[XSS Auditor] Extract attribute truncation logic and formalize string…

… canonicalization https://bugs.webkit.org/show_bug.cgi?id=152874 Reviewed by Brent Fulgham. Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>): <https://src.chromium.org/viewvc/blink?revision=176339&view=revision> Extract the src-like and script-like attribute truncation logic into independent functions towards making it more straightforward to re-purpose this logic. Additionally, formalize the concept of string canonicalization as a member function that consolidates the process of decoding URL escape sequences, truncating the decoded string (if applicable), and removing characters that are considered noise. * html/parser/XSSAuditor.cpp: (WebCore::truncateForSrcLikeAttribute): Extracted from XSSAuditor::decodedSnippetForAttribute(). (WebCore::truncateForScriptLikeAttribute): Ditto. (WebCore::XSSAuditor::init): Write in terms of XSSAuditor::canonicalize(). (WebCore::XSSAuditor::filterCharacterToken): Updated to make use of formalized canonicalization methods. (WebCore::XSSAuditor::filterScriptToken): Ditto. (WebCore::XSSAuditor::filterObjectToken): Ditto. (WebCore::XSSAuditor::filterParamToken): Ditto. (WebCore::XSSAuditor::filterEmbedToken): Ditto. (WebCore::XSSAuditor::filterAppletToken): Ditto. (WebCore::XSSAuditor::filterFrameToken): Ditto. (WebCore::XSSAuditor::filterInputToken): Ditto. (WebCore::XSSAuditor::filterButtonToken): Ditto. (WebCore::XSSAuditor::eraseDangerousAttributesIfInjected): Ditto. (WebCore::XSSAuditor::eraseAttributeIfInjected): Updated code to use early return style and avoid an unnecessary string comparison when we know that a src attribute was injected. (WebCore::XSSAuditor::canonicalizedSnippetForTagName): Renamed; formerly known as XSSAuditor::decodedSnippetForName(). Updated to make use of XSSAuditor::canonicalize(). (WebCore::XSSAuditor::snippetFromAttribute): Renamed; formerly known as XSSAuditor::decodedSnippetForAttribute(). Moved truncation logic from here to WebCore::truncateFor{Script, Src}LikeAttribute. (WebCore::XSSAuditor::canonicalize): Added. (WebCore::XSSAuditor::canonicalizedSnippetForJavaScript): Added. (WebCore::canonicalize): Deleted. (WebCore::XSSAuditor::decodedSnippetForName): Deleted. (WebCore::XSSAuditor::decodedSnippetForAttribute): Deleted. (WebCore::XSSAuditor::decodedSnippetForJavaScript): Deleted. * html/parser/XSSAuditor.h: Define enum class for the various attribute truncation styles. Canonical link: https://commits.webkit.org/171197@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@195074 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Jan 14, 2016 · dc55119e25f55e9e69c4e60cda496d048ebb0838 · dc55119
1 parent a0c7fd9
commit dc55119e25f55e9e69c4e60cda496d048ebb0838
Showing with 159 additions and 104 deletions.

+44 −0 Source/WebCore/ChangeLog

+108 −98 Source/WebCore/html/parser/XSSAuditor.cpp

+7 −6 Source/WebCore/html/parser/XSSAuditor.h
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,47 @@
+2016-01-14  Daniel Bates  <dabates@apple.com>
+
+        [XSS Auditor] Extract attribute truncation logic and formalize string canonicalization
+        https://bugs.webkit.org/show_bug.cgi?id=152874
+
+        Reviewed by Brent Fulgham.
+
+        Derived from Blink patch (by Tom Sepez <tsepez@chromium.org>):
+        <https://src.chromium.org/viewvc/blink?revision=176339&view=revision>
+
+        Extract the src-like and script-like attribute truncation logic into independent functions
+        towards making it more straightforward to re-purpose this logic. Additionally, formalize the
+        concept of string canonicalization as a member function that consolidates the process of
+        decoding URL escape sequences, truncating the decoded string (if applicable), and removing
+        characters that are considered noise.
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::truncateForSrcLikeAttribute): Extracted from XSSAuditor::decodedSnippetForAttribute().
+        (WebCore::truncateForScriptLikeAttribute): Ditto.
+        (WebCore::XSSAuditor::init): Write in terms of XSSAuditor::canonicalize().
+        (WebCore::XSSAuditor::filterCharacterToken): Updated to make use of formalized canonicalization methods.
+        (WebCore::XSSAuditor::filterScriptToken): Ditto.
+        (WebCore::XSSAuditor::filterObjectToken): Ditto.
+        (WebCore::XSSAuditor::filterParamToken): Ditto.
+        (WebCore::XSSAuditor::filterEmbedToken): Ditto.
+        (WebCore::XSSAuditor::filterAppletToken): Ditto.
+        (WebCore::XSSAuditor::filterFrameToken): Ditto.
+        (WebCore::XSSAuditor::filterInputToken): Ditto.
+        (WebCore::XSSAuditor::filterButtonToken): Ditto.
+        (WebCore::XSSAuditor::eraseDangerousAttributesIfInjected): Ditto.
+        (WebCore::XSSAuditor::eraseAttributeIfInjected): Updated code to use early return style and avoid an unnecessary string
+        comparison when we know that a src attribute was injected.
+        (WebCore::XSSAuditor::canonicalizedSnippetForTagName): Renamed; formerly known as XSSAuditor::decodedSnippetForName(). Updated
+        to make use of XSSAuditor::canonicalize().
+        (WebCore::XSSAuditor::snippetFromAttribute): Renamed; formerly known as XSSAuditor::decodedSnippetForAttribute(). Moved
+        truncation logic from here to WebCore::truncateFor{Script, Src}LikeAttribute.
+        (WebCore::XSSAuditor::canonicalize): Added.
+        (WebCore::XSSAuditor::canonicalizedSnippetForJavaScript): Added.
+        (WebCore::canonicalize): Deleted.
+        (WebCore::XSSAuditor::decodedSnippetForName): Deleted.
+        (WebCore::XSSAuditor::decodedSnippetForAttribute): Deleted.
+        (WebCore::XSSAuditor::decodedSnippetForJavaScript): Deleted.
+        * html/parser/XSSAuditor.h: Define enum class for the various attribute truncation styles.
+
 2016-01-14  Daniel Bates  <dabates@apple.com>
 
         [XSS Auditor] Partial bypass when web server collapses path components