caps/nsJSPrincipals.cpp

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #include "nsIPrincipal.h"
   7 #include "xpcpublic.h"
   8 #include "nsString.h"
   9 #include "nsJSPrincipals.h"
  10 #include "plstr.h"
  11 #include "nsCOMPtr.h"
  12 #include "nsStringBuffer.h"
  13 #include "mozilla/BasePrincipal.h"
  14 #include "mozilla/StaticPtr.h"
  15 #include "mozilla/dom/StructuredCloneTags.h"
  16 // for mozilla::dom::workerinternals::kJSPrincipalsDebugToken
  17 #include "mozilla/dom/workerinternals/JSSettings.h"
  18 // for mozilla::dom::worklet::kJSPrincipalsDebugToken
  19 #include "mozilla/dom/WorkletPrincipals.h"
  20 #include "mozilla/ipc/BackgroundUtils.h"
  21 #include "mozilla/ipc/PBackgroundSharedTypes.h"
  22
  23 using namespace mozilla;
  24 using namespace mozilla::dom;
  25 using namespace mozilla::ipc;
  26
  27 NS_IMETHODIMP_(MozExternalRefCountType)
  28 nsJSPrincipals::AddRef() {
  29   MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
  30   MOZ_ASSERT(int32_t(refcount) >= 0, "illegal refcnt");
  31   nsrefcnt count = ++refcount;
  32   NS_LOG_ADDREF(this, count, "nsJSPrincipals", sizeof(*this));
  33   return count;
  34 }
  35
  36 NS_IMETHODIMP_(MozExternalRefCountType)
  37 nsJSPrincipals::Release() {
  38   MOZ_DIAGNOSTIC_ASSERT(NS_IsMainThread());
  39   MOZ_ASSERT(0 != refcount, "dup release");
  40   nsrefcnt count = --refcount;
  41   NS_LOG_RELEASE(this, count, "nsJSPrincipals");
  42   if (count == 0) {
  43     delete this;
  44   }
  45
  46   return count;
  47 }
  48
  49 /* static */
  50 bool nsJSPrincipals::Subsume(JSPrincipals* jsprin, JSPrincipals* other) {
  51   bool result;
  52   nsresult rv = nsJSPrincipals::get(jsprin)->Subsumes(
  53       nsJSPrincipals::get(other), &result);
  54   return NS_SUCCEEDED(rv) && result;
  55 }
  56
  57 /* static */
  58 void nsJSPrincipals::Destroy(JSPrincipals* jsprin) {
  59   // The JS runtime can call this method during the last GC when
  60   // nsScriptSecurityManager is destroyed. So we must not assume here that
  61   // the security manager still exists.
  62
  63   nsJSPrincipals* nsjsprin = nsJSPrincipals::get(jsprin);
  64
  65   // We need to destroy the nsIPrincipal. We'll do this by adding
  66   // to the refcount and calling release
  67
  68 #ifdef NS_BUILD_REFCNT_LOGGING
  69   // The refcount logging considers AddRef-to-1 to indicate creation,
  70   // so trick it into thinking it's otherwise, but balance the
  71   // Release() we do below.
  72   nsjsprin->refcount++;
  73   nsjsprin->AddRef();
  74   nsjsprin->refcount--;
  75 #else
  76   nsjsprin->refcount++;
  77 #endif
  78   nsjsprin->Release();
  79 }
  80
  81 #ifdef DEBUG
  82
  83 // Defined here so one can do principals->dump() in the debugger
  84 JS_PUBLIC_API void JSPrincipals::dump() {
  85   if (debugToken == nsJSPrincipals::DEBUG_TOKEN) {
  86     nsAutoCString str;
  87     nsresult rv = static_cast<nsJSPrincipals*>(this)->GetScriptLocation(str);
  88     fprintf(stderr, "nsIPrincipal (%p) = %s\n", static_cast<void*>(this),
  89             NS_SUCCEEDED(rv) ? str.get() : "(unknown)");
  90   } else if (debugToken == dom::workerinternals::kJSPrincipalsDebugToken) {
  91     fprintf(stderr, "Web Worker principal singleton (%p)\n", this);
  92   } else if (debugToken == dom::WorkletPrincipals::kJSPrincipalsDebugToken) {
  93     fprintf(stderr, "Web Worklet principal (%p)\n", this);
  94   } else {
  95     fprintf(stderr,
  96             "!!! JSPrincipals (%p) is not nsJSPrincipals instance - bad token: "
  97             "actual=0x%x expected=0x%x\n",
  98             this, unsigned(debugToken), unsigned(nsJSPrincipals::DEBUG_TOKEN));
  99   }
 100 }
 101
 102 #endif
 103
 104 /* static */
 105 bool nsJSPrincipals::ReadPrincipals(JSContext* aCx,
 106                                     JSStructuredCloneReader* aReader,
 107                                     JSPrincipals** aOutPrincipals) {
 108   uint32_t tag;
 109   uint32_t unused;
 110   if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 111     return false;
 112   }
 113
 114   if (!(tag == SCTAG_DOM_NULL_PRINCIPAL || tag == SCTAG_DOM_SYSTEM_PRINCIPAL ||
 115         tag == SCTAG_DOM_CONTENT_PRINCIPAL ||
 116         tag == SCTAG_DOM_EXPANDED_PRINCIPAL ||
 117         tag == SCTAG_DOM_WORKER_PRINCIPAL)) {
 118     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 119     return false;
 120   }
 121
 122   return ReadKnownPrincipalType(aCx, aReader, tag, aOutPrincipals);
 123 }
 124
 125 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader,
 126                               OriginAttributes& aAttrs, nsACString& aSpec,
 127                               nsACString& aOriginNoSuffix,
 128                               nsACString& aBaseDomain) {
 129   uint32_t suffixLength, specLength;
 130   if (!JS_ReadUint32Pair(aReader, &suffixLength, &specLength)) {
 131     return false;
 132   }
 133
 134   nsAutoCString suffix;
 135   if (!suffix.SetLength(suffixLength, fallible)) {
 136     return false;
 137   }
 138
 139   if (!JS_ReadBytes(aReader, suffix.BeginWriting(), suffixLength)) {
 140     return false;
 141   }
 142
 143   if (!aAttrs.PopulateFromSuffix(suffix)) {
 144     return false;
 145   }
 146
 147   if (!aSpec.SetLength(specLength, fallible)) {
 148     return false;
 149   }
 150
 151   if (!JS_ReadBytes(aReader, aSpec.BeginWriting(), specLength)) {
 152     return false;
 153   }
 154
 155   uint32_t originNoSuffixLength, dummy;
 156   if (!JS_ReadUint32Pair(aReader, &originNoSuffixLength, &dummy)) {
 157     return false;
 158   }
 159
 160   MOZ_ASSERT(dummy == 0);
 161   if (dummy != 0) {
 162     return false;
 163   }
 164
 165   if (!aOriginNoSuffix.SetLength(originNoSuffixLength, fallible)) {
 166     return false;
 167   }
 168
 169   if (!JS_ReadBytes(aReader, aOriginNoSuffix.BeginWriting(),
 170                     originNoSuffixLength)) {
 171     return false;
 172   }
 173
 174   uint32_t baseDomainIsVoid, baseDomainLength;
 175   if (!JS_ReadUint32Pair(aReader, &baseDomainIsVoid, &baseDomainLength)) {
 176     return false;
 177   }
 178
 179   if (baseDomainIsVoid != 0 && baseDomainIsVoid != 1) {
 180     return false;
 181   }
 182
 183   if (baseDomainIsVoid) {
 184     if (baseDomainLength != 0) {
 185       return false;
 186     }
 187
 188     aBaseDomain.SetIsVoid(true);
 189     return true;
 190   }
 191
 192   if (!aBaseDomain.SetLength(baseDomainLength, fallible)) {
 193     return false;
 194   }
 195
 196   if (!JS_ReadBytes(aReader, aBaseDomain.BeginWriting(), baseDomainLength)) {
 197     return false;
 198   }
 199
 200   return true;
 201 }
 202
 203 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader, uint32_t aTag,
 204                               PrincipalInfo& aInfo) {
 205   if (aTag == SCTAG_DOM_SYSTEM_PRINCIPAL) {
 206     aInfo = SystemPrincipalInfo();
 207   } else if (aTag == SCTAG_DOM_NULL_PRINCIPAL) {
 208     OriginAttributes attrs;
 209     nsAutoCString spec;
 210     nsAutoCString originNoSuffix;
 211     nsAutoCString baseDomain;
 212     if (!ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix, baseDomain)) {
 213       return false;
 214     }
 215     aInfo = NullPrincipalInfo(attrs, spec);
 216   } else if (aTag == SCTAG_DOM_EXPANDED_PRINCIPAL) {
 217     uint32_t length, unused;
 218     if (!JS_ReadUint32Pair(aReader, &length, &unused)) {
 219       return false;
 220     }
 221
 222     ExpandedPrincipalInfo expanded;
 223
 224     for (uint32_t i = 0; i < length; i++) {
 225       uint32_t tag;
 226       if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 227         return false;
 228       }
 229
 230       PrincipalInfo sub;
 231       if (!ReadPrincipalInfo(aReader, tag, sub)) {
 232         return false;
 233       }
 234       expanded.allowlist().AppendElement(sub);
 235     }
 236
 237     aInfo = expanded;
 238   } else if (aTag == SCTAG_DOM_CONTENT_PRINCIPAL) {
 239     OriginAttributes attrs;
 240     nsAutoCString spec;
 241     nsAutoCString originNoSuffix;
 242     nsAutoCString baseDomain;
 243     if (!ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix, baseDomain)) {
 244       return false;
 245     }
 246
 247 #ifdef FUZZING
 248     if (originNoSuffix.IsEmpty()) {
 249       return false;
 250     }
 251 #endif
 252
 253     MOZ_DIAGNOSTIC_ASSERT(!originNoSuffix.IsEmpty());
 254
 255     // XXX: Do we care about mDomain for structured clone?
 256     aInfo = ContentPrincipalInfo(attrs, originNoSuffix, spec, Nothing(),
 257                                  baseDomain);
 258   } else {
 259 #ifdef FUZZING
 260     return false;
 261 #else
 262     MOZ_CRASH("unexpected principal structured clone tag");
 263 #endif
 264   }
 265
 266   return true;
 267 }
 268
 269 static StaticRefPtr<nsIPrincipal> sActiveWorkerPrincipal;
 270
 271 nsJSPrincipals::AutoSetActiveWorkerPrincipal::AutoSetActiveWorkerPrincipal(
 272     nsIPrincipal* aPrincipal) {
 273   MOZ_ASSERT(NS_IsMainThread());
 274   MOZ_RELEASE_ASSERT(!sActiveWorkerPrincipal);
 275   sActiveWorkerPrincipal = aPrincipal;
 276 }
 277
 278 nsJSPrincipals::AutoSetActiveWorkerPrincipal::~AutoSetActiveWorkerPrincipal() {
 279   sActiveWorkerPrincipal = nullptr;
 280 }
 281
 282 /* static */
 283 bool nsJSPrincipals::ReadKnownPrincipalType(JSContext* aCx,
 284                                             JSStructuredCloneReader* aReader,
 285                                             uint32_t aTag,
 286                                             JSPrincipals** aOutPrincipals) {
 287   MOZ_ASSERT(aTag == SCTAG_DOM_NULL_PRINCIPAL ||
 288              aTag == SCTAG_DOM_SYSTEM_PRINCIPAL ||
 289              aTag == SCTAG_DOM_CONTENT_PRINCIPAL ||
 290              aTag == SCTAG_DOM_EXPANDED_PRINCIPAL ||
 291              aTag == SCTAG_DOM_WORKER_PRINCIPAL);
 292
 293   if (NS_WARN_IF(!NS_IsMainThread())) {
 294     xpc::Throw(aCx, NS_ERROR_UNCATCHABLE_EXCEPTION);
 295     return false;
 296   }
 297
 298   if (aTag == SCTAG_DOM_WORKER_PRINCIPAL) {
 299     // When reading principals which were written on a worker thread, we need to
 300     // know the principal of the worker which did the write.
 301     if (!sActiveWorkerPrincipal) {
 302       xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 303       return false;
 304     }
 305     RefPtr<nsJSPrincipals> retval = get(sActiveWorkerPrincipal);
 306     retval.forget(aOutPrincipals);
 307     return true;
 308   }
 309
 310   PrincipalInfo info;
 311   if (!ReadPrincipalInfo(aReader, aTag, info)) {
 312     return false;
 313   }
 314
 315   auto principalOrErr = PrincipalInfoToPrincipal(info);
 316   if (NS_WARN_IF(principalOrErr.isErr())) {
 317     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 318     return false;
 319   }
 320
 321   nsCOMPtr<nsIPrincipal> principal = principalOrErr.unwrap();
 322
 323   *aOutPrincipals = get(principal.forget().take());
 324   return true;
 325 }
 326
 327 static bool WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 328                                const OriginAttributes& aAttrs,
 329                                const nsCString& aSpec,
 330                                const nsCString& aOriginNoSuffix,
 331                                const nsCString& aBaseDomain) {
 332   nsAutoCString suffix;
 333   aAttrs.CreateSuffix(suffix);
 334
 335   if (!(JS_WriteUint32Pair(aWriter, suffix.Length(), aSpec.Length()) &&
 336         JS_WriteBytes(aWriter, suffix.get(), suffix.Length()) &&
 337         JS_WriteBytes(aWriter, aSpec.get(), aSpec.Length()) &&
 338         JS_WriteUint32Pair(aWriter, aOriginNoSuffix.Length(), 0) &&
 339         JS_WriteBytes(aWriter, aOriginNoSuffix.get(),
 340                       aOriginNoSuffix.Length()))) {
 341     return false;
 342   }
 343
 344   if (aBaseDomain.IsVoid()) {
 345     return JS_WriteUint32Pair(aWriter, 1, 0);
 346   }
 347
 348   return JS_WriteUint32Pair(aWriter, 0, aBaseDomain.Length()) &&
 349          JS_WriteBytes(aWriter, aBaseDomain.get(), aBaseDomain.Length());
 350 }
 351
 352 /* static */
 353 bool nsJSPrincipals::WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 354                                         const PrincipalInfo& aInfo) {
 355   if (aInfo.type() == PrincipalInfo::TNullPrincipalInfo) {
 356     const NullPrincipalInfo& nullInfo = aInfo;
 357     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_NULL_PRINCIPAL, 0) &&
 358            ::WritePrincipalInfo(aWriter, nullInfo.attrs(), nullInfo.spec(),
 359                                 ""_ns, ""_ns);
 360   }
 361   if (aInfo.type() == PrincipalInfo::TSystemPrincipalInfo) {
 362     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_SYSTEM_PRINCIPAL, 0);
 363   }
 364   if (aInfo.type() == PrincipalInfo::TExpandedPrincipalInfo) {
 365     const ExpandedPrincipalInfo& expanded = aInfo;
 366     if (!JS_WriteUint32Pair(aWriter, SCTAG_DOM_EXPANDED_PRINCIPAL, 0) ||
 367         !JS_WriteUint32Pair(aWriter, expanded.allowlist().Length(), 0)) {
 368       return false;
 369     }
 370
 371     for (uint32_t i = 0; i < expanded.allowlist().Length(); i++) {
 372       if (!WritePrincipalInfo(aWriter, expanded.allowlist()[i])) {
 373         return false;
 374       }
 375     }
 376     return true;
 377   }
 378
 379   MOZ_ASSERT(aInfo.type() == PrincipalInfo::TContentPrincipalInfo);
 380   const ContentPrincipalInfo& cInfo = aInfo;
 381   return JS_WriteUint32Pair(aWriter, SCTAG_DOM_CONTENT_PRINCIPAL, 0) &&
 382          ::WritePrincipalInfo(aWriter, cInfo.attrs(), cInfo.spec(),
 383                               cInfo.originNoSuffix(), cInfo.baseDomain());
 384 }
 385
 386 bool nsJSPrincipals::write(JSContext* aCx, JSStructuredCloneWriter* aWriter) {
 387   PrincipalInfo info;
 388   if (NS_WARN_IF(NS_FAILED(PrincipalToPrincipalInfo(this, &info)))) {
 389     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 390     return false;
 391   }
 392
 393   return WritePrincipalInfo(aWriter, info);
 394 }
 395
 396 bool nsJSPrincipals::isSystemOrAddonPrincipal() {
 397   JS::AutoSuppressGCAnalysis suppress;
 398   return this->IsSystemPrincipal() ||
 399          this->GetIsAddonOrExpandedAddonPrincipal();
 400 }