Closed Bug 1596360 Opened 6 years ago Closed 6 years ago

Monitor innerHTML calls in chrome code and on about: pages and assert we can not introduce new calls to innerHTML

Categories

(Core :: DOM: Security, task, P2)

Product:
Core
Component:
DOM: Security
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla74
Tracking Flags:
Tracking Status
firefox74 --- fixed

People

(Reporter: ckerschb, Assigned: ckerschb)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Bug 1596360: Monitor the fragment parser in chrome code and in about: pages and assert that no new calls e.g. to innerHTML and friends can be introduced. r=jkt,gijs
47 bytes, text/x-phabricator-request
Details | Review

Ideally we shouldn't use .innerHTML() within chrome code or on any of our about: pages. In an effort we made sure that all calls to InnerHTML() pass through our internal fragment sanitizer which obviously reduces the risk. We do not do that for about: pages though. The fact that some about: pages are semi-privileged increases the risk of XSS in addition.

Within this bug we will add a dynamic runtime monitor of calls to innerHTML in chrome code as well as all of our about: pages. We will start by adding an allowlist which basically allows legacy code to work, but we will assert that no new instances of innerHTML can be added within chrome code or any of our about: pages.

Assignee: nobody → ckerschb
Status: NEW → ASSIGNED
Type: defect → task
Priority: -- → P2
Whiteboard: [domsecurity-active]
Summary: Monitor innerHTML calls in chrome code and on about: pages and assert we can introduces new calls to innerHTML → Monitor innerHTML calls in chrome code and on about: pages and assert we can not introduce new calls to innerHTML
Attachment #9108972 - Attachment description: Bug 1596360: Monitor innerHTML calls in chrome code and on about: pages and assert we can not introduce new calls to innerHTML. r=jkt → Bug 1596360: Monitor the fragment parser in chrome code and in about: pages and assert that no new calls e.g. to innerHTML and friends can be introduced. r=jkt,gijs
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b80ab0927b40 Monitor the fragment parser in chrome code and in about: pages and assert that no new calls e.g. to innerHTML and friends can be introduced. r=jkt,Gijs
Blocks: 1608415

(In reply to Oana Pop-Rus from comment #3)

Backed out changeset b80ab0927b40 (bug 1596360) for dt failures in DOMSecurityMonitor.cpp

Seems like I forgot to allowlist react-dom.js :-(

Flags: needinfo?(ckerschb)
Pushed by btara@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/830e263d8fca Monitor the fragment parser in chrome code and in about: pages and assert that no new calls e.g. to innerHTML and friends can be introduced. r=jkt,Gijs

https://hg.mozilla.org/mozilla-central/rev/830e263d8fca

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox74: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
See Also: → 1608872
Regressions: 1637288
  // check if there is a JS caller, if not, then we can can return early here
  // because we only care about calls to the fragment parser (e.g. innerHTML)
  // originating from JS code.
  nsAutoString filename;
  uint32_t lineNum = 0;
  uint32_t columnNum = 0;
  JSContext* cx = nsContentUtils::GetCurrentJSContext();
  if (!nsJSUtils::GetCallingLocation(cx, filename, &lineNum, &columnNum)) {
    return;
  }

I think other similar callers null-check cx here (it can definitely be null).

(I've since worked out how to avoid that scenario.)

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: