cx, sandbox); return NS_OK; } NS_IMETHODIMP nsXPCComponents_utils_Sandbox::Call(nsIXPConnectWrappedNative* wrapper, JSContext* cx, JSObject* objArg, const CallArgs& args, bool* _retval) { RootedObject obj(cx, objArg); return CallOrConstruct(wrapper, cx, obj, args, _retval); } NS_IMETHODIMP nsXPCComponents_utils_Sandbox::Construct(nsIXPConnectWrappedNative* wrapper, JSContext* cx, JSObject* objArg, const CallArgs& args, bool* _retval) { RootedObject obj(cx, objArg); return CallOrConstruct(wrapper, cx, obj, args, _retval); } /* * For sandbox constructor the first argument can be a URI string in which case * we use the related Content Principal for the sandbox. */ bool ParsePrincipal(JSContext* cx, HandleString contentUrl, const OriginAttributes& aAttrs, nsIPrincipal** principal) { MOZ_ASSERT(principal); MOZ_ASSERT(contentUrl); nsCOMPtr<nsIURI> uri; nsAutoJSString contentStr; NS_ENSURE_TRUE(contentStr.init(cx, contentUrl), false); nsresult rv = NS_NewURI(getter_AddRefs(uri), contentStr); if (NS_FAILED(rv)) { JS_ReportErrorASCII(cx, "Creating URI from string failed"); return false; } // We could allow passing in the app-id and browser-element info to the // sandbox constructor. But creating a sandbox based on a string is a // deprecated API so no need to add features to it. nsCOMPtr<nsIPrincipal> prin = BasePrincipal::CreateContentPrincipal(uri, aAttrs); prin.forget(principal); if (!*principal) { JS_ReportErrorASCII(cx, "Creating Principal from URI failed"); return false; } return true; } /* * For sandbox constructor the first argument can be a principal object or * a script object principal (Document, Window). */ static bool GetPrincipalOrSOP(JSContext* cx, HandleObject from, nsISupports** out) { MOZ_ASSERT(out); *out = nullptr; // We might have a Window here, so need ReflectorToISupportsDynamic nsCOMPtr<nsISupports> native = ReflectorToISupportsDynamic(from, cx); if (nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(native)) { sop.forget(out); return true; } nsCOMPtr<nsIPrincipal> principal = do_QueryInterface(native); principal.forget(out); NS_ENSURE_TRUE(*out, false); return true; } /* * The first parameter of the sandbox constructor might be an array of * principals, either in string format or actual objects (see GetPrincipalOrSOP) */ static bool GetExpandedPrincipal(JSContext* cx, HandleObject arrayObj, const SandboxOptions& options, nsIExpandedPrincipal** out) { MOZ_ASSERT(out); uint32_t length; if (!JS::GetArrayLength(cx, arrayObj, &length)) { return false; } if (!length) { // We need a whitelist of principals or uri strings to create an // expanded principal, if we got an empty array or something else // report error. JS_ReportErrorASCII(cx, "Expected an array of URI strings"); return false; } nsTArray<nsCOMPtr<nsIPrincipal>> allowedDomains(length); allowedDomains.SetLength(length); // If an originAttributes option has been specified, we will use that as the // OriginAttribute of all of the string arguments passed to this function. // Otherwise, we will use the OriginAttributes of a principal or SOP object // in the array, if any. If no such object is present, and all we have are // strings, then we will use a default OriginAttribute. // Otherwise, we will use the origin attributes of the passed object(s). If // more than one object is specified, we ensure that the OAs match. Maybe<OriginAttributes> attrs; if (options.originAttributes) { attrs.emplace(); JS::RootedValue val(cx, JS::ObjectValue(*options.originAttributes)); if (!attrs->Init(cx, val)) { // The originAttributes option, if specified, must be valid! JS_ReportErrorASCII(cx, "Expected a valid OriginAttributes object"); return false; } } // Now we go over the array in two passes. In the first pass, we ignore // strings, and only process objects. Assuming that no originAttributes // option has been passed, if we encounter a principal or SOP object, we // grab its OA and save it if it's the first OA encountered, otherwise // check to make sure that it is the same as the OA found before. // In the second pass, we ignore objects, and use the OA found in pass 0 // (or the previously computed OA if we have obtained it from the options) // to construct content principals. // // The effective OA selected above will also be set as the OA of the // expanded principal object. // First pass: for (uint32_t i = 0; i < length; ++i) { RootedValue allowed(cx); if (!JS_GetElement(cx, arrayObj, i, &allowed)) { return false; } nsCOMPtr<nsIPrincipal> principal; if (allowed.isObject()) { // In case of object let's see if it's a Principal or a // ScriptObjectPrincipal. nsCOMPtr<nsISupports> prinOrSop; RootedObject obj(cx, &allowed.toObject()); if (!GetPrincipalOrSOP(cx, obj, getter_AddRefs(prinOrSop))) { return false; } nsCOMPtr<nsIScriptObjectPrincipal> sop(do_QueryInterface(prinOrSop)); principal = do_QueryInterface(prinOrSop); if (sop) { principal = sop->GetPrincipal(); } NS_ENSURE_TRUE(principal, false); if (!options.originAttributes) { const OriginAttributes prinAttrs = principal->OriginAttributesRef(); if (attrs.isNothing()) { attrs.emplace(prinAttrs); } else if (prinAttrs != attrs.ref()) { // If attrs is from a previously encountered principal in the // array, we need to ensure that it matches the OA of the // principal we have here. // If attrs comes from OriginAttributes, we don't need // this check. return false; } } // We do not allow ExpandedPrincipals to contain any system principals. bool isSystem = principal->IsSystemPrincipal(); if (isSystem) { JS_ReportErrorASCII( cx, "System principal is not allowed in an expanded principal"); return false; } allowedDomains[i] = principal; } else if (allowed.isString()) { // Skip any string arguments - we handle them in the next pass. } else { // Don't know what this is. return false; } } if (attrs.isNothing()) { // If no OriginAttributes was found in the first pass, fall back to a // default one. attrs.emplace(); } // Second pass: for (uint32_t i = 0; i < length; ++i) { RootedValue allowed(cx); if (!JS_GetElement(cx, arrayObj, i, &allowed)) { return false; } nsCOMPtr<nsIPrincipal> principal; if (allowed.isString()) { // In case of string let's try to fetch a content principal from it. RootedString str(cx, allowed.toString()); // attrs here is either a default OriginAttributes in case the // originAttributes option isn't specified, and no object in the array // provides a principal. Otherwise it's either the forced principal, or // the principal found before, so we can use it here. if (!ParsePrincipal(cx, str, attrs.ref(), getter_AddRefs(principal))) { return false; } NS_ENSURE_TRUE(principal, false); allowedDomains[i] = principal; } else { MOZ_ASSERT(allowed.isObject()); } } RefPtr<ExpandedPrincipal> result = ExpandedPrincipal::Create(allowedDomains, attrs.ref()); result.forget(out); return true; } /* * Helper that tries to get a property from the options object. */ bool OptionsBase::ParseValue(const char* name, MutableHandleValue prop, bool* aFound) { bool found; bool ok = JS_HasProperty(mCx, mObject, name, &found); NS_ENSURE_TRUE(ok, false); if (aFound) { *aFound = found; } if (!found) { return true; } return JS_GetProperty(mCx, mObject, name, prop); } /* * Helper that tries to get a boolean property from the options object. */ bool OptionsBase::ParseBoolean(const char* name, bool* prop) { MOZ_ASSERT(prop); RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!value.isBoolean()) { JS_ReportErrorASCII(mCx, "Expected a boolean value for property %s", name); return false; } *prop = value.toBoolean(); return true; } /* * Helper that tries to get an object property from the options object. */ bool OptionsBase::ParseObject(const char* name, MutableHandleObject prop) { RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!value.isObject()) { JS_ReportErrorASCII(mCx, "Expected an object value for property %s", name); return false; } prop.set(&value.toObject()); return true; } /* * Helper that tries to get an object property from the options object. */ bool OptionsBase::ParseJSString(const char* name, MutableHandleString prop) { RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!value.isString()) { JS_ReportErrorASCII(mCx, "Expected a string value for property %s", name); return false; } prop.set(value.toString()); return true; } /* * Helper that tries to get a string property from the options object. */ bool OptionsBase::ParseString(const char* name, nsCString& prop) { RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!value.isString()) { JS_ReportErrorASCII(mCx, "Expected a string value for property %s", name); return false; } JS::UniqueChars tmp = JS_EncodeStringToLatin1(mCx, value.toString()); NS_ENSURE_TRUE(tmp, false); prop.Assign(tmp.get(), strlen(tmp.get())); return true; } /* * Helper that tries to get a string property from the options object. */ bool OptionsBase::ParseString(const char* name, nsString& prop) { RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!value.isString()) { JS_ReportErrorASCII(mCx, "Expected a string value for property %s", name); return false; } nsAutoJSString strVal; if (!strVal.init(mCx, value.toString())) { return false; } prop = strVal; return true; } /* * Helper that tries to get a string property from the options object. */ bool OptionsBase::ParseOptionalString(const char* name, Maybe<nsString>& prop) { RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found || value.isUndefined()) { return true; } if (!value.isString()) { JS_ReportErrorASCII(mCx, "Expected a string value for property %s", name); return false; } nsAutoJSString strVal; if (!strVal.init(mCx, value.toString())) { return false; } prop = Some(strVal); return true; } /* * Helper that tries to get jsid property from the options object. */ bool OptionsBase::ParseId(const char* name, MutableHandleId prop) { RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } return JS_ValueToId(mCx, value, prop); } /* * Helper that tries to get a uint32_t property from the options object. */ bool OptionsBase::ParseUInt32(const char* name, uint32_t* prop) { MOZ_ASSERT(prop); RootedValue value(mCx); bool found; bool ok = ParseValue(name, &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!JS::ToUint32(mCx, value, prop)) { JS_ReportErrorASCII(mCx, "Expected a uint32_t value for property %s", name); return false; } return true; } /* * Helper that tries to get a list of DOM constructors and other helpers from * the options object. */ bool SandboxOptions::ParseGlobalProperties() { RootedValue value(mCx); bool found; bool ok = ParseValue("wantGlobalProperties", &value, &found); NS_ENSURE_TRUE(ok, false); if (!found) { return true; } if (!value.isObject()) { JS_ReportErrorASCII(mCx, "Expected an array value for wantGlobalProperties"); return false; } RootedObject ctors(mCx, &value.toObject()); bool isArray; if (!JS::IsArrayObject(mCx, ctors, &isArray)) { return false; } if (!isArray) { JS_ReportErrorASCII(mCx, "Expected an array value for wantGlobalProperties"); return false; } return globalProperties.Parse(mCx, ctors); } /* * Helper that parsing the sandbox options object (from) and sets the fields of * the incoming options struct (options). */ bool SandboxOptions::Parse() { /* All option names must be ASCII-only. */ bool ok = ParseObject("sandboxPrototype", &proto) && ParseBoolean("wantXrays", &wantXrays) && ParseBoolean("allowWaivers", &allowWaivers) && ParseBoolean("wantComponents", &wantComponents) && ParseBoolean("wantExportHelpers", &wantExportHelpers) && ParseBoolean("isWebExtensionContentScript", &isWebExtensionContentScript) && --> -------------------- --> maximum size reached --> --------------------
¤ Dauer der Verarbeitung: 0.18 Sekunden ¤*© Formatika GbR, Deutschland |
|
||||||||||||||
2026-04-02