Remove eval from tests and flip assertion flag
Categories
(Core :: DOM: Security, enhancement, P3)
Tracking
()
Tracking | Status | |
---|---|---|
firefox66 | --- | fixed |
People
(Reporter: vinoth, Assigned: vinoth)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog1])
Attachments
(1 file)
Eval(), new Function() should never execute with system principal.It is being removed everywhere from our codebase as part of Bug 1473549. In this bug, we rewrite the remaining test files with eval, add pref to xpcshell tests and turn on the assertion flag in all.js
Assignee | ||
Comment 1•5 years ago
|
||
Updated•5 years ago
|
Assignee | ||
Comment 2•5 years ago
|
||
(In reply to Vinothkumar Nagasayanan [:vinoth] from comment #1)
Created attachment 9030207 [details]
Bug 1512949 - Remove eval from tests and flip assertion flag
toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html test alone is failing after flipping the assertion flag. As per the discussion, plan is to land the patch to make sure no new eval() is added to the codebase. And to create a new bug to track test_insecure_form_field_autocomplete.html failure.
Assignee | ||
Updated•5 years ago
|
Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/92c56dcf69b8
Remove eval from tests and flip assertion flag r=ckerschb
Comment 4•5 years ago
|
||
Backed out changeset 92c56dcf69b8 (Bug 1512949) for mochitest failures setup | Login to delete is defined: login0 - false == true - got false, expected true (operator ==) CLOSED TREE
Failure logs:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=222683852&repo=autoland&lineNumber=31852
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=222692520&repo=autoland&lineNumber=6296
Backout by ebalazs@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/800b3eb8a695 Backed out changeset 92c56dcf69b8 for mochitest failures setup | Login to delete is defined: login0 - false == true - got false, expected true (operator ==) CLOSED TREE
Assignee | ||
Comment 6•5 years ago
|
||
(In reply to Eliza Balazs [:ebalazs_] from comment #4)
Backed out changeset 92c56dcf69b8 (Bug 1512949) for mochitest failures setup | Login to delete is defined: login0 - false == true - got false, expected true (operator ==) CLOSED TREE
Failure logs:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=222683852&repo=autoland&lineNumber=31852
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=222692520&repo=autoland&lineNumber=6296
Bug 1521057 created to fix the failure.
Assignee | ||
Updated•5 years ago
|
Comment 7•5 years ago
|
||
Hey Matthew,
within this bug we are trying to land an assertion so we do not use eval() in system privileged context anymore. The patch got backed out because we are facing a problem with test test_insecure_form_field_autocomplete.html. We tried to figure out the problem and it seems the problem is unrelated to our changes. In more detail, when I check out the latest central and run test_insecure_form_field_autocomplete.html on my linux machine I get the following errors (see underneath).
We mainly wanted to consult you to see if there might be any other issues with that test. Put differently, do you have any suggestions for us how to move forward with landing this bug?
1 INFO Passed: 130
2 INFO Failed: 14
3 INFO Todo: 0
Unexpected Results
toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html
FAIL Checking form2 username is: singleuser5 - got "", expected "singleuser5"
FAIL Checking form2 password is: singlepass5 - got "", expected "singlepass5"
FAIL Checking form3 username is: singleuser5 - got "", expected "singleuser5"
FAIL Checking form3 password is: singlepass5 - got "", expected "singlepass5"
FAIL Checking form4 username is: singleuser5 - got "", expected "singleuser5"
FAIL Checking form4 password is: singlepass5 - got "", expected "singlepass5"
FAIL Checking form5 username is: singleuser5 - got "", expected "singleuser5"
FAIL Checking form5 password is: singlepass5 - got "", expected "singlepass5"
FAIL Checking form6 username is: singleuser5 - got "", expected "singleuser5"
FAIL Checking form6 password is: singlepass5 - got "", expected "singlepass5"
FAIL Checking form6 username is: singleuser5X - got "X", expected "singleuser5X"
FAIL Checking form6 password is: singlepass5 - got "", expected "singlepass5"
FAIL Checking form8 username is: form8user - got "", expected "form8user"
FAIL Checking form8 password is: form8pass - got "", expected "form8pass"
Comment 8•5 years ago
|
||
(In reply to Christoph Kerschbaumer [:ckerschb] from comment #7)
within this bug we are trying to land an assertion so we do not use eval() in system privileged context anymore. The patch got backed out because we are facing a problem with test test_insecure_form_field_autocomplete.html. We tried to figure out the problem and it seems the problem is unrelated to our changes.
I don't think that's the case…
Login to delete is defined: login0 - false == true - got false, expected true (operator ==)
Seems like exactly the type of error I would expect from the change to the test in this bug… I don't think the this[…]
lookup works in that context. I confirmed using a debugger
statement. You can instead defined the logins on an object and then change the code to lookup on that object instead of this
:
let logins = {};
logins.login0 = new nsLoginInfo(…);
…
let login = logins[loginVariableName];
You should ignore any tier 2 test-verify failures and Linux ones (since it's disabled there) but don't ignore the other failures as they are real regressions AFAICT.
In more detail, when I check out the latest central and run test_insecure_form_field_autocomplete.html on my linux machine I get the following errors (see underneath).
This test is skipped on Linux so manually testing there is probably not useful for unblocking your landing: https://searchfox.org/mozilla-central/rev/6c784c93cfbd5119ed07773a170b59fbce1377ea/toolkit/components/passwordmgr/test/mochitest/mochitest.ini#40
Btw. I don't see where toolkit/components/passwordmgr/test/mochitest/test_basic_form_autocomplete.html is being handled.
Assignee | ||
Comment 9•5 years ago
|
||
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #8)
Seems like exactly the type of error I would expect from the change to the test in this bug… I don't think the
this[…]
lookup works in that context. I confirmed using adebugger
statement. You can instead defined the logins on an object and then change the code to lookup on that object instead ofthis
:let logins = {}; logins.login0 = new nsLoginInfo(…); … let login = logins[loginVariableName];
Hey Matthew,
I tried as you suggested, but still I get the same failures,
TEST-UNEXPECTED-FAIL | toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html | Checking form2 username is: singleuser5 - got "", expected "singleuser5"
1521077Intermittent toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html | Checking form2 username is: singleuser5 - got "", expected "singleuser5"
1325778Intermittent toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html | Test timed out.
TEST-UNEXPECTED-FAIL | toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html | Checking form2 password is: singlepass5 - got "", expected "singlepass5"
1521077Intermittent toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html | Checking form2 username is: singleuser5 - got "", expected "singleuser5"
1325778Intermittent toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html | Test timed out.
Please take a look at the failure in OS X 10.10 debug in this TRY push,
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f7a61dee2b40aa5f701632723109df94b37d475f
Please kindly let us know if you have any other ideas about fixing this issue.
Comment 10•5 years ago
|
||
(In reply to Vinothkumar Nagasayanan [:vinoth] from comment #9)
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #8)
Please take a look at the failure in OS X 10.10 debug in this TRY push,
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f7a61dee2b40aa5f701632723109df94b37d475f
Please kindly let us know if you have any other ideas about fixing this issue.
Those are test-verify jobs that I said you can ignore in comment 8:
You should ignore any tier 2 test-verify failures and Linux ones (since it's disabled there) but don't ignore the other failures as they are real regressions AFAICT.
Assignee | ||
Comment 11•5 years ago
|
||
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #10)
(In reply to Vinothkumar Nagasayanan [:vinoth] from comment #9)
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #8)
Please take a look at the failure in OS X 10.10 debug in this TRY push,
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f7a61dee2b40aa5f701632723109df94b37d475f
Please kindly let us know if you have any other ideas about fixing this issue.
Those are test-verify jobs that I said you can ignore in comment 8:
You should ignore any tier 2 test-verify failures and Linux ones (since it's disabled there) but don't ignore the other failures as they are real regressions AFAICT.
Hey Matthew,
Thanks for the clarification. So this solves the issue. since you told we can ignore this tier 2 test-verify failures, so this patch will be accepted for landing with the tier 2 test-verify failures or I need to disable those failing tier 2 test-verify jobs before trying to land?
Comment 12•5 years ago
|
||
Tier 2 jobs do not result in a backout so you can ignore it, leave the tests as-is: https://wiki.mozilla.org/Sheriffing/Job_Visibility_Policy#Overview_of_the_Job_Visibility_Tiers
Assignee | ||
Updated•5 years ago
|
Comment 13•5 years ago
|
||
Pushed by apavel@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7a3cc3042d04
Remove eval from tests and flip assertion flag r=ckerschb
Comment 14•5 years ago
|
||
bugherder |
Description
•