From 96efcc335bbd9f2ad098e694d6cff6c1c22b4ce8 Mon Sep 17 00:00:00 2001
From: Wojtek Kosior <koszko@koszko.org>
Date: Sat, 5 Mar 2022 15:54:53 +0100
Subject: improve script blocking in non-HTML documents (XML)

---
 .../data/pages/scripts_to_block_1.html             | 33 ++++++----
 .../data/pages/scripts_to_block_2.xml              | 71 ++++++++++++++++++++++
 test/haketilo_test/unit/test_policy_enforcing.py   | 66 ++++++++++++++++++--
 test/haketilo_test/unit/utils.py                   |  5 +-
 test/haketilo_test/world_wide_library.py           |  2 +
 5 files changed, 158 insertions(+), 19 deletions(-)
 create mode 100644 test/haketilo_test/data/pages/scripts_to_block_2.xml

(limited to 'test')

diff --git a/test/haketilo_test/data/pages/scripts_to_block_1.html b/test/haketilo_test/data/pages/scripts_to_block_1.html
index e7793ee..67bff5e 100644
--- a/test/haketilo_test/data/pages/scripts_to_block_1.html
+++ b/test/haketilo_test/data/pages/scripts_to_block_1.html
@@ -29,18 +29,25 @@
     </script>
   </head>
   <body>
-    <button id="clickme1"
-	    onclick="window.__run = [...(window.__run || []), 'on'];"
-	    blocked-onclick="some useful data">
-      Click Meee!
-    </button>
-    <a id="clickme2"
-       href="javascript:window.__run = [...(window.__run || []), 'href'];void(0);">
-      Click Meee!
-    </a>
-    <iframe src="javascript:void(window.parent.__run = [...(window.parent.__run || []), 'src']);">
-    </iframe>
-    <object data="javascript:window.__run = [...(window.__run || []), 'data'];">
-    </object>
+    <!--
+	Put all objects under a <div> to make sure the Mutation Observer does
+	indeed correctly report changes in subtrees (there are problems with
+	this in XML documents).
+      -->
+    <div>
+      <button id="clickme1"
+	      onclick="window.__run = [...(window.__run || []), 'on'];"
+	      blocked-onclick="some useful data">
+	Click Meee!
+      </button>
+      <a id="clickme2"
+	 href="javascript:window.__run = [...(window.__run || []), 'href'];void(0);">
+	Click Meee!
+      </a>
+      <iframe src="javascript:void(window.parent.__run = [...(window.parent.__run || []), 'src']);">
+      </iframe>
+      <object data="javascript:window.__run = [...(window.__run || []), 'data'];">
+      </object>
+    </div>
   </body>
 </html>
diff --git a/test/haketilo_test/data/pages/scripts_to_block_2.xml b/test/haketilo_test/data/pages/scripts_to_block_2.xml
new file mode 100644
index 0000000..6433a1d
--- /dev/null
+++ b/test/haketilo_test/data/pages/scripts_to_block_2.xml
@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    SPDX-License-Identifier: CC0-1.0
+
+    A testing XML document with various scripts that need to get blocked.
+
+    This file is part of Haketilo.
+
+    Copyright (C) 2021, 2022 Wojtek Kosior <koszko@koszko.org>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the CC0 1.0 Universal License as published by
+    the Creative Commons Corporation.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    CC0 1.0 Universal License for more details.
+  -->
+
+<fruits>
+
+  <!--
+      The following will not execute since it is not recognized as either HTML
+      or SVG script.
+  -->
+  <script>
+    window.__run = [...(window.__run || []), 'banana'];
+  </script>
+
+  <html:img xmlns:html="http://www.w3.org/1999/xhtml"
+	    src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPjwvc3ZnPg=="
+	    onload="window.__run = [...(window.__run || []), 'melon'];console.log('delme melon')">
+  </html:img>
+
+  <!-- Will execute -->
+  <html:script xmlns:html="http://www.w3.org/1999/xhtml">
+    window.__run = [...(window.__run || []), 'grape'];
+  </html:script>
+
+  <!-- Will also execute -->
+  <vector-graphics:script xmlns:vector-graphics="http://www.w3.org/2000/svg">
+    window.__run = [...(window.__run || []), 'raspberry'];
+  </vector-graphics:script>
+
+  <apple>
+    <svg viewBox="0 0 10 14" xmlns="http://www.w3.org/2000/svg">
+      <!-- Will run when clicked -->
+      <circle id="idaret_circle" cx="5" cy="5" r="4"
+	      onclick="window.__run = [...(window.__run || []), 'idaret'];" />
+      <!-- Will *NOT* run when clicked -->
+      <circle id="nowamak_circle" cx="5" cy="13" r="4"
+	      some-unknown:onclick="window.__run = [...(window.__run || []), 'nowamak'];"
+	      xmlns:some-unknown="https://example.org/blah/blah" />
+    </svg>
+  </apple>
+  <!--
+      In case of wrong namespace URI (or lack thereof), svg subtree will not
+      be recognized as SVG at all
+  -->
+  <svg>
+    <!-- Will neither run nor be drawn by the browser -->
+    <circle id="mango_circle" cx="5" cy="5" r="4"
+	    onclick="window.__run = [...(window.__run || []), 'mango'];" />
+  </svg>
+  <svg viewBox="0 0 10" xmlns="http://www.w3.org/2000/sv">
+    <!-- Will neither run nor be drawn by the browser -->
+    <circle id="annoying_circle" cx="5" cy="5" r="4"
+	    onclick="window.__run = [...(window.__run || []), 'orange'];" />
+  </svg>
+</fruits>
diff --git a/test/haketilo_test/unit/test_policy_enforcing.py b/test/haketilo_test/unit/test_policy_enforcing.py
index c5dd20e..98b5044 100644
--- a/test/haketilo_test/unit/test_policy_enforcing.py
+++ b/test/haketilo_test/unit/test_policy_enforcing.py
@@ -73,12 +73,15 @@ def get(driver, page, what_to_do):
 @pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])
 def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
     """
-    A test case of sanitizing <script>s and intrinsic javascript in pages.
+    A test case of sanitizing <script>s and intrinsic JavaScript in HTML pages.
     """
-    def assert_properly_blocked():
+    def click_all():
         for i in range(1, 3):
             driver.find_element_by_id(f'clickme{i}').click()
 
+    def assert_properly_blocked():
+        click_all()
+
         assert set(driver.execute_script('return window.__run || [];')) == set()
         assert bool(csp_off_setting) == are_scripts_allowed(driver)
 
@@ -98,8 +101,7 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
         **csp_off_setting
     })
 
-    for i in range(1, 3):
-        driver.find_element_by_id(f'clickme{i}').click()
+    click_all()
 
     assert set(driver.execute_script('return window.__run || [];')) == \
         {'inline', 'on', 'href', 'src', 'data'}
@@ -121,3 +123,59 @@ def test_policy_enforcing_html(driver, execute_in_page, csp_off_setting):
 
     assert_properly_blocked()
     assert are_scripts_allowed(driver, nonce)
+
+# Test function analogous to that for HTML page.
+@pytest.mark.ext_data({'content_script': content_script})
+@pytest.mark.usefixtures('webextension')
+@pytest.mark.parametrize('csp_off_setting', [{}, {'csp_off': True}])
+def test_policy_enforcing_xml(driver, execute_in_page, csp_off_setting):
+    """
+    A test case of sanitizing <script>s and intrinsic JavaScript in XML
+    documents.
+    """
+    def click_all():
+        for name in ('idaret', 'nowamak', 'mango', 'annoying'):
+            elem = driver.find_element_by_id(f'{name}_circle')
+            try:
+                elem.click()
+            except:
+                pass
+
+    def assert_properly_blocked():
+        click_all()
+
+        try:
+            assert set(driver.execute_script('return window.__run || [];')) == set()
+        except:
+            from time import sleep
+            sleep(100000)
+        assert bool(csp_off_setting) == are_scripts_allowed(driver)
+
+    # First, see if scripts run when not blocked.
+    get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', {
+        'policy': allow_policy,
+        **csp_off_setting
+    })
+
+    click_all()
+
+    assert set(driver.execute_script('return window.__run || [];')) == \
+        {'grape', 'raspberry', 'idaret', 'melon'}
+    assert are_scripts_allowed(driver)
+
+    # Now, verify scripts don't run when blocked.
+    get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', {
+        'policy': block_policy,
+        **csp_off_setting
+    })
+
+    assert_properly_blocked()
+
+    # Now, verify only scripts with nonce can run when payload is injected.
+    get(driver, 'https://gotmyowndoma.in/scripts_to_block_2.xml', {
+        'policy': payload_policy,
+        **csp_off_setting
+    })
+
+    assert_properly_blocked()
+    assert are_scripts_allowed(driver, nonce)
diff --git a/test/haketilo_test/unit/utils.py b/test/haketilo_test/unit/utils.py
index b27a209..7ddf92a 100644
--- a/test/haketilo_test/unit/utils.py
+++ b/test/haketilo_test/unit/utils.py
@@ -228,11 +228,12 @@ def are_scripts_allowed(driver, nonce=None):
         return driver.execute_script(
             '''
             document.haketilo_scripts_allowed = false;
-            const script = document.createElement("script");
+            const html_ns = "http://www.w3.org/1999/xhtml";
+            const script = document.createElementNS(html_ns, "script");
             script.innerHTML = "document.haketilo_scripts_allowed = true;";
             if (arguments[0])
                 script.setAttribute("nonce", arguments[0]);
-            document.head.append(script);
+            (document.head || document.documentElement).append(script);
             return document.haketilo_scripts_allowed;
             ''',
             nonce)
diff --git a/test/haketilo_test/world_wide_library.py b/test/haketilo_test/world_wide_library.py
index fedfeb6..1a90c42 100644
--- a/test/haketilo_test/world_wide_library.py
+++ b/test/haketilo_test/world_wide_library.py
@@ -234,6 +234,8 @@ catalog = {
 
     'https://gotmyowndoma.in/scripts_to_block_1.html':
     (200, {}, here / 'data' / 'pages' / 'scripts_to_block_1.html'),
+    'https://gotmyowndoma.in/scripts_to_block_2.xml':
+    (200, {}, here / 'data' / 'pages' / 'scripts_to_block_2.xml'),
 
     'https://anotherdoma.in/resource/blocked/by/CORS.json':
     lambda command, get_params, post_params: (200, {}, some_data),
-- 
cgit v1.2.3