Changeset 217051 in webkit

Timestamp:

May 18, 2017, 11:09:24 AM (9 years ago)

Author:

Joseph Pecoraro

Message:

Remote Inspector: Be stricter about checking message types
​https://bugs.webkit.org/show_bug.cgi?id=172259
<rdar://problem/32264839>

Reviewed by Brian Burg.

• inspector/remote/cocoa/RemoteInspectorCocoa.mm:

(Inspector::RemoteInspector::receivedSetupMessage):
(Inspector::RemoteInspector::receivedDataMessage):
(Inspector::RemoteInspector::receivedDidCloseMessage):
(Inspector::RemoteInspector::receivedIndicateMessage):
(Inspector::RemoteInspector::receivedConnectionDiedMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
(Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
(Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):

• inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:

(Inspector::RemoteInspectorXPCConnection::deserializeMessage):
(Inspector::RemoteInspectorXPCConnection::handleEvent):
(Inspector::RemoteInspectorXPCConnection::sendMessage):
Bail if we don't receive the expected types for message data.

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• inspector/remote/cocoa/RemoteInspectorCocoa.mm (modified) (13 diffs)
• inspector/remote/cocoa/RemoteInspectorXPCConnection.mm (modified) (3 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2017-05-18  Joseph Pecoraro  <pecoraro@apple.com>
+
+        Remote Inspector: Be stricter about checking message types
+        https://bugs.webkit.org/show_bug.cgi?id=172259
+        <rdar://problem/32264839>
+
+        Reviewed by Brian Burg.
+
+        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+        (Inspector::RemoteInspector::receivedSetupMessage):
+        (Inspector::RemoteInspector::receivedDataMessage):
+        (Inspector::RemoteInspector::receivedDidCloseMessage):
+        (Inspector::RemoteInspector::receivedIndicateMessage):
+        (Inspector::RemoteInspector::receivedConnectionDiedMessage):
+        (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
+        (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
+        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
+        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
+        (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
+        (Inspector::RemoteInspectorXPCConnection::handleEvent):
+        (Inspector::RemoteInspectorXPCConnection::sendMessage):
+        Bail if we don't receive the expected types for message data.
+
 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/inspector/remote/cocoa/RemoteInspectorCocoa.mm

@@ -44 +44 @@
 #import <wtf/text/WTFString.h>
 
+#define BAIL_IF_UNEXPECTED_TYPE(expr, classExpr)          \
+    do {                                                  \
+        id value = (expr);                                \
+        id classValue = (classExpr);                      \
+        if (![value isKindOfClass:classValue])            \
+            return;                                       \
+    } while (0);
+
 namespace Inspector {
 
@@ -450 +458 @@
 void RemoteInspector::receivedSetupMessage(NSDictionary *userInfo)
 {
-    unsigned targetIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
+    NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+    NSString *connectionIdentifier = userInfo[WIRConnectionIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(connectionIdentifier, [NSString class]);
+
+    NSString *sender = userInfo[WIRSenderKey];
+    BAIL_IF_UNEXPECTED_TYPE(sender, [NSString class]);
+
+    NSNumber *automaticallyPauseNumber = userInfo[WIRAutomaticallyPause];
+    BAIL_IF_UNEXPECTED_TYPE(automaticallyPauseNumber, [NSNumber class]);
+    BOOL automaticallyPause = automaticallyPauseNumber.boolValue;
+
+    unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
     if (!targetIdentifier)
-        return;
-
-    NSString *connectionIdentifier = [userInfo objectForKey:WIRConnectionIdentifierKey];
-    if (!connectionIdentifier)
-        return;
-
-    NSString *sender = [userInfo objectForKey:WIRSenderKey];
-    if (!sender)
         return;
 
@@ -475 +488 @@
     if (is<RemoteInspectionTarget>(target)) {
         bool isAutomaticInspection = m_automaticInspectionCandidateTargetIdentifier == target->targetIdentifier();
-        bool automaticallyPause = [[userInfo objectForKey:WIRAutomaticallyPause] boolValue];
 
         if (!connectionToTarget->setup(isAutomaticInspection, automaticallyPause)) {
@@ -496 +508 @@
 void RemoteInspector::receivedDataMessage(NSDictionary *userInfo)
 {
-    unsigned targetIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
+    NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+    NSData *data = userInfo[WIRSocketDataKey];
+    BAIL_IF_UNEXPECTED_TYPE(data, [NSData class]);
+
+    unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
     if (!targetIdentifier)
         return;
@@ -504 +522 @@
         return;
 
-    NSData *data = [userInfo objectForKey:WIRSocketDataKey];
     RetainPtr<NSString> message = adoptNS([[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]);
     connectionToTarget->sendMessageToTarget(message.get());
@@ -511 +528 @@
 void RemoteInspector::receivedDidCloseMessage(NSDictionary *userInfo)
 {
-    unsigned targetIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
+    NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+    NSString *connectionIdentifier = userInfo[WIRConnectionIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(connectionIdentifier, [NSString class]);
+
+    unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
     if (!targetIdentifier)
-        return;
-
-    NSString *connectionIdentifier = [userInfo objectForKey:WIRConnectionIdentifierKey];
-    if (!connectionIdentifier)
         return;
 
@@ -539 +558 @@
 void RemoteInspector::receivedIndicateMessage(NSDictionary *userInfo)
 {
-    unsigned identifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
-    if (!identifier)
-        return;
-
-    BOOL indicateEnabled = [[userInfo objectForKey:WIRIndicateEnabledKey] boolValue];
+    NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+    NSNumber *indicateEnabledNumber = userInfo[WIRIndicateEnabledKey];
+    BAIL_IF_UNEXPECTED_TYPE(indicateEnabledNumber, [NSNumber class]);
+    BOOL indicateEnabled = indicateEnabledNumber.boolValue;
+
+    unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
+    if (!targetIdentifier)
+        return;
 
     callOnWebThreadOrDispatchAsyncOnMainThread(^{
@@ -550 +574 @@
             std::lock_guard<Lock> lock(m_mutex);
 
-            auto findResult = m_targetMap.find(identifier);
+            auto findResult = m_targetMap.find(targetIdentifier);
             if (findResult == m_targetMap.end())
                 return;
@@ -589 +613 @@
 void RemoteInspector::receivedConnectionDiedMessage(NSDictionary *userInfo)
 {
-    NSString *connectionIdentifier = [userInfo objectForKey:WIRConnectionIdentifierKey];
-    if (!connectionIdentifier)
-        return;
+    NSString *connectionIdentifier = userInfo[WIRConnectionIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(connectionIdentifier, [NSString class]);
 
     auto it = m_targetConnectionMap.begin();
@@ -612 +635 @@
 void RemoteInspector::receivedAutomaticInspectionConfigurationMessage(NSDictionary *userInfo)
 {
-    m_automaticInspectionEnabled = [[userInfo objectForKey:WIRAutomaticInspectionEnabledKey] boolValue];
+    NSNumber *automaticInspectionEnabledNumber = userInfo[WIRAutomaticInspectionEnabledKey];
+    BAIL_IF_UNEXPECTED_TYPE(automaticInspectionEnabledNumber, [NSNumber class]);
+
+    m_automaticInspectionEnabled = automaticInspectionEnabledNumber.boolValue;
 
     if (!m_automaticInspectionEnabled && m_automaticInspectionPaused)
@@ -620 +646 @@
 void RemoteInspector::receivedAutomaticInspectionRejectMessage(NSDictionary *userInfo)
 {
-    unsigned rejectionIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntValue];
-
-    ASSERT(rejectionIdentifier == m_automaticInspectionCandidateTargetIdentifier);
-    if (rejectionIdentifier == m_automaticInspectionCandidateTargetIdentifier)
+    NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+    unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
+    if (!targetIdentifier)
+        return;
+
+    ASSERT(targetIdentifier == m_automaticInspectionCandidateTargetIdentifier);
+    if (targetIdentifier == m_automaticInspectionCandidateTargetIdentifier)
         m_automaticInspectionPaused = false;
 }
@@ -629 +660 @@
 void RemoteInspector::receivedAutomationSessionRequestMessage(NSDictionary *userInfo)
 {
+    NSString *suggestedSessionIdentifier = userInfo[WIRSessionIdentifierKey];
+    BAIL_IF_UNEXPECTED_TYPE(suggestedSessionIdentifier, [NSString class]);
+
     if (!m_client)
         return;
@@ -635 +669 @@
         return;
 
-    NSString *suggestedSessionIdentifier = [userInfo objectForKey:WIRSessionIdentifierKey];
-    if (!suggestedSessionIdentifier)
-        return;
-
     m_client->requestAutomationSession(suggestedSessionIdentifier);
 }

trunk/Source/JavaScriptCore/inspector/remote/cocoa/RemoteInspectorXPCConnection.mm

@@ -145 +145 @@
     RetainPtr<CFDictionaryRef> dictionary = adoptCF((CFDictionaryRef)_CFXPCCreateCFObjectFromXPCMessage(xpcDictionary));
     ASSERT_WITH_MESSAGE(dictionary, "Unable to deserialize xpc message");
+    ASSERT(CFGetTypeID(dictionary.get()) == CFDictionaryGetTypeID());
     return (NSDictionary *)dictionary.autorelease();
 }
@@ -183 +184 @@
 #endif
 
-    NSDictionary *dataDictionary = deserializeMessage(object);
-    if (!dataDictionary)
-        return;
-
-    NSString *message = [dataDictionary objectForKey:RemoteInspectorXPCConnectionMessageNameKey];
-    NSDictionary *userInfo = [dataDictionary objectForKey:RemoteInspectorXPCConnectionUserInfoKey];
+    NSDictionary *dictionary = deserializeMessage(object);
+    if (![dictionary isKindOfClass:[NSDictionary class]])
+        return;
+
+    NSString *message = dictionary[RemoteInspectorXPCConnectionMessageNameKey];
+    if (![message isKindOfClass:[NSString class]])
+        return;
+
+    NSDictionary *userInfo = dictionary[RemoteInspectorXPCConnectionUserInfoKey];
+    if (userInfo && ![userInfo isKindOfClass:[NSDictionary class]])
+        return;
+
     std::lock_guard<Lock> lock(m_mutex);
     if (m_client)
@@ -200 +207 @@
         return;
 
-    NSMutableDictionary *dictionary = [NSMutableDictionary dictionaryWithObject:messageName forKey:RemoteInspectorXPCConnectionMessageNameKey];
+    RetainPtr<NSMutableDictionary> dictionary = adoptNS([[NSMutableDictionary alloc] init]);
+    [dictionary setObject:messageName forKey:RemoteInspectorXPCConnectionMessageNameKey];
     if (userInfo)
         [dictionary setObject:userInfo forKey:RemoteInspectorXPCConnectionUserInfoKey];
 
-    xpc_object_t xpcDictionary = _CFXPCCreateXPCMessageWithCFObject((CFDictionaryRef)dictionary);
+    xpc_object_t xpcDictionary = _CFXPCCreateXPCMessageWithCFObject((CFDictionaryRef)dictionary.get());
     ASSERT_WITH_MESSAGE(xpcDictionary && xpc_get_type(xpcDictionary) == XPC_TYPE_DICTIONARY, "Unable to serialize xpc message");
     if (!xpcDictionary)