extensions/renderer/safe_builtins.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "extensions/renderer/safe_builtins.h"
   6
   7 #include "base/logging.h"
   8 #include "base/stl_util.h"
   9 #include "base/strings/stringprintf.h"
  10 #include "extensions/renderer/script_context.h"
  11
  12 namespace extensions {
  13
  14 namespace {
  15
  16 const char kClassName[] = "extensions::SafeBuiltins";
  17
  18 // Documentation for makeCallback in the JavaScript, out here to reduce the
  19 // (very small) amount of effort that the v8 parser needs to do:
  20 //
  21 // Returns a new object with every function on |obj| configured to call()\n"
  22 // itself with the given arguments.\n"
  23 // E.g. given\n"
  24 //    var result = makeCallable(Function.prototype)\n"
  25 // |result| will be a object including 'bind' such that\n"
  26 //    result.bind(foo, 1, 2, 3);\n"
  27 // is equivalent to Function.prototype.bind.call(foo, 1, 2, 3), and so on.\n"
  28 // This is a convenient way to save functions that user scripts may clobber.\n"
  29 const char kScript[] =
  30     "(function() {\n"
  31     "'use strict';\n"
  32     "native function Apply();\n"
  33     "native function Save();\n"
  34     "\n"
  35     "// Used in the callback implementation, could potentially be clobbered.\n"
  36     "function makeCallable(obj, target, isStatic, propertyNames) {\n"
  37     "  propertyNames.forEach(function(propertyName) {\n"
  38     "    var property = obj[propertyName];\n"
  39     "    target[propertyName] = function() {\n"
  40     "      var recv = obj;\n"
  41     "      var firstArgIndex = 0;\n"
  42     "      if (!isStatic) {\n"
  43     "        if (arguments.length == 0)\n"
  44     "          throw 'There must be at least one argument, the receiver';\n"
  45     "        recv = arguments[0];\n"
  46     "        firstArgIndex = 1;\n"
  47     "      }\n"
  48     "      return Apply(\n"
  49     "          property, recv, arguments, firstArgIndex, arguments.length);\n"
  50     "    };\n"
  51     "  });\n"
  52     "}\n"
  53     "\n"
  54     "function saveBuiltin(builtin, protoPropertyNames, staticPropertyNames) {\n"
  55     "  var safe = function() {\n"
  56     "    throw 'Safe objects cannot be called nor constructed. ' +\n"
  57     "          'Use $Foo.self() or new $Foo.self() instead.';\n"
  58     "  };\n"
  59     "  safe.self = builtin;\n"
  60     "  makeCallable(builtin.prototype, safe, false, protoPropertyNames);\n"
  61     "  if (staticPropertyNames)\n"
  62     "    makeCallable(builtin, safe, true, staticPropertyNames);\n"
  63     "  Save(builtin.name, safe);\n"
  64     "}\n"
  65     "\n"
  66     "// Save only what is needed by the extension modules.\n"
  67     "saveBuiltin(Object,\n"
  68     "            ['hasOwnProperty'],\n"
  69     "            ['create', 'defineProperty', 'freeze',\n"
  70     "             'getOwnPropertyDescriptor', 'getPrototypeOf', 'keys']);\n"
  71     "saveBuiltin(Function,\n"
  72     "            ['apply', 'bind', 'call']);\n"
  73     "saveBuiltin(Array,\n"
  74     "            ['concat', 'forEach', 'indexOf', 'join', 'push', 'slice',\n"
  75     "             'splice', 'map', 'filter']);\n"
  76     "saveBuiltin(String,\n"
  77     "            ['indexOf', 'slice', 'split', 'substr', 'toUpperCase',\n"
  78     "             'replace']);\n"
  79     "saveBuiltin(RegExp,\n"
  80     "            ['test']);\n"
  81     "saveBuiltin(Error,\n"
  82     "            [],\n"
  83     "            ['captureStackTrace']);\n"
  84     "\n"
  85     "// JSON is trickier because extensions can override toJSON in\n"
  86     "// incompatible ways, and we need to prevent that.\n"
  87     "var builtinTypes = [\n"
  88     "  Object, Function, Array, String, Boolean, Number, Date, RegExp\n"
  89     "];\n"
  90     "var builtinToJSONs = builtinTypes.map(function(t) {\n"
  91     "  return t.toJSON;\n"
  92     "});\n"
  93     "var builtinArray = Array;\n"
  94     "var builtinJSONStringify = JSON.stringify;\n"
  95     "Save('JSON', {\n"
  96     "  parse: JSON.parse,\n"
  97     "  stringify: function(obj) {\n"
  98     "    var savedToJSONs = new builtinArray(builtinTypes.length);\n"
  99     "    try {\n"
 100     "      for (var i = 0; i < builtinTypes.length; ++i) {\n"
 101     "        try {\n"
 102     "          if (builtinTypes[i].prototype.toJSON !==\n"
 103     "              builtinToJSONs[i]) {\n"
 104     "            savedToJSONs[i] = builtinTypes[i].prototype.toJSON;\n"
 105     "            builtinTypes[i].prototype.toJSON = builtinToJSONs[i];\n"
 106     "          }\n"
 107     "        } catch (e) {}\n"
 108     "      }\n"
 109     "    } catch (e) {}\n"
 110     "    try {\n"
 111     "      return builtinJSONStringify(obj);\n"
 112     "    } finally {\n"
 113     "      for (var i = 0; i < builtinTypes.length; ++i) {\n"
 114     "        try {\n"
 115     "          if (i in savedToJSONs)\n"
 116     "            builtinTypes[i].prototype.toJSON = savedToJSONs[i];\n"
 117     "        } catch (e) {}\n"
 118     "      }\n"
 119     "    }\n"
 120     "  }\n"
 121     "});\n"
 122     "\n"
 123     "}());\n";
 124
 125 v8::Local<v8::String> MakeKey(const char* name, v8::Isolate* isolate) {
 126   return v8::String::NewFromUtf8(
 127       isolate, base::StringPrintf("%s::%s", kClassName, name).c_str());
 128 }
 129
 130 void SaveImpl(const char* name,
 131               v8::Local<v8::Value> value,
 132               v8::Local<v8::Context> context) {
 133   CHECK(!value.IsEmpty() && value->IsObject()) << name;
 134   context->Global()->SetHiddenValue(MakeKey(name, context->GetIsolate()),
 135                                     value);
 136 }
 137
 138 v8::Local<v8::Object> Load(const char* name, v8::Local<v8::Context> context) {
 139   v8::Local<v8::Value> value =
 140       context->Global()->GetHiddenValue(MakeKey(name, context->GetIsolate()));
 141   CHECK(!value.IsEmpty() && value->IsObject()) << name;
 142   return v8::Local<v8::Object>::Cast(value);
 143 }
 144
 145 class ExtensionImpl : public v8::Extension {
 146  public:
 147   ExtensionImpl() : v8::Extension(kClassName, kScript) {}
 148
 149  private:
 150   v8::Local<v8::FunctionTemplate> GetNativeFunctionTemplate(
 151       v8::Isolate* isolate,
 152       v8::Local<v8::String> name) override {
 153     if (name->Equals(v8::String::NewFromUtf8(isolate, "Apply")))
 154       return v8::FunctionTemplate::New(isolate, Apply);
 155     if (name->Equals(v8::String::NewFromUtf8(isolate, "Save")))
 156       return v8::FunctionTemplate::New(isolate, Save);
 157     NOTREACHED() << *v8::String::Utf8Value(name);
 158     return v8::Local<v8::FunctionTemplate>();
 159   }
 160
 161   static void Apply(const v8::FunctionCallbackInfo<v8::Value>& info) {
 162     CHECK(info.Length() == 5 && info[0]->IsFunction() &&  // function
 163           // info[1] could be an object or a string
 164           info[2]->IsObject() &&  // args
 165           info[3]->IsInt32() &&   // first_arg_index
 166           info[4]->IsInt32());    // args_length
 167     v8::Local<v8::Function> function = info[0].As<v8::Function>();
 168     v8::Local<v8::Object> recv;
 169     if (info[1]->IsObject()) {
 170       recv = v8::Local<v8::Object>::Cast(info[1]);
 171     } else if (info[1]->IsString()) {
 172       recv = v8::StringObject::New(v8::Local<v8::String>::Cast(info[1]))
 173                  ->ToObject(info.GetIsolate());
 174     } else {
 175       info.GetIsolate()->ThrowException(
 176           v8::Exception::TypeError(v8::String::NewFromUtf8(
 177               info.GetIsolate(),
 178               "The first argument is the receiver and must be an object")));
 179       return;
 180     }
 181     v8::Local<v8::Object> args = v8::Local<v8::Object>::Cast(info[2]);
 182     int first_arg_index = info[3]->ToInt32(info.GetIsolate())->Value();
 183     int args_length = info[4]->ToInt32(info.GetIsolate())->Value();
 184
 185     int argc = args_length - first_arg_index;
 186     scoped_ptr<v8::Local<v8::Value> []> argv(new v8::Local<v8::Value>[argc]);
 187     for (int i = 0; i < argc; ++i) {
 188       CHECK(args->Has(i + first_arg_index));
 189       argv[i] = args->Get(i + first_arg_index);
 190     }
 191
 192     v8::Local<v8::Value> return_value = function->Call(recv, argc, argv.get());
 193     if (!return_value.IsEmpty())
 194       info.GetReturnValue().Set(return_value);
 195   }
 196
 197   static void Save(const v8::FunctionCallbackInfo<v8::Value>& info) {
 198     CHECK(info.Length() == 2 && info[0]->IsString() && info[1]->IsObject());
 199     SaveImpl(*v8::String::Utf8Value(info[0]),
 200              info[1],
 201              info.GetIsolate()->GetCallingContext());
 202   }
 203 };
 204
 205 }  // namespace
 206
 207 // static
 208 v8::Extension* SafeBuiltins::CreateV8Extension() { return new ExtensionImpl(); }
 209
 210 SafeBuiltins::SafeBuiltins(ScriptContext* context) : context_(context) {}
 211
 212 SafeBuiltins::~SafeBuiltins() {}
 213
 214 v8::Local<v8::Object> SafeBuiltins::GetArray() const {
 215   return Load("Array", context_->v8_context());
 216 }
 217
 218 v8::Local<v8::Object> SafeBuiltins::GetFunction() const {
 219   return Load("Function", context_->v8_context());
 220 }
 221
 222 v8::Local<v8::Object> SafeBuiltins::GetJSON() const {
 223   return Load("JSON", context_->v8_context());
 224 }
 225
 226 v8::Local<v8::Object> SafeBuiltins::GetObjekt() const {
 227   return Load("Object", context_->v8_context());
 228 }
 229
 230 v8::Local<v8::Object> SafeBuiltins::GetRegExp() const {
 231   return Load("RegExp", context_->v8_context());
 232 }
 233
 234 v8::Local<v8::Object> SafeBuiltins::GetString() const {
 235   return Load("String", context_->v8_context());
 236 }
 237
 238 v8::Local<v8::Object> SafeBuiltins::GetError() const {
 239   return Load("Error", context_->v8_context());
 240 }
 241
 242 }  //  namespace extensions