Add TrustedTypes sink annotations to bom.js and dom.js

Summary: As a follow up to D46007012, this diff modifies the type declarations of XSS DOM sinks to accept Trusted Type objects as well. Annoyingly, the spec does not fully enumerate the list of sensitive surfaces. I took some hints from microsoft/TypeScript-DOM-lib-generator#1246 and manual inspection, but left out some of the more ambiguous hints. Changelog: [new] Updated dom libdefs to allow Trusted Type objects Reviewed By: SamChou19815 Differential Revision: D46085621 fbshipit-source-id: d10bf667849560319ad69edc639090a9ddd35f9f
facebook · May 26, 2023 · fe42c21 · fe42c21
1 parent 5555259
commit fe42c21
Show file tree

Hide file tree

Showing 7 changed files with 626 additions and 490 deletions.
diff --git a/lib/bom.js b/lib/bom.js
@@ -571,7 +571,7 @@ declare var location: Location;
 ///////////////////////////////////////////////////////////////////////////////
 
 declare class DOMParser {
-    parseFromString(source: string, mimeType: string): Document;
+    parseFromString(source: string | TrustedHTML, mimeType: string): Document;
 }
 
 type FormDataEntryValue = string | File
@@ -836,7 +836,7 @@ type WorkerOptions = {
 }
 
 declare class Worker extends EventTarget {
-    constructor(stringUrl: string, workerOptions?: WorkerOptions): void;
+    constructor(stringUrl: string | TrustedScriptURL, workerOptions?: WorkerOptions): void;
     onerror: null | (ev: any) => mixed;
     onmessage: null | (ev: MessageEvent) => mixed;
     onmessageerror: null | (ev: MessageEvent) => mixed;
@@ -845,20 +845,20 @@ declare class Worker extends EventTarget {
 }
 
 declare class SharedWorker extends EventTarget {
-    constructor(stringUrl: string, name?: string): void;
-    constructor(stringUrl: string, workerOptions?: WorkerOptions): void;
+    constructor(stringUrl: string | TrustedScriptURL, name?: string): void;
+    constructor(stringUrl: string | TrustedScriptURL, workerOptions?: WorkerOptions): void;
     port: MessagePort;
     onerror: (ev: any) => mixed;
 }
 
-declare function importScripts(...urls: Array<string>): void;
+declare function importScripts(...urls: Array<string | TrustedScriptURL>): void;
 
 declare class WorkerGlobalScope extends EventTarget {
     self: this;
     location: WorkerLocation;
     navigator: WorkerNavigator;
     close(): void;
-    importScripts(...urls: Array<string>): void;
+    importScripts(...urls: Array<string | TrustedScriptURL>): void;
     onerror: (ev: any) => mixed;
     onlanguagechange: (ev: any) => mixed;
     onoffline: (ev: any) => mixed;

diff --git a/lib/dom.js b/lib/dom.js
@@ -152,7 +152,10 @@ declare interface CustomElementRegistry {
 declare interface ShadowRoot extends DocumentFragment {
   +delegatesFocus: boolean;
   +host: Element;
-  innerHTML: string;
+  // flowlint unsafe-getters-setters:off
+  get innerHTML(): string;
+  set innerHTML(value: string | TrustedHTML): void;
+  // flowlint unsafe-getters-setters:error
   +mode: ShadowRootMode;
 }
 
@@ -1323,8 +1326,8 @@ declare class Document extends Node {
   styleSheets: StyleSheetList;
   title: string;
   visibilityState: 'visible' | 'hidden' | 'prerender' | 'unloaded';
-  write(...content: Array<string>): void;
-  writeln(...content: Array<string>): void;
+  write(...content: Array<string | TrustedHTML>): void;
+  writeln(...content: Array<string | TrustedHTML>): void;
   xmlEncoding: string;
   xmlStandalone: boolean;
   xmlVersion: string;
@@ -1673,7 +1676,7 @@ declare class Range { // extension
   setStartAfter(refNode: Node): void;
   extractContents(): DocumentFragment;
   setEndAfter(refNode: Node): void;
-  createContextualFragment(fragment: string): DocumentFragment;
+  createContextualFragment(fragment: string | TrustedHTML): DocumentFragment;
   intersectsNode(refNode: Node): boolean;
   isPointInRange(refNode: Node, offset: number): boolean;
   static END_TO_END: number;
@@ -1718,11 +1721,17 @@ declare class Element extends Node implements Animatable {
   clientTop: number;
   clientWidth: number;
   id: string;
-  innerHTML: string;
+  // flowlint unsafe-getters-setters:off
+  get innerHTML(): string;
+  set innerHTML(value: string | TrustedHTML): void;
+  // flowlint unsafe-getters-setters:error
   localName: string;
   namespaceURI: ?string;
   nextElementSibling: ?Element;
-  outerHTML: string;
+  // flowlint unsafe-getters-setters:off
+  get outerHTML(): string;
+  set outerHTML(value: string | TrustedHTML): void;
+  // flowlint unsafe-getters-setters:error
   prefix: string | null;
   previousElementSibling: ?Element;
   scrollHeight: number;
@@ -1857,7 +1866,7 @@ declare class Element extends Node implements Animatable {
   hasAttributeNS(namespaceURI: string | null, localName: string): boolean;
   hasAttributes(): boolean;
   insertAdjacentElement(position: 'beforebegin' | 'afterbegin' | 'beforeend' | 'afterend', element: Element): void;
-  insertAdjacentHTML(position: 'beforebegin' | 'afterbegin' | 'beforeend' | 'afterend', html: string): void;
+  insertAdjacentHTML(position: 'beforebegin' | 'afterbegin' | 'beforeend' | 'afterend', html: string | TrustedHTML): void;
   insertAdjacentText(position: 'beforebegin' | 'afterbegin' | 'beforeend' | 'afterend', text: string): void;
   matches(selector: string): boolean;
   releasePointerCapture(pointerId: number): void;
@@ -2047,7 +2056,10 @@ declare class HTMLElement extends Element {
   dropzone: any;
   hidden: boolean;
   id: string;
-  innerHTML: string;
+  // flowlint unsafe-getters-setters:off
+  get innerHTML(): string;
+  set innerHTML(value: string | TrustedHTML): void;
+  // flowlint unsafe-getters-setters:error
   isContentEditable: boolean;
   itemProp: any;
   itemScope: boolean;
@@ -3393,7 +3405,10 @@ declare class HTMLIFrameElement extends HTMLElement {
   scrolling: string;
   sandbox: DOMTokenList;
   src: string;
-  srcdoc: string;
+  // flowlint unsafe-getters-setters:off
+  get srcdoc(): string;
+  set srcdoc(value: string | TrustedHTML): void;
+  // flowlint unsafe-getters-setters:error
   width: string;
 }
 
@@ -3887,8 +3902,12 @@ declare class HTMLScriptElement extends HTMLElement {
   charset: string;
   crossOrigin?: string;
   defer: boolean;
-  src: string;
-  text: string;
+  // flowlint unsafe-getters-setters:off
+  get src(): string;
+  set src(value: string | TrustedScriptURL): void;
+  get text(): string;
+  set text(value: string | TrustedScript): void;
+  // flowlint unsafe-getters-setters:error
   type: string;
 }
 

diff --git a/lib/serviceworkers.js b/lib/serviceworkers.js
@@ -163,7 +163,7 @@ declare class ServiceWorkerContainer extends EventTarget {
   getRegistration(clientURL?: string): Promise<ServiceWorkerRegistration | void>,
   getRegistrations(): Promise<Iterator<ServiceWorkerRegistration>>,
   register(
-    scriptURL: string,
+    scriptURL: string | TrustedScriptURL,
     options?: RegistrationOptions
   ): Promise<ServiceWorkerRegistration>,
   startMessages(): void,

diff --git a/tests/bom/bom.exp b/tests/bom/bom.exp
@@ -23,8 +23,8 @@ with `HTMLFormElement` [2]. [incompatible-call]
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 References:
-   <BUILTINS>/dom.js:1125:70
-   1125|   createElement(tagName: 'input', options?: ElementCreationOptions): HTMLInputElement;
+   <BUILTINS>/dom.js:1128:70
+   1128|   createElement(tagName: 'input', options?: ElementCreationOptions): HTMLInputElement;
                                                                               ^^^^^^^^^^^^^^^^ [1]
    <BUILTINS>/bom.js:580:24
     580|     constructor(form?: HTMLFormElement): void;