Closed
Bug 1600317
Opened 6 years ago
Closed 6 years ago
Add workaround for denying non-CDP methods to be called
Categories
(Remote Protocol :: Agent, task, P1)
Tracking
(firefox73 fixed)
RESOLVED
FIXED
People
(Reporter: whimboo, Assigned: whimboo)
References
(Blocks 1 open bug)
Details
(Whiteboard: [puppeteer-alpha])
Attachments
(1 file)
Right now we allow all the methods on a domain to be called. Until we have the JSON schema validation in place, we agreed to deny calling methods with a _ prefix.
Comment 1•6 years ago (Assignee)
Note that this will also prevent internal inconsistencies caused by calling private/protected methods, and improve the security of the agent.
Assignee: nobody → hskupin
Blocks: 1595727
Status: NEW → ASSIGNED
Priority: P3 → P1
Whiteboard: [puppeteer-alpha-reserve]
Comment 2•6 years ago (Assignee)
As long as we do not validate incoming messages against the
Chrome DevTools JSON schema, all incoming commands would be
executed. To prevent clients from changing internal data by
calling internal commands (prefixed with "_"), deny their
execution.
Pushed by hskupin@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fe56894c5e11
[remote] Deny internal methods to be called. r=remote-protocol-reviewers,maja_zf
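The workaround discussed in this bug, sketched as an added example (not the patch that landed and not the remote agent's own code): a dispatcher that refuses "_"-prefixed methods before executing anything. The `Page` domain, `dispatch`, `fail` and the error strings are constructed for illustration, and the own-method check goes one step beyond the prefix rule described here.

```javascript
// Constructed domain for illustration; not the Firefox remote agent's code.
class Page {
  constructor() {
    this._url = "about:blank";
  }
  // Public command that clients are meant to call.
  navigate({ url }) {
    this._url = url;
    return { url: this._url };
  }
  // Internal helper: changes state and must not be reachable from the wire.
  _setUrlUnchecked({ url }) {
    this._url = url;
    return {};
  }
}

const domains = new Map([["Page", new Page()]]);

function fail(id, message) {
  return { id, error: { message } };
}

// Handle one incoming JSON message and return the response object.
function dispatch(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return fail(null, "Invalid JSON");
  }
  if (msg === null || typeof msg !== "object") return fail(null, "Invalid message");
  const id = msg.id === undefined ? null : msg.id;
  if (typeof msg.method !== "string") return fail(id, "Missing method");
  const [domainName, command, ...rest] = msg.method.split(".");
  const domain = domains.get(domainName);
  if (!domain || !command || rest.length > 0) return fail(id, "Unknown method");
  // The workaround from this bug: refuse any "_"-prefixed method.
  if (command.startsWith("_")) return fail(id, "Method not allowed");
  // Added check (assumption, not from the bug): only methods defined on the
  // domain class itself, so inherited members such as toString are refused.
  const proto = Object.getPrototypeOf(domain);
  const own = Object.prototype.hasOwnProperty.call(proto, command);
  if (!own || command === "constructor" || typeof proto[command] !== "function") {
    return fail(id, "Unknown method");
  }
  return { id, result: domain[command](msg.params || {}) };
}
```

The prefix check runs before any property lookup, so names such as `__proto__` are rejected on the same path as `_setUrlUnchecked`.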
Comment 4•6 years ago (bugherder)
Updated•6 years ago
Whiteboard: [puppeteer-alpha-reserve] → [puppeteer-alpha]