
polymer-resin intercepts polymer property assignments before they reach XSS-vulnerable sinks like `href="..."` and text nodes in `<script>` elements. This follows the instructions in WORKSPACE for adding a new bower dependency with kaspern's tweak to use the dependency in a rule so that it's found. //lib/js/bower_components.bzl has already been rolled-back per those instructions. The license is the polymer license as can be seen at https://github.com/Polymer/polymer-resin/blob/master/LICENSE though I'm not sure that //tools/js/bower2bazel.py recognizes it as such. Docs for the added component are available at https://github.com/Polymer/polymer-resin/blob/master/README.md https://github.com/Polymer/polymer-resin/blob/master/getting-started.md With this change, when I introduce an XSS vulnerability as below, polymer-resin intercepts and stops it. Patch that introduces a strawman vulnerability. --- a/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js +++ b/polygerrit-ui/app/elements/core/gr-main-header/gr-main-header.js 
@@ -55,6 +55,10 @@ url: '/q/status:abandoned', name: 'Abandoned', }, + { + url: location.hash.replace(/^#/, '') || 'http://example.com/#fragment_echoed_here', + name: 'XSS Me', + }, ], }]; --- Address kaspern's and paladox's comments. --- Undo version bumps for bower dependencies. --- Change Soy index template to parallel app/index.html. --- update polymer-resin to version 1.1.1-beta ---- Load polymer-resin into polygerrit-ui/**/*_test.html After this, I ran the tests with -l chrome -l firefox I ran a handful of tests with -p and observed that the console shows "initResin" is called before test cases start executing. These changes were done programmaticly by running the script below (approximately) thus: ``` gerrit/ $ cd polygerrit-ui/app app/ $ find . -name \*test.html | xargs perl hack-tests.pl ``` ``` use strict; sub removeResin($) { my $s = $_[0]; $s =~ s@<link rel="import" href="[^"]*/polymer-resin/[^"]*"[^>]*>\n?@@; $s =~ s@<script src="[^"]*/polymer-resin/[^"]*"></script>\n?@@; $s =~ s@<script>\s*security\.polymer_resin.*?</script>\n?@@s; return $s; } for my $f (@ARGV) { next if $f =~ m@/bower_components/|/node_modules/@; system('git', 'checkout', $f); print "$f\n"; my @lines = (); open(IN, "<$f") or die "$f: $!"; my $maxLineOfMatch = 0; while (<IN>) { push(@lines, $_); # Put a marker after core loading directives. $maxLineOfMatch = scalar(@lines) if m@/webcomponentsjs/|/polymer[.]html\b|/browser[.]js@; } close(IN) or die "$f: $!"; die "$f missing loading directives" unless $maxLineOfMatch; # Given ./a/b/c/my_test.html, $pathToRoot is "../../.." # assuming no non-leading . or .. components in the path from find. my $pathToRoot = $f; $pathToRoot =~ s@^\.\/@@; $pathToRoot =~ s@^(.*?/)?app/@@; $pathToRoot =~ s@\/[^\/]*$@@; $pathToRoot =~ s@[^/]+@..@g; my $nLines = scalar(@lines); open(OUT, ">$f") or die "$f: $!"; # Output the lines up to the last polymer-resin dependency # loaded explicitly by this test. 
my $before = join '', @lines[0..($maxLineOfMatch - 1)]; $before = removeResin($before); print OUT "$before"; # Dump out the lines that load polymer-resin and configure it for # polygerrit. if (1) { print OUT qq'<link rel="import" href="$pathToRoot/bower_components/polymer-resin/standalone/polymer-resin-debug.html"/> <script> security.polymer_resin.install({allowedIdentifierPrefixes: [\'\']}); </script> '; } # Emit any remaining lines. my $after = join '', @lines[$maxLineOfMatch..$#lines]; $after = removeResin($after); $after =~ s/^\n*//; print OUT "$after"; close(OUT) or die "$f: $!"; } ``` --- update polymer-resin to version 1.2.1-beta --- update Soy index template to new style polymer-resin initialization ---- fix lint warnings ---- Load test/common-test-setup.html into *_test.html Instead of inserting instructions to load and initialize polymer-resin into every test file, add a common-test-setup.html that does that and also fold iron-test-helpers loading into it. ---- imported files do not need to load webcomponentsjs Change-Id: I71221c36ed8a0fe7f8720c1064a2fcc9555bb8df
<!DOCTYPE html>
|
|
<!--
|
|
Copyright (C) 2015 The Android Open Source Project
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
-->
|
|
|
|
<meta name="viewport" content="width=device-width, minimum-scale=1.0, initial-scale=1.0, user-scalable=yes">
|
|
<title>gr-patch-range-select</title>
|
|
|
|
<script src="../../../bower_components/webcomponentsjs/webcomponents-lite.min.js"></script>
|
|
<script src="../../../bower_components/web-component-tester/browser.js"></script>
|
|
<link rel="import" href="../../../test/common-test-setup.html"/>
|
|
<script src="../../../bower_components/page/page.js"></script>
|
|
|
|
<link rel="import" href="gr-patch-range-select.html">
|
|
|
|
<script>void(0);</script>
|
|
|
|
<test-fixture id="basic">
|
|
<template>
|
|
<gr-patch-range-select auto></gr-patch-range-select>
|
|
</template>
|
|
</test-fixture>
|
|
|
|
<script>
|
|
suite('gr-patch-range-select tests', () => {
|
|
let element;
|
|
|
|
setup(() => {
|
|
element = fixture('basic');
|
|
});
|
|
|
|
test('enabled/disabled options', () => {
|
|
const patchRange = {
|
|
basePatchNum: 'PARENT',
|
|
patchNum: '3',
|
|
};
|
|
for (const patchNum of ['1', '2', '3']) {
|
|
assert.isFalse(element._computeRightDisabled(patchNum, patchRange));
|
|
}
|
|
for (const patchNum of ['PARENT', '1', '2']) {
|
|
assert.isFalse(element._computeLeftDisabled(patchNum, patchRange));
|
|
}
|
|
assert.isTrue(element._computeLeftDisabled('3', patchRange));
|
|
|
|
patchRange.basePatchNum = '2';
|
|
assert.isTrue(element._computeLeftDisabled('3', patchRange));
|
|
assert.isTrue(element._computeRightDisabled('1', patchRange));
|
|
assert.isTrue(element._computeRightDisabled('2', patchRange));
|
|
assert.isFalse(element._computeRightDisabled('3', patchRange));
|
|
});
|
|
|
|
test('navigation', done => {
|
|
const showStub = sinon.stub(page, 'show');
|
|
const leftSelectEl = element.$.leftPatchSelect;
|
|
const rightSelectEl = element.$.rightPatchSelect;
|
|
const blurSpy = sinon.spy(leftSelectEl, 'blur');
|
|
element.changeNum = '42';
|
|
element.path = 'path/to/file.txt';
|
|
element.availablePatches = ['1', '2', '3'];
|
|
element.patchRange = {
|
|
basePatchNum: 'PARENT',
|
|
patchNum: '3',
|
|
};
|
|
flushAsynchronousOperations();
|
|
|
|
let numEvents = 0;
|
|
leftSelectEl.addEventListener('change', e => {
|
|
numEvents++;
|
|
if (numEvents == 1) {
|
|
assert(showStub.lastCall.calledWithExactly(
|
|
'/c/42/3/path/to/file.txt'),
|
|
'Should navigate to /c/42/3/path/to/file.txt');
|
|
leftSelectEl.value = '1';
|
|
element.fire('change', {}, {node: leftSelectEl});
|
|
assert(blurSpy.called, 'Dropdown should be blurred after selection');
|
|
} else if (numEvents == 2) {
|
|
assert(showStub.lastCall.calledWithExactly(
|
|
'/c/42/1..3/path/to/file.txt'),
|
|
'Should navigate to /c/42/1..3/path/to/file.txt');
|
|
showStub.restore();
|
|
done();
|
|
}
|
|
});
|
|
leftSelectEl.value = 'PARENT';
|
|
rightSelectEl.value = '3';
|
|
element.fire('change', {}, {node: leftSelectEl});
|
|
});
|
|
|
|
test('filesWeblinks', () => {
|
|
element.filesWeblinks = {
|
|
meta_a: [
|
|
{
|
|
name: 'foo',
|
|
url: 'f.oo',
|
|
},
|
|
],
|
|
meta_b: [
|
|
{
|
|
name: 'bar',
|
|
url: 'ba.r',
|
|
},
|
|
],
|
|
};
|
|
flushAsynchronousOperations();
|
|
const domApi = Polymer.dom(element.root);
|
|
assert.equal(
|
|
domApi.querySelector('a[href="f.oo"]').textContent, 'foo');
|
|
assert.equal(
|
|
domApi.querySelector('a[href="ba.r"]').textContent, 'bar');
|
|
});
|
|
});
|
|
</script>
|
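Review bot: In the 'navigation' test the `sinon.stub(page, 'show')` created at the top of the test is restored only inside the `numEvents == 2` branch of the change listener, so a failing assertion in either branch (or a second change event that never fires) leaves `page.show` stubbed for every later test in this file, and the `blur` spy on `leftSelectEl` is never restored at all. The section is shown without change markers, so which line this commit adds is not recoverable here; it appears to be the `common-test-setup.html` import, with the rest as context, but the leak is worth closing while the file is touched. Creating a sinon sandbox in `setup` and restoring it in `teardown` bounds both fakes to the test regardless of outcome and removes the need for the manual `showStub.restore()` call. Separately, `<script>void(0);</script>` carries no explanation; a one-line comment stating why the empty script block is needed would help, since the reason is not recoverable from this file.
```javascript
let element;
let sandbox;

setup(() => {
  sandbox = sinon.sandbox.create();
  element = fixture('basic');
});

teardown(() => {
  sandbox.restore();
});

// … unchanged: 'enabled/disabled options' test …

test('navigation', done => {
  const showStub = sandbox.stub(page, 'show');
  const leftSelectEl = element.$.leftPatchSelect;
  const rightSelectEl = element.$.rightPatchSelect;
  const blurSpy = sandbox.spy(leftSelectEl, 'blur');
  // … unchanged: element setup and change listener, minus the showStub.restore() call …
});
```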