Implementation of script hashes for CSP.

Source/core/frame/ContentSecurityPolicy.cpp

 /*
  * Copyright (C) 2011 Google, Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 31 matching lines @@
 #include "core/page/UseCounter.h"
 #include "core/platform/ParsingUtilities.h"
 #include "core/platform/network/FormData.h"
 #include "core/platform/network/ResourceResponse.h"
 #include "platform/JSONValues.h"
 #include "weborigin/KURL.h"
 #include "weborigin/KnownPorts.h"
 #include "weborigin/SchemeRegistry.h"
 #include "weborigin/SecurityOrigin.h"
 #include "wtf/HashSet.h"
+#include "wtf/SHA1.h"
+#include "wtf/text/Base64.h"
 #include "wtf/text/TextPosition.h"
 #include "wtf/text/WTFString.h"
 
 namespace WebCore {
 
 // Normally WebKit uses "static" for internal linkage, but using "static" for
 // these functions causes a compile error because these functions are used as
 // template parameters.
 namespace {
 
 bool isDirectiveNameCharacter(UChar c)
 {
     return isASCIIAlphanumeric(c) || c == '-';
 }
 
 bool isDirectiveValueCharacter(UChar c)
 {
     return isASCIISpace(c) || (c >= 0x21 && c <= 0x7e); // Whitespace + VCHAR
 }
 
 bool isNonceCharacter(UChar c)
 {
     return isASCIIAlphanumeric(c) || c == '+' || c == '/';
 }
 
+bool isHashCharacter(UChar c)
+{
+    return isASCIIAlphanumeric(c) || c == '+' || c == '/' || c == '=';

[Mike West, 2013/10/16 14:53:02]

It seems that we should be able to get away with combining isNonceCharacter and
isHashCharacter via an isBase64EncodingCharacter implementation.

[jww, 2013/10/16 21:49:21]

Good point, and it actually brings up a more interesting point that the current
check for hashes is too permissive; it allows '=' anywhere in the hash.

+}
+
 bool isSourceCharacter(UChar c)
 {
     return !isASCIISpace(c);
 }
 
 bool isPathComponentCharacter(UChar c)
 {
     return c != '?' && c != '#';
 }
 
@@ skipping 185 matching lines @@
 class CSPSourceList {
 public:
     CSPSourceList(ContentSecurityPolicy*, const String& directiveName);
 
     void parse(const UChar* begin, const UChar* end);
 
     bool matches(const KURL&);
     bool allowInline() const { return m_allowInline; }
     bool allowEval() const { return m_allowEval; }
     bool allowNonce(const String& nonce) const { return !nonce.isNull() && m_nonces.contains(nonce); }
+    bool allowHash(const String& hash) const { return !hash.isNull() && m_hashes.contains(hash); }
 
 private:
     bool parseSource(const UChar* begin, const UChar* end, String& scheme, String& host, int& port, String& path, bool& hostHasWildcard, bool& portHasWildcard);
     bool parseScheme(const UChar* begin, const UChar* end, String& scheme);
     bool parseHost(const UChar* begin, const UChar* end, String& host, bool& hostHasWildcard);
     bool parsePort(const UChar* begin, const UChar* end, int& port, bool& portHasWildcard);
     bool parsePath(const UChar* begin, const UChar* end, String& path);
     bool parseNonce(const UChar* begin, const UChar* end, String& nonce);
+    bool parseHash(const UChar* begin, const UChar* end, String& hash);
 
     void addSourceSelf();
     void addSourceStar();
     void addSourceUnsafeInline();
     void addSourceUnsafeEval();
     void addSourceNonce(const String& nonce);
+    void addSourceHash(const String& hash);
 
     ContentSecurityPolicy* m_policy;
     Vector<CSPSource> m_list;
     String m_directiveName;
     bool m_allowStar;
     bool m_allowInline;
     bool m_allowEval;
     HashSet<String> m_nonces;
+    HashSet<String> m_hashes;
 };
 
 CSPSourceList::CSPSourceList(ContentSecurityPolicy* policy, const String& directiveName)
     : m_policy(policy)
     , m_directiveName(directiveName)
     , m_allowStar(false)
     , m_allowInline(false)
     , m_allowEval(false)
 {
 }
@@ skipping 88 matching lines @@
 
     if (m_policy->experimentalFeaturesEnabled()) {
         String nonce;
         if (!parseNonce(begin, end, nonce))
             return false;
 
         if (!nonce.isNull()) {
             addSourceNonce(nonce);
             return true;
         }
+
+        String hash;
+        if (!parseHash(begin, end, hash))
+            return false;
+
+        if (!hash.isNull()) {
+            addSourceHash(hash);
+            return true;
+        }
     }
 
     const UChar* position = begin;
     const UChar* beginHost = begin;
     const UChar* beginPath = end;
     const UChar* beginPort = 0;
 
     skipWhile<UChar, isNotColonOrSlash>(position, end);
 
     if (position == end) {
@@ skipping 79 matching lines @@
     skipWhile<UChar, isNonceCharacter>(position, end);
     ASSERT(nonceBegin <= position);
 
     if (((position + 1) != end  && *position != '\'') || !(position - nonceBegin))
         return false;
 
     nonce = String(nonceBegin, position - nonceBegin);
     return true;
 }
 
+// hash-source       = "'" hash-algorithm "-" hash-value "'"
+// hash-algorithm    = "sha1" / "sha256"
+// hash-value        = 1*( ALPHA / DIGIT / "+" / "/" / "=" )
+//
+bool CSPSourceList::parseHash(const UChar* begin, const UChar* end, String& hash)
+{
+    DEFINE_STATIC_LOCAL(const String, sha1Prefix, ("'sha1-"));
+    DEFINE_STATIC_LOCAL(const String, sha256Prefix, ("'sha256-"));
+
+    bool isSha1 = equalIgnoringCase(sha1Prefix.characters8(), begin, sha1Prefix.length());
+    bool isSha256 = equalIgnoringCase(sha256Prefix.characters8(), begin, sha256Prefix.length());
+
+    if (!isSha1 && !isSha256)
+        return true;

[Mike West, 2013/10/16 14:53:02]

We might want to be more clever about this to warn folks about unsupported hash
functions. Probably something for a future patch, but keep it in mind.

[jww, 2013/10/16 21:49:21]

Yeah, I'll put in a todo to make a warning message.

+
+    const String& prefix = (isSha1 ? sha1Prefix : sha256Prefix);

[Mike West, 2013/10/16 14:53:02]

You're only using this to determine the initial position, right? Perhaps 'const
UChar* position = begin + (isSha1 ? sha1Prefix.length() :
sha256Prefix.length());" would be more straightforward.

[jww, 2013/10/16 21:49:21]

Ah, yes, good call. Remnants from an earlier version :-)

+    const UChar* position = begin + prefix.length();
+    const UChar* hashBegin = position;
+
+    skipWhile<UChar, isHashCharacter>(position, end);
+    ASSERT(hashBegin <= position);
+
+    if (((position + 1) != end  && *position != '\'') || !(position - hashBegin))
+        return false;
+
+    hash = String(begin + 1, position - begin - 1);

[Mike West, 2013/10/16 14:53:02]

You need to pass the hash type back to the caller too, right? Otherwise you have
the hash, but don't know what function to call to reproduce it.

[jww, 2013/10/16 21:49:21]

This actually leaves the prefix on the beginning of the hash. That is, the
return string will be on the form: 'sha1-thehashofthescript'. It seemed like
this would be the easiest way to store and look up the hashes.

+    return true;
+}
+
 //                     ; <scheme> production from RFC 3986
 // scheme      = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
 //
 bool CSPSourceList::parseScheme(const UChar* begin, const UChar* end, String& scheme)
 {
     ASSERT(begin <= end);
     ASSERT(scheme.isEmpty());
 
     if (begin == end)
         return false;
@@ skipping 122 matching lines @@
 void CSPSourceList::addSourceUnsafeEval()
 {
     m_allowEval = true;
 }
 
 void CSPSourceList::addSourceNonce(const String& nonce)
 {
     m_nonces.add(nonce);
 }
 
+void CSPSourceList::addSourceHash(const String& hash)
+{
+    m_hashes.add(hash);

[Mike West, 2013/10/16 14:53:02]

Again, I think you'll need the type as well.

[jww, 2013/10/16 21:49:21]

See above reply. The hash string actually includes the prefix.

+}
+
 class CSPDirective {
 public:
     CSPDirective(const String& name, const String& value, ContentSecurityPolicy* policy)
         : m_name(name)
         , m_text(name + ' ' + value)
         , m_policy(policy)
     {
     }
 
     const String& text() const { return m_text; }
@@ skipping 96 matching lines @@
     }
 
     bool allows(const KURL& url)
     {
         return m_sourceList.matches(url.isEmpty() ? policy()->url() : url);
     }
 
     bool allowInline() const { return m_sourceList.allowInline(); }
     bool allowEval() const { return m_sourceList.allowEval(); }
     bool allowNonce(const String& nonce) const { return m_sourceList.allowNonce(nonce.stripWhiteSpace()); }
+    bool allowHash(const String& hash) const { return m_sourceList.allowHash(hash); }
 
 private:
     CSPSourceList m_sourceList;
 };
 
 class CSPDirectiveList {
     WTF_MAKE_FAST_ALLOCATED;
 public:
     static PassOwnPtr<CSPDirectiveList> create(ContentSecurityPolicy*, const UChar* begin, const UChar* end, ContentSecurityPolicy::HeaderType);
 
@@ skipping 14 matching lines @@
     bool allowChildFrameFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowImageFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowStyleFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFontFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowMediaFromSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowConnectToSource(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowFormAction(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowBaseURI(const KURL&, ContentSecurityPolicy::ReportingStatus) const;
     bool allowScriptNonce(const String&) const;
     bool allowStyleNonce(const String&) const;
+    bool allowScriptHash(const String&) const;
+    bool allowStyleHash(const String&) const;
 
     void gatherReportURIs(DOMStringList&) const;
     const String& evalDisabledErrorMessage() const { return m_evalDisabledErrorMessage; }
     ReflectedXSSDisposition reflectedXSSDisposition() const { return m_reflectedXSSDisposition; }
     bool isReportOnly() const { return m_reportOnly; }
     const Vector<KURL>& reportURIs() const { return m_reportURIs; }
 
 private:
     CSPDirectiveList(ContentSecurityPolicy*, ContentSecurityPolicy::HeaderType);
 
     bool parseDirective(const UChar* begin, const UChar* end, String& name, String& value);
     void parseReportURI(const String& name, const String& value);
     void parsePluginTypes(const String& name, const String& value);
     void parseReflectedXSS(const String& name, const String& value);
     void addDirective(const String& name, const String& value);
     void applySandboxPolicy(const String& name, const String& sandboxPolicy);
 
     template <class CSPDirectiveType>
     void setCSPDirective(const String& name, const String& value, OwnPtr<CSPDirectiveType>&);
 
     SourceListDirective* operativeDirective(SourceListDirective*) const;
     void reportViolation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL) const;
     void reportViolationWithLocation(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, const String& contextURL, const WTF::OrdinalNumber& contextLine) const;
     void reportViolationWithState(const String& directiveText, const String& effectiveDirective, const String& consoleMessage, const KURL& blockedURL, ScriptState*) const;
 
     bool checkEval(SourceListDirective*) const;
     bool checkInline(SourceListDirective*) const;
     bool checkNonce(SourceListDirective*, const String&) const;
+    bool checkHash(SourceListDirective*, const String&) const;
     bool checkSource(SourceListDirective*, const KURL&) const;
     bool checkMediaType(MediaListDirective*, const String& type, const String& typeAttribute) const;
 
     void setEvalDisabledErrorMessage(const String& errorMessage) { m_evalDisabledErrorMessage = errorMessage; }
 
     bool checkEvalAndReportViolation(SourceListDirective*, const String& consoleMessage, ScriptState*) const;
     bool checkInlineAndReportViolation(SourceListDirective*, const String& consoleMessage, const String& contextURL, const WTF::OrdinalNumber& contextLine, bool isScript) const;
 
     bool checkSourceAndReportViolation(SourceListDirective*, const KURL&, const String& effectiveDirective) const;
     bool checkMediaTypeAndReportViolation(MediaListDirective*, const String& type, const String& typeAttribute, const String& consoleMessage) const;
@@ skipping 82 matching lines @@
 bool CSPDirectiveList::checkInline(SourceListDirective* directive) const
 {
     return !directive || directive->allowInline();
 }
 
 bool CSPDirectiveList::checkNonce(SourceListDirective* directive, const String& nonce) const
 {
     return !directive || directive->allowNonce(nonce);
 }
 
+bool CSPDirectiveList::checkHash(SourceListDirective* directive, const String& hash) const
+{
+    return !directive || directive->allowHash(hash);
+}
+
 bool CSPDirectiveList::checkSource(SourceListDirective* directive, const KURL& url) const
 {
     return !directive || directive->allows(url);
 }
 
 bool CSPDirectiveList::checkMediaType(MediaListDirective* directive, const String& type, const String& typeAttribute) const
 {
     if (!directive)
         return true;
     if (typeAttribute.isEmpty() || typeAttribute.stripWhiteSpace() != type)
@@ skipping 225 matching lines @@
 bool CSPDirectiveList::allowScriptNonce(const String& nonce) const
 {
     return checkNonce(operativeDirective(m_scriptSrc.get()), nonce);
 }
 
 bool CSPDirectiveList::allowStyleNonce(const String& nonce) const
 {
     return checkNonce(operativeDirective(m_styleSrc.get()), nonce);
 }
 
+bool CSPDirectiveList::allowScriptHash(const String& hash) const
+{
+    return checkHash(operativeDirective(m_scriptSrc.get()), hash);
+}
+
+bool CSPDirectiveList::allowStyleHash(const String& hash) const
+{
+    return checkHash(operativeDirective(m_styleSrc.get()), hash);
+}
+
 // policy            = directive-list
 // directive-list    = [ directive *( ";" [ directive ] ) ]
 //
 void CSPDirectiveList::parse(const UChar* begin, const UChar* end)
 {
     m_header = String(begin, end - begin);
 
     if (begin == end)
         return;
 
@@ skipping 329 matching lines @@
 
 template<bool (CSPDirectiveList::*allowed)(const String&) const>
 bool isAllowedByAllWithNonce(const CSPDirectiveListVector& policies, const String& nonce)
 {
     for (size_t i = 0; i < policies.size(); ++i) {
         if (!(policies[i].get()->*allowed)(nonce))
             return false;
     }
     return true;
 }
+
+template<bool (CSPDirectiveList::*allowed)(const String&) const>
+bool isAllowedByAllWithHash(const CSPDirectiveListVector& policies, const String& hash)
+{
+    for (size_t i = 0; i < policies.size(); ++i) {
+        if (!(policies[i].get()->*allowed)(hash))
+            return false;
+    }
+    return true;
+}
+
 template<bool (CSPDirectiveList::*allowFromURL)(const KURL&, ContentSecurityPolicy::ReportingStatus) const>
 bool isAllowedByAllWithURL(const CSPDirectiveListVector& policies, const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus)
 {
     if (SchemeRegistry::schemeShouldBypassContentSecurityPolicy(url.protocol()))
         return true;
 
     for (size_t i = 0; i < policies.size(); ++i) {
         if (!(policies[i].get()->*allowFromURL)(url, reportingStatus))
             return false;
     }
@@ skipping 53 matching lines @@
 bool ContentSecurityPolicy::allowScriptNonce(const String& nonce) const
 {
     return isAllowedByAllWithNonce<&CSPDirectiveList::allowScriptNonce>(m_policies, nonce);
 }
 
 bool ContentSecurityPolicy::allowStyleNonce(const String& nonce) const
 {
     return isAllowedByAllWithNonce<&CSPDirectiveList::allowStyleNonce>(m_policies, nonce);
 }
 
+bool ContentSecurityPolicy::allowScriptHash(const String& source) const
+{
+    DEFINE_STATIC_LOCAL(const String, sha1Prefix, ("sha1-"));

[Mike West, 2013/10/16 14:53:02]

If you're using this string in two places, extract it somewhere. Top of the
document with the other constants seems reasonable.

[jww, 2013/10/16 21:49:21]

Done.

+    DEFINE_STATIC_LOCAL(const String, sha256Prefix, ("sha256-"));
+
+    // TODO(jww) We don't currently have a WTF SHA256 implementation. Once we
+    // have that, we should implement a proper check for sha256 hash values here.
+    SHA1 sourceSha1;
+    sourceSha1.addBytes(source.utf8());
+    String sha1Hash(sourceSha1.computeHexDigest().data());
+
+    String lowerHash = sha1Hash.lower();
+    String hash = sha1Prefix + base64Encode(lowerHash.utf8());
+    return isAllowedByAllWithHash<&CSPDirectiveList::allowScriptHash>(m_policies, hash);

[Mike West, 2013/10/16 14:53:02]

Ah, I see. You're storing the whole string.

I think it would be more efficient to determine which hash functions you
actually _need_ to run based on the hashes provided in the policy. If it only
provides sha1 hash, running sha256 is a waste of time, and vice-versa.

[jww, 2013/10/16 21:49:21]

Good idea. What about just storing some bits that say which hash functions are
in the policy, but leaving the prefixes on? That is, during parsing, if we come
across a SHA1 and a SHA256 hash, we keep that information around, and we
calculate hashes of scripts only for the hash functions used.

That means we can still do quick look ups on sets of strings without worrying
about collisions, but still only calculate hashes for algorithms that are
present in the policy.

+}
+
+bool ContentSecurityPolicy::allowStyleHash(const String& hash) const
+{
+    return isAllowedByAllWithHash<&CSPDirectiveList::allowStyleHash>(m_policies, hash);
+}
+
 bool ContentSecurityPolicy::allowObjectFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowObjectFromSource>(m_policies, url, reportingStatus);
 }
 
 bool ContentSecurityPolicy::allowChildFrameFromSource(const KURL& url, ContentSecurityPolicy::ReportingStatus reportingStatus) const
 {
     return isAllowedByAllWithURL<&CSPDirectiveList::allowChildFrameFromSource>(m_policies, url, reportingStatus);
 }
 
@@ skipping 240 matching lines @@
     String message = "The source list for Content Security Policy directive '" + directiveName + "' contains a source with an invalid path: '" + value + "'. " + ignoring;
     logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportInvalidNonce(const String& nonce) const
 {
     String message = "Ignoring invalid Content Security Policy script nonce: '" + nonce + "'.\n";
     logToConsole(message);
 }
 
+void ContentSecurityPolicy::reportInvalidHash(const String& hash) const
+{
+    String message = "Ignoring invalid Content Security Policy script hash: '" + hash + "'.\n";

[Mike West, 2013/10/16 14:53:02]

I'd suggest changing both this and reportInvalidNonce to something similar to
reportInvalidSourceExpression directly below. "The source list for CSP directive
XXX contains an invalid [nonce|hash]: YYY. It will be ignored."

[jww, 2013/10/16 21:49:21]

Hmmm, not that you point this out, I believe this is dead code anyway :-) Both
nonces and hashes are source expressions, and these functions never get called
because the error message comes from reportInvalidSourceExperssion.

+    logToConsole(message);
+}
+
 void ContentSecurityPolicy::reportInvalidSourceExpression(const String& directiveName, const String& source) const
 {
     String message = "The source list for Content Security Policy directive '" + directiveName + "' contains an invalid source: '" + source + "'. It will be ignored.";
     if (equalIgnoringCase(source, "'none'"))
         message = message + " Note that 'none' has no effect unless it is the only expression in the source list.";
     logToConsole(message);
 }
 
 void ContentSecurityPolicy::reportMissingReportURI(const String& policy) const
 {
@@ skipping 30 matching lines @@
     // Collisions have no security impact, so we can save space by storing only the string's hash rather than the whole report.
     return !m_violationReportsSent.contains(report.impl()->hash());
 }
 
 void ContentSecurityPolicy::didSendViolationReport(const String& report)
 {
     m_violationReportsSent.add(report.impl()->hash());
 }
 
 } // namespace WebCore