Changeset 193939 in webkit

Timestamp:

Dec 10, 2015 6:08:31 PM (8 years ago)

Author:

dbates@webkit.org

Message:

[CSP] eval() is not blocked for stringified literals
​https://bugs.webkit.org/show_bug.cgi?id=152158
<rdar://problem/15775625>

Reviewed by Saam Barati.

Source/JavaScriptCore:

Fixes an issue where stringified literals can be eval()ed despite being disallowed by
Content Security Policy of the page.

• interpreter/Interpreter.cpp:

(JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
and return undefined.

• runtime/JSGlobalObjectFunctions.cpp:

(JSC::globalFuncEval): Ditto.

LayoutTests:

Update test LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html to be
more comprehensive.

Add tests to ensure that we block eval() from within an external JavaScript script when the
policy of the page disallows eval() and that we block eval() inside a subframe that disallows
eval() when the page in the main frame allows eval().

• http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
• http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt: Added.
• http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html: Added.
• http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
• http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html: Added.
• http/tests/security/contentSecurityPolicy/eval-blocked.html:
• http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html (copied) (copied from trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html (added)
• LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html (modified) (1 diff)
• LayoutTests/http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/interpreter/Interpreter.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-12-10  Daniel Bates  <dabates@apple.com>
+
+        [CSP] eval() is not blocked for stringified literals
+        https://bugs.webkit.org/show_bug.cgi?id=152158
+        <rdar://problem/15775625>
+
+        Reviewed by Saam Barati.
+
+        Update test LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html to be
+        more comprehensive.
+
+        Add tests to ensure that we block eval() from within an external JavaScript script when the
+        policy of the page disallows eval() and that we block eval() inside a subframe that disallows
+        eval() when the page in the main frame allows eval().
+
+        * http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt:
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script-expected.txt: Added.
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html: Added.
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe-expected.txt: Copied from LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt.
+        * http/tests/security/contentSecurityPolicy/eval-blocked-in-subframe.html: Added.
+        * http/tests/security/contentSecurityPolicy/eval-blocked.html:
+        * http/tests/security/contentSecurityPolicy/resources/eval-blocked-in-external-script.js: Added.
+
 2015-12-10  Brady Eidson  <beidson@apple.com>
 

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: line 12: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+CONSOLE MESSAGE: line 14: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
 CONSOLE MESSAGE: line 15: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
+CONSOLE MESSAGE: line 32: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
 
+CONSOLE MESSAGE: line 33: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 34: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 35: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 36: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 37: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 38: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 39: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 40: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 41: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 42: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 43: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 44: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 45: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 46: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+CONSOLE MESSAGE: line 47: EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'unsafe-inline'".
+
+

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked-in-external-script.html

@@ -2 +2 @@
 <html>
 <head>
-<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'">
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'">
 <script>
 if (window.testRunner)
     testRunner.dumpAsText();
 </script>
+<script src="resources/eval-blocked-in-external-script.js"></script>
 </head>
-<body>
-<script>
-eval("alert('FAIL (1 of 2)')");
-</script>
-<script>
-window.eval("alert('FAIL (2 of 2)')");
-</script>
-</body>
 </html>

trunk/LayoutTests/http/tests/security/contentSecurityPolicy/eval-blocked.html

@@ -6 +6 @@
 if (window.testRunner)
     testRunner.dumpAsText();
+
+var dummy = 79;
 </script>
 </head>
 <body>
-<script>
-eval("alert('FAIL (1 of 2)')");
-</script>
-<script>
-window.eval("alert('FAIL (2 of 2)')");
-</script>
+<!-- eval() string literal "alert()" -->
+<script>eval("alert('FAIL')")</script>
+<script>window.eval("alert('FAIL')")</script>
+<!-- eval() non-string literal (should be allowed) -->
+<script>eval(0)</script>
+<script>window.eval(0)</script>
+<script>eval(1)</script>
+<script>window.eval(1)</script>
+<script>eval(7)</script>
+<script>window.eval(7)</script>
+<script>eval(3.14)</script>
+<script>window.eval(3.14)</script>
+<script>eval(true)</script>
+<script>window.eval(true)</script>
+<script>eval(false)</script>
+<script>window.eval(false)</script>
+<script>eval(Function)</script>
+<script>window.eval(Function)</script>
+<!-- eval() string literal -->
+<script>eval("")</script>
+<script>window.eval("")</script>
+<script>eval("0")</script>
+<script>window.eval("0")</script>
+<script>eval("1")</script>
+<script>window.eval("1")</script>
+<script>eval("2.73")</script>
+<script>window.eval("2.73")</script>
+<script>eval("true")</script>
+<script>window.eval("true")</script>
+<script>eval("false")</script>
+<script>window.eval("false")</script>
+<script>eval("Object")</script>
+<script>window.eval("Object")</script>
+<script>eval("dummy")</script>
+<script>window.eval("dummy")</script>
 </body>
 </html>

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-12-10  Daniel Bates  <dabates@apple.com>
+
+        [CSP] eval() is not blocked for stringified literals
+        https://bugs.webkit.org/show_bug.cgi?id=152158
+        <rdar://problem/15775625>
+
+        Reviewed by Saam Barati.
+
+        Fixes an issue where stringified literals can be eval()ed despite being disallowed by
+        Content Security Policy of the page.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::eval): Throw a JavaScript EvalError exception if eval() is disallowed for the page
+        and return undefined.
+        * runtime/JSGlobalObjectFunctions.cpp:
+        (JSC::globalFuncEval): Ditto.
+
 2015-12-10  Joseph Pecoraro  <pecoraro@apple.com>
 

trunk/Source/JavaScriptCore/interpreter/Interpreter.cpp

@@ -145 +145 @@
     if (!program.isString())
         return program;
-    
+
     TopCallFrameSetter topCallFrame(callFrame->vm(), callFrame);
+    JSGlobalObject* globalObject = callFrame->lexicalGlobalObject();
+    if (!globalObject->evalEnabled()) {
+        callFrame->vm().throwException(callFrame, createEvalError(callFrame, globalObject->evalDisabledErrorMessage()));
+        return jsUndefined();
+    }
     String programSource = asString(program)->value(callFrame);
     if (callFrame->hadException())

trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

@@ -568 +568 @@
         return JSValue::encode(x);
 
+    JSGlobalObject* globalObject = exec->lexicalGlobalObject();
+    if (!globalObject->evalEnabled()) {
+        exec->vm().throwException(exec, createEvalError(exec, globalObject->evalDisabledErrorMessage()));
+        return JSValue::encode(jsUndefined());
+    }
+
     String s = x.toString(exec)->value(exec);