Changeset 263628 in webkit


Timestamp: Jun 27, 2020 3:14:05 PM (4 years ago)
Author: mark.lam@apple.com
Message:

Fix missing exception check in createIDBKeyFromValue().
https://bugs.webkit.org/show_bug.cgi?id=213681
<rdar://problem/64804893>

Reviewed by Chris Dumez.

Source/WebCore:

Test: storage/indexeddb/missing-exception-check-in-IDBKey.html

Also fixed up miscellaneous other exception check related code to enable the
new test to run with exception check validation.

  • bindings/js/IDBBindingUtilities.cpp:

(WebCore::createIDBKeyFromValue):

  • bindings/js/JSDOMBindingSecurity.cpp:

(WebCore::BindingSecurity::shouldAllowAccessToDOMWindow):

  • bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::updateDocument):

  • bindings/js/JSDOMWindowCustom.cpp:

(WebCore::JSDOMWindow::put):
(WebCore::JSDOMWindow::defineOwnProperty):

  • bindings/js/ScriptController.cpp:

(WebCore::ScriptController::initScriptForWindowProxy):

  • bindings/scripts/CodeGeneratorJS.pm:

(GenerateAttributeGetterBodyDefinition):
(GenerateAttributeSetterBodyDefinition):
(GenerateOperationBodyDefinition):

  • bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:

(WebCore::jsTestActiveDOMObjectExcitingAttrGetter):
(WebCore::jsTestActiveDOMObjectPrototypeFunctionExcitingFunctionBody):
(WebCore::jsTestActiveDOMObjectPrototypeFunctionOverloadedMethodOverloadDispatcher):

  • bridge/objc/WebScriptObject.mm:

(-[WebScriptObject _isSafeScript]):

  • testing/js/WebCoreTestSupport.cpp:

(WebCoreTestSupport::injectInternalsObject):

LayoutTests:

  • storage/indexeddb/missing-exception-check-in-IDBKey-expected.txt: Added.
  • storage/indexeddb/missing-exception-check-in-IDBKey.html: Added.
Location: trunk
Files: 2 added, 11 edited

  • trunk/LayoutTests/ChangeLog

    r263626 r263628  
     12020-06-27  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix missing exception check in createIDBKeyFromValue().
     4        https://bugs.webkit.org/show_bug.cgi?id=213681
     5        <rdar://problem/64804893>
     6
     7        Reviewed by Chris Dumez.
     8
     9        * storage/indexeddb/missing-exception-check-in-IDBKey-expected.txt: Added.
     10        * storage/indexeddb/missing-exception-check-in-IDBKey.html: Added.
     11
    1122020-06-27  Chris Dumez  <cdumez@apple.com>
    213
  • trunk/Source/WebCore/ChangeLog

    r263627 r263628  
     12020-06-27  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix missing exception check in createIDBKeyFromValue().
     4        https://bugs.webkit.org/show_bug.cgi?id=213681
     5        <rdar://problem/64804893>
     6
     7        Reviewed by Chris Dumez.
     8
     9        Test: storage/indexeddb/missing-exception-check-in-IDBKey.html
     10
     11        Also fixed up miscellaneous other exception check related code to enable the
     12        new test to run with exception check validation.
     13
     14        * bindings/js/IDBBindingUtilities.cpp:
     15        (WebCore::createIDBKeyFromValue):
     16        * bindings/js/JSDOMBindingSecurity.cpp:
     17        (WebCore::BindingSecurity::shouldAllowAccessToDOMWindow):
     18        * bindings/js/JSDOMWindowBase.cpp:
     19        (WebCore::JSDOMWindowBase::updateDocument):
     20        * bindings/js/JSDOMWindowCustom.cpp:
     21        (WebCore::JSDOMWindow::put):
     22        (WebCore::JSDOMWindow::defineOwnProperty):
     23        * bindings/js/ScriptController.cpp:
     24        (WebCore::ScriptController::initScriptForWindowProxy):
     25        * bindings/scripts/CodeGeneratorJS.pm:
     26        (GenerateAttributeGetterBodyDefinition):
     27        (GenerateAttributeSetterBodyDefinition):
     28        (GenerateOperationBodyDefinition):
     29        * bindings/scripts/test/JS/JSTestActiveDOMObject.cpp:
     30        (WebCore::jsTestActiveDOMObjectExcitingAttrGetter):
     31        (WebCore::jsTestActiveDOMObjectPrototypeFunctionExcitingFunctionBody):
     32        (WebCore::jsTestActiveDOMObjectPrototypeFunctionOverloadedMethodOverloadDispatcher):
     33        * bridge/objc/WebScriptObject.mm:
     34        (-[WebScriptObject _isSafeScript]):
     35        * testing/js/WebCoreTestSupport.cpp:
     36        (WebCoreTestSupport::injectInternalsObject):
     37
    1382020-06-27  Jer Noble  <jer.noble@apple.com>
    239
  • trunk/Source/WebCore/bindings/js/IDBBindingUtilities.cpp

    r261574 r263628  
    22 * Copyright (C) 2010 Google Inc. All rights reserved.
    33 * Copyright (C) 2012 Michael Pruett <michael@68k.org>
    4  * Copyright (C) 2014-2019 Apple Inc. All rights reserved.
     4 * Copyright (C) 2014-2020 Apple Inc. All rights reserved.
    55 *
    66 * Redistribution and use in source and binary forms, with or without
     
    188188{
    189189    VM& vm = lexicalGlobalObject.vm();
     190    auto scope = DECLARE_THROW_SCOPE(vm);
     191
    190192    if (value.isNumber() && !std::isnan(value.toNumber(&lexicalGlobalObject)))
    191193        return IDBKey::createNumber(value.toNumber(&lexicalGlobalObject));
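Review bot: with the throw scope now declared on new line 190, the two `value.toNumber(&lexicalGlobalObject)` calls on lines 192-193 still need no exception check because they sit behind the `value.isNumber()` guard; as a style nit, evaluating it twice could be replaced by a single `value.asNumber()` (valid once isNumber() holds) stored in a local, which also makes it obvious to later readers that no RETURN_IF_EXCEPTION belongs at that spot.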
     
    216218            for (size_t i = 0; i < length; i++) {
    217219                JSValue item = array->getIndex(&lexicalGlobalObject, i);
     220                RETURN_IF_EXCEPTION(scope, { });
    218221                RefPtr<IDBKey> subkey = createIDBKeyFromValue(lexicalGlobalObject, item, stack);
    219222                if (!subkey)
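Review bot: the new RETURN_IF_EXCEPTION on line 220 is placed correctly, directly after `array->getIndex(...)`, which can run script and throw before `item` is used; the one thing worth double-checking is that the bail-out value `{ }` is the same null RefPtr that the `if (!subkey)` path on line 222 already treats as "not a valid key", so any caller of createIDBKeyFromValue that maps a null result to a DataError must look at the pending exception first rather than reporting a DataError on top of the script exception.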
  • trunk/Source/WebCore/bindings/js/JSDOMBindingSecurity.cpp

    r251425 r263628  
    11/*
    22 *  Copyright (C) 1999-2001 Harri Porten (porten@kde.org)
    3  *  Copyright (C) 2004-2011, 2013, 2016 Apple Inc. All rights reserved.
     3 *  Copyright (C) 2004-2020 Apple Inc. All rights reserved.
    44 *  Copyright (C) 2007 Samuel Weinig <sam@webkit.org>
    55 *  Copyright (C) 2013 Michael Pruett <michael@68k.org>
     
    8888bool BindingSecurity::shouldAllowAccessToDOMWindow(JSGlobalObject& lexicalGlobalObject, DOMWindow& globalObject, String& message)
    8989{
    90     if (BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, globalObject, DoNotReportSecurityError))
     90    VM& vm = lexicalGlobalObject.vm();
     91    auto scope = DECLARE_CATCH_SCOPE(vm);
     92
     93    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, globalObject, DoNotReportSecurityError);
     94    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
     95    if (shouldAllowAccess)
    9196        return true;
    9297    message = globalObject.crossDomainAccessErrorMessage(activeDOMWindow(lexicalGlobalObject), IncludeTargetOrigin::No);
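Review bot: the DECLARE_CATCH_SCOPE plus EXCEPTION_ASSERT_UNUSED on lines 90-94 encode the invariant that the DoNotReportSecurityError overload never throws, which is what justifies a catch scope rather than a throw scope here; a short comment next to line 94 saying so would help, because the ThrowSecurityError overload exercised elsewhere in this patch does throw and the two are easy to confuse when reading the assertion.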
  • trunk/Source/WebCore/bindings/js/JSDOMWindowBase.cpp

    r261668 r263628  
    22 *  Copyright (C) 2000 Harri Porten (porten@kde.org)
    33 *  Copyright (C) 2006 Jon Shier (jshier@iastate.edu)
    4  *  Copyright (C) 2003-2017 Apple Inc. All rights reseved.
     4 *  Copyright (C) 2003-2020 Apple Inc. All rights reseved.
    55 *  Copyright (C) 2006 Alexey Proskuryakov (ap@webkit.org)
    66 *  Copyright (c) 2015 Canon Inc. All rights reserved.
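Review bot: line 4 is being touched anyway, so the long-standing typo `reseved` in the copyright line could be corrected to `reserved` in the same edit.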
     
    127127    ASSERT(m_wrapped->document());
    128128    JSGlobalObject* lexicalGlobalObject = this;
     129    VM& vm = lexicalGlobalObject->vm();
     130    auto scope = DECLARE_CATCH_SCOPE(vm);
     131
    129132    bool shouldThrowReadOnlyError = false;
    130133    bool ignoreReadOnlyErrors = true;
    131134    bool putResult = false;
    132     symbolTablePutTouchWatchpointSet(this, lexicalGlobalObject, static_cast<JSVMClientData*>(lexicalGlobalObject->vm().clientData)->builtinNames().documentPublicName(), toJS(lexicalGlobalObject, this, m_wrapped->document()), shouldThrowReadOnlyError, ignoreReadOnlyErrors, putResult);
     135    symbolTablePutTouchWatchpointSet(this, lexicalGlobalObject, static_cast<JSVMClientData*>(vm.clientData)->builtinNames().documentPublicName(), toJS(lexicalGlobalObject, this, m_wrapped->document()), shouldThrowReadOnlyError, ignoreReadOnlyErrors, putResult);
     136    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
    133137}
    134138
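Review bot: the catch scope and the assertion on new line 136 are justified by the arguments on lines 132-133: with `shouldThrowReadOnlyError` false and `ignoreReadOnlyErrors` true, symbolTablePutTouchWatchpointSet has no path that throws, so asserting rather than checking is the right choice; `putResult` is still written but never read after the call, which is pre-existing but deserves a comment if ignoring it is intentional.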
  • trunk/Source/WebCore/bindings/js/JSDOMWindowCustom.cpp

    r261668 r263628  
    11/*
    2  * Copyright (C) 2007-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2007-2020 Apple Inc. All rights reserved.
    33 * Copyright (C) 2011 Google Inc. All rights reserved.
    44 *
     
    300300    }
    301301
    302     return Base::put(thisObject, lexicalGlobalObject, propertyName, value, slot);
     302    RELEASE_AND_RETURN(scope, Base::put(thisObject, lexicalGlobalObject, propertyName, value, slot));
    303303}
    304304
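Review bot: the RELEASE_AND_RETURN on new line 302 refers to a `scope` that is not declared in this hunk; unlike defineOwnProperty below, no DECLARE_THROW_SCOPE is added here, so the change depends on JSDOMWindow::put already declaring a throw scope earlier in its body, which should be confirmed against the unchanged part of the function.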
     
    419419{
    420420    JSC::VM& vm = lexicalGlobalObject->vm();
     421    auto scope = DECLARE_THROW_SCOPE(vm);
     422
    421423    JSDOMWindow* thisObject = jsCast<JSDOMWindow*>(object);
    422424    // Only allow defining properties in this way by frames in the same origin, as it allows setters to be introduced.
    423425    if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, thisObject->wrapped(), ThrowSecurityError))
    424         return false;
    425 
     426        RELEASE_AND_RETURN(scope, false);
     427
     428    EXCEPTION_ASSERT(!scope.exception());
    426429    // Don't allow shadowing location using accessor properties.
    427430    if (descriptor.isAccessorDescriptor() && propertyName == Identifier::fromString(vm, "location"))
    428431        return false;
    429432
    430     return Base::defineOwnProperty(thisObject, lexicalGlobalObject, propertyName, descriptor, shouldThrow);
     433    RELEASE_AND_RETURN(scope, Base::defineOwnProperty(thisObject, lexicalGlobalObject, propertyName, descriptor, shouldThrow));
    431434}
    432435
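Review bot: the control flow on lines 425-431 is consistent: when the ThrowSecurityError check fails, `RELEASE_AND_RETURN(scope, false)` hands the pending SecurityError back to the caller, and the EXCEPTION_ASSERT on line 428 then guarantees that the plain `return false` on line 431 (the location-shadowing case) runs with no pending exception and so needs no release; it may be worth a comment, since a later change that inserts a throwing call between lines 428 and 431 would silently break that assumption.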
  • trunk/Source/WebCore/bindings/js/ScriptController.cpp

    r263422 r263628  
    265265{
    266266    auto& world = windowProxy.world();
     267    JSC::VM& vm = world.vm();
     268    auto scope = DECLARE_CATCH_SCOPE(vm);
    267269
    268270    jsCast<JSDOMWindow*>(windowProxy.window())->updateDocument();
     271    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
    269272
    270273    if (Document* document = m_frame.document())
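Review bot: the assertion on new line 271 duplicates the one JSDOMWindowBase::updateDocument now performs internally in this same patch; that is harmless, but if the intent is to validate the callee's no-throw contract at the call site as well, a brief comment would stop the next reader from removing one of the two as redundant.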
  • trunk/Source/WebCore/bindings/scripts/CodeGeneratorJS.pm

    r263450 r263628  
    49754975        AddToImplIncludes("JSDOMBindingSecurity.h", $conditional);
    49764976        if ($interface->type->name eq "DOMWindow") {
    4977             push(@$outputArray, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped(), ThrowSecurityError))\n");
     4977            push(@$outputArray, "    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped(), ThrowSecurityError);\n");
    49784978        } else {
    4979             push(@$outputArray, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped().window(), ThrowSecurityError))\n");
    4980         }
     4979            push(@$outputArray, "    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped().window(), ThrowSecurityError);\n");
     4980        }
     4981        push(@$outputArray, "    EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess);\n");
     4982        push(@$outputArray, "    if (!shouldAllowAccess)\n");
    49814983        push(@$outputArray, "        return jsUndefined();\n");
    49824984    }
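Review bot: the generated assertion `EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess)` on line 4981 only encodes one direction (an exception implies access was denied); if the ThrowSecurityError variant always throws on denial, the stronger form `!!throwScope.exception() == !shouldAllowAccess` would also catch a denial that returns jsUndefined without raising an error, whereas if silent denial is legitimate in some path the current form is the correct one, so it would be good to state which holds in the ChangeLog.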
     
    51085110        AddToImplIncludes("JSDOMBindingSecurity.h", $conditional);
    51095111        if ($interface->type->name eq "DOMWindow") {
    5110             push(@$outputArray, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped(), ThrowSecurityError))\n");
     5112            push(@$outputArray, "    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped(), ThrowSecurityError);\n");
    51115113        } else {
    5112             push(@$outputArray, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped().window(), ThrowSecurityError))\n");
    5113         }
     5114            push(@$outputArray, "    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped().window(), ThrowSecurityError);\n");
     5115        }
     5116        push(@$outputArray, "    EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess);\n");
     5117        push(@$outputArray, "    if (!shouldAllowAccess)\n");
    51145118        push(@$outputArray, "        return false;\n");
    51155119    }
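Review bot: lines 5112-5117 are a verbatim copy of the getter hunk above, and the operation hunk below adds a third copy; the three differ only in the receiver expression and the return statement, so a small helper sub that takes those two pieces and pushes the four generated lines would keep the assertion text from drifting between attribute getters, setters and operations in future edits.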
     
    53295333            AddToImplIncludes("JSDOMBindingSecurity.h", $conditional);
    53305334            if ($interface->type->name eq "DOMWindow") {
    5331                 push(@$outputArray, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped(), ThrowSecurityError))\n");
    5332                 push(@$outputArray, "        return JSValue::encode(jsUndefined());\n");
     5335                push(@$outputArray, "    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped(), ThrowSecurityError);\n");
    53335336            } else {
    5334                 push(@$outputArray, "    if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped().window(), ThrowSecurityError))\n");
    5335                 push(@$outputArray, "        return JSValue::encode(jsUndefined());\n");
     5337                push(@$outputArray, "    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped().window(), ThrowSecurityError);\n");
    53365338            }
     5339            push(@$outputArray, "    EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess);\n");
     5340            push(@$outputArray, "    if (!shouldAllowAccess)\n");
     5341            push(@$outputArray, "        return JSValue::encode(jsUndefined());\n");
    53375342        }
    53385343    }
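Review bot: collapsing the two per-branch `return JSValue::encode(jsUndefined())` statements from old lines 5332 and 5335 into the single return on new line 5341 is an improvement, but it relies on `throwScope` already being in scope in every generated operation body at this point; the regenerated JSTestActiveDOMObject.cpp in this patch shows `UNUSED_PARAM(throwScope)` immediately before the check, which confirms that for the tested cases.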
  • trunk/Source/WebCore/bindings/scripts/test/JS/JSTestActiveDOMObject.cpp

    r260992 r263628  
    219219    UNUSED_PARAM(throwScope);
    220220    UNUSED_PARAM(lexicalGlobalObject);
    221     if (!BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped().window(), ThrowSecurityError))
     221    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(&lexicalGlobalObject, thisObject.wrapped().window(), ThrowSecurityError);
     222    EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess);
     223    if (!shouldAllowAccess)
    222224        return jsUndefined();
    223225    auto& impl = thisObject.wrapped();
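Review bot: the `UNUSED_PARAM(throwScope)` on line 219 now looks stale because line 222 uses throwScope, but it is still needed: in release builds EXCEPTION_ASSERT is compiled out and throwScope is again unreferenced in this function, so keeping the UNUSED_PARAM is correct and should not be "cleaned up".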
     
    236238    UNUSED_PARAM(callFrame);
    237239    UNUSED_PARAM(throwScope);
    238     if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped().window(), ThrowSecurityError))
     240    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped().window(), ThrowSecurityError);
     241    EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess);
     242    if (!shouldAllowAccess)
    239243        return JSValue::encode(jsUndefined());
    240244    auto& impl = castedThis->wrapped();
     
    308312    UNUSED_PARAM(callFrame);
    309313    UNUSED_PARAM(throwScope);
    310     if (!BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped().window(), ThrowSecurityError))
     314    bool shouldAllowAccess = BindingSecurity::shouldAllowAccessToDOMWindow(lexicalGlobalObject, castedThis->wrapped().window(), ThrowSecurityError);
     315    EXCEPTION_ASSERT(!throwScope.exception() || !shouldAllowAccess);
     316    if (!shouldAllowAccess)
    311317        return JSValue::encode(jsUndefined());
    312318    VM& vm = JSC::getVM(lexicalGlobalObject);
  • trunk/Source/WebCore/bridge/objc/WebScriptObject.mm

    r261070 r263628  
    11/*
    2  * Copyright (C) 2004-2019 Apple Inc. All rights reserved.
     2 * Copyright (C) 2004-2020 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    276276    // JSDOMWindowBase* isn't the right object to represent the currently executing
    277277    // JavaScript. Instead, we should use JSGlobalObject, like we do elsewhere.
    278     auto* target = JSC::jsDynamicCast<JSDOMWindowBase*>(root->globalObject()->vm(), root->globalObject());
     278    JSC::JSGlobalObject* globalObject = root->globalObject();
     279    JSC::VM& vm = globalObject->vm();
     280    auto scope = DECLARE_CATCH_SCOPE(vm);
     281
     282    auto* target = JSC::jsDynamicCast<JSDOMWindowBase*>(vm, globalObject);
    279283    if (!target)
    280284        return false;
    281     return BindingSecurity::shouldAllowAccessToDOMWindow(_private->originRootObject->globalObject(), target->wrapped());
     285   
     286    bool isSafe = BindingSecurity::shouldAllowAccessToDOMWindow(_private->originRootObject->globalObject(), target->wrapped());
     287    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
     288    return isSafe;
    282289}
    283290
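Review bot: new line 285 is a blank line carrying trailing whitespace, which the WebKit style checker flags; otherwise the restructuring is sound, and the early `return false` on line 284 happens before any call that could leave an exception pending, so leaving the catch scope on that path is fine.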
  • trunk/Source/WebCore/testing/js/WebCoreTestSupport.cpp

    r261539 r263628  
    11/*
    22 * Copyright (C) 2011, 2015 Google Inc. All rights reserved.
    3  * Copyright (C) 2016-2019 Apple Inc. All rights reserved.
     3 * Copyright (C) 2016-2020 Apple Inc. All rights reserved.
    44 *
    55 * Redistribution and use in source and binary forms, with or without
     
    5959    JSGlobalObject* lexicalGlobalObject = toJS(context);
    6060    VM& vm = lexicalGlobalObject->vm();
     61    auto scope = DECLARE_CATCH_SCOPE(vm);
    6162    JSLockHolder lock(vm);
    6263    JSDOMGlobalObject* globalObject = jsCast<JSDOMGlobalObject*>(lexicalGlobalObject);
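Review bot: the catch scope on new line 61 is declared before `JSLockHolder lock(vm)` on line 62, so at function exit the lock is released first and the scope's destructor-time exception check runs without the JS lock held; declaring the scope after the lock keeps that check inside the locked region.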
     
    6768        globalObject->exposeDollarVM(vm);
    6869    }
     70    EXCEPTION_ASSERT_UNUSED(scope, !scope.exception());
    6971}
    7072