diff options
| author | Wojtek Kosior <koszko@koszko.org> | 2022-06-01 18:14:09 +0200 |
|---|---|---|
| committer | Wojtek Kosior <koszko@koszko.org> | 2022-06-10 14:13:57 +0200 |
| commit | f8dedf60638bffde3f92116db3f418d2e6260e80 (patch) | |
| tree | aa6da7b69f0db5c17c643505eaf9f2d8053d2daf /common | |
| parent | 9bee4afaab8b89613e5e504829bdd4fae204e134 (diff) | |
| download | browser-extension-f8dedf60638bffde3f92116db3f418d2e6260e80.tar.gz browser-extension-f8dedf60638bffde3f92116db3f418d2e6260e80.zip | |
allow eval() in injected scripts
Diffstat (limited to 'common')
| -rw-r--r-- | common/entities.js | 22 | ||||
| -rw-r--r-- | common/jsonschema.js | 12 | ||||
| -rw-r--r-- | common/policy.js | 43 |
3 files changed, 60 insertions, 17 deletions
diff --git a/common/entities.js b/common/entities.js index 74cad20..41d6e3b 100644 --- a/common/entities.js +++ b/common/entities.js @@ -116,6 +116,28 @@ function* get_used_files(item) } #EXPORT get_used_files AS get_files +/* + * Regex to parse URIs like: + * https://hydrilla.koszko.org/schemas/api_mapping_description-2.schema.json + */ +const name_base_re = "(?<name_base>[^/]*)"; +const major_number_re = "(?<major>[1-9][0-9]*)"; +const minor_number_re = "(?:[1-9][0-9]*|0)"; +const numbers_rest_re = `(?:\\.${minor_number_re})*`; +const version_re = `(?<ver>${major_number_re}${numbers_rest_re})`; +const schema_name_re = `${name_base_re}-${version_re}\\.schema\\.json`; + +const haketilo_schema_name_regex = new RegExp(schema_name_re); +#EXPORT haketilo_schema_name_regex + +/* Extract the number that indicates entity's compatibility mode. */ +function get_schema_major_version(instance) { + const match = haketilo_schema_name_regex.exec(instance.$schema); + + return parseInt(match.groups.major); +} +#EXPORT get_schema_major_version + #IF NEVER /* diff --git a/common/jsonschema.js b/common/jsonschema.js index 3e99cd6..9c4a70c 100644 --- a/common/jsonschema.js +++ b/common/jsonschema.js @@ -57,6 +57,8 @@ #FROM common/jsonschema/scan.js IMPORT SchemaScanResult, scan +#FROM common/entities.js IMPORT haketilo_schema_name_regex + #EXPORT scan #EXPORT SchemaScanResult @@ -86,15 +88,6 @@ const haketilo_schemas = [ #INCLUDE schemas/2.x/common_definitions-2.schema.json ].reduce((ac, s) => Object.assign(ac, {[s.$id]: s}), {}); -const name_base_re = "(?<name_base>[^/]*)"; -const major_number_re = "(?<major>[1-9][0-9]*)"; -const minor_number_re = "(?:[1-9][0-9]*|0)"; -const numbers_rest_re = `(?:\\.${minor_number_re})*`; -const version_re = `(?<ver>${major_number_re}${numbers_rest_re})`; -const schema_name_re = `${name_base_re}-${version_re}\\.schema\\.json`; - -const haketilo_schema_name_regex = new RegExp(schema_name_re); - for (const [$id, schema] of [...Object.entries(haketilo_schemas)]) { const match = haketilo_schema_name_regex.exec($id); const schema_name = @@ -103,7 +96,6 @@ for (const [$id, schema] of [...Object.entries(haketilo_schemas)]) { } #EXPORT haketilo_schemas -#EXPORT haketilo_schema_name_regex const haketilo_validator = new Validator(); Object.values(haketilo_schemas) diff --git a/common/policy.js b/common/policy.js index e14d8cd..6bcb54b 100644 --- a/common/policy.js +++ b/common/policy.js @@ -49,16 +49,15 @@ * CSP rule that either blocks all scripts or only allows scripts with specified * nonce attached. */ -function make_csp(nonce) -{ - const rule = nonce ? `nonce-${nonce}` : "none"; +function make_csp(nonce) { + const rule = nonce ? `'nonce-${nonce}'` : "'none'"; const csp_list = [ - ["prefetch-src", "none"], - ["script-src-attr", "none"], - ["script-src", rule], + ["prefetch-src", "'none'"], + ["script-src-attr", "'none'"], + ["script-src", rule, "'unsafe-eval'"], ["script-src-elem", rule] ]; - return csp_list.map(([a, b]) => `${a} '${b}';`).join(" "); + return csp_list.map(words => `${words.join(" ")};`).join(" "); } function decide_policy(patterns_tree, url, default_allow, secret) @@ -113,3 +112,33 @@ function decide_policy(patterns_tree, url, default_allow, secret) #EXPORT decide_policy #EXPORT () => ({allow: false, csp: make_csp()}) AS fallback_policy + +#IF NEVER + +/* + * Note: the functions below were overeagerly written and are not used now but + * might prove useful to once we add more functionalities and are hence kept... + */ + +function relaxed_csp_eval(csp) { + const new_csp_list = []; + + for (const directive of csp.split(";")) { + const directive_words = directive.trim().split(" "); + if (directive_words[0] === "script-src") + directive_words.push("'unsafe-eval'"); + + new_csp_list.push(directive_words); + } + + new_policy.csp = new_csp_list.map(d => `${d.join(" ")}';`).join(" "); +} + +function relax_policy_eval(policy) { + const new_policy = Object.assign({}, policy); + + return Object.assign(new_policy, {csp: relaxed_csp_eval(policy.csp)}); +} +#EXPORT relax_policy_eval + +#ENDIF |