Prevent module system from loading arbitrary modules

extensions/renderer/resources/binding.js

Index: extensions/renderer/resources/binding.js
diff --git a/extensions/renderer/resources/binding.js b/extensions/renderer/resources/binding.js
index 13ac7f960ccd89e28d61d7e52ca65baded2c8451..411f9f9d5d194debe58852e86d2d125623cd1df9 100644
--- a/extensions/renderer/resources/binding.js
+++ b/extensions/renderer/resources/binding.js
@@ -166,6 +166,19 @@ function createCustomType(type) {
   var jsModuleName = type.js_module;
   logging.CHECK(jsModuleName, 'Custom type ' + type.id +
                 ' has no "js_module" property.');
+  // This list contains all types that has a js_module property. It is ugly to

[Devlin, 2016/04/20 14:12:20]

/sigh... I was trying to avoid doing this, because it seemed like any time we
leak the schema object, we open the door to multiple attacks (not just here), so
this seemed like it was only treating the very specific case.  But, there've
been enough of these that I'm convinced.

+  // hard-code them here, but the number of APIs that use js_module has not
+  // changed since the introduction of js_modules in crbug.com/222156.
+  // This whitelist serves as an extra line of defence to avoid exposing
+  // arbitrary extension modules when the |type| definition is poisoned.
+  var whitelistedModules = [
+    'ChromeDirectSetting',
+    'ChromeSetting',
+    'ContentSetting',
+    'StorageArea',
+  ];
+  logging.CHECK($Array.indexOf(whitelistedModules, jsModuleName) !== -1,
+                'Module ' + jsModuleName + ' does not define a custom type.');
   var jsModule = require(jsModuleName);
   logging.CHECK(jsModule, 'No module ' + jsModuleName + ' found for ' +
                 type.id + '.');