caps/nsJSPrincipals.cpp

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #include "nsIPrincipal.h"
   7 #include "xpcpublic.h"
   8 #include "nsString.h"
   9 #include "nsJSPrincipals.h"
  10 #include "plstr.h"
  11 #include "nsCOMPtr.h"
  12 #include "nsMemory.h"
  13 #include "nsStringBuffer.h"
  14 #include "mozilla/BasePrincipal.h"
  15 #include "mozilla/dom/StructuredCloneTags.h"
  16 // for mozilla::dom::workerinternals::kJSPrincipalsDebugToken
  17 #include "mozilla/dom/workerinternals/JSSettings.h"
  18 // for mozilla::dom::worklet::kJSPrincipalsDebugToken
  19 #include "mozilla/dom/WorkletPrincipals.h"
  20 #include "mozilla/ipc/BackgroundUtils.h"
  21
  22 using namespace mozilla;
  23 using namespace mozilla::ipc;
  24
  25 NS_IMETHODIMP_(MozExternalRefCountType)
  26 nsJSPrincipals::AddRef() {
  27   MOZ_ASSERT(NS_IsMainThread());
  28   MOZ_ASSERT(int32_t(refcount) >= 0, "illegal refcnt");
  29   nsrefcnt count = ++refcount;
  30   NS_LOG_ADDREF(this, count, "nsJSPrincipals", sizeof(*this));
  31   return count;
  32 }
  33
  34 NS_IMETHODIMP_(MozExternalRefCountType)
  35 nsJSPrincipals::Release() {
  36   MOZ_ASSERT(NS_IsMainThread());
  37   MOZ_ASSERT(0 != refcount, "dup release");
  38   nsrefcnt count = --refcount;
  39   NS_LOG_RELEASE(this, count, "nsJSPrincipals");
  40   if (count == 0) {
  41     delete this;
  42   }
  43
  44   return count;
  45 }
  46
  47 /* static */
  48 bool nsJSPrincipals::Subsume(JSPrincipals* jsprin, JSPrincipals* other) {
  49   bool result;
  50   nsresult rv = nsJSPrincipals::get(jsprin)->Subsumes(
  51       nsJSPrincipals::get(other), &result);
  52   return NS_SUCCEEDED(rv) && result;
  53 }
  54
  55 /* static */
  56 void nsJSPrincipals::Destroy(JSPrincipals* jsprin) {
  57   // The JS runtime can call this method during the last GC when
  58   // nsScriptSecurityManager is destroyed. So we must not assume here that
  59   // the security manager still exists.
  60
  61   nsJSPrincipals* nsjsprin = nsJSPrincipals::get(jsprin);
  62
  63   // We need to destroy the nsIPrincipal. We'll do this by adding
  64   // to the refcount and calling release
  65
  66 #ifdef NS_BUILD_REFCNT_LOGGING
  67   // The refcount logging considers AddRef-to-1 to indicate creation,
  68   // so trick it into thinking it's otherwise, but balance the
  69   // Release() we do below.
  70   nsjsprin->refcount++;
  71   nsjsprin->AddRef();
  72   nsjsprin->refcount--;
  73 #else
  74   nsjsprin->refcount++;
  75 #endif
  76   nsjsprin->Release();
  77 }
  78
  79 #ifdef DEBUG
  80
  81 // Defined here so one can do principals->dump() in the debugger
  82 JS_PUBLIC_API void JSPrincipals::dump() {
  83   if (debugToken == nsJSPrincipals::DEBUG_TOKEN) {
  84     nsAutoCString str;
  85     nsresult rv = static_cast<nsJSPrincipals*>(this)->GetScriptLocation(str);
  86     fprintf(stderr, "nsIPrincipal (%p) = %s\n", static_cast<void*>(this),
  87             NS_SUCCEEDED(rv) ? str.get() : "(unknown)");
  88   } else if (debugToken == dom::workerinternals::kJSPrincipalsDebugToken) {
  89     fprintf(stderr, "Web Worker principal singleton (%p)\n", this);
  90   } else if (debugToken == dom::WorkletPrincipals::kJSPrincipalsDebugToken) {
  91     fprintf(stderr, "Web Worklet principal (%p)\n", this);
  92   } else {
  93     fprintf(stderr,
  94             "!!! JSPrincipals (%p) is not nsJSPrincipals instance - bad token: "
  95             "actual=0x%x expected=0x%x\n",
  96             this, unsigned(debugToken), unsigned(nsJSPrincipals::DEBUG_TOKEN));
  97   }
  98 }
  99
 100 #endif
 101
 102 /* static */
 103 bool nsJSPrincipals::ReadPrincipals(JSContext* aCx,
 104                                     JSStructuredCloneReader* aReader,
 105                                     JSPrincipals** aOutPrincipals) {
 106   uint32_t tag;
 107   uint32_t unused;
 108   if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 109     return false;
 110   }
 111
 112   if (!(tag == SCTAG_DOM_NULL_PRINCIPAL || tag == SCTAG_DOM_SYSTEM_PRINCIPAL ||
 113         tag == SCTAG_DOM_CONTENT_PRINCIPAL ||
 114         tag == SCTAG_DOM_EXPANDED_PRINCIPAL ||
 115         tag == SCTAG_DOM_WORKER_PRINCIPAL)) {
 116     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 117     return false;
 118   }
 119
 120   return ReadKnownPrincipalType(aCx, aReader, tag, aOutPrincipals);
 121 }
 122
 123 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader,
 124                               OriginAttributes& aAttrs, nsACString& aSpec,
 125                               nsACString& aOriginNoSuffix,
 126                               nsACString& aBaseDomain) {
 127   uint32_t suffixLength, specLength;
 128   if (!JS_ReadUint32Pair(aReader, &suffixLength, &specLength)) {
 129     return false;
 130   }
 131
 132   nsAutoCString suffix;
 133   if (!suffix.SetLength(suffixLength, fallible)) {
 134     return false;
 135   }
 136
 137   if (!JS_ReadBytes(aReader, suffix.BeginWriting(), suffixLength)) {
 138     return false;
 139   }
 140
 141   if (!aAttrs.PopulateFromSuffix(suffix)) {
 142     return false;
 143   }
 144
 145   if (!aSpec.SetLength(specLength, fallible)) {
 146     return false;
 147   }
 148
 149   if (!JS_ReadBytes(aReader, aSpec.BeginWriting(), specLength)) {
 150     return false;
 151   }
 152
 153   uint32_t originNoSuffixLength, dummy;
 154   if (!JS_ReadUint32Pair(aReader, &originNoSuffixLength, &dummy)) {
 155     return false;
 156   }
 157
 158   MOZ_ASSERT(dummy == 0);
 159   if (dummy != 0) {
 160     return false;
 161   }
 162
 163   if (!aOriginNoSuffix.SetLength(originNoSuffixLength, fallible)) {
 164     return false;
 165   }
 166
 167   if (!JS_ReadBytes(aReader, aOriginNoSuffix.BeginWriting(),
 168                     originNoSuffixLength)) {
 169     return false;
 170   }
 171
 172   uint32_t baseDomainIsVoid, baseDomainLength;
 173   if (!JS_ReadUint32Pair(aReader, &baseDomainIsVoid, &baseDomainLength)) {
 174     return false;
 175   }
 176
 177   MOZ_ASSERT(baseDomainIsVoid == 0 || baseDomainIsVoid == 1);
 178
 179   if (baseDomainIsVoid) {
 180     MOZ_ASSERT(baseDomainLength == 0);
 181
 182     aBaseDomain.SetIsVoid(true);
 183     return true;
 184   }
 185
 186   if (!aBaseDomain.SetLength(baseDomainLength, fallible)) {
 187     return false;
 188   }
 189
 190   if (!JS_ReadBytes(aReader, aBaseDomain.BeginWriting(), baseDomainLength)) {
 191     return false;
 192   }
 193
 194   return true;
 195 }
 196
 197 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader, uint32_t aTag,
 198                               PrincipalInfo& aInfo) {
 199   if (aTag == SCTAG_DOM_SYSTEM_PRINCIPAL) {
 200     aInfo = SystemPrincipalInfo();
 201   } else if (aTag == SCTAG_DOM_NULL_PRINCIPAL) {
 202     OriginAttributes attrs;
 203     nsAutoCString spec;
 204     nsAutoCString originNoSuffix;
 205     nsAutoCString baseDomain;
 206     if (!ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix, baseDomain)) {
 207       return false;
 208     }
 209     aInfo = NullPrincipalInfo(attrs, spec);
 210   } else if (aTag == SCTAG_DOM_EXPANDED_PRINCIPAL) {
 211     uint32_t length, unused;
 212     if (!JS_ReadUint32Pair(aReader, &length, &unused)) {
 213       return false;
 214     }
 215
 216     ExpandedPrincipalInfo expanded;
 217
 218     for (uint32_t i = 0; i < length; i++) {
 219       uint32_t tag;
 220       if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 221         return false;
 222       }
 223
 224       PrincipalInfo sub;
 225       if (!ReadPrincipalInfo(aReader, tag, sub)) {
 226         return false;
 227       }
 228       expanded.allowlist().AppendElement(sub);
 229     }
 230
 231     aInfo = expanded;
 232   } else if (aTag == SCTAG_DOM_CONTENT_PRINCIPAL) {
 233     OriginAttributes attrs;
 234     nsAutoCString spec;
 235     nsAutoCString originNoSuffix;
 236     nsAutoCString baseDomain;
 237     if (!ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix, baseDomain)) {
 238       return false;
 239     }
 240
 241 #ifdef FUZZING
 242     if (originNoSuffix.IsEmpty()) {
 243       return false;
 244     }
 245 #endif
 246
 247     MOZ_DIAGNOSTIC_ASSERT(!originNoSuffix.IsEmpty());
 248
 249     // XXX: Do we care about mDomain for structured clone?
 250     aInfo = ContentPrincipalInfo(attrs, originNoSuffix, spec, Nothing(),
 251                                  baseDomain);
 252   } else {
 253 #ifdef FUZZING
 254     return false;
 255 #else
 256     MOZ_CRASH("unexpected principal structured clone tag");
 257 #endif
 258   }
 259
 260   return true;
 261 }
 262
 263 static StaticRefPtr<nsIPrincipal> sActiveWorkerPrincipal;
 264
 265 nsJSPrincipals::AutoSetActiveWorkerPrincipal::AutoSetActiveWorkerPrincipal(
 266     nsIPrincipal* aPrincipal) {
 267   MOZ_ASSERT(NS_IsMainThread());
 268   MOZ_RELEASE_ASSERT(!sActiveWorkerPrincipal);
 269   sActiveWorkerPrincipal = aPrincipal;
 270 }
 271
 272 nsJSPrincipals::AutoSetActiveWorkerPrincipal::~AutoSetActiveWorkerPrincipal() {
 273   sActiveWorkerPrincipal = nullptr;
 274 }
 275
 276 /* static */
 277 bool nsJSPrincipals::ReadKnownPrincipalType(JSContext* aCx,
 278                                             JSStructuredCloneReader* aReader,
 279                                             uint32_t aTag,
 280                                             JSPrincipals** aOutPrincipals) {
 281   MOZ_ASSERT(aTag == SCTAG_DOM_NULL_PRINCIPAL ||
 282              aTag == SCTAG_DOM_SYSTEM_PRINCIPAL ||
 283              aTag == SCTAG_DOM_CONTENT_PRINCIPAL ||
 284              aTag == SCTAG_DOM_EXPANDED_PRINCIPAL ||
 285              aTag == SCTAG_DOM_WORKER_PRINCIPAL);
 286
 287   if (NS_WARN_IF(!NS_IsMainThread())) {
 288     xpc::Throw(aCx, NS_ERROR_UNCATCHABLE_EXCEPTION);
 289     return false;
 290   }
 291
 292   if (aTag == SCTAG_DOM_WORKER_PRINCIPAL) {
 293     // When reading principals which were written on a worker thread, we need to
 294     // know the principal of the worker which did the write.
 295     if (!sActiveWorkerPrincipal) {
 296       xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 297       return false;
 298     }
 299     RefPtr<nsJSPrincipals> retval = get(sActiveWorkerPrincipal);
 300     retval.forget(aOutPrincipals);
 301     return true;
 302   }
 303
 304   PrincipalInfo info;
 305   if (!ReadPrincipalInfo(aReader, aTag, info)) {
 306     return false;
 307   }
 308
 309   auto principalOrErr = PrincipalInfoToPrincipal(info);
 310   if (NS_WARN_IF(principalOrErr.isErr())) {
 311     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 312     return false;
 313   }
 314
 315   nsCOMPtr<nsIPrincipal> principal = principalOrErr.unwrap();
 316
 317   *aOutPrincipals = get(principal.forget().take());
 318   return true;
 319 }
 320
 321 static bool WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 322                                const OriginAttributes& aAttrs,
 323                                const nsCString& aSpec,
 324                                const nsCString& aOriginNoSuffix,
 325                                const nsCString& aBaseDomain) {
 326   nsAutoCString suffix;
 327   aAttrs.CreateSuffix(suffix);
 328
 329   if (!(JS_WriteUint32Pair(aWriter, suffix.Length(), aSpec.Length()) &&
 330         JS_WriteBytes(aWriter, suffix.get(), suffix.Length()) &&
 331         JS_WriteBytes(aWriter, aSpec.get(), aSpec.Length()) &&
 332         JS_WriteUint32Pair(aWriter, aOriginNoSuffix.Length(), 0) &&
 333         JS_WriteBytes(aWriter, aOriginNoSuffix.get(),
 334                       aOriginNoSuffix.Length()))) {
 335     return false;
 336   }
 337
 338   if (aBaseDomain.IsVoid()) {
 339     return JS_WriteUint32Pair(aWriter, 1, 0);
 340   }
 341
 342   return JS_WriteUint32Pair(aWriter, 0, aBaseDomain.Length()) &&
 343          JS_WriteBytes(aWriter, aBaseDomain.get(), aBaseDomain.Length());
 344 }
 345
 346 /* static */
 347 bool nsJSPrincipals::WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 348                                         const PrincipalInfo& aInfo) {
 349   if (aInfo.type() == PrincipalInfo::TNullPrincipalInfo) {
 350     const NullPrincipalInfo& nullInfo = aInfo;
 351     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_NULL_PRINCIPAL, 0) &&
 352            ::WritePrincipalInfo(aWriter, nullInfo.attrs(), nullInfo.spec(),
 353                                 ""_ns, ""_ns);
 354   }
 355   if (aInfo.type() == PrincipalInfo::TSystemPrincipalInfo) {
 356     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_SYSTEM_PRINCIPAL, 0);
 357   }
 358   if (aInfo.type() == PrincipalInfo::TExpandedPrincipalInfo) {
 359     const ExpandedPrincipalInfo& expanded = aInfo;
 360     if (!JS_WriteUint32Pair(aWriter, SCTAG_DOM_EXPANDED_PRINCIPAL, 0) ||
 361         !JS_WriteUint32Pair(aWriter, expanded.allowlist().Length(), 0)) {
 362       return false;
 363     }
 364
 365     for (uint32_t i = 0; i < expanded.allowlist().Length(); i++) {
 366       if (!WritePrincipalInfo(aWriter, expanded.allowlist()[i])) {
 367         return false;
 368       }
 369     }
 370     return true;
 371   }
 372
 373   MOZ_ASSERT(aInfo.type() == PrincipalInfo::TContentPrincipalInfo);
 374   const ContentPrincipalInfo& cInfo = aInfo;
 375   return JS_WriteUint32Pair(aWriter, SCTAG_DOM_CONTENT_PRINCIPAL, 0) &&
 376          ::WritePrincipalInfo(aWriter, cInfo.attrs(), cInfo.spec(),
 377                               cInfo.originNoSuffix(), cInfo.baseDomain());
 378 }
 379
 380 bool nsJSPrincipals::write(JSContext* aCx, JSStructuredCloneWriter* aWriter) {
 381   PrincipalInfo info;
 382   if (NS_WARN_IF(NS_FAILED(PrincipalToPrincipalInfo(this, &info)))) {
 383     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 384     return false;
 385   }
 386
 387   return WritePrincipalInfo(aWriter, info);
 388 }
 389
 390 bool nsJSPrincipals::isSystemOrAddonPrincipal() {
 391   JS::AutoSuppressGCAnalysis suppress;
 392   return this->IsSystemPrincipal() ||
 393          this->GetIsAddonOrExpandedAddonPrincipal();
 394 }