Bug 1890277: part 2) Add `require-trusted-types-for` directive to CSP parser, guarded...

[gecko.git] / caps / NullPrincipal.cpp

/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
/* vim: set sw=2 sts=2 ts=2 et tw=80: */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

/**
 * This is the principal that has no rights and can't be accessed by
 * anything other than itself and chrome; null principals are not
 * same-origin with anything but themselves.
 */

#include "mozilla/ArrayUtils.h"

#include "mozilla/dom/BlobURLProtocolHandler.h"
#include "mozilla/StaticPrefs_network.h"
#include "nsDocShell.h"
#include "NullPrincipal.h"
#include "DefaultURI.h"
#include "nsSimpleURI.h"
#include "nsIClassInfoImpl.h"
#include "nsNetCID.h"
#include "nsError.h"
#include "nsEscape.h"
#include "ContentPrincipal.h"
#include "nsScriptSecurityManager.h"
#include "pratom.h"
#include "nsIObjectInputStream.h"

#include "js/JSON.h"
#include "NullPrincipalJSONHandler.h"

using namespace mozilla;

NS_IMPL_CLASSINFO(NullPrincipal, nullptr, 0, NS_NULLPRINCIPAL_CID)
NS_IMPL_QUERY_INTERFACE_CI(NullPrincipal, nsIPrincipal)
NS_IMPL_CI_INTERFACE_GETTER(NullPrincipal, nsIPrincipal)

NullPrincipal::NullPrincipal(nsIURI* aURI, const nsACString& aOriginNoSuffix,
                             const OriginAttributes& aOriginAttributes)
    : BasePrincipal(eNullPrincipal, aOriginNoSuffix, aOriginAttributes),
      mURI(aURI) {}

/* static */
already_AddRefed<NullPrincipal> NullPrincipal::CreateWithInheritedAttributes(
    nsIPrincipal* aInheritFrom) {
  MOZ_ASSERT(aInheritFrom);
  nsCOMPtr<nsIURI> uri = CreateURI(aInheritFrom);
  return Create(Cast(aInheritFrom)->OriginAttributesRef(), uri);
}

/* static */
already_AddRefed<NullPrincipal> NullPrincipal::Create(
    const OriginAttributes& aOriginAttributes, nsIURI* aNullPrincipalURI) {
  nsCOMPtr<nsIURI> uri = aNullPrincipalURI;
  if (!uri) {
    uri = NullPrincipal::CreateURI(nullptr);
  }

  MOZ_RELEASE_ASSERT(uri->SchemeIs(NS_NULLPRINCIPAL_SCHEME));

  nsAutoCString originNoSuffix;
  DebugOnly<nsresult> rv = uri->GetSpec(originNoSuffix);
  MOZ_ASSERT(NS_SUCCEEDED(rv));

  RefPtr<NullPrincipal> nullPrin =
      new NullPrincipal(uri, originNoSuffix, aOriginAttributes);
  return nullPrin.forget();
}

/* static */
already_AddRefed<NullPrincipal> NullPrincipal::CreateWithoutOriginAttributes() {
  return NullPrincipal::Create(OriginAttributes(), nullptr);
}

void NullPrincipal::EscapePrecursorQuery(nsACString& aPrecursorQuery) {
  // origins should not contain existing escape sequences, so set `esc_Forced`
  // to force any `%` in the input to be escaped in addition to non-ascii,
  // control characters and DEL.
  nsCString modified;
  if (NS_EscapeURLSpan(aPrecursorQuery, esc_Query | esc_Forced, modified)) {
    aPrecursorQuery.Assign(std::move(modified));
  }
}

void NullPrincipal::UnescapePrecursorQuery(nsACString& aPrecursorQuery) {
  nsCString modified;
  if (NS_UnescapeURL(aPrecursorQuery.BeginReading(), aPrecursorQuery.Length(),
                     /* aFlags */ 0, modified)) {
    aPrecursorQuery.Assign(std::move(modified));
  }
}

already_AddRefed<nsIURI> NullPrincipal::CreateURI(
    nsIPrincipal* aPrecursor, const nsID* aNullPrincipalID) {
  nsCOMPtr<nsIURIMutator> iMutator;
  if (StaticPrefs::network_url_useDefaultURI()) {
    iMutator = new mozilla::net::DefaultURI::Mutator();
  } else {
    iMutator = new mozilla::net::nsSimpleURI::Mutator();
  }

  nsID uuid = aNullPrincipalID ? *aNullPrincipalID : nsID::GenerateUUID();

  NS_MutateURI mutator(iMutator);
  mutator.SetSpec(NS_NULLPRINCIPAL_SCHEME ":"_ns +
                  nsDependentCString(nsIDToCString(uuid).get()));

  // If there's a precursor URI, encode it in the null principal URI's query.
  if (aPrecursor) {
    nsAutoCString precursorOrigin;
    switch (BasePrincipal::Cast(aPrecursor)->Kind()) {
      case eNullPrincipal: {
        // If the precursor null principal has a precursor, inherit it.
        if (nsCOMPtr<nsIURI> nullPrecursorURI = aPrecursor->GetURI()) {
          MOZ_ALWAYS_SUCCEEDS(nullPrecursorURI->GetQuery(precursorOrigin));
        }
        break;
      }
      case eContentPrincipal: {
        MOZ_ALWAYS_SUCCEEDS(aPrecursor->GetOriginNoSuffix(precursorOrigin));
#ifdef DEBUG
        nsAutoCString original(precursorOrigin);
#endif
        EscapePrecursorQuery(precursorOrigin);
#ifdef DEBUG
        nsAutoCString unescaped(precursorOrigin);
        UnescapePrecursorQuery(unescaped);
        MOZ_ASSERT(unescaped == original,
                   "cannot recover original precursor origin after escape");
#endif
        break;
      }

      // For now, we won't track expanded or system principal precursors. We may
      // want to track expanded principal precursors in the future, but it's
      // unlikely we'll want to track system principal precursors.
      case eExpandedPrincipal:
      case eSystemPrincipal:
        break;
    }
    if (!precursorOrigin.IsEmpty()) {
      mutator.SetQuery(precursorOrigin);
    }
  }

  nsCOMPtr<nsIURI> uri;
  MOZ_ALWAYS_SUCCEEDS(mutator.Finalize(getter_AddRefs(uri)));
  return uri.forget();
}

nsresult NullPrincipal::GetScriptLocation(nsACString& aStr) {
  return mURI->GetSpec(aStr);
}

/**
 * nsIPrincipal implementation
 */

uint32_t NullPrincipal::GetHashValue() { return (NS_PTR_TO_INT32(this) >> 2); }

NS_IMETHODIMP
NullPrincipal::GetURI(nsIURI** aURI) {
  nsCOMPtr<nsIURI> uri = mURI;
  uri.forget(aURI);
  return NS_OK;
}
NS_IMETHODIMP
NullPrincipal::GetIsOriginPotentiallyTrustworthy(bool* aResult) {
  *aResult = false;
  return NS_OK;
}

NS_IMETHODIMP
NullPrincipal::GetDomain(nsIURI** aDomain) {
  nsCOMPtr<nsIURI> uri = mURI;
  uri.forget(aDomain);
  return NS_OK;
}

NS_IMETHODIMP
NullPrincipal::SetDomain(nsIURI* aDomain) {
  // I think the right thing to do here is to just throw...  Silently failing
  // seems counterproductive.
  return NS_ERROR_NOT_AVAILABLE;
}

bool NullPrincipal::MayLoadInternal(nsIURI* aURI) {
  // Also allow the load if we are the principal of the URI being checked.
  nsCOMPtr<nsIPrincipal> blobPrincipal;
  if (dom::BlobURLProtocolHandler::GetBlobURLPrincipal(
          aURI, getter_AddRefs(blobPrincipal))) {
    MOZ_ASSERT(blobPrincipal);
    return SubsumesInternal(blobPrincipal,
                            BasePrincipal::ConsiderDocumentDomain);
  }

  return false;
}

NS_IMETHODIMP
NullPrincipal::GetBaseDomain(nsACString& aBaseDomain) {
  // For a null principal, we use our unique uuid as the base domain.
  return mURI->GetPathQueryRef(aBaseDomain);
}

NS_IMETHODIMP
NullPrincipal::GetAddonId(nsAString& aAddonId) {
  aAddonId.Truncate();
  return NS_OK;
};

/**
 * nsISerializable implementation
 */
NS_IMETHODIMP
NullPrincipal::Deserializer::Read(nsIObjectInputStream* aStream) {
  nsAutoCString spec;
  nsresult rv = aStream->ReadCString(spec);
  NS_ENSURE_SUCCESS(rv, rv);

  nsCOMPtr<nsIURI> uri;
  rv = NS_NewURI(getter_AddRefs(uri), spec);
  NS_ENSURE_SUCCESS(rv, rv);

  nsAutoCString suffix;
  rv = aStream->ReadCString(suffix);
  NS_ENSURE_SUCCESS(rv, rv);

  OriginAttributes attrs;
  bool ok = attrs.PopulateFromSuffix(suffix);
  NS_ENSURE_TRUE(ok, NS_ERROR_FAILURE);

  mPrincipal = NullPrincipal::Create(attrs, uri);
  NS_ENSURE_TRUE(mPrincipal, NS_ERROR_FAILURE);

  return NS_OK;
}

nsresult NullPrincipal::WriteJSONInnerProperties(JSONWriter& aWriter) {
  nsAutoCString principalURI;
  nsresult rv = mURI->GetSpec(principalURI);
  NS_ENSURE_SUCCESS(rv, rv);
  WriteJSONProperty<eSpec>(aWriter, principalURI);

  nsAutoCString suffix;
  OriginAttributesRef().CreateSuffix(suffix);
  if (suffix.Length() > 0) {
    WriteJSONProperty<eSuffix>(aWriter, suffix);
  }

  return NS_OK;
}

NS_IMETHODIMP
NullPrincipal::GetPrecursorPrincipal(nsIPrincipal** aPrincipal) {
  *aPrincipal = nullptr;

  nsAutoCString query;
  if (NS_FAILED(mURI->GetQuery(query)) || query.IsEmpty()) {
    return NS_OK;
  }
  UnescapePrecursorQuery(query);

  nsCOMPtr<nsIURI> precursorURI;
  if (NS_FAILED(NS_NewURI(getter_AddRefs(precursorURI), query))) {
    MOZ_ASSERT_UNREACHABLE(
        "Failed to parse precursor from nullprincipal query");
    return NS_OK;
  }

  // If our precursor is another null principal, re-construct it. This can
  // happen if a null principal without a precursor causes another principal to
  // be created.
  if (precursorURI->SchemeIs(NS_NULLPRINCIPAL_SCHEME)) {
#ifdef DEBUG
    nsAutoCString precursorQuery;
    precursorURI->GetQuery(precursorQuery);
    MOZ_ASSERT(precursorQuery.IsEmpty(),
               "Null principal with nested precursors?");
#endif
    *aPrincipal =
        NullPrincipal::Create(OriginAttributesRef(), precursorURI).take();
    return NS_OK;
  }

  RefPtr<BasePrincipal> contentPrincipal =
      BasePrincipal::CreateContentPrincipal(precursorURI,
                                            OriginAttributesRef());
  // If `CreateContentPrincipal` failed, it will create a new NullPrincipal and
  // return that instead. We only want to return real content principals here.
  if (!contentPrincipal || !contentPrincipal->Is<ContentPrincipal>()) {
    return NS_OK;
  }
  contentPrincipal.forget(aPrincipal);
  return NS_OK;
}

bool NullPrincipalJSONHandler::startObject() {
  switch (mState) {
    case State::Init:
      mState = State::StartObject;
      break;
    default:
      NS_WARNING("Unexpected object value");
      mState = State::Error;
      return false;
  }

  return true;
}

bool NullPrincipalJSONHandler::propertyName(const JS::Latin1Char* name,
                                            size_t length) {
  switch (mState) {
    case State::StartObject:
    case State::AfterPropertyValue: {
      if (length != 1) {
        NS_WARNING(
            nsPrintfCString("Unexpected property name length: %zu", length)
                .get());
        mState = State::Error;
        return false;
      }

      char key = char(name[0]);
      switch (key) {
        case NullPrincipal::SpecKey:
          mState = State::SpecKey;
          break;
        case NullPrincipal::SuffixKey:
          mState = State::SuffixKey;
          break;
        default:
          NS_WARNING(
              nsPrintfCString("Unexpected property name: '%c'", key).get());
          mState = State::Error;
          return false;
      }
      break;
    }
    default:
      NS_WARNING("Unexpected property name");
      mState = State::Error;
      return false;
  }

  return true;
}

bool NullPrincipalJSONHandler::endObject() {
  switch (mState) {
    case State::AfterPropertyValue:
      MOZ_ASSERT(mUri);

      mPrincipal = NullPrincipal::Create(mAttrs, mUri);
      MOZ_ASSERT(mPrincipal);

      mState = State::EndObject;
      break;
    default:
      NS_WARNING("Unexpected end of object");
      mState = State::Error;
      return false;
  }

  return true;
}

bool NullPrincipalJSONHandler::stringValue(const JS::Latin1Char* str,
                                           size_t length) {
  switch (mState) {
    case State::SpecKey: {
      nsDependentCSubstring spec(reinterpret_cast<const char*>(str), length);
      nsresult rv = NS_NewURI(getter_AddRefs(mUri), spec);
      if (NS_FAILED(rv)) {
        mState = State::Error;
        return false;
      }

      mState = State::AfterPropertyValue;
      break;
    }
    case State::SuffixKey: {
      nsDependentCSubstring attrs(reinterpret_cast<const char*>(str), length);
      if (!mAttrs.PopulateFromSuffix(attrs)) {
        mState = State::Error;
        return false;
      }

      mState = State::AfterPropertyValue;
      break;
    }
    default:
      NS_WARNING("Unexpected string value");
      mState = State::Error;
      return false;
  }

  return true;
}