Check the format of an applicationServerKey when used to register a push subscription.

third_party/WebKit/Source/modules/push_messaging/PushSubscriptionOptions.cpp

Index: third_party/WebKit/Source/modules/push_messaging/PushSubscriptionOptions.cpp
diff --git a/third_party/WebKit/Source/modules/push_messaging/PushSubscriptionOptions.cpp b/third_party/WebKit/Source/modules/push_messaging/PushSubscriptionOptions.cpp
index c86b1683cb63b5019f479e7b0bd5b4fe82f92206..cb3a3a4d01e76007b62711a2647d1cac83b898bf 100644
--- a/third_party/WebKit/Source/modules/push_messaging/PushSubscriptionOptions.cpp
+++ b/third_party/WebKit/Source/modules/push_messaging/PushSubscriptionOptions.cpp
@@ -10,6 +10,7 @@
 #include "modules/push_messaging/PushSubscriptionOptionsInit.h"
 #include "public/platform/WebString.h"
 #include "public/platform/modules/push_messaging/WebPushSubscriptionOptions.h"
+#include "third_party/WebKit/Source/wtf/ASCIICType.h"
 #include "wtf/Assertions.h"
 #include "wtf/text/WTFString.h"
 
@@ -18,13 +19,16 @@ namespace {
 
 const int kMaxApplicationServerKeyLength = 255;
 
+bool IsNotDigit(char c) {
+  return !WTF::isASCIIDigit(c);
+}
+
 String bufferSourceToString(
     const ArrayBufferOrArrayBufferView& applicationServerKey,
     ExceptionState& exceptionState) {
-  // Check the validity of the sender info. It must be a 65-byte uncompressed
-  // key, which has the byte 0x04 as the first byte as a marker.
   unsigned char* input;
   int length;
+  // Convert the input array into a string of bytes.
   if (applicationServerKey.isArrayBuffer()) {
     input = static_cast<unsigned char*>(
         applicationServerKey.getAsArrayBuffer()->data());
@@ -39,10 +43,23 @@ String bufferSourceToString(
     return String();
   }
 
-  // If the key is valid, just treat it as a string of bytes and pass it to
-  // the push service.
-  if (length <= kMaxApplicationServerKeyLength)
-    return WebString::fromLatin1(input, length);
+  // Check the validity of the sender info. It must either be a 65-byte
+  // uncompressed key, which has the byte 0x04 as the first byte as a marker or
+  // a numeric sender ID.
+  WebString inputWebString = WebString::fromLatin1(input, length);

[Peter Beverloo, 2016/10/11 15:10:41]

Could we validate the input before converting it to a WebString? It seems to me
that something like the following would do the trick:

=========================
const bool isVapid = length == 65 && input[0] == 0x04;
const bool isSenderId =
    std::find_if_not(input, input + length,
                     &WTF::isASCIIDigit<unsigned char>) == input + length;

if (length > 0 && (isVapid || isSenderId))
  return WebString::fromLatin1(input, length);

// create exception
=========================

That avoids unnecessarily creating the WebString, as well as usage of
std::string and the third copy of the same data you have on line 57. It also
avoids needing the IsNotDigit function.

(We can't use std::string here anyway.)

[harkness, 2016/10/14 13:53:55]

Done.

+  if (length == 65 && input && *input == 0x04) {
+    // This could be a valid applicationServerKey. Just pass the bytes through.
+    return inputWebString;
+  }
+
+  if (length > 0 && length <= kMaxApplicationServerKeyLength) {
+    // Check that the provided string is numeric.
+    std::string inputStr = inputWebString.utf8();
+    if (std::find_if(inputStr.begin(), inputStr.end(), IsNotDigit) ==
+        inputStr.end()) {
+      return inputWebString;
+    }
+  }
 
   exceptionState.throwDOMException(
       InvalidAccessError, "The provided applicationServerKey is not valid.");