Integrates polymer-resin into polygerrit-ui

This is attempt 3 at rolling-forward c/106190 New Dependency ============== This adds polymer-resin as a bower archive. See `bower info polymer-resin\#1.2.6-beta` for details. Polymer-resin is part of the larger polymer project so is license compatible. Integration =========== The main application element, app/elements/gr-app.html, now HTML imports polymer-resin per github.com/Polymer/polymer-resin/blob/master/getting-started.md#loading It uses the following configuration: 1. All dynamic IDs are allowed. 2. Policy violation reports are sent to the dev console. test/common-test-setup.html does the same so that tests are run in the same environment. Testing ======= 1. Running local tests gerrit $ ./polygerrit-ui/app/run_tests.sh With 1.2.6-beta tests run green on (Chrome, Firefox, Safari). 2. Testing for false positives I ran two servers. a. polygerrit-ui/run_server.sh b. gerrit.war per https://git.eclipse.org/r/Documentation/dev-readme.html I noticed that in both the dev console showed 'initResin' early and paging around showed no violation reports. 3. Testing for true negatives I patched in the diff at the end of this description, and reran both server environments. I noted that browsing to localhost:8081/#javascript:alert(1) and localhost:8080/#javascript:alert(1) both showed a violation report about javascript:alert(1) being rejected. Clicking Changes / XSS did not result in a popup. Differences =========== This loads the non-debug version but configured with a console reporter so should minimize code size and speed overhead. This loads via gr-app so the input is automatically vulcanized. --- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js +++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js @@ -56,6 +56,11 @@ url: '/q/status:abandoned', name: 'Abandoned', }, + { // HACK DO NOT SUBMIT + url: (location.hash && location.hash.replace(/^#/, '')) + || '/echoes_hash', + name: 'XSS', + }, ], }]; --- a/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js +++ b/polygerrit-ui/app/elements/shared/gr-dropdown/gr-dropdown.js @@ -93,6 +93,7 @@ }, _computeRelativeURL(path) { +if (path && /^\w+\:/.test(path)) { return path; } // HACK DO NOT SUBMIT const host = window.location.host; return this._computeURLHelper(host, path); }, Change-Id: I38bfa124abd4fb35972833f29fc1664ec2404e34
2017-06-15 22:51:00 -04:00 · 2017-06-15 22:51:00 -04:00 · 5ee6971a61
commit 5ee6971a61
parent 4759c64d5c
7 changed files with 58 additions and 1 deletions
--- a/7
+++ b/7
@ -1100,6 +1100,13 @@ bower_archive(
    version = "1.9.1",
 )

+bower_archive(
+    name = "polymer-resin",
+    package = "polymer/polymer-resin",
+    sha1 = "d759c8c09054a7ec04608a6cb586801c904f79a2",
+    version = "1.2.6-beta",
+)
+
 bower_archive(
    name = "promise-polyfill",
    package = "polymerlabs/promise-polyfill",
--- a/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
+++ b/gerrit-httpd/src/main/resources/com/google/gerrit/httpd/raw/PolyGerritIndexHtml.soy
@ -44,6 +44,12 @@
  <link rel="stylesheet" href="{$staticResourcePath}/styles/fonts.css">{\n}
  <link rel="stylesheet" href="{$staticResourcePath}/styles/main.css">{\n}
  <script src="{$staticResourcePath}/bower_components/webcomponentsjs/webcomponents-lite.js"></script>{\n}
+  // Content between webcomponents-lite and the load of the main app element
+  // run before polymer-resin is installed so may have security consequences.
+  // Contact your local security engineer if you have any questions, and
+  // CC them on any changes that load content before gr-app.html.
+  //
+  // github.com/Polymer/polymer-resin/blob/master/getting-started.md#integrating
  <link rel="preload" href="{$staticResourcePath}/elements/gr-app.js" as="script" crossorigin="anonymous">{\n}
  <link rel="import" href="{$staticResourcePath}/elements/gr-app.html">{\n}

--- a/lib/js/bower_components.bzl
+++ b/lib/js/bower_components.bzl
@ -173,6 +173,15 @@ def define_bower_components():
    deps = [ ":webcomponentsjs" ],
    seed = True,
  )
+  bower_component(
+    name = "polymer-resin",
+    license = "//lib:LICENSE-polymer",
+    deps = [
+      ":polymer",
+      ":webcomponentsjs",
+    ],
+    seed = True,
+  )
  bower_component(
    name = "promise-polyfill",
    license = "//lib:LICENSE-promise-polyfill",
--- a/polygerrit-ui/BUILD
+++ b/polygerrit-ui/BUILD
@ -21,6 +21,7 @@ bower_component_bundle(
        "//lib/js:moment",
        "//lib/js:page",
        "//lib/js:polymer",
+        "//lib/js:polymer-resin",
        "//lib/js:promise-polyfill",
    ],
 )
--- a/polygerrit-ui/app/elements/gr-app.html
+++ b/polygerrit-ui/app/elements/gr-app.html
@ -15,6 +15,13 @@ limitations under the License.
 -->

 <link rel="import" href="../bower_components/polymer/polymer.html">
+<link rel="import" href="../bower_components/polymer-resin/standalone/polymer-resin.html">
+<script>
+  security.polymer_resin.install({
+    allowedIdentifierPrefixes: [''],
+    reportHandler: security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER,
+  });
+</script>

 <link rel="import" href="./admin/gr-admin-view/gr-admin-view.html">
 <link rel="import" href="./change-list/gr-change-list-view/gr-change-list-view.html">
--- a/polygerrit-ui/app/index.html
+++ b/polygerrit-ui/app/index.html
@ -29,6 +29,14 @@ RobotoMono fonts are used in styles/fonts.css
 <link rel="stylesheet" href="/styles/fonts.css">
 <link rel="stylesheet" href="/styles/main.css">
 <script src="/bower_components/webcomponentsjs/webcomponents-lite.js"></script>
+<!--
+  - Content between webcomponents-lite and the load of the main app element
+  - run before polymer-resin is installed so may have security consequences.
+  - Contact your local security engineer if you have any questions, and
+  - CC them on any changes that load content before gr-app.html.
+  -
+  - github.com/Polymer/polymer-resin/blob/master/getting-started.md#integrating
+  -->
 <link rel="preload" href="/elements/gr-app.js" as="script" crossorigin="anonymous">
 <link rel="import" href="/elements/gr-app.html">

--- a/polygerrit-ui/app/test/common-test-setup.html
+++ b/polygerrit-ui/app/test/common-test-setup.html
@ -15,5 +15,24 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->

-<link rel="import" href="../bower_components/iron-test-helpers/iron-test-helpers.html" />
+<link rel="import"
+    href="../bower_components/polymer-resin/standalone/polymer-resin.html" />
+<script>
+  security.polymer_resin.install({
+    allowedIdentifierPrefixes: [''],
+    reportHandler(isViolation, fmt, ...args) {
+      const log = security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER;
+      log(isViolation, fmt, ...args);
+      if (isViolation) {
+        // This will cause the test to fail if there is a data binding
+        // violation.
+        throw new Error(
+            'polymer-resin violation: ' + fmt
+            + JSON.stringify(args));
+      }
+    },
+  });
+</script>
+<link rel="import"
+    href="../bower_components/iron-test-helpers/iron-test-helpers.html" />
 <link rel="import" href="test-router.html" />