2016-09-12 14:19:22 -07:00
|
|
|
<!DOCTYPE html>
|
|
|
|
|
<!--
|
|
|
|
|
Copyright (C) 2016 The Android Open Source Project
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
-->
|
|
|
|
|
|
|
|
|
|
<meta name="viewport" content="width=device-width, minimum-scale=1.0, initial-scale=1.0, user-scalable=yes">
|
|
|
|
|
<title>gr-syntax-lib-loader</title>
|
|
|
|
|
|
2017-03-28 17:02:44 -07:00
|
|
|
<script src="../../../bower_components/webcomponentsjs/webcomponents-lite.min.js"></script>
|
2016-09-12 14:19:22 -07:00
|
|
|
<script src="../../../bower_components/web-component-tester/browser.js"></script>
|
Polygerrit now loads polymer-resin
polymer-resin intercepts polymer property assignments
before they reach XSS-vulnerable sinks like `href="..."`
and text nodes in `<script>` elements.
This follows the instructions in WORKSPACE for adding a new bower
dependency with kaspern's tweak to use the dependency in a rule so
that it's found. //lib/js/bower_components.bzl has already been
rolled-back per those instructions.
The license is the polymer license as can be seen at
https://github.com/Polymer/polymer-resin/blob/master/LICENSE though
I'm not sure that //tools/js/bower2bazel.py recognizes it as such.
Docs for the added component are available at
https://github.com/Polymer/polymer-resin/blob/master/README.md
https://github.com/Polymer/polymer-resin/blob/master/getting-started.md
With this change, when I introduce an XSS vulnerability as below,
polymer-resin intercepts and stops it.
Patch that introduces a strawman vulnerability.
--- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
+++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js
@@ -55,6 +55,10 @@
url: '/q/status:abandoned',
name: 'Abandoned',
},
+ {
+ url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here',
+ name: 'XSS Me',
+ },
],
}];
---
Address kaspern's and paladox's comments.
---
Undo version bumps for bower dependencies.
---
Change Soy index template to parallel app/index.html.
---
update polymer-resin to version 1.1.1-beta
----
Load polymer-resin into polygerrit-ui/**/*_test.html
After this, I ran the tests with
-l chrome
-l firefox
I ran a handful of tests with -p and observed that the
console shows "initResin" is called before test cases start
executing.
These changes were done programmaticly by running the script below
(approximately) thus:
```
gerrit/ $ cd polygerrit-ui/app
app/ $ find . -name \*test.html | xargs perl hack-tests.pl
```
```
use strict;
sub removeResin($) {
my $s = $_[0];
$s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@;
$s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@;
$s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s;
return $s;
}
for my $f (@ARGV) {
next if $f =~ m@/bower_components/|/node_modules/@;
system('git', 'checkout', $f);
print "$f\n";
my @lines = ();
open(IN, "<$f") or die "$f: $!";
my $maxLineOfMatch = 0;
while (<IN>) {
push(@lines, $_);
# Put a marker after core loading directives.
$maxLineOfMatch = scalar(@lines)
if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@;
}
close(IN) or die "$f: $!";
die "$f missing loading directives" unless $maxLineOfMatch;
# Given ./a/b/c/my_test.html, $pathToRoot is "../../.."
# assuming no non-leading . or .. components in the path from find.
my $pathToRoot = $f;
$pathToRoot =~ s@^\.\/@@;
$pathToRoot =~ s@^(.*?/)?app/@@;
$pathToRoot =~ s@\/[^\/]*$@@;
$pathToRoot =~ s@[^/]+@..@g;
my $nLines = scalar(@lines);
open(OUT, ">$f") or die "$f: $!";
# Output the lines up to the last polymer-resin dependency
# loaded explicitly by this test.
my $before = join '', @lines[0..($maxLineOfMatch - 1)];
$before = removeResin($before);
print OUT "$before";
# Dump out the lines that load polymer-resin and configure it for
# polygerrit.
if (1) {
print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/>
<script>
security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']});
</script>
';
}
# Emit any remaining lines.
my $after = join '', @lines[$maxLineOfMatch..$#lines];
$after = removeResin($after);
$after =~ s/^\n*//;
print OUT "$after";
close(OUT) or die "$f: $!";
}
```
---
update polymer-resin to version 1.2.1-beta
---
update Soy index template to new style polymer-resin initialization
----
fix lint warnings
----
Load test/common-test-setup.html into *_test.html
Instead of inserting instructions to load and initialize polymer-resin into
every test file, add a common-test-setup.html that does that and also fold
iron-test-helpers loading into it.
----
imported files do not need to load webcomponentsjs
Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
2017-05-08 14:07:13 -04:00
|
|
|
<link rel="import" href="../../../test/common-test-setup.html"/>
|
2016-09-12 14:19:22 -07:00
|
|
|
<link rel="import" href="gr-syntax-lib-loader.html">
|
|
|
|
|
|
2017-03-28 17:02:44 -07:00
|
|
|
<script>void(0);</script>
|
|
|
|
|
|
2016-09-12 14:19:22 -07:00
|
|
|
<test-fixture id="basic">
|
|
|
|
|
<template>
|
|
|
|
|
<gr-syntax-lib-loader></gr-syntax-lib-loader>
|
|
|
|
|
</template>
|
|
|
|
|
</test-fixture>
|
|
|
|
|
|
|
|
|
|
<script>
|
2017-05-16 16:23:32 -07:00
|
|
|
suite('gr-syntax-lib-loader tests', () => {
|
|
|
|
|
let element;
|
|
|
|
|
let resolveLoad;
|
|
|
|
|
let loadStub;
|
2016-09-12 14:19:22 -07:00
|
|
|
|
2017-05-16 16:23:32 -07:00
|
|
|
setup(() => {
|
2016-09-12 14:19:22 -07:00
|
|
|
element = fixture('basic');
|
|
|
|
|
|
2017-05-16 16:23:32 -07:00
|
|
|
loadStub = sinon.stub(element, '_loadHLJS', () =>
|
|
|
|
|
new Promise(resolve => resolveLoad = resolve)
|
|
|
|
|
);
|
2016-09-12 14:19:22 -07:00
|
|
|
|
|
|
|
|
// Assert preconditions:
|
|
|
|
|
assert.isFalse(element._state.loaded);
|
|
|
|
|
assert.isFalse(element._state.loading);
|
|
|
|
|
});
|
|
|
|
|
|
2017-05-16 16:23:32 -07:00
|
|
|
teardown(() => {
|
2016-09-12 14:19:22 -07:00
|
|
|
if (window.hljs) {
|
|
|
|
|
delete window.hljs;
|
|
|
|
|
}
|
|
|
|
|
loadStub.restore();
|
|
|
|
|
|
|
|
|
|
// Because the element state is a singleton, clean it up.
|
|
|
|
|
element._state.loading = false;
|
|
|
|
|
element._state.loaded = false;
|
|
|
|
|
element._state.callbacks = [];
|
|
|
|
|
});
|
|
|
|
|
|
2017-05-16 16:23:32 -07:00
|
|
|
test('only load once', done => {
|
|
|
|
|
const firstCallHandler = sinon.stub();
|
2016-09-12 14:19:22 -07:00
|
|
|
element.get().then(firstCallHandler);
|
|
|
|
|
|
|
|
|
|
// It should now be in the loading state.
|
|
|
|
|
assert.isTrue(loadStub.called);
|
|
|
|
|
assert.isTrue(element._state.loading);
|
|
|
|
|
assert.isFalse(element._state.loaded);
|
|
|
|
|
assert.isFalse(firstCallHandler.called);
|
|
|
|
|
|
2017-05-16 16:23:32 -07:00
|
|
|
const secondCallHandler = sinon.stub();
|
2016-09-12 14:19:22 -07:00
|
|
|
element.get().then(secondCallHandler);
|
|
|
|
|
|
|
|
|
|
// No change in state.
|
|
|
|
|
assert.isTrue(element._state.loading);
|
|
|
|
|
assert.isFalse(element._state.loaded);
|
|
|
|
|
assert.isFalse(firstCallHandler.called);
|
|
|
|
|
assert.isFalse(secondCallHandler.called);
|
|
|
|
|
|
|
|
|
|
// Now load the library.
|
|
|
|
|
resolveLoad();
|
2017-05-16 16:23:32 -07:00
|
|
|
flush(() => {
|
2016-09-12 14:19:22 -07:00
|
|
|
// The state should be loaded and both handlers called.
|
|
|
|
|
assert.isFalse(element._state.loading);
|
|
|
|
|
assert.isTrue(element._state.loaded);
|
|
|
|
|
assert.isTrue(firstCallHandler.called);
|
|
|
|
|
assert.isTrue(secondCallHandler.called);
|
|
|
|
|
done();
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
</script>
|