Changeset 251358 in webkit

Timestamp:

Oct 20, 2019, 6:55:11 PM (6 years ago)

Author:

Brent Fulgham

Message:

Improve serialization logic
​https://bugs.webkit.org/show_bug.cgi?id=203039
<rdar://problem/55631691>

Reviewed by Alex Christensen.

Check that the SecItemRequestData only contains relevant types for
CFNetwork uses.

• Platform/spi/Cocoa/SecItemSPI.h: Added.
• Shared/mac/SecItemRequestData.cpp:

(WebKit::arrayContainsInvalidType): Added.
(WebKit::dictionaryContainsInvalidType): Added.
(WebKit::validTypeIDs): Added.
(WebKit::isValidType): Added.
(WebKit::SecItemRequestData::decode): Check types during decode.

• Shared/mac/SecItemRequestData.h:
• WebKit.xcodeproj/project.pbxproj:

Location:

trunk/Source/WebKit

Files:

• ChangeLog (modified) (1 diff)
• Platform/spi/Cocoa/SecItemSPI.h (copied) (copied from trunk/Source/WebKit/Shared/mac/SecItemRequestData.h ) (2 diffs)
• Shared/mac/SecItemRequestData.cpp (modified) (5 diffs)
• Shared/mac/SecItemRequestData.h (modified) (3 diffs)
• WebKit.xcodeproj/project.pbxproj (modified) (4 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-10-20  Brent Fulgham  <bfulgham@apple.com>
+
+        Improve serialization logic
+        https://bugs.webkit.org/show_bug.cgi?id=203039
+        <rdar://problem/55631691>
+
+        Reviewed by Alex Christensen.
+
+        Check that the SecItemRequestData only contains relevant types for
+        CFNetwork uses. 
+
+        * Platform/spi/Cocoa/SecItemSPI.h: Added.
+        * Shared/mac/SecItemRequestData.cpp:
+        (WebKit::arrayContainsInvalidType): Added.
+        (WebKit::dictionaryContainsInvalidType): Added.
+        (WebKit::validTypeIDs): Added.
+        (WebKit::isValidType): Added.
+        (WebKit::SecItemRequestData::decode): Check types during decode.
+        * Shared/mac/SecItemRequestData.h:
+        * WebKit.xcodeproj/project.pbxproj:
+
 2019-10-19  Adrian Perez de Castro  <aperez@igalia.com>
 

trunk/Source/WebKit/Platform/spi/Cocoa/SecItemSPI.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#ifndef SecItemRequestData_h
-#define SecItemRequestData_h
+#pragma once
 
-#include <wtf/RetainPtr.h>
+#include <Security/SecAccessControl.h>
+#include <Security/SecBase.h>
+#include <Security/SecCertificate.h>
+#include <Security/SecIdentity.h>
+#include <Security/SecPolicy.h>
+#include <Security/SecTrust.h>
 
-namespace IPC {
-class Decoder;
-class Encoder;
+#if PLATFORM(MAC)
+#include <Security/SecACL.h>
+#include <Security/SecAccess.h>
+#include <Security/SecTrustedApplication.h>
+#endif
+
+#if USE(APPLE_INTERNAL_SDK)
+
+#include <Security/SecCode.h>
+#include <Security/SecRequirement.h>
+#include <Security/SecStaticCode.h>
+
+#else
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+CF_ASSUME_NONNULL_BEGIN
+
+CFTypeID SecCodeGetTypeID();
+CFTypeID SecRequirementGetTypeID();
+CFTypeID SecStaticCodeGetTypeID();
+
+CF_ASSUME_NONNULL_END
+
+#ifdef __cplusplus
 }
+#endif
 
-namespace WebKit {
-    
-class SecItemRequestData {
-public:
-    enum Type {
-        Invalid,
-        CopyMatching,
-        Add,
-        Update,
-        Delete,
-    };
-
-    SecItemRequestData();
-    SecItemRequestData(Type, CFDictionaryRef query);
-    SecItemRequestData(Type, CFDictionaryRef query, CFDictionaryRef attributesToMatch);
-
-    void encode(IPC::Encoder&) const;
-    static bool decode(IPC::Decoder&, SecItemRequestData&);
-
-    Type type() const { return m_type; }
-
-    CFDictionaryRef query() const { return m_queryDictionary.get(); }
-    CFDictionaryRef attributesToMatch() const { return m_attributesToMatch.get(); }
-
-private:
-    Type m_type;
-    RetainPtr<CFDictionaryRef> m_queryDictionary;
-    RetainPtr<CFDictionaryRef> m_attributesToMatch;
-};
-    
-} // namespace WebKit
-
-#endif // SecItemRequestData_h
+#endif // USE(APPLE_INTERNAL_SDK)

trunk/Source/WebKit/Shared/mac/SecItemRequestData.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -29 +29 @@
 #include "ArgumentCoders.h"
 #include "ArgumentCodersCF.h"
+#include "SecItemSPI.h"
+#include <CoreFoundation/CoreFoundation.h>
 
 namespace WebKit {
@@ -63 +65 @@
 }
 
+static bool isValidType(CFTypeRef);
+
+static bool arrayContainsInvalidType(CFArrayRef array)
+{
+    CFIndex entryCount = CFArrayGetCount(array);
+
+    for (CFIndex entry = 0; entry < entryCount; ++entry) {
+        CFTypeRef value = reinterpret_cast<CFTypeRef>(CFArrayGetValueAtIndex(array, entry));
+        if (!isValidType(value))
+            return true;
+    }
+
+    return false;
+}
+
+static bool dictionaryContainsInvalidType(CFDictionaryRef dict)
+{
+    CFIndex entryCount = CFDictionaryGetCount(dict);
+
+    Vector<const void*> keys(entryCount);
+    Vector<const void*> values(entryCount);
+    CFDictionaryGetKeysAndValues(dict, keys.data(), values.data());
+
+    for (CFIndex entry = 0; entry < entryCount; ++entry) {
+        CFTypeRef key = reinterpret_cast<CFTypeRef>(keys[entry]);
+        if (!isValidType(key))
+            return true;
+
+        CFTypeRef value = reinterpret_cast<CFTypeRef>(values[entry]);
+        if (!isValidType(value))
+            return true;
+    }
+
+    return false;
+}
+
+#if PLATFORM(MAC)
+typedef std::array<CFTypeID, 16> ValidTypes;
+#else
+typedef std::array<CFTypeID, 13> ValidTypes;
+#endif
+
+static const ValidTypes& validTypeIDs()
+{
+    static ValidTypes types = {{
+        CFBooleanGetTypeID(), CFDataGetTypeID(), CFStringGetTypeID(), CFNullGetTypeID(), CFNumberGetTypeID(),
+        SecAccessControlGetTypeID(), SecCertificateGetTypeID(), SecCodeGetTypeID(), SecIdentityGetTypeID(),
+        SecPolicyGetTypeID(), SecRequirementGetTypeID(), SecStaticCodeGetTypeID(), SecTrustGetTypeID()
+#if PLATFORM(MAC)
+        , SecACLGetTypeID(), SecAccessGetTypeID(), SecTrustedApplicationGetTypeID()
+#endif
+    }};
+
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        std::sort(types.begin(), types.end());
+    });
+
+    return types;
+}
+
+static bool isValidType(CFTypeRef type)
+{
+    auto typeID = CFGetTypeID(type);
+    if (typeID == CFDictionaryGetTypeID())
+        return !dictionaryContainsInvalidType(reinterpret_cast<CFDictionaryRef>(type));
+
+    if (typeID == CFArrayGetTypeID())
+        return !arrayContainsInvalidType(reinterpret_cast<CFArrayRef>(type));
+
+    const auto& validTypes = validTypeIDs();
+    
+    bool validType = std::binary_search(validTypes.begin(), validTypes.end(), typeID);
+    if (!validType) {
+        String typeName { adoptCF(CFCopyTypeIDDescription(typeID)).get() };
+        WTFLogAlways("SecItemRequestData::decode: Attempted to serialized invalid type %s", typeName.utf8().data());
+    }
+    return validType;
+}
+
 bool SecItemRequestData::decode(IPC::Decoder& decoder, SecItemRequestData& secItemRequestData)
 {
@@ -72 +154 @@
         return false;
 
-    if (expectQuery && !IPC::decode(decoder, secItemRequestData.m_queryDictionary))
-        return false;
+    if (expectQuery) {
+        if (!IPC::decode(decoder, secItemRequestData.m_queryDictionary))
+            return false;
+
+        if (dictionaryContainsInvalidType(secItemRequestData.m_queryDictionary.get()))
+            return false;
+    }
     
     bool expectAttributes;
@@ -79 +166 @@
         return false;
     
-    if (expectAttributes && !IPC::decode(decoder, secItemRequestData.m_attributesToMatch))
-        return false;
-    
+    if (expectAttributes) {
+        if (!IPC::decode(decoder, secItemRequestData.m_attributesToMatch))
+            return false;
+
+        if (dictionaryContainsInvalidType(secItemRequestData.m_attributesToMatch.get()))
+            return false;
+    }
+
     return true;
 }

trunk/Source/WebKit/Shared/mac/SecItemRequestData.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2011 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -24 +24 @@
  */
 
-#ifndef SecItemRequestData_h
-#define SecItemRequestData_h
+#pragma once
 
 #include <wtf/RetainPtr.h>
@@ -65 +64 @@
     
 } // namespace WebKit
-
-#endif // SecItemRequestData_h

trunk/Source/WebKit/WebKit.xcodeproj/project.pbxproj

@@ -1179 +1179 @@
                 7A8A9D5A1EF13029009801AE /* APIInjectedBundleBundleClient.h in Headers */ = {isa = PBXBuildFile; fileRef = 7A8A9D591EF13020009801AE /* APIInjectedBundleBundleClient.h */; };
                 7A8A9D5C1EF14598009801AE /* APIInjectedBundlePageResourceLoadClient.h in Headers */ = {isa = PBXBuildFile; fileRef = 7A8A9D5B1EF1458E009801AE /* APIInjectedBundlePageResourceLoadClient.h */; };
+                7AA746D523593D8100095050 /* SecItemSPI.h in Headers */ = {isa = PBXBuildFile; fileRef = 7AA746D42359308400095050 /* SecItemSPI.h */; };
                 7AB6EA451EEAAE3800037B2B /* APIIconDatabaseClient.h in Headers */ = {isa = PBXBuildFile; fileRef = 7AB6EA441EEAAE2300037B2B /* APIIconDatabaseClient.h */; };
                 7AB6EA471EEAB6B800037B2B /* APIGeolocationProvider.h in Headers */ = {isa = PBXBuildFile; fileRef = 7AB6EA461EEAB6B000037B2B /* APIGeolocationProvider.h */; };
@@ -3768 +3769 @@
                 7A8A9D591EF13020009801AE /* APIInjectedBundleBundleClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIInjectedBundleBundleClient.h; sourceTree = "<group>"; };
                 7A8A9D5B1EF1458E009801AE /* APIInjectedBundlePageResourceLoadClient.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = APIInjectedBundlePageResourceLoadClient.h; sourceTree = "<group>"; };
+                7AA746D42359308400095050 /* SecItemSPI.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SecItemSPI.h; sourceTree = "<group>"; };
                 7AB4EA3F22777C460085BBAA /* SandboxExtensionCocoa.mm */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.objcpp; path = SandboxExtensionCocoa.mm; sourceTree = "<group>"; };
                 7AB4EA4122777FC70085BBAA /* SandboxInitialiationParametersCocoa.mm */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.objcpp; path = SandboxInitialiationParametersCocoa.mm; sourceTree = "<group>"; };
@@ -6270 +6272 @@
                                 57B826402304EB3E00B72EB0 /* NearFieldSPI.h */,
                                 3754D5441B3A29FD003A4C7F /* NSInvocationSPI.h */,
+                                0E97D74C200E8FF300BF6643 /* SafeBrowsingSPI.h */,
+                                7AA746D42359308400095050 /* SecItemSPI.h */,
                                 37B47E2C1D64DB76005F4EFF /* objcSPI.h */,
-                                0E97D74C200E8FF300BF6643 /* SafeBrowsingSPI.h */,
                         );
                         path = Cocoa;
@@ -9407 +9410 @@
                                 1A4D664818A2D91A00D82E21 /* APIUIClient.h in Headers */,
                                 BCDB86C11200FB97007254BE /* APIURL.h in Headers */,
+                                7AA746D523593D8100095050 /* SecItemSPI.h in Headers */,
                                 BCE2315D122C30CA00D5C35A /* APIURLRequest.h in Headers */,
                                 BC90A1D2122DD55E00CC8C50 /* APIURLResponse.h in Headers */,