caps/nsJSPrincipals.cpp

   1 /* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
   2 /* This Source Code Form is subject to the terms of the Mozilla Public
   3  * License, v. 2.0. If a copy of the MPL was not distributed with this
   4  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
   5
   6 #include "nsIPrincipal.h"
   7 #include "xpcpublic.h"
   8 #include "nsString.h"
   9 #include "nsJSPrincipals.h"
  10 #include "plstr.h"
  11 #include "nsCOMPtr.h"
  12 #include "nsStringBuffer.h"
  13 #include "mozilla/BasePrincipal.h"
  14 #include "mozilla/StaticPtr.h"
  15 #include "mozilla/dom/StructuredCloneTags.h"
  16 #include "mozilla/ipc/BackgroundUtils.h"
  17 #include "mozilla/ipc/PBackgroundSharedTypes.h"
  18
  19 using namespace mozilla;
  20 using namespace mozilla::dom;
  21 using namespace mozilla::ipc;
  22
  23 NS_IMETHODIMP_(MozExternalRefCountType)
  24 nsJSPrincipals::AddRef() {
  25   MOZ_ASSERT(int32_t(refcount) >= 0, "illegal refcnt");
  26   nsrefcnt count = ++refcount;
  27   NS_LOG_ADDREF(this, count, "nsJSPrincipals", sizeof(*this));
  28   return count;
  29 }
  30
  31 NS_IMETHODIMP_(MozExternalRefCountType)
  32 nsJSPrincipals::Release() {
  33   MOZ_ASSERT(0 != refcount, "dup release");
  34   nsrefcnt count = --refcount;
  35   NS_LOG_RELEASE(this, count, "nsJSPrincipals");
  36   if (count == 0) {
  37     delete this;
  38   }
  39
  40   return count;
  41 }
  42
  43 /* static */
  44 bool nsJSPrincipals::Subsume(JSPrincipals* jsprin, JSPrincipals* other) {
  45   bool result;
  46   nsresult rv = nsJSPrincipals::get(jsprin)->Subsumes(
  47       nsJSPrincipals::get(other), &result);
  48   return NS_SUCCEEDED(rv) && result;
  49 }
  50
  51 /* static */
  52 void nsJSPrincipals::Destroy(JSPrincipals* jsprin) {
  53   // The JS runtime can call this method during the last GC when
  54   // nsScriptSecurityManager is destroyed. So we must not assume here that
  55   // the security manager still exists.
  56
  57   nsJSPrincipals* nsjsprin = nsJSPrincipals::get(jsprin);
  58
  59   // We need to destroy the nsIPrincipal. We'll do this by adding
  60   // to the refcount and calling release
  61
  62 #ifdef NS_BUILD_REFCNT_LOGGING
  63   // The refcount logging considers AddRef-to-1 to indicate creation,
  64   // so trick it into thinking it's otherwise, but balance the
  65   // Release() we do below.
  66   nsjsprin->refcount++;
  67   nsjsprin->AddRef();
  68   nsjsprin->refcount--;
  69 #else
  70   nsjsprin->refcount++;
  71 #endif
  72   nsjsprin->Release();
  73 }
  74
  75 #ifdef DEBUG
  76
  77 // Defined here so one can do principals->dump() in the debugger
  78 JS_PUBLIC_API void JSPrincipals::dump() {
  79   if (debugToken == nsJSPrincipals::DEBUG_TOKEN) {
  80     nsAutoCString str;
  81     nsresult rv = static_cast<nsJSPrincipals*>(this)->GetScriptLocation(str);
  82     fprintf(stderr, "nsIPrincipal (%p) = %s\n", static_cast<void*>(this),
  83             NS_SUCCEEDED(rv) ? str.get() : "(unknown)");
  84   } else {
  85     fprintf(stderr,
  86             "!!! JSPrincipals (%p) is not nsJSPrincipals instance - bad token: "
  87             "actual=0x%x expected=0x%x\n",
  88             this, unsigned(debugToken), unsigned(nsJSPrincipals::DEBUG_TOKEN));
  89   }
  90 }
  91
  92 #endif
  93
  94 /* static */
  95 bool nsJSPrincipals::ReadPrincipals(JSContext* aCx,
  96                                     JSStructuredCloneReader* aReader,
  97                                     JSPrincipals** aOutPrincipals) {
  98   uint32_t tag;
  99   uint32_t unused;
 100   if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 101     return false;
 102   }
 103
 104   if (tag != SCTAG_DOM_NULL_PRINCIPAL && tag != SCTAG_DOM_SYSTEM_PRINCIPAL &&
 105       tag != SCTAG_DOM_CONTENT_PRINCIPAL &&
 106       tag != SCTAG_DOM_EXPANDED_PRINCIPAL) {
 107     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 108     return false;
 109   }
 110
 111   return ReadKnownPrincipalType(aCx, aReader, tag, aOutPrincipals);
 112 }
 113
 114 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader,
 115                               OriginAttributes& aAttrs, nsACString& aSpec,
 116                               nsACString& aOriginNoSuffix,
 117                               nsACString& aBaseDomain) {
 118   uint32_t suffixLength, specLength;
 119   if (!JS_ReadUint32Pair(aReader, &suffixLength, &specLength)) {
 120     return false;
 121   }
 122
 123   nsAutoCString suffix;
 124   if (!suffix.SetLength(suffixLength, fallible)) {
 125     return false;
 126   }
 127
 128   if (!JS_ReadBytes(aReader, suffix.BeginWriting(), suffixLength)) {
 129     return false;
 130   }
 131
 132   if (!aAttrs.PopulateFromSuffix(suffix)) {
 133     return false;
 134   }
 135
 136   if (!aSpec.SetLength(specLength, fallible)) {
 137     return false;
 138   }
 139
 140   if (!JS_ReadBytes(aReader, aSpec.BeginWriting(), specLength)) {
 141     return false;
 142   }
 143
 144   uint32_t originNoSuffixLength, dummy;
 145   if (!JS_ReadUint32Pair(aReader, &originNoSuffixLength, &dummy)) {
 146     return false;
 147   }
 148
 149   MOZ_ASSERT(dummy == 0);
 150   if (dummy != 0) {
 151     return false;
 152   }
 153
 154   if (!aOriginNoSuffix.SetLength(originNoSuffixLength, fallible)) {
 155     return false;
 156   }
 157
 158   if (!JS_ReadBytes(aReader, aOriginNoSuffix.BeginWriting(),
 159                     originNoSuffixLength)) {
 160     return false;
 161   }
 162
 163   uint32_t baseDomainIsVoid, baseDomainLength;
 164   if (!JS_ReadUint32Pair(aReader, &baseDomainIsVoid, &baseDomainLength)) {
 165     return false;
 166   }
 167
 168   if (baseDomainIsVoid != 0 && baseDomainIsVoid != 1) {
 169     return false;
 170   }
 171
 172   if (baseDomainIsVoid) {
 173     if (baseDomainLength != 0) {
 174       return false;
 175     }
 176
 177     aBaseDomain.SetIsVoid(true);
 178     return true;
 179   }
 180
 181   if (!aBaseDomain.SetLength(baseDomainLength, fallible)) {
 182     return false;
 183   }
 184
 185   if (!JS_ReadBytes(aReader, aBaseDomain.BeginWriting(), baseDomainLength)) {
 186     return false;
 187   }
 188
 189   return true;
 190 }
 191
 192 static bool ReadPrincipalInfo(JSStructuredCloneReader* aReader, uint32_t aTag,
 193                               PrincipalInfo& aInfo) {
 194   if (aTag == SCTAG_DOM_SYSTEM_PRINCIPAL) {
 195     aInfo = SystemPrincipalInfo();
 196   } else if (aTag == SCTAG_DOM_NULL_PRINCIPAL) {
 197     OriginAttributes attrs;
 198     nsAutoCString spec;
 199     nsAutoCString originNoSuffix;
 200     nsAutoCString baseDomain;
 201     if (!::ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix,
 202                              baseDomain)) {
 203       return false;
 204     }
 205     aInfo = NullPrincipalInfo(attrs, spec);
 206   } else if (aTag == SCTAG_DOM_EXPANDED_PRINCIPAL) {
 207     uint32_t length, unused;
 208     if (!JS_ReadUint32Pair(aReader, &length, &unused)) {
 209       return false;
 210     }
 211
 212     ExpandedPrincipalInfo expanded;
 213
 214     for (uint32_t i = 0; i < length; i++) {
 215       uint32_t tag;
 216       if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 217         return false;
 218       }
 219
 220       PrincipalInfo sub;
 221       if (!ReadPrincipalInfo(aReader, tag, sub)) {
 222         return false;
 223       }
 224       expanded.allowlist().AppendElement(sub);
 225     }
 226
 227     aInfo = expanded;
 228   } else if (aTag == SCTAG_DOM_CONTENT_PRINCIPAL) {
 229     OriginAttributes attrs;
 230     nsAutoCString spec;
 231     nsAutoCString originNoSuffix;
 232     nsAutoCString baseDomain;
 233     if (!::ReadPrincipalInfo(aReader, attrs, spec, originNoSuffix,
 234                              baseDomain)) {
 235       return false;
 236     }
 237
 238 #ifdef FUZZING
 239     if (originNoSuffix.IsEmpty()) {
 240       return false;
 241     }
 242 #endif
 243
 244     MOZ_DIAGNOSTIC_ASSERT(!originNoSuffix.IsEmpty());
 245
 246     // XXX: Do we care about mDomain for structured clone?
 247     aInfo = ContentPrincipalInfo(attrs, originNoSuffix, spec, Nothing(),
 248                                  baseDomain);
 249   } else {
 250 #ifdef FUZZING
 251     return false;
 252 #else
 253     MOZ_CRASH("unexpected principal structured clone tag");
 254 #endif
 255   }
 256
 257   return true;
 258 }
 259
 260 /* static */
 261 bool nsJSPrincipals::ReadPrincipalInfo(JSStructuredCloneReader* aReader,
 262                                        PrincipalInfo& aInfo) {
 263   uint32_t tag, unused;
 264   if (!JS_ReadUint32Pair(aReader, &tag, &unused)) {
 265     return false;
 266   }
 267   return ::ReadPrincipalInfo(aReader, tag, aInfo);
 268 }
 269
 270 /* static */
 271 bool nsJSPrincipals::ReadKnownPrincipalType(JSContext* aCx,
 272                                             JSStructuredCloneReader* aReader,
 273                                             uint32_t aTag,
 274                                             JSPrincipals** aOutPrincipals) {
 275   MOZ_ASSERT(aTag == SCTAG_DOM_NULL_PRINCIPAL ||
 276              aTag == SCTAG_DOM_SYSTEM_PRINCIPAL ||
 277              aTag == SCTAG_DOM_CONTENT_PRINCIPAL ||
 278              aTag == SCTAG_DOM_EXPANDED_PRINCIPAL);
 279
 280   PrincipalInfo info;
 281   if (!::ReadPrincipalInfo(aReader, aTag, info)) {
 282     return false;
 283   }
 284
 285   auto principalOrErr = PrincipalInfoToPrincipal(info);
 286   if (NS_WARN_IF(principalOrErr.isErr())) {
 287     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 288     return false;
 289   }
 290
 291   nsCOMPtr<nsIPrincipal> principal = principalOrErr.unwrap();
 292
 293   *aOutPrincipals = get(principal.forget().take());
 294   return true;
 295 }
 296
 297 static bool WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 298                                const OriginAttributes& aAttrs,
 299                                const nsCString& aSpec,
 300                                const nsCString& aOriginNoSuffix,
 301                                const nsCString& aBaseDomain) {
 302   nsAutoCString suffix;
 303   aAttrs.CreateSuffix(suffix);
 304
 305   if (!(JS_WriteUint32Pair(aWriter, suffix.Length(), aSpec.Length()) &&
 306         JS_WriteBytes(aWriter, suffix.get(), suffix.Length()) &&
 307         JS_WriteBytes(aWriter, aSpec.get(), aSpec.Length()) &&
 308         JS_WriteUint32Pair(aWriter, aOriginNoSuffix.Length(), 0) &&
 309         JS_WriteBytes(aWriter, aOriginNoSuffix.get(),
 310                       aOriginNoSuffix.Length()))) {
 311     return false;
 312   }
 313
 314   if (aBaseDomain.IsVoid()) {
 315     return JS_WriteUint32Pair(aWriter, 1, 0);
 316   }
 317
 318   return JS_WriteUint32Pair(aWriter, 0, aBaseDomain.Length()) &&
 319          JS_WriteBytes(aWriter, aBaseDomain.get(), aBaseDomain.Length());
 320 }
 321
 322 /* static */
 323 bool nsJSPrincipals::WritePrincipalInfo(JSStructuredCloneWriter* aWriter,
 324                                         const PrincipalInfo& aInfo) {
 325   if (aInfo.type() == PrincipalInfo::TNullPrincipalInfo) {
 326     const NullPrincipalInfo& nullInfo = aInfo;
 327     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_NULL_PRINCIPAL, 0) &&
 328            ::WritePrincipalInfo(aWriter, nullInfo.attrs(), nullInfo.spec(),
 329                                 ""_ns, ""_ns);
 330   }
 331   if (aInfo.type() == PrincipalInfo::TSystemPrincipalInfo) {
 332     return JS_WriteUint32Pair(aWriter, SCTAG_DOM_SYSTEM_PRINCIPAL, 0);
 333   }
 334   if (aInfo.type() == PrincipalInfo::TExpandedPrincipalInfo) {
 335     const ExpandedPrincipalInfo& expanded = aInfo;
 336     if (!JS_WriteUint32Pair(aWriter, SCTAG_DOM_EXPANDED_PRINCIPAL, 0) ||
 337         !JS_WriteUint32Pair(aWriter, expanded.allowlist().Length(), 0)) {
 338       return false;
 339     }
 340
 341     for (uint32_t i = 0; i < expanded.allowlist().Length(); i++) {
 342       if (!WritePrincipalInfo(aWriter, expanded.allowlist()[i])) {
 343         return false;
 344       }
 345     }
 346     return true;
 347   }
 348
 349   MOZ_ASSERT(aInfo.type() == PrincipalInfo::TContentPrincipalInfo);
 350   const ContentPrincipalInfo& cInfo = aInfo;
 351   return JS_WriteUint32Pair(aWriter, SCTAG_DOM_CONTENT_PRINCIPAL, 0) &&
 352          ::WritePrincipalInfo(aWriter, cInfo.attrs(), cInfo.spec(),
 353                               cInfo.originNoSuffix(), cInfo.baseDomain());
 354 }
 355
 356 bool nsJSPrincipals::write(JSContext* aCx, JSStructuredCloneWriter* aWriter) {
 357   PrincipalInfo info;
 358   if (NS_WARN_IF(NS_FAILED(PrincipalToPrincipalInfo(this, &info)))) {
 359     xpc::Throw(aCx, NS_ERROR_DOM_DATA_CLONE_ERR);
 360     return false;
 361   }
 362
 363   return WritePrincipalInfo(aWriter, info);
 364 }
 365
 366 bool nsJSPrincipals::isSystemOrAddonPrincipal() {
 367   JS::AutoSuppressGCAnalysis suppress;
 368   return this->IsSystemPrincipal() ||
 369          this->GetIsAddonOrExpandedAddonPrincipal();
 370 }