Closed
Bug 522722
Opened 15 years ago
Closed 15 years ago
Add test for new Function() to add-on validation
Categories
(addons.mozilla.org Graveyard :: Developer Pages, enhancement, P5)
addons.mozilla.org Graveyard
Developer Pages
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 518439
5.4
People
(Reporter: Gijs, Assigned: rjwalsh)
Details
Copied from my mail to amo-editors: Especially authors not very aware of the security risks use it as a shortcut to manipulate webpage content more easily - and then end up with gaping security holes in their code. It's possible it would be nice to have a similar check for unwrapping such wrappers and using the unwrapped object, which tends to have the same problem (IIRC it's "wrappedJSObject", although I'm not 100% sure if that's correct, and more importantly, there are a lot of other wrappers where one needs to access that property, and just using it does not necessarily mean there is unsafe access going on, depends where the object in question is coming from etc.). So, to be clear, we can test all their files for wrappedJSObject and/or similar, and test chrome.manifest specifically for "xpcnativewrappers=no" instructions (where you may want to be generous about whitespace).
Comment 1•15 years ago
|
||
Looks like we already are: http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/components/validation.php?view=markup $unsafePatterns = array('/nsIProcess/', '/\.launch\s*\(/', '/\beval\s*\(/', '/\bsetInterval\s*\(/', '/\bsetTimeout\s*\(/', '/<browser\s*(?![^<>]*type=["\'])[^<>]*>/i', '/<iframe\s*(?![^<>]*type=["\'])[^<>]*>/i', '/xpcnativewrappers=/', '/evalInSandbox/', '/mozIJSSubscriptLoader/', '/wrappedJSObject/'); Is something else needed here?
Comment 2•15 years ago
|
||
Looks good to me, CCing mrbkap to see if anything else comes to mind.
Comment 3•15 years ago
|
||
Only thing I can think of is the Function constructor (called either as |new Function()| or simply |Function()|)?
Reporter | ||
Comment 4•15 years ago
|
||
(In reply to comment #1) > Looks like we already are: > > http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/components/validation.php?view=markup Uhm, https://addons.mozilla.org/en-US/developers/versions/validate/81168#test-results-67077 shows passes only, but https://addons.mozilla.org/en-US/firefox/files/browse/67077/1 has an xpcnativewrappers=no line in its chrome.manifest... Maybe chrome.manifest isn't actually checked for this regex?
Reporter | ||
Comment 5•15 years ago
|
||
(In reply to comment #4) > (In reply to comment #1) > > Looks like we already are: > > > > http://viewvc.svn.mozilla.org/vc/addons/trunk/site/app/controllers/components/validation.php?view=markup > > Uhm, > https://addons.mozilla.org/en-US/developers/versions/validate/81168#test-results-67077 > shows passes only, but > https://addons.mozilla.org/en-US/firefox/files/browse/67077/1 has an > xpcnativewrappers=no line in its chrome.manifest... > > Maybe chrome.manifest isn't actually checked for this regex? Ugh, except apparently those results were old - they should state if they were done using a different version of the add-on! :-\
Reporter | ||
Comment 6•15 years ago
|
||
Updating the summary per comment #3.
Summary: Add test for xpcnativewrappers and/or wrappedJSObject to add-on validation → Add test for new Function() to add-on validation
Comment 7•15 years ago
|
||
Thanks Gijs. RJ is going to be in that file anyway this week, so I'll assign to him. RJ - if you could add this check to the tests that would be awesome. P5 though, so don't stress about it. Also, to address comment 5, test results are deleted daily so old results shouldn't be a problem anymore.
Assignee: nobody → rjbuild1088
Priority: -- → P5
Target Milestone: --- → 5.4
Reporter | ||
Comment 8•15 years ago
|
||
(In reply to comment #7) > Also, to address comment 5, test results are deleted daily so old results > shouldn't be a problem anymore. This is really a bit of a sideshow, but just out of interest - any reason they can't be auto-regenerated once a new XPI is uploaded? That seems like the most "natural" way to get up-to-date info for any nomination/update.
Comment 9•15 years ago
|
||
The comments in bug 523888 can shed some light into why the current test result caching works this way.
Assignee | ||
Comment 10•15 years ago
|
||
Unless I'm totally missing something here, this appears to be resolved in bug 518439 ?
Comment 11•15 years ago
|
||
RJ brings up a good point
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
|
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•