<!DOCTYPE html>
<!--
Copyright (C) 2016 The Android Open Source Project
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<meta name="viewport" content="width=device-width, minimum-scale=1.0, initial-scale=1.0, user-scalable=yes">
<title>gr-diff-group</title>
<script src="../../../bower_components/web-component-tester/browser.js"></script>
Polygerrit now loads polymer-resin
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
----
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmatically by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```
use strict;
sub removeResin($) {
my $s = $_[0];
$s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
$s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
$s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
return $s;
}
for my $f (@ARGV) {
next if $f =~ m@/bower_components/|/node_modules/@;
system('git', 'checkout', $f);
print "$f\n";
my @lines = ();
open(IN, "<$f") or die "$f: $!";
my $maxLineOfMatch = 0;
while (<IN>) {
push(@lines, $_);
# Put a marker after core loading directives.
$maxLineOfMatch = scalar(@lines)
if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
}
close(IN) or die "$f: $!";
die "$f missing loading directives" unless $maxLineOfMatch;
# Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
# assuming no non-leading . or .. components in the path from find.
my $pathToRoot = $f;
$pathToRoot =~ s@^\.\/@@;
$pathToRoot =~ s@^(.*?/)?app/@@;
$pathToRoot =~ s@\/[^\/]*$@@;
$pathToRoot =~ s@[^/]+@..@g;
my $nLines = scalar(@lines);
open(OUT, ">$f") or die "$f: $!";
# Output the lines up to the last polymer-resin dependency
# loaded explicitly by this test.
my $before = join '', @lines[0..($maxLineOfMatch - 1)];
$before = removeResin($before);
print OUT "$before";
# Dump out the lines that load polymer-resin and configure it for
# polygerrit.
if (1) {
print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
}
# Emit any remaining lines.
my $after = join '', @lines[$maxLineOfMatch..$#lines];
$after = removeResin($after);
$after =~ s/^\n*//;
print OUT "$after";
close(OUT) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
----
fix lint warnings
----
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
----
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
<link rel="import" href="../../../test/common-test-setup.html"/>
<script src="gr-diff-line.js"></script>
<script src="gr-diff-group.js"></script>
<script>
suite('gr-diff-group tests', () => {
test('delta line pairs', () => {
  // Two additions on the right-hand side followed by one removal on the
  // left-hand side. Only the side a line belongs to gets a line number.
  const added1 = new GrDiffLine(GrDiffLine.Type.ADD);
  added1.afterNumber = 128;
  const added2 = new GrDiffLine(GrDiffLine.Type.ADD);
  added2.afterNumber = 129;
  const removed = new GrDiffLine(GrDiffLine.Type.REMOVE);
  removed.beforeNumber = 64;
  const lines = [added1, added2, removed];

  // Expected side-by-side pairing: the removal lines up with the first
  // addition; the second addition has no left counterpart, so a blank
  // line fills that slot.
  const expectedPairs = [
    {left: removed, right: added1},
    {left: GrDiffLine.BLANK_LINE, right: added2},
  ];

  // Path 1: lines appended one at a time through addLine().
  const incremental = new GrDiffGroup(GrDiffGroup.Type.DELTA);
  for (const line of lines) {
    incremental.addLine(line);
  }
  assert.deepEqual(incremental.lines, lines);
  assert.deepEqual(incremental.adds, [added1, added2]);
  assert.deepEqual(incremental.removes, [removed]);
  assert.deepEqual(incremental.lineRange, {
    left: {start: 64, end: 64},
    right: {start: 128, end: 129},
  });
  assert.deepEqual(incremental.getSideBySidePairs(), expectedPairs);

  // Path 2: the same lines handed to the constructor up front.
  const fromCtor = new GrDiffGroup(GrDiffGroup.Type.DELTA,
      [added1, added2, removed]);
  assert.deepEqual(fromCtor.lines, lines);
  assert.deepEqual(fromCtor.adds, [added1, added2]);
  assert.deepEqual(fromCtor.removes, [removed]);
  assert.deepEqual(fromCtor.getSideBySidePairs(), expectedPairs);
});
test('group/header line pairs', () => {
  // Builds an unchanged (BOTH) line numbered on both sides.
  const bothLine = (beforeNumber, afterNumber) => {
    const line = new GrDiffLine(GrDiffLine.Type.BOTH);
    line.beforeNumber = beforeNumber;
    line.afterNumber = afterNumber;
    return line;
  };
  const lines = [bothLine(64, 128), bothLine(65, 129), bothLine(66, 130)];

  // An unchanged line is shown on both sides, so every line pairs with
  // itself.
  const expectedPairs = lines.map(line => ({left: line, right: line}));

  // A BOTH group: no adds/removes, and the range spans all three lines.
  const bothGroup = new GrDiffGroup(GrDiffGroup.Type.BOTH,
      [lines[0], lines[1], lines[2]]);
  assert.deepEqual(bothGroup.lines, lines);
  assert.deepEqual(bothGroup.adds, []);
  assert.deepEqual(bothGroup.removes, []);
  assert.deepEqual(bothGroup.lineRange, {
    left: {start: 64, end: 66},
    right: {start: 128, end: 130},
  });
  assert.deepEqual(bothGroup.getSideBySidePairs(), expectedPairs);

  // A context control over the same lines pairs them the same way.
  const contextGroup = new GrDiffGroup(GrDiffGroup.Type.CONTEXT_CONTROL,
      [lines[0], lines[1], lines[2]]);
  assert.deepEqual(contextGroup.lines, lines);
  assert.deepEqual(contextGroup.adds, []);
  assert.deepEqual(contextGroup.removes, []);
  assert.deepEqual(contextGroup.getSideBySidePairs(), expectedPairs);
});
test('adding delta lines to non-delta group', () => {
  const addedLine = new GrDiffLine(GrDiffLine.Type.ADD);
  const removedLine = new GrDiffLine(GrDiffLine.Type.REMOVE);
  const unchangedLine = new GrDiffLine(GrDiffLine.Type.BOTH);

  // Neither a BOTH group nor a context control accepts ADD/REMOVE lines;
  // an unchanged line is accepted by both. Checked in the same order as
  // the group types are listed.
  const nonDeltaTypes = [
    GrDiffGroup.Type.BOTH,
    GrDiffGroup.Type.CONTEXT_CONTROL,
  ];
  for (const type of nonDeltaTypes) {
    const group = new GrDiffGroup(type);
    assert.throws(() => group.addLine(addedLine));
    assert.throws(() => group.addLine(removedLine));
    assert.doesNotThrow(() => group.addLine(unchangedLine));
  }
});
});
</script>