Changeset 142099 in webkit

Timestamp:

Feb 7, 2013 5:01:02 AM (11 years ago)

Author:

tonyg@chromium.org

Message:

Call XSSAuditor.filterToken() from threaded HTML parser
​https://bugs.webkit.org/show_bug.cgi?id=107603

Reviewed by Adam Barth.

With this patch we now pass 180 of 182 tests in http/tests/security/xssAuditor.

We do this by creating aan XSSAuditor on the main thread and passing ownership of them to the BackgroundHTMLParser upon its creation.

Then the background thread calls filterToken() and stores the resulting XSSInfo (if any) on the CompactHTMLToken for the main thread to handle.

This involved trimming the XSSAuditor to only depend on the TextEncoding instead of the whole TextResourceDecoder.

No new tests because covered by existing tests.

• html/parser/BackgroundHTMLParser.cpp:

(WebCore::BackgroundHTMLParser::BackgroundHTMLParser):
(WebCore::BackgroundHTMLParser::pumpTokenizer):
(WebCore::BackgroundHTMLParser::createPartial):

• html/parser/BackgroundHTMLParser.h:

(WebCore):
(WebCore::BackgroundHTMLParser::create):
(BackgroundHTMLParser):

• html/parser/HTMLDocumentParser.cpp:

(WebCore::HTMLDocumentParser::pumpTokenizer):
(WebCore::HTMLDocumentParser::startBackgroundParser):

• html/parser/HTMLSourceTracker.cpp:

(WebCore::HTMLSourceTracker::start):
(WebCore::HTMLSourceTracker::end):

• html/parser/HTMLSourceTracker.h: Change the HTMLInputStream args to SegmentedString because the background thread only has a BackgroundHTMLInputStream.

(HTMLSourceTracker):

• html/parser/HTMLViewSourceParser.cpp:

(WebCore::HTMLViewSourceParser::pumpTokenizer):

• html/parser/XSSAuditor.cpp:

(WebCore::fullyDecodeString):
(WebCore::XSSAuditor::XSSAuditor):
(WebCore::XSSAuditor::init): Copies necessary to make isSafeToSendToAnotherThread() happy.
(WebCore::XSSAuditor::decodedSnippetForName):
(WebCore::XSSAuditor::decodedSnippetForAttribute):
(WebCore::XSSAuditor::decodedSnippetForJavaScript):
(WebCore::XSSAuditor::isSafeToSendToAnotherThread): Check that all String and KURL members are safe to send to another thread.
(WebCore):

• html/parser/XSSAuditor.h:

(WebCore):
(WebCore::FilterTokenRequest::FilterTokenRequest):
(FilterTokenRequest):
(XSSAuditor):

Location:

trunk/Source/WebCore

Files:

• ChangeLog (modified) (1 diff)
• html/parser/BackgroundHTMLParser.cpp (modified) (5 diffs)
• html/parser/BackgroundHTMLParser.h (modified) (6 diffs)
• html/parser/HTMLDocumentParser.cpp (modified) (4 diffs)
• html/parser/HTMLSourceTracker.cpp (modified) (2 diffs)
• html/parser/HTMLSourceTracker.h (modified) (2 diffs)
• html/parser/HTMLViewSourceParser.cpp (modified) (1 diff)
• html/parser/XSSAuditor.cpp (modified) (10 diffs)
• html/parser/XSSAuditor.h (modified) (5 diffs)

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2013-02-07  Tony Gentilcore  <tonyg@chromium.org>
+
+        Call XSSAuditor.filterToken() from threaded HTML parser
+        https://bugs.webkit.org/show_bug.cgi?id=107603
+
+        Reviewed by Adam Barth.
+
+        With this patch we now pass 180 of 182 tests in http/tests/security/xssAuditor.
+
+        We do this by creating aan XSSAuditor on the main thread and passing ownership of them to the BackgroundHTMLParser upon its creation.
+
+        Then the background thread calls filterToken() and stores the resulting XSSInfo (if any) on the CompactHTMLToken for the main thread to handle.
+
+        This involved trimming the XSSAuditor to only depend on the TextEncoding instead of the whole TextResourceDecoder.
+
+        No new tests because covered by existing tests.
+
+        * html/parser/BackgroundHTMLParser.cpp:
+        (WebCore::BackgroundHTMLParser::BackgroundHTMLParser):
+        (WebCore::BackgroundHTMLParser::pumpTokenizer):
+        (WebCore::BackgroundHTMLParser::createPartial):
+        * html/parser/BackgroundHTMLParser.h:
+        (WebCore):
+        (WebCore::BackgroundHTMLParser::create):
+        (BackgroundHTMLParser):
+        * html/parser/HTMLDocumentParser.cpp:
+        (WebCore::HTMLDocumentParser::pumpTokenizer):
+        (WebCore::HTMLDocumentParser::startBackgroundParser):
+        * html/parser/HTMLSourceTracker.cpp:
+        (WebCore::HTMLSourceTracker::start):
+        (WebCore::HTMLSourceTracker::end):
+        * html/parser/HTMLSourceTracker.h: Change the HTMLInputStream args to SegmentedString because the background thread only has a BackgroundHTMLInputStream.
+        (HTMLSourceTracker):
+        * html/parser/HTMLViewSourceParser.cpp:
+        (WebCore::HTMLViewSourceParser::pumpTokenizer):
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::fullyDecodeString):
+        (WebCore::XSSAuditor::XSSAuditor):
+        (WebCore::XSSAuditor::init): Copies necessary to make isSafeToSendToAnotherThread() happy.
+        (WebCore::XSSAuditor::decodedSnippetForName):
+        (WebCore::XSSAuditor::decodedSnippetForAttribute):
+        (WebCore::XSSAuditor::decodedSnippetForJavaScript):
+        (WebCore::XSSAuditor::isSafeToSendToAnotherThread): Check that all String and KURL members are safe to send to another thread.
+        (WebCore):
+        * html/parser/XSSAuditor.h:
+        (WebCore):
+        (WebCore::FilterTokenRequest::FilterTokenRequest):
+        (FilterTokenRequest):
+        (XSSAuditor):
+
 2013-02-07  ChangSeok Oh  <shivamidow@gmail.com>
 

trunk/Source/WebCore/html/parser/BackgroundHTMLParser.cpp

@@ -37 +37 @@
 #include "MathMLNames.h"
 #include "SVGNames.h"
+#include "XSSAuditor.h"
 #include <wtf/MainThread.h>
 #include <wtf/Vector.h>
@@ -72 +73 @@
 }
 
-BackgroundHTMLParser::BackgroundHTMLParser(const HTMLParserOptions& options, const WeakPtr<HTMLDocumentParser>& parser)
+BackgroundHTMLParser::BackgroundHTMLParser(const HTMLParserOptions& options, const WeakPtr<HTMLDocumentParser>& parser, PassOwnPtr<XSSAuditor> xssAuditor)
     : m_inForeignContent(false)
     , m_token(adoptPtr(new HTMLToken))
@@ -79 +80 @@
     , m_parser(parser)
     , m_pendingTokens(adoptPtr(new CompactHTMLTokenStream))
+    , m_xssAuditor(xssAuditor)
 {
 }
@@ -153 +155 @@
 void BackgroundHTMLParser::pumpTokenizer()
 {
-    while (m_tokenizer->nextToken(m_input.current(), *m_token.get())) {
-        // FIXME: Call m_xssAuditor.filterToken(m_token) and put resulting XSSInfo into CompactHTMLToken.
-        m_pendingTokens->append(CompactHTMLToken(m_token.get(), TextPosition(m_input.current().currentLine(), m_input.current().currentColumn())));
+    while (true) {
+        m_sourceTracker.start(m_input.current(), m_tokenizer.get(), *m_token);
+        if (!m_tokenizer->nextToken(m_input.current(), *m_token.get()))
+            break;
+        m_sourceTracker.end(m_input.current(), m_tokenizer.get(), *m_token);
+
+        {
+            OwnPtr<XSSInfo> xssInfo = m_xssAuditor->filterToken(FilterTokenRequest(*m_token, m_sourceTracker, m_tokenizer->shouldAllowCDATA()));
+            CompactHTMLToken token(m_token.get(), TextPosition(m_input.current().currentLine(), m_input.current().currentColumn()));
+            if (xssInfo)
+                token.setXSSInfo(xssInfo.release());
+            m_pendingTokens->append(token);
+        }
+
         m_token->clear();
 
@@ -182 +195 @@
 }
 
-void BackgroundHTMLParser::createPartial(ParserIdentifier identifier, const HTMLParserOptions& options, const WeakPtr<HTMLDocumentParser>& parser)
+void BackgroundHTMLParser::createPartial(ParserIdentifier identifier, const HTMLParserOptions& options, const WeakPtr<HTMLDocumentParser>& parser, PassOwnPtr<XSSAuditor> xssAuditor)
 {
     ASSERT(!parserMap().backgroundParsers().get(identifier));
-    parserMap().backgroundParsers().set(identifier, BackgroundHTMLParser::create(options, parser));
+    parserMap().backgroundParsers().set(identifier, BackgroundHTMLParser::create(options, parser, xssAuditor));
 }
 

trunk/Source/WebCore/html/parser/BackgroundHTMLParser.h

@@ -32 +32 @@
 #include "CompactHTMLToken.h"
 #include "HTMLParserOptions.h"
+#include "HTMLSourceTracker.h"
 #include "HTMLToken.h"
 #include "HTMLTokenizer.h"
+#include <wtf/PassOwnPtr.h>
+#include <wtf/RefPtr.h>
 #include <wtf/WeakPtr.h>
 
@@ -40 +43 @@
 typedef const void* ParserIdentifier;
 class HTMLDocumentParser;
+class XSSAuditor;
 
 class BackgroundHTMLParser {
@@ -48 +52 @@
     void finish();
 
-    static PassOwnPtr<BackgroundHTMLParser> create(const HTMLParserOptions& options, const WeakPtr<HTMLDocumentParser>& parser)
+    static PassOwnPtr<BackgroundHTMLParser> create(const HTMLParserOptions& options, const WeakPtr<HTMLDocumentParser>& parser, PassOwnPtr<XSSAuditor> xssAuditor)
     {
-        return adoptPtr(new BackgroundHTMLParser(options, parser));
+        return adoptPtr(new BackgroundHTMLParser(options, parser, xssAuditor));
     }
 
-    static void createPartial(ParserIdentifier, const HTMLParserOptions&, const WeakPtr<HTMLDocumentParser>&);
+    static void createPartial(ParserIdentifier, const HTMLParserOptions&, const WeakPtr<HTMLDocumentParser>&, PassOwnPtr<XSSAuditor>);
     static void stopPartial(ParserIdentifier);
     static void appendPartial(ParserIdentifier, const String& input);
@@ -60 +64 @@
 
 private:
-    BackgroundHTMLParser(const HTMLParserOptions&, const WeakPtr<HTMLDocumentParser>&);
+    BackgroundHTMLParser(const HTMLParserOptions&, const WeakPtr<HTMLDocumentParser>&, PassOwnPtr<XSSAuditor>);
 
     void markEndOfFile();
@@ -70 +74 @@
     bool m_inForeignContent; // FIXME: We need a stack of foreign content markers.
     BackgroundHTMLInputStream m_input;
+    HTMLSourceTracker m_sourceTracker;
     OwnPtr<HTMLToken> m_token;
     OwnPtr<HTMLTokenizer> m_tokenizer;
@@ -75 +80 @@
     WeakPtr<HTMLDocumentParser> m_parser;
     OwnPtr<CompactHTMLTokenStream> m_pendingTokens;
+    OwnPtr<XSSAuditor> m_xssAuditor;
 };
 

trunk/Source/WebCore/html/parser/HTMLDocumentParser.cpp

@@ -31 +31 @@
 #include "ContentSecurityPolicy.h"
 #include "DocumentFragment.h"
+#include "DocumentLoader.h"
 #include "Element.h"
 #include "Frame.h"
@@ -369 +370 @@
     while (canTakeNextToken(mode, session) && !session.needsYield) {
         if (!isParsingFragment())
-            m_sourceTracker.start(m_input, m_tokenizer.get(), token());
+            m_sourceTracker.start(m_input.current(), m_tokenizer.get(), token());
 
         if (!m_tokenizer->nextToken(m_input.current(), token()))
@@ -375 +376 @@
 
         if (!isParsingFragment()) {
-            m_sourceTracker.end(m_input, m_tokenizer.get(), token());
+            m_sourceTracker.end(m_input.current(), m_tokenizer.get(), token());
 
             // We do not XSS filter innerHTML, which means we (intentionally) fail
             // http/tests/security/xssAuditor/dom-write-innerHTML.html
-            if (OwnPtr<XSSInfo> xssInfo = m_xssAuditor.filterToken(FilterTokenRequest(token(), m_sourceTracker, document()->decoder(), m_tokenizer->shouldAllowCDATA())))
+            if (OwnPtr<XSSInfo> xssInfo = m_xssAuditor.filterToken(FilterTokenRequest(token(), m_sourceTracker, m_tokenizer->shouldAllowCDATA())))
                 m_xssAuditorDelegate.didBlockScript(*xssInfo);
         }
@@ -512 +513 @@
     m_haveBackgroundParser = true;
 
+    WeakPtr<HTMLDocumentParser> parser = m_weakFactory.createWeakPtr();
+    OwnPtr<XSSAuditor> xssAuditor = adoptPtr(new XSSAuditor);
+    xssAuditor->init(document());
+    ASSERT(xssAuditor->isSafeToSendToAnotherThread());
     ParserIdentifier identifier = ParserMap::identifierForParser(this);
-    WeakPtr<HTMLDocumentParser> parser = m_weakFactory.createWeakPtr();
-    HTMLParserThread::shared()->postTask(bind(&BackgroundHTMLParser::createPartial, identifier, m_options, parser));
+    HTMLParserThread::shared()->postTask(bind(&BackgroundHTMLParser::createPartial, identifier, m_options, parser, xssAuditor.release()));
 }
 

trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp

@@ -35 +35 @@
 }
 
-void HTMLSourceTracker::start(const HTMLInputStream& input, HTMLTokenizer* tokenizer, HTMLToken& token)
+void HTMLSourceTracker::start(SegmentedString& currentInput, HTMLTokenizer* tokenizer, HTMLToken& token)
 {
     if (token.type() == HTMLTokenTypes::Uninitialized) {
@@ -44 +44 @@
         m_previousSource.append(m_currentSource);
 
-    m_currentSource = input.current();
+    m_currentSource = currentInput;
     token.setBaseOffset(m_currentSource.numberOfCharactersConsumed() - m_previousSource.length());
 }
 
-void HTMLSourceTracker::end(const HTMLInputStream& input, HTMLTokenizer* tokenizer, HTMLToken& token)
+void HTMLSourceTracker::end(SegmentedString& currentInput, HTMLTokenizer* tokenizer, HTMLToken& token)
 {
     m_cachedSourceForToken = String();
 
     // FIXME: This work should really be done by the HTMLTokenizer.
-    token.end(input.current().numberOfCharactersConsumed() - tokenizer->numberOfBufferedCharacters());
+    token.end(currentInput.numberOfCharactersConsumed() - tokenizer->numberOfBufferedCharacters());
 }
 

trunk/Source/WebCore/html/parser/HTMLSourceTracker.h

@@ -27 +27 @@
 #define HTMLSourceTracker_h
 
-#include "HTMLInputStream.h"
 #include "HTMLToken.h"
+#include "SegmentedString.h"
 #include <wtf/text/StringBuilder.h>
 
@@ -43 +43 @@
     // something that makes it obvious that this method can be called multiple
     // times.
-    void start(const HTMLInputStream&, HTMLTokenizer*, HTMLToken&);
-    void end(const HTMLInputStream&, HTMLTokenizer*, HTMLToken&);
+    void start(SegmentedString&, HTMLTokenizer*, HTMLToken&);
+    void end(SegmentedString&, HTMLTokenizer*, HTMLToken&);
 
     String sourceForToken(const HTMLToken&);

trunk/Source/WebCore/html/parser/HTMLViewSourceParser.cpp

@@ -52 +52 @@
 {
     while (true) {
-        m_sourceTracker.start(m_input, m_tokenizer.get(), m_token);
+        m_sourceTracker.start(m_input.current(), m_tokenizer.get(), m_token);
         if (!m_tokenizer->nextToken(m_input.current(), m_token))
             break;
-        m_sourceTracker.end(m_input, m_tokenizer.get(), m_token);
+        m_sourceTracker.end(m_input.current(), m_tokenizer.get(), m_token);
 
         document()->addSource(sourceForToken(), m_token);

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -161 +161 @@
 }
 
-static String fullyDecodeString(const String& string, const TextResourceDecoder* decoder)
-{
-    const TextEncoding& encoding = decoder ? decoder->encoding() : UTF8Encoding();
+static String fullyDecodeString(const String& string, const TextEncoding& encoding)
+{
     size_t oldWorkingStringLength;
     String workingString = string;
@@ -180 +179 @@
     , m_state(Uninitialized)
     , m_scriptTagNestingLevel(0)
+    , m_encoding(UTF8Encoding())
 {
     // Although tempting to call init() at this point, the various objects
@@ -203 +203 @@
         return;
 
-    m_documentURL = document->url();
+    m_documentURL = document->url().copy();
 
     // In theory, the Document could have detached from the Frame after the
@@ -223 +223 @@
     }
 
-    TextResourceDecoder* decoder = document->decoder();
-    m_decodedURL = fullyDecodeString(m_documentURL.string(), decoder);
+    if (document->decoder())
+        m_encoding = document->decoder()->encoding();
+
+    m_decodedURL = fullyDecodeString(m_documentURL.string(), m_encoding);
     if (m_decodedURL.find(isRequiredForInjection) == notFound)
         m_decodedURL = String();
@@ -255 +257 @@
             httpBodyAsString = httpBody->flattenToString();
             if (!httpBodyAsString.isEmpty()) {
-                m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, decoder);
+                m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, m_encoding);
                 if (m_decodedHTTPBody.find(isRequiredForInjection) == notFound)
                     m_decodedHTTPBody = String();
@@ -271 +273 @@
     if (!m_reportURL.isEmpty()) {
         // May need these for reporting later on.
-        m_originalURL = m_documentURL;
+        m_originalURL = m_documentURL.copy();
         m_originalHTTPBody = httpBodyAsString;
     }
@@ -508 +510 @@
 {
     // Grab a fixed number of characters equal to the length of the token's name plus one (to account for the "<").
-    return fullyDecodeString(request.sourceTracker.sourceForToken(request.token), request.decoder).substring(0, request.token.name().size() + 1);
+    return fullyDecodeString(request.sourceTracker.sourceForToken(request.token), m_encoding).substring(0, request.token.name().size() + 1);
 }
 
@@ -519 +521 @@
     int start = attribute.m_nameRange.m_start - request.token.startIndex();
     int end = attribute.m_valueRange.m_end - request.token.startIndex();
-    String decodedSnippet = fullyDecodeString(request.sourceTracker.sourceForToken(request.token).substring(start, end - start), request.decoder);
+    String decodedSnippet = fullyDecodeString(request.sourceTracker.sourceForToken(request.token).substring(start, end - start), m_encoding);
     decodedSnippet.truncate(kMaximumFragmentLengthTarget);
     if (treatment == SrcLikeAttribute) {
@@ -627 +629 @@
         }
 
-        result = fullyDecodeString(string.substring(startPosition, foundPosition - startPosition), request.decoder);
+        result = fullyDecodeString(string.substring(startPosition, foundPosition - startPosition), m_encoding);
         startPosition = foundPosition + 1;
     }
@@ -665 +667 @@
 }
 
+bool XSSAuditor::isSafeToSendToAnotherThread() const
+{
+    return m_documentURL.isSafeToSendToAnotherThread()
+        && m_originalURL.isSafeToSendToAnotherThread()
+        && m_originalHTTPBody.isSafeToSendToAnotherThread()
+        && m_decodedURL.isSafeToSendToAnotherThread()
+        && m_decodedHTTPBody.isSafeToSendToAnotherThread()
+        && m_cachedDecodedSnippet.isSafeToSendToAnotherThread()
+        && m_reportURL.isSafeToSendToAnotherThread();
+}
+
 } // namespace WebCore

trunk/Source/WebCore/html/parser/XSSAuditor.h

@@ -30 +30 @@
 #include "HTTPParsers.h"
 #include "SuffixTree.h"
+#include "TextEncoding.h"
 #include <wtf/PassOwnPtr.h>
 
@@ -37 +38 @@
 class HTMLDocumentParser;
 class HTMLSourceTracker;
-class TextResourceDecoder;
 class XSSInfo;
 
 struct FilterTokenRequest {
-    FilterTokenRequest(HTMLToken& token, HTMLSourceTracker& sourceTracker, const TextResourceDecoder* decoder, bool shouldAllowCDATA)
+    FilterTokenRequest(HTMLToken& token, HTMLSourceTracker& sourceTracker, bool shouldAllowCDATA)
         : token(token)
         , sourceTracker(sourceTracker)
-        , decoder(decoder)
         , shouldAllowCDATA(shouldAllowCDATA)
     { }
@@ -50 +49 @@
     HTMLToken& token;
     HTMLSourceTracker& sourceTracker;
-    const TextResourceDecoder* decoder;
     bool shouldAllowCDATA;
 };
@@ -61 +59 @@
     void init(Document*);
     PassOwnPtr<XSSInfo> filterToken(const FilterTokenRequest&);
+    bool isSafeToSendToAnotherThread() const;
 
 private:
@@ -114 +113 @@
     unsigned m_scriptTagNestingLevel;
     KURL m_reportURL;
+    TextEncoding m_encoding;
 };