Changeset 252035 in webkit

Timestamp:

Nov 4, 2019 8:05:07 PM (4 years ago)

Author:

jiewen_tan@apple.com

Message:

[WebAuthn] Guard against unexpected -[_WKWebAuthenticationPanel cancel]
​https://bugs.webkit.org/show_bug.cgi?id=203830
<rdar://problem/56797134>

Reviewed by Brent Fulgham .

Source/WebKit:

-[_WKWebAuthenticationPanel cancel] was only expected to be called on behalf of an
explicit user cancel from the UI. However, clients may call it in different other
unexpected scenarios as well. We should guard against that.

To do so, two counter ways are implemented:
1) AuthenticatorManager::cancelRequest is changed to invoke the pending request if there
is no GlobalFrameID. This case can only be reached via calling -[_WKWebAuthenticationPanel cancel]
before AuthenticatorManager::cancelRequest.
2) WebAuthenticationPanelClient::updatePanel and WebAuthenticationPanelClient::dismissPanel
will call delegate methods in the next run loop to prevent -[_WKWebAuthenticationPanel cancel]
being called in the delegates.

Covered by new API tests.

• UIProcess/WebAuthentication/AuthenticatorManager.cpp:

(WebKit::AuthenticatorManager::cancelRequest):
(WebKit::AuthenticatorManager::createService const):
(WebKit::AuthenticatorManager::invokePendingCompletionHandler):

• UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:

(WebKit::WebAuthenticationPanelClient::updatePanel const):
(WebKit::WebAuthenticationPanelClient::dismissPanel const):

Tools:

• TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:

(-[TestWebAuthenticationPanelDelegate panel:updateWebAuthenticationPanel:]):
(-[TestWebAuthenticationPanelDelegate panel:dismissWebAuthenticationPanelWithResult:]):
(TestWebKitAPI::TEST):

Location:

trunk

Files:

• Source/WebKit/ChangeLog (modified) (1 diff)
• Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp (modified) (5 diffs)
• Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm (modified) (3 diffs)
• Tools/ChangeLog (modified) (1 diff)
• Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm (modified) (5 diffs)

trunk/Source/WebKit/ChangeLog

@@ +1 @@
+2019-11-04  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Guard against unexpected -[_WKWebAuthenticationPanel cancel]
+        https://bugs.webkit.org/show_bug.cgi?id=203830
+        <rdar://problem/56797134>
+
+        Reviewed by Brent Fulgham .
+
+        -[_WKWebAuthenticationPanel cancel] was only expected to be called on behalf of an
+        explicit user cancel from the UI. However, clients may call it in different other
+        unexpected scenarios as well. We should guard against that.
+
+        To do so, two counter ways are implemented:
+        1) AuthenticatorManager::cancelRequest is changed to invoke the pending request if there
+        is no GlobalFrameID. This case can only be reached via calling -[_WKWebAuthenticationPanel cancel]
+        before AuthenticatorManager::cancelRequest.
+        2) WebAuthenticationPanelClient::updatePanel and WebAuthenticationPanelClient::dismissPanel
+        will call delegate methods in the next run loop to prevent -[_WKWebAuthenticationPanel cancel]
+        being called in the delegates.
+
+        Covered by new API tests.
+
+        * UIProcess/WebAuthentication/AuthenticatorManager.cpp:
+        (WebKit::AuthenticatorManager::cancelRequest):
+        (WebKit::AuthenticatorManager::createService const):
+        (WebKit::AuthenticatorManager::invokePendingCompletionHandler):
+        * UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm:
+        (WebKit::WebAuthenticationPanelClient::updatePanel const):
+        (WebKit::WebAuthenticationPanelClient::dismissPanel const):
+
 2019-11-04  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/WebKit/UIProcess/WebAuthentication/AuthenticatorManager.cpp

@@ -176 +176 @@
 }
 
-void AuthenticatorManager::cancelRequest(const WebCore::PageIdentifier& pageID, const Optional<FrameIdentifier>& frameID)
+void AuthenticatorManager::cancelRequest(const PageIdentifier& pageID, const Optional<FrameIdentifier>& frameID)
 {
     if (!m_pendingCompletionHandler)
         return;
-    ASSERT(m_pendingRequestData.frameID);
-    if (m_pendingRequestData.frameID->pageID != pageID)
-        return;
-    if (frameID && frameID != m_pendingRequestData.frameID->frameID)
-        return;
+    if (auto pendingFrameID = m_pendingRequestData.frameID) {
+        if (pendingFrameID->pageID != pageID)
+            return;
+        if (frameID && frameID != pendingFrameID->frameID)
+            return;
+    }
     invokePendingCompletionHandler(ExceptionData { NotAllowedError, "Operation timed out."_s });
     clearState();
@@ -195 +196 @@
 void AuthenticatorManager::cancelRequest(const API::WebAuthenticationPanel& panel)
 {
+    RELEASE_ASSERT(RunLoop::isMain());
     if (!m_pendingCompletionHandler || m_pendingRequestData.panel.get() != &panel)
         return;
@@ -268 +270 @@
 }
 
-UniqueRef<AuthenticatorTransportService> AuthenticatorManager::createService(WebCore::AuthenticatorTransport transport, AuthenticatorTransportService::Observer& observer) const
+UniqueRef<AuthenticatorTransportService> AuthenticatorManager::createService(AuthenticatorTransport transport, AuthenticatorTransportService::Observer& observer) const
 {
     return AuthenticatorTransportService::create(transport, observer);
@@ -344 +346 @@
 {
     if (auto *panel = m_pendingRequestData.panel.get()) {
-        WTF::switchOn(respond, [&](const WebCore::PublicKeyCredentialData&) {
+        WTF::switchOn(respond, [&](const PublicKeyCredentialData&) {
             panel->client().dismissPanel(WebAuthenticationResult::Succeeded);
-        }, [&](const WebCore::ExceptionData&) {
+        }, [&](const ExceptionData&) {
             panel->client().dismissPanel(WebAuthenticationResult::Failed);
         });
@@ -352 +354 @@
     m_pendingCompletionHandler(WTFMove(respond));
 }
-
 
 void AuthenticatorManager::resetState()

trunk/Source/WebKit/UIProcess/WebAuthentication/Cocoa/WebAuthenticationPanelClient.mm

@@ -31 +31 @@
 #import "WebAuthenticationFlags.h"
 #import "_WKWebAuthenticationPanel.h"
+#import <wtf/RunLoop.h>
 
 namespace WebKit {
@@ -59 +60 @@
 void WebAuthenticationPanelClient::updatePanel(WebAuthenticationStatus status) const
 {
-    if (!m_delegateMethods.panelUpdateWebAuthenticationPanel)
-        return;
+    // Call delegates in the next run loop to prevent clients' reentrance that would potentially modify the state
+    // of the current run loop in unexpected ways.
+    RunLoop::main().dispatch([weakThis = makeWeakPtr(*this), this, status] {
+        if (!weakThis)
+            return;
 
-    auto delegate = m_delegate.get();
-    if (!delegate)
-        return;
+        if (!m_delegateMethods.panelUpdateWebAuthenticationPanel)
+            return;
 
-    [delegate panel:m_panel updateWebAuthenticationPanel:wkWebAuthenticationPanelUpdate(status)];
+        auto delegate = m_delegate.get();
+        if (!delegate)
+            return;
+
+        [delegate panel:m_panel updateWebAuthenticationPanel:wkWebAuthenticationPanelUpdate(status)];
+    });
 }
 
@@ -83 +91 @@
 void WebAuthenticationPanelClient::dismissPanel(WebAuthenticationResult result) const
 {
-    if (!m_delegateMethods.panelDismissWebAuthenticationPanelWithResult)
-        return;
+    // Call delegates in the next run loop to prevent clients' reentrance that would potentially modify the state
+    // of the current run loop in unexpected ways.
+    RunLoop::main().dispatch([weakThis = makeWeakPtr(*this), this, result] {
+        if (!weakThis)
+            return;
 
-    auto delegate = m_delegate.get();
-    if (!delegate)
-        return;
+        if (!m_delegateMethods.panelDismissWebAuthenticationPanelWithResult)
+            return;
 
-    [delegate panel:m_panel dismissWebAuthenticationPanelWithResult:wkWebAuthenticationResult(result)];
+        auto delegate = m_delegate.get();
+        if (!delegate)
+            return;
+
+        [delegate panel:m_panel dismissWebAuthenticationPanelWithResult:wkWebAuthenticationResult(result)];
+    });
 }
 

trunk/Tools/ChangeLog

@@ +1 @@
+2019-11-04  Jiewen Tan  <jiewen_tan@apple.com>
+
+        [WebAuthn] Guard against unexpected -[_WKWebAuthenticationPanel cancel]
+        https://bugs.webkit.org/show_bug.cgi?id=203830
+        <rdar://problem/56797134>
+
+        Reviewed by Brent Fulgham .
+
+        * TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm:
+        (-[TestWebAuthenticationPanelDelegate panel:updateWebAuthenticationPanel:]):
+        (-[TestWebAuthenticationPanelDelegate panel:dismissWebAuthenticationPanelWithResult:]):
+        (TestWebKitAPI::TEST):
+
 2019-11-04  Jonathan Bedard  <jbedard@apple.com>
 

trunk/Tools/TestWebKitAPI/Tests/WebKitCocoa/_WKWebAuthenticationPanel.mm

@@ -45 +45 @@
 static bool webAuthenticationPanelUpdateMultipleNFCTagsPresent = false;
 static bool webAuthenticationPanelUpdateNoCredentialsFound = false;
+static bool webAuthenticationPanelCancelImmediately = false;
 
 @interface TestWebAuthenticationPanelDelegate : NSObject <_WKWebAuthenticationPanelDelegate>
@@ -54 +55 @@
 {
     ASSERT_NE(panel, nil);
+    if (webAuthenticationPanelCancelImmediately)
+        [panel cancel];
+
     if (update == _WKWebAuthenticationPanelUpdateMultipleNFCTagsPresent) {
         webAuthenticationPanelUpdateMultipleNFCTagsPresent = true;
@@ -67 +71 @@
 {
     ASSERT_NE(panel, nil);
+    if (webAuthenticationPanelCancelImmediately)
+        [panel cancel];
+
     if (result == _WKWebAuthenticationResultFailed) {
         webAuthenticationPanelFailed = true;
@@ -190 +197 @@
     webAuthenticationPanelFailed = false;
     webAuthenticationPanelSucceded = false;
+    webAuthenticationPanelCancelImmediately = false;
 }
 
@@ -681 +689 @@
 #endif
 
+TEST(WebAuthenticationPanel, PanelHidCancelReloadNoCrash)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get-assertion-hid-cancel" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    Util::run(&webAuthenticationPanelRan);
+    [[delegate panel] cancel];
+    [webView reload];
+    [webView waitForMessage:@"Operation timed out."];
+}
+
+TEST(WebAuthenticationPanel, PanelHidSuccessCancelNoCrash)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get-assertion-hid" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    webAuthenticationPanelCancelImmediately = true;
+
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    [webView waitForMessage:@"Succeeded!"];
+}
+
+TEST(WebAuthenticationPanel, PanelHidCtapNoCredentialsFoundCancelNoCrash)
+{
+    reset();
+    RetainPtr<NSURL> testURL = [[NSBundle mainBundle] URLForResource:@"web-authentication-get-assertion-hid-no-credentials" withExtension:@"html" subdirectory:@"TestWebKitAPI.resources"];
+
+    auto *configuration = [WKWebViewConfiguration _test_configurationWithTestPlugInClassName:@"WebProcessPlugInWithInternals" configureJSCForTesting:YES];
+    [[configuration preferences] _setEnabled:YES forExperimentalFeature:webAuthenticationExperimentalFeature()];
+
+    auto webView = adoptNS([[TestWKWebView alloc] initWithFrame:NSZeroRect configuration:configuration]);
+    auto delegate = adoptNS([[TestWebAuthenticationPanelUIDelegate alloc] init]);
+    [webView setUIDelegate:delegate.get()];
+    webAuthenticationPanelCancelImmediately = true;
+
+    [webView loadRequest:[NSURLRequest requestWithURL:testURL.get()]];
+    Util::run(&webAuthenticationPanelUpdateNoCredentialsFound);
+}
+
 } // namespace TestWebKitAPI