Blink bindings: use v8 to enforce method call access checks

third_party/WebKit/Source/bindings/templates/methods.cpp.tmpl

 {% from 'utilities.cpp.tmpl' import declare_enum_validation_variable, v8_value_to_local_cpp_value %}
 
 {##############################################################################}
 {% macro generate_method(method, world_suffix) %}
 static void {{method.name}}{{method.overload_index}}Method{{world_suffix}}(const v8::FunctionCallbackInfo<v8::Value>& info) {
   {% filter format_remove_duplicates([
       'ExceptionState exceptionState',
       'ScriptState* scriptState = ']) %}
   {% set define_exception_state -%}
   ExceptionState exceptionState(info.GetIsolate(), ExceptionState::ExecutionContext, "{{interface_name}}", "{{method.name}}");
@@ skipping 11 matching lines @@
 
   {% if not method.is_static %}
   {% if method.returns_promise %}
   // V8DOMConfiguration::DoNotCheckHolder
   // Make sure that info.Holder() really points to an instance of the type.
   if (!{{v8_class}}::hasInstance(info.Holder(), info.GetIsolate())) {
     {{throw_type_error(method, '"Illegal invocation"')}}
     return;
   }
   {% endif %}
-  {% set local_dom_window_only = interface_name == 'Window' and not method.is_cross_origin %}
-  {% if local_dom_window_only %}
-  {% if method.is_check_security_for_receiver %}
-  {{cpp_class}}* uncheckedImpl = {{v8_class}}::toImpl(info.Holder());
-  {% else %}
+  {% if interface_name == 'Window' and not method.is_cross_origin %}
   // Same-origin methods are never exposed via the cross-origin interceptors.
   // Since same-origin access requires a LocalDOMWindow, it is safe to downcast
   // here.
   LocalDOMWindow* impl = toLocalDOMWindow({{v8_class}}::toImpl(info.Holder()));
-  {% endif %}{# method.is_check_security_for_receiver #}
   {% else %}
   {{cpp_class}}* impl = {{v8_class}}::toImpl(info.Holder());
-  {% endif %}{# local_dom_window_only #}
+  {% endif %}{# interface_name == 'Window' and not method.is_cross_origin #}
   {% endif %}{# not method.is_static #}
 
-  {# Security checks #}
-  {% if method.is_check_security_for_receiver %}
-  {{define_exception_state}}
-  {% if interface_name == 'EventTarget' %}
-  // Performance hack for EventTarget.  Checking whether it's a Window or not

[dcheng, 2017/02/27 05:34:19]

I think this shouldn't be needed anymore, as the common fast path for security
token checks is quick (it's just a pointer comparison). But if there are some
steps of how to confirm this, that would be helpful.

-  // prior to the call to BindingSecurity::shouldAllowAccessTo increases 30%
-  // of speed performance on Android Nexus 7 as of Dec 2015.  ALWAYS_INLINE
-  // didn't work in this case.
-  if (const DOMWindow* window = impl->toDOMWindow()) {
-    if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), window, exceptionState)) {
-      return;
-    }
-  }
-  {% else %}{# interface_name == 'EventTarget' #}
-  {% if local_dom_window_only %}
-  if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), uncheckedImpl, exceptionState)) {
-  {% else %}
-  if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), impl, exceptionState)) {
-  {% endif %}{# local_dom_window_only #}
-    return;
-  }
-  {% if local_dom_window_only %}
-  LocalDOMWindow* impl = toLocalDOMWindow(uncheckedImpl);
-  {% endif %}{# local_dom_window_only #}
-  {% endif %}{# interface_name == 'EventTarget' #}
-  {% endif %}{# method.is_check_security_for_receiver #}
   {% if method.is_check_security_for_return_value %}
   {{define_exception_state}}
   if (!BindingSecurity::shouldAllowAccessTo(currentDOMWindow(info.GetIsolate()), {{method.cpp_value}}, exceptionState)) {
     v8SetReturnValueNull(info);
     return;
   }
   {% endif %}
 
-  {% set log_activity = world_suffix in method.activity_logging_world_list %}
-  {% if 'scriptState' in function_call or log_activity %}
+  {% if 'scriptState' in function_call %}
   {% if method.is_static %}
   ScriptState* scriptState = ScriptState::forFunctionObject(info);
   {% else %}
   ScriptState* scriptState = ScriptState::forReceiverObject(info);
   {% endif %}
   {% endif %}
 
-  {% if log_activity %}
-  V8PerContextData* contextData = scriptState->perContextData();
-  if (contextData && contextData->activityLogger()) {
-    ExceptionState exceptionState(info.GetIsolate(), ExceptionState::ExecutionContext, "{{interface_name}}", "{{method.name}}");
-    Vector<v8::Local<v8::Value>> loggerArgs = toImplArguments<Vector<v8::Local<v8::Value>>>(info, 0, exceptionState);
-    contextData->activityLogger()->logMethod("{{interface_name}}.{{method.name}}", info.Length(), loggerArgs.data());
-  }
-  {% endif %}
-
   {% if method.is_custom_element_callbacks %}
   V0CustomElementProcessingStack::CallbackDeliveryScope deliveryScope;
   {% endif %}
 
   {{function_call | indent(2)}}
 }
 {% endfilter %}
 {% endmacro %}
 
 
@@ skipping 405 matching lines @@
 {% macro method_callback(method, world_suffix) %}
 void {{v8_class_or_partial}}::{{method.name}}MethodCallback{{world_suffix}}(const v8::FunctionCallbackInfo<v8::Value>& info) {
   {% if not method.overloads %}{# Overloaded methods are measured in overload_resolution_method() #}
   {% if method.measure_as %}
   UseCounter::count(currentExecutionContext(info.GetIsolate()), UseCounter::{{method.measure_as('Method')}});
   {% endif %}
   {% if method.deprecate_as %}
   Deprecation::countDeprecation(currentExecutionContext(info.GetIsolate()), UseCounter::{{method.deprecate_as}});
   {% endif %}
   {% endif %}{# not method.overloads #}
+  {% if world_suffix in method.activity_logging_world_list %}

[dcheng, 2017/02/27 05:34:19]

Restoring the activity logger back to the original location.

+  {% if method.is_static %}
+  ScriptState* scriptState = ScriptState::forFunctionObject(info);
+  {% else %}
+  ScriptState* scriptState = ScriptState::forReceiverObject(info);
+  {% endif %}
+  V8PerContextData* contextData = scriptState->perContextData();
+  if (contextData && contextData->activityLogger()) {
+    ExceptionState exceptionState(info.GetIsolate(), ExceptionState::ExecutionContext, "{{interface_name}}", "{{method.name}}");
+    Vector<v8::Local<v8::Value>> loggerArgs = toImplArguments<Vector<v8::Local<v8::Value>>>(info, 0, exceptionState);
+    contextData->activityLogger()->logMethod("{{interface_name}}.{{method.name}}", info.Length(), loggerArgs.data());
+  }
+  {% endif %}
   {% if method.is_ce_reactions %}
   CEReactionsScope ceReactionsScope;
   {% endif %}
   {% if method.is_custom %}
   {{v8_class}}::{{method.name}}MethodCustom(info);
   {% elif method.is_post_message %}
   {{cpp_class_or_partial}}V8Internal::postMessageImpl("{{interface_name}}", {{v8_class}}::toImpl(info.Holder()), info);
   {% else %}
   {{cpp_class_or_partial}}V8Internal::{{method.name}}Method{{world_suffix}}(info);
   {% endif %}
@@ skipping 85 matching lines @@
 {% set method_callback =
        '%s::%sMethodCallback' % (v8_class_or_partial, method.name) %}
 {% set method_callback_for_main_world =
        '%s::%sMethodCallbackForMainWorld' % (v8_class_or_partial, method.name)
        if method.is_per_world_bindings else 'nullptr' %}
 {% set property_attribute =
        'static_cast<v8::PropertyAttribute>(%s)' % ' | '.join(method.property_attributes)
        if method.property_attributes else 'v8::None' %}
 {% set holder_check = 'V8DOMConfiguration::DoNotCheckHolder'
        if method.returns_promise else 'V8DOMConfiguration::CheckHolder' %}
-{"{{method.name}}", {{method_callback}}, {{method_callback_for_main_world}}, {{method.length}}, {{property_attribute}}, {{property_location(method)}}, {{holder_check}}}
+{% set access_check = 'V8DOMConfiguration::CheckAccess'
+       if method.is_check_security_for_receiver else 'V8DOMConfiguration::DoNotCheckAccess' %}
+{"{{method.name}}", {{method_callback}}, {{method_callback_for_main_world}}, {{method.length}}, {{property_attribute}}, {{property_location(method)}}, {{holder_check}}, {{access_check}}}
 {%- endmacro %}
 
 
 {######################################}
 {% macro install_custom_signature(method, instance_template, prototype_template, interface_template, signature) %}
 const V8DOMConfiguration::MethodConfiguration {{method.name}}MethodConfiguration = {{method_configuration(method)}};
 V8DOMConfiguration::installMethod(isolate, world, {{instance_template}}, {{prototype_template}}, {{interface_template}}, {{signature}}, {{method.name}}MethodConfiguration);
 {%- endmacro %}
 
 
@@ skipping 11 matching lines @@
                           if method.overloads else
                           method.runtime_enabled_feature_name) %}
 const V8DOMConfiguration::MethodConfiguration {{method.name}}MethodConfiguration = {{method_configuration(method)}};
 V8DOMConfiguration::installMethod(isolate, world, v8::Local<v8::Object>(), prototypeObject, interfaceObject, signature, {{method.name}}MethodConfiguration);
 {% endfilter %}{# runtime_enabled() #}
 {% endfilter %}{# exposed() #}
 {% endfilter %}{# secure_context() #}
 {% endfor %}
 {% endif %}
 {%- endmacro %}