extensions/renderer/resources/binding.js - Issue 1902263006: Prevent module system from loading arbitrary modules - Code Review

Chromium Code Reviews

chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out

(703)

My Issues | Starred Open | Closed | All

Side by Side Diff: extensions/renderer/resources/binding.js

Issue 1902263006: Prevent module system from loading arbitrary modules (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Created 4 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2014 The Chromium Authors. All rights reserved.	1 // Copyright 2014 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 var Event = require('event_bindings').Event;	5 var Event = require('event_bindings').Event;

6 var forEach = require('utils').forEach;	6 var forEach = require('utils').forEach;

7 // Note: Beware sneaky getters/setters when using GetAvailbility(). Use safe/raw	7 // Note: Beware sneaky getters/setters when using GetAvailbility(). Use safe/raw

8 // variables as arguments.	8 // variables as arguments.

9 var GetAvailability = requireNative('v8_context').GetAvailability;	9 var GetAvailability = requireNative('v8_context').GetAvailability;

10 var exceptionHandler = require('uncaught_exception_handler');	10 var exceptionHandler = require('uncaught_exception_handler');

(...skipping 148 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
159	159

160 function isSchemaNodeSupported(schemaNode, platform, manifestVersion) {	160 function isSchemaNodeSupported(schemaNode, platform, manifestVersion) {

161 return isPlatformSupported(schemaNode, platform) &&	161 return isPlatformSupported(schemaNode, platform) &&

162 isManifestVersionSupported(schemaNode, manifestVersion);	162 isManifestVersionSupported(schemaNode, manifestVersion);

163 }	163 }

164	164

165 function createCustomType(type) {	165 function createCustomType(type) {

166 var jsModuleName = type.js_module;	166 var jsModuleName = type.js_module;

167 logging.CHECK(jsModuleName, 'Custom type ' + type.id +	167 logging.CHECK(jsModuleName, 'Custom type ' + type.id +

168 ' has no "js_module" property.');	168 ' has no "js_module" property.');

	169 // This list contains all types that has a js_module property. It is ugly to
	Devlin 2016/04/20 14:12:20 /sigh... I was trying to avoid doing this, because /sigh... I was trying to avoid doing this, because it seemed like any time we leak the schema object, we open the door to multiple attacks (not just here), so this seemed like it was only treating the very specific case. But, there've been enough of these that I'm convinced.
	170 // hard-code them here, but the number of APIs that use js_module has not

	171 // changed since the introduction of js_modules in crbug.com/222156.

	172 // This whitelist serves as an extra line of defence to avoid exposing

	173 // arbitrary extension modules when the \|type\| definition is poisoned.

	174 var whitelistedModules = [

	175 'ChromeDirectSetting',

	176 'ChromeSetting',

	177 'ContentSetting',

	178 'StorageArea',

	179 ];

	180 logging.CHECK($Array.indexOf(whitelistedModules, jsModuleName) !== -1,

	181 'Module ' + jsModuleName + ' does not define a custom type.');

169 var jsModule = require(jsModuleName);	182 var jsModule = require(jsModuleName);

170 logging.CHECK(jsModule, 'No module ' + jsModuleName + ' found for ' +	183 logging.CHECK(jsModule, 'No module ' + jsModuleName + ' found for ' +

171 type.id + '.');	184 type.id + '.');

172 var customType = jsModule[jsModuleName];	185 var customType = jsModule[jsModuleName];

173 logging.CHECK(customType, jsModuleName + ' must export itself.');	186 logging.CHECK(customType, jsModuleName + ' must export itself.');

174 customType.prototype = new CustomBindingsObject();	187 customType.prototype = new CustomBindingsObject();

175 customType.prototype.setSchema(type);	188 customType.prototype.setSchema(type);

176 return customType;	189 return customType;

177 }	190 }

178	191

(...skipping 373 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
552 availability.message);	565 availability.message);

553 return;	566 return;

554 }	567 }

555	568

556 this.runHooks_(mod, schema);	569 this.runHooks_(mod, schema);

557 return mod;	570 return mod;

558 }	571 }

559 };	572 };

560	573

561 exports.$set('Binding', Binding);	574 exports.$set('Binding', Binding);

OLD	NEW

« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine

This is Rietveld 408576698