caps/nsJSPrincipals.cpp

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #include "nsIPrincipal.h"
   7 #include "xpcpublic.h"
   8 #include "nsString.h"
   9 #include "nsJSPrincipals.h"
  10 #include "nsCOMPtr.h"
  11 #include "nsStringBuffer.h"
  12 #include "mozilla/BasePrincipal.h"
  13 #include "mozilla/StaticPtr.h"
  14 #include "mozilla/dom/StructuredCloneTags.h"
  15 #include "mozilla/ipc/BackgroundUtils.h"
  16 #include "mozilla/ipc/PBackgroundSharedTypes.h"
  17
  18 using namespace mozilla;
  19 using namespace mozilla::dom;
  20 using namespace mozilla::ipc;
  21
  22 NS_IMETHODIMP_(MozExternalRefCountType)
  23 nsJSPrincipals::AddRef() {
  24   MOZ_ASSERT(int32_t(refcount) >= 0, "illegal refcnt");
  25   nsrefcnt count = ++refcount;
  26   NS_LOG_ADDREF(this, count, "nsJSPrincipals", sizeof(*this));
  27   return count;
  28 }
  29
  30 NS_IMETHODIMP_(MozExternalRefCountType)
  31 nsJSPrincipals::Release() {
  32   MOZ_ASSERT(0 != refcount, "dup release");
  33   nsrefcnt count = --refcount;
  34   NS_LOG_RELEASE(this, count, "nsJSPrincipals");
  35   if (count == 0) {
  36     delete this;
  37   }
  38
  39   return count;
  40 }
  41
  42 /* static */
  43 bool nsJSPrincipals::Subsume(JSPrincipals* jsprin, JSPrincipals* other) {
  44   bool result;
  45   nsresult rv = nsJSPrincipals::get(jsprin)->Subsumes(
  46       nsJSPrincipals::get(other), &result);
  47   return NS_SUCCEEDED(rv) && result;
  48 }
  49
  50 /* static */
  51 void nsJSPrincipals::Destroy(JSPrincipals* jsprin) {
  52   // The JS runtime can call this method during the last GC when
  53   // nsScriptSecurityManager is destroyed. So we must not assume here that
  54   // the security manager still exists.
  55
  56   nsJSPrincipals* nsjsprin = nsJSPrincipals::get(jsprin);
  57
  58   // We need to destroy the nsIPrincipal. We'll do this by adding
  59   // to the refcount and calling release
  60
  61 #ifdef NS_BUILD_REFCNT_LOGGING
  62   // The refcount logging considers AddRef-to-1 to indicate creation,
  63   // so trick it into thinking it's otherwise, but balance the
  64   // Release() we do below.
  65   nsjsprin->refcount++;
  66   nsjsprin->AddRef();
  67   nsjsprin->refcount--;
  68 #else
  69   nsjsprin->refcount++;
  70 #endif
  71   nsjsprin->Release();
  72 }
  73
  74 #ifdef DEBUG
  75
  76 // Defined here so one can do principals->dump() in the debugger
  77 JS_PUBLIC_API void JSPrincipals::dump() {
  78   if (debugToken == nsJSPrincipals::DEBUG_TOKEN) {
  79     nsAutoCString str;
  80     nsresult rv = static_cast<nsJSPrincipals*>(this)->GetScriptLocation(str);
  81     fprintf(stderr, "nsIPrincipal (%p) = %s\n", static_cast<void*>(this),
  82             NS_SUCCEEDED(rv) ? str.get() : "(unknown)");
  83   } else {
  84     fprintf(stderr,
  85             "!!! JSPrincipals (%p) is not nsJSPrincipals instance - bad token: "
  86             "actual=0x%x expected=0x%x\n",
  87             this, unsigned(debugToken), unsigned(nsJSPrincipals::DEBUG_TOKEN));
  88   }
  89 }
  90
  91 #endif
  92
  93 /* static */
  94 bool nsJSPrincipals::ReadPrincipals(JSContext* aCx,
  95                                     JSStructuredCloneReader* aReader,
  96                                     JSPrincipals** aOutPrincipals) {
  97   uint32_t tag;
  98   uint32_t unused;
  99   if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 100     return false;
 101   }
 102
 103   if (tag != SCTAG_DOM_NULL_PRINCIPAL && tag != SCTAG_DOM_SYSTEM_PRINCIPAL &&
 104       tag != SCTAG_DOM_CONTENT_PRINCIPAL &&
 105       tag != SCTAG_DOM_EXPANDED_PRINCIPAL) {
 106     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 107     return false;
 108   }
 109
 110   return ReadKnownPrincipalType(aCx, aReader, tag, aOutPrincipals);
 111 }
 112
 113 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader,
 114                               OriginAttributes& aAttrs, nsACString& aSpec,
 115                               nsACString& aOriginNoSuffix,
 116                               nsACString& aBaseDomain) {
 117   uint32_t suffixLength, specLength;
 118   if (!JS_ReadUint32Pair(aReader, &suffixLength, &specLength)) {
 119     return false;
 120   }
 121
 122   nsAutoCString suffix;
 123   if (!suffix.SetLength(suffixLength, fallible)) {
 124     return false;
 125   }
 126
 127   if (!JS_ReadBytes(aReader, suffix.BeginWriting(), suffixLength)) {
 128     return false;
 129   }
 130
 131   if (!aAttrs.PopulateFromSuffix(suffix)) {
 132     return false;
 133   }
 134
 135   if (!aSpec.SetLength(specLength, fallible)) {
 136     return false;
 137   }
 138
 139   if (!JS_ReadBytes(aReader, aSpec.BeginWriting(), specLength)) {
 140     return false;
 141   }
 142
 143   uint32_t originNoSuffixLength, dummy;
 144   if (!JS_ReadUint32Pair(aReader, &originNoSuffixLength, &dummy)) {
 145     return false;
 146   }
 147
 148   MOZ_ASSERT(dummy == 0);
 149   if (dummy != 0) {
 150     return false;
 151   }
 152
 153   if (!aOriginNoSuffix.SetLength(originNoSuffixLength, fallible)) {
 154     return false;
 155   }
 156
 157   if (!JS_ReadBytes(aReader, aOriginNoSuffix.BeginWriting(),
 158                     originNoSuffixLength)) {
 159     return false;
 160   }
 161
 162   uint32_t baseDomainIsVoid, baseDomainLength;
 163   if (!JS_ReadUint32Pair(aReader, &baseDomainIsVoid, &baseDomainLength)) {
 164     return false;
 165   }
 166
 167   if (baseDomainIsVoid != 0 && baseDomainIsVoid != 1) {
 168     return false;
 169   }
 170
 171   if (baseDomainIsVoid) {
 172     if (baseDomainLength != 0) {
 173       return false;
 174     }
 175
 176     aBaseDomain.SetIsVoid(true);
 177     return true;
 178   }
 179
 180   if (!aBaseDomain.SetLength(baseDomainLength, fallible)) {
 181     return false;
 182   }
 183
 184   if (!JS_ReadBytes(aReader, aBaseDomain.BeginWriting(), baseDomainLength)) {
 185     return false;
 186   }
 187
 188   return true;
 189 }
 190
 191 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader, uint32_t aTag,
 192                               PrincipalInfo& aInfo) {
 193   if (aTag == SCTAG_DOM_SYSTEM_PRINCIPAL) {
 194     aInfo = SystemPrincipalInfo();
 195   } else if (aTag == SCTAG_DOM_NULL_PRINCIPAL) {
 196     OriginAttributes attrs;
 197     nsAutoCString spec;
 198     nsAutoCString originNoSuffix;
 199     nsAutoCString baseDomain;
 200     if (!::ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix,
 201                              baseDomain)) {
 202       return false;
 203     }
 204     aInfo = NullPrincipalInfo(attrs, spec);
 205   } else if (aTag == SCTAG_DOM_EXPANDED_PRINCIPAL) {
 206     uint32_t length, unused;
 207     if (!JS_ReadUint32Pair(aReader, &length, &unused)) {
 208       return false;
 209     }
 210
 211     ExpandedPrincipalInfo expanded;
 212
 213     for (uint32_t i = 0; i < length; i++) {
 214       uint32_t tag;
 215       if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 216         return false;
 217       }
 218
 219       PrincipalInfo sub;
 220       if (!ReadPrincipalInfo(aReader, tag, sub)) {
 221         return false;
 222       }
 223       expanded.allowlist().AppendElement(sub);
 224     }
 225
 226     aInfo = expanded;
 227   } else if (aTag == SCTAG_DOM_CONTENT_PRINCIPAL) {
 228     OriginAttributes attrs;
 229     nsAutoCString spec;
 230     nsAutoCString originNoSuffix;
 231     nsAutoCString baseDomain;
 232     if (!::ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix,
 233                              baseDomain)) {
 234       return false;
 235     }
 236
 237 #ifdef FUZZING
 238     if (originNoSuffix.IsEmpty()) {
 239       return false;
 240     }
 241 #endif
 242
 243     MOZ_DIAGNOSTIC_ASSERT(!originNoSuffix.IsEmpty());
 244
 245     // XXX: Do we care about mDomain for structured clone?
 246     aInfo = ContentPrincipalInfo(attrs, originNoSuffix, spec, Nothing(),
 247                                  baseDomain);
 248   } else {
 249 #ifdef FUZZING
 250     return false;
 251 #else
 252     MOZ_CRASH("unexpected principal structured clone tag");
 253 #endif
 254   }
 255
 256   return true;
 257 }
 258
 259 /* static */
 260 bool nsJSPrincipals::ReadPrincipalInfo(JSStructuredCloneReader* aReader,
 261                                        PrincipalInfo& aInfo) {
 262   uint32_t tag, unused;
 263   if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 264     return false;
 265   }
 266   return ::ReadPrincipalInfo(aReader, tag, aInfo);
 267 }
 268
 269 /* static */
 270 bool nsJSPrincipals::ReadKnownPrincipalType(JSContext* aCx,
 271                                             JSStructuredCloneReader* aReader,
 272                                             uint32_t aTag,
 273                                             JSPrincipals** aOutPrincipals) {
 274   MOZ_ASSERT(aTag == SCTAG_DOM_NULL_PRINCIPAL ||
 275              aTag == SCTAG_DOM_SYSTEM_PRINCIPAL ||
 276              aTag == SCTAG_DOM_CONTENT_PRINCIPAL ||
 277              aTag == SCTAG_DOM_EXPANDED_PRINCIPAL);
 278
 279   PrincipalInfo info;
 280   if (!::ReadPrincipalInfo(aReader, aTag, info)) {
 281     return false;
 282   }
 283
 284   auto principalOrErr = PrincipalInfoToPrincipal(info);
 285   if (NS_WARN_IF(principalOrErr.isErr())) {
 286     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 287     return false;
 288   }
 289
 290   nsCOMPtr<nsIPrincipal> principal = principalOrErr.unwrap();
 291
 292   *aOutPrincipals = get(principal.forget().take());
 293   return true;
 294 }
 295
 296 static bool WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 297                                const OriginAttributes& aAttrs,
 298                                const nsCString& aSpec,
 299                                const nsCString& aOriginNoSuffix,
 300                                const nsCString& aBaseDomain) {
 301   nsAutoCString suffix;
 302   aAttrs.CreateSuffix(suffix);
 303
 304   if (!(JS_WriteUint32Pair(aWriter, suffix.Length(), aSpec.Length()) &&
 305         JS_WriteBytes(aWriter, suffix.get(), suffix.Length()) &&
 306         JS_WriteBytes(aWriter, aSpec.get(), aSpec.Length()) &&
 307         JS_WriteUint32Pair(aWriter, aOriginNoSuffix.Length(), 0) &&
 308         JS_WriteBytes(aWriter, aOriginNoSuffix.get(),
 309                       aOriginNoSuffix.Length()))) {
 310     return false;
 311   }
 312
 313   if (aBaseDomain.IsVoid()) {
 314     return JS_WriteUint32Pair(aWriter, 1, 0);
 315   }
 316
 317   return JS_WriteUint32Pair(aWriter, 0, aBaseDomain.Length()) &&
 318          JS_WriteBytes(aWriter, aBaseDomain.get(), aBaseDomain.Length());
 319 }
 320
 321 /* static */
 322 bool nsJSPrincipals::WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 323                                         const PrincipalInfo& aInfo) {
 324   if (aInfo.type() == PrincipalInfo::TNullPrincipalInfo) {
 325     const NullPrincipalInfo& nullInfo = aInfo;
 326     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_NULL_PRINCIPAL, 0) &&
 327            ::WritePrincipalInfo(aWriter, nullInfo.attrs(), nullInfo.spec(),
 328                                 ""_ns, ""_ns);
 329   }
 330   if (aInfo.type() == PrincipalInfo::TSystemPrincipalInfo) {
 331     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_SYSTEM_PRINCIPAL, 0);
 332   }
 333   if (aInfo.type() == PrincipalInfo::TExpandedPrincipalInfo) {
 334     const ExpandedPrincipalInfo& expanded = aInfo;
 335     if (!JS_WriteUint32Pair(aWriter, SCTAG_DOM_EXPANDED_PRINCIPAL, 0) ||
 336         !JS_WriteUint32Pair(aWriter, expanded.allowlist().Length(), 0)) {
 337       return false;
 338     }
 339
 340     for (uint32_t i = 0; i < expanded.allowlist().Length(); i++) {
 341       if (!WritePrincipalInfo(aWriter, expanded.allowlist()[i])) {
 342         return false;
 343       }
 344     }
 345     return true;
 346   }
 347
 348   MOZ_ASSERT(aInfo.type() == PrincipalInfo::TContentPrincipalInfo);
 349   const ContentPrincipalInfo& cInfo = aInfo;
 350   return JS_WriteUint32Pair(aWriter, SCTAG_DOM_CONTENT_PRINCIPAL, 0) &&
 351          ::WritePrincipalInfo(aWriter, cInfo.attrs(), cInfo.spec(),
 352                               cInfo.originNoSuffix(), cInfo.baseDomain());
 353 }
 354
 355 bool nsJSPrincipals::write(JSContext* aCx, JSStructuredCloneWriter* aWriter) {
 356   PrincipalInfo info;
 357   if (NS_WARN_IF(NS_FAILED(PrincipalToPrincipalInfo(this, &info)))) {
 358     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 359     return false;
 360   }
 361
 362   return WritePrincipalInfo(aWriter, info);
 363 }
 364
 365 bool nsJSPrincipals::isSystemOrAddonPrincipal() {
 366   JS::AutoSuppressGCAnalysis suppress;
 367   return this->IsSystemPrincipal() ||
 368          this->GetIsAddonOrExpandedAddonPrincipal();
 369 }