Changeset 258631 in webkit

Timestamp:

Mar 18, 2020 7:49:37 AM (4 years ago)

Author:

youenn@apple.com

Message:

Make sure a preflight fails if response headers are invalid
​https://bugs.webkit.org/show_bug.cgi?id=208924

Reviewed by Alex Christensen.

LayoutTests/imported/w3c:

• web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any-expected.txt: Added.
• web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.html: Added.
• web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.js: Added.

(corsPreflightResponseValidation):

• web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker-expected.txt: Added.
• web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker.html: Added.

Source/WebCore:

Implement ​https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 step 7.3.
In case header parsing is wrong, fail the preflight with a meaningful message.
Update parsing of headers to return an Optional so that parsing error is handled as a nullopt.
Minor refactoring to return Expected/Optional for error handlng instead of passing an out parameter.
Also, adding preflight cache entry if it is valid, no matter whether preflight succeeds or not.

Tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.html

imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker.html

• loader/CrossOriginAccessControl.cpp:

(WebCore::validatePreflightResponse):

• loader/CrossOriginPreflightResultCache.cpp:

(WebCore::CrossOriginPreflightResultCacheItem::create):
(WebCore::CrossOriginPreflightResultCacheItem::validateMethodAndHeaders const):

• loader/CrossOriginPreflightResultCache.h:

(WebCore::CrossOriginPreflightResultCacheItem::CrossOriginPreflightResultCacheItem):

• platform/network/HTTPParsers.h:

(WebCore::parseAccessControlAllowList):

• platform/network/ResourceResponseBase.cpp:

(WebCore::ResourceResponseBase::filter):
(WebCore::ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting):

Location:

trunk

Files:

• LayoutTests/imported/w3c/ChangeLog (modified) (1 diff)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.html (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.js (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker-expected.txt (added)
• LayoutTests/imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/loader/CrossOriginAccessControl.cpp (modified) (1 diff)
• Source/WebCore/loader/CrossOriginPreflightResultCache.cpp (modified) (2 diffs)
• Source/WebCore/loader/CrossOriginPreflightResultCache.h (modified) (3 diffs)
• Source/WebCore/platform/network/HTTPParsers.h (modified) (2 diffs)
• Source/WebCore/platform/network/ResourceResponseBase.cpp (modified) (2 diffs)

trunk/LayoutTests/imported/w3c/ChangeLog

@@ +1 @@
+2020-03-18  youenn fablet  <youenn@apple.com>
+
+        Make sure a preflight fails if response headers are invalid
+        https://bugs.webkit.org/show_bug.cgi?id=208924
+
+        Reviewed by Alex Christensen.
+
+        * web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any-expected.txt: Added.
+        * web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.html: Added.
+        * web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.js: Added.
+        (corsPreflightResponseValidation):
+        * web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker-expected.txt: Added.
+        * web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker.html: Added.
+
 2020-03-17  Frederic Wang  <fwang@igalia.com>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2020-03-18  youenn fablet  <youenn@apple.com>
+
+        Make sure a preflight fails if response headers are invalid
+        https://bugs.webkit.org/show_bug.cgi?id=208924
+
+        Reviewed by Alex Christensen.
+
+        Implement https://fetch.spec.whatwg.org/#cors-preflight-fetch-0 step 7.3.
+        In case header parsing is wrong, fail the preflight with a meaningful message.
+        Update parsing of headers to return an Optional so that parsing error is handled as a nullopt.
+        Minor refactoring to return Expected/Optional for error handlng instead of passing an out parameter.
+        Also, adding preflight cache entry if it is valid, no matter whether preflight succeeds or not.
+
+        Tests: imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.html
+               imported/w3c/web-platform-tests/fetch/api/cors/cors-preflight-response-validation.any.worker.html
+
+        * loader/CrossOriginAccessControl.cpp:
+        (WebCore::validatePreflightResponse):
+        * loader/CrossOriginPreflightResultCache.cpp:
+        (WebCore::CrossOriginPreflightResultCacheItem::create):
+        (WebCore::CrossOriginPreflightResultCacheItem::validateMethodAndHeaders const):
+        * loader/CrossOriginPreflightResultCache.h:
+        (WebCore::CrossOriginPreflightResultCacheItem::CrossOriginPreflightResultCacheItem):
+        * platform/network/HTTPParsers.h:
+        (WebCore::parseAccessControlAllowList):
+        * platform/network/ResourceResponseBase.cpp:
+        (WebCore::ResourceResponseBase::filter):
+        (WebCore::ResourceResponseBase::sanitizeHTTPHeaderFieldsAccordingToTainting):
+
 2020-03-18  Joonghun Park  <jh718.park@samsung.com>
 

trunk/Source/WebCore/loader/CrossOriginAccessControl.cpp

@@ -265 +265 @@
         return accessControlCheckResult;
 
-    auto result = makeUnique<CrossOriginPreflightResultCacheItem>(storedCredentialsPolicy);
-    String errorDescription;
-    // FIXME: allowsCrossOriginMethod and allowsCrossOriginHeaders should return Expected<void, String> to avoid having an out parameter.
-    if (!result->parse(response)
-        || !result->allowsCrossOriginMethod(request.httpMethod(), storedCredentialsPolicy, errorDescription)
-        || !result->allowsCrossOriginHeaders(request.httpHeaderFields(), storedCredentialsPolicy, errorDescription)) {
-        return makeUnexpected(errorDescription);
-    }
-
-    CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), WTFMove(result));
+    auto result = CrossOriginPreflightResultCacheItem::create(storedCredentialsPolicy, response);
+    if (!result.has_value())
+        return makeUnexpected(WTFMove(result.error()));
+
+    auto entry = WTFMove(result.value());
+    auto errorDescription = entry->validateMethodAndHeaders(request.httpMethod(), request.httpHeaderFields());
+    CrossOriginPreflightResultCache::singleton().appendEntry(securityOrigin.toString(), request.url(), entry.moveToUniquePtr());
+
+    if (errorDescription)
+        return makeUnexpected(WTFMove(*errorDescription));
+
     return { };
 }

trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.cpp

@@ -53 +53 @@
 }
 
-bool CrossOriginPreflightResultCacheItem::parse(const ResourceResponse& response)
+Expected<UniqueRef<CrossOriginPreflightResultCacheItem>, String> CrossOriginPreflightResultCacheItem::create(StoredCredentialsPolicy policy, const ResourceResponse& response)
 {
-    m_methods = parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods));
-    m_headers = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders));
+    auto methods = parseAccessControlAllowList(response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods));
+    if (!methods)
+        return makeUnexpected(makeString("Header Access-Control-Allow-Methods has an invalid value: ", response.httpHeaderField(HTTPHeaderName::AccessControlAllowMethods)));
+
+    auto headers = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders));
+    if (!headers)
+        return makeUnexpected(makeString("Header Access-Control-Allow-Headers has an invalid value: ", response.httpHeaderField(HTTPHeaderName::AccessControlAllowHeaders)));
 
     Seconds expiryDelta = 0_s;
@@ -65 +70 @@
         expiryDelta = defaultPreflightCacheTimeout;
 
-    m_absoluteExpiryTime = MonotonicTime::now() + expiryDelta;
-    return true;
+    return makeUniqueRef<CrossOriginPreflightResultCacheItem>(MonotonicTime::now() + expiryDelta, policy, WTFMove(*methods), WTFMove(*headers));
+}
+
+Optional<String> CrossOriginPreflightResultCacheItem::validateMethodAndHeaders(const String& method, const HTTPHeaderMap& requestHeaders) const
+{
+    String errorDescription;
+    if (!allowsCrossOriginMethod(method, m_storedCredentialsPolicy, errorDescription))
+        return WTFMove(errorDescription);
+    if (!allowsCrossOriginHeaders(requestHeaders, m_storedCredentialsPolicy, errorDescription))
+        return WTFMove(errorDescription);
+    return { };
 }
 

trunk/Source/WebCore/loader/CrossOriginPreflightResultCache.h

@@ -28 +28 @@
 
 #include "StoredCredentialsPolicy.h"
+#include <wtf/Expected.h>
 #include <wtf/HashMap.h>
 #include <wtf/HashSet.h>
 #include <wtf/MonotonicTime.h>
 #include <wtf/URLHash.h>
+#include <wtf/UniqueRef.h>
 
 namespace WebCore {
@@ -41 +43 @@
     WTF_MAKE_NONCOPYABLE(CrossOriginPreflightResultCacheItem); WTF_MAKE_FAST_ALLOCATED;
 public:
-    explicit CrossOriginPreflightResultCacheItem(StoredCredentialsPolicy storedCredentialsPolicy)
-        : m_storedCredentialsPolicy(storedCredentialsPolicy)
-    {
-    }
+    static Expected<UniqueRef<CrossOriginPreflightResultCacheItem>, String> create(StoredCredentialsPolicy, const ResourceResponse&);
 
-    WEBCORE_EXPORT bool parse(const ResourceResponse&);
-    WEBCORE_EXPORT bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
-    WEBCORE_EXPORT bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;
-    bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap& requestHeaders) const;
+    CrossOriginPreflightResultCacheItem(MonotonicTime, StoredCredentialsPolicy, HashSet<String>&&, HashSet<String, ASCIICaseInsensitiveHash>&&);
+
+    Optional<String> validateMethodAndHeaders(const String& method, const HTTPHeaderMap&) const;
+    bool allowsRequest(StoredCredentialsPolicy, const String& method, const HTTPHeaderMap&) const;
 
 private:
+    bool allowsCrossOriginMethod(const String&, StoredCredentialsPolicy, String& errorDescription) const;
+    bool allowsCrossOriginHeaders(const HTTPHeaderMap&, StoredCredentialsPolicy, String& errorDescription) const;
+
     // FIXME: A better solution to holding onto the absolute expiration time might be
     // to start a timer for the expiration delta that removes this from the cache when
@@ -76 +78 @@
 };
 
+inline CrossOriginPreflightResultCacheItem::CrossOriginPreflightResultCacheItem(MonotonicTime absoluteExpiryTime, StoredCredentialsPolicy  storedCredentialsPolicy, HashSet<String>&& methods, HashSet<String, ASCIICaseInsensitiveHash>&& headers)
+    : m_absoluteExpiryTime(absoluteExpiryTime)
+    , m_storedCredentialsPolicy(storedCredentialsPolicy)
+    , m_methods(WTFMove(methods))
+    , m_headers(WTFMove(headers))
+{
+}
+
 } // namespace WebCore

trunk/Source/WebCore/platform/network/HTTPParsers.h

@@ -157 +157 @@
 
 template<class HashType = DefaultHash<String>::Hash>
-HashSet<String, HashType> parseAccessControlAllowList(const String& string)
+Optional<HashSet<String, HashType>> parseAccessControlAllowList(const String& string)
 {
     HashSet<String, HashType> set;
@@ -173 +173 @@
             return { };
     }
-    return set;
+    return WTFMove(set);
 }
 

trunk/Source/WebCore/platform/network/ResourceResponseBase.cpp

@@ -181 +181 @@
     filteredResponse.setType(Type::Cors);
 
-    auto accessControlExposeHeaderSet = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders));
+    auto accessControlExposeHeaderSet = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(response.httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders)).valueOr(HashSet<String, ASCIICaseInsensitiveHash> { });
     if (performCheck == PerformExposeAllHeadersCheck::Yes && accessControlExposeHeaderSet.contains("*"))
         return filteredResponse;
@@ -447 +447 @@
         return;
     case ResourceResponse::Tainting::Cors: {
-        auto corsSafeHeaderSet = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders));
+        auto corsSafeHeaderSet = parseAccessControlAllowList<ASCIICaseInsensitiveHash>(httpHeaderField(HTTPHeaderName::AccessControlExposeHeaders)).valueOr(HashSet<String, ASCIICaseInsensitiveHash> { });
         if (corsSafeHeaderSet.contains("*"))
             return;