Mirrors
/
noscript
mirror of https://github.com/hackademix/noscript.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[XSS] Fixed false positives and timeouts (thanks riaggren for report).

This commit is contained in:
hackademix 2020-04-19 23:43:28 +02:00
parent 97c7cc74f3
commit 1e01979e41
3 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/bg/main.js
View File

@ -296,7 +296,7 @@
async collectSeen(tabId) { async collectSeen(tabId) {
try { try {
let seen = Array.from(await Messages.send("collect", {}, {tabId, frameId: 0})); let seen = Array.from(await Messages.send("collect", {uiid: ns.local.uiid}, {tabId, frameId: 0}));
debug("Collected seen", seen); debug("Collected seen", seen);
return seen; return seen;
} catch (e) { } catch (e) {

2
src/xss/InjectionCheckWorker.js
View File

@ -74,7 +74,7 @@ Entities = {
if (msg.handler in Handlers) try { if (msg.handler in Handlers) try {
await Handlers[msg.handler](msg); await Handlers[msg.handler](msg);
} catch (e) { } catch (e) {
postMessage({error: e}); postMessage({error: e.message});
} }
} }

8
src/xss/InjectionChecker.js
View File

@ -327,7 +327,7 @@ XSS.InjectionChecker = (async () => {
_assignmentRx: /^(?:[^()="'\s]+=(?:[^(='"\[+]+|[?a-zA-Z_0-9;,&=/]+|[\d.|]+))$/, _assignmentRx: /^(?:[^()="'\s]+=(?:[^(='"\[+]+|[?a-zA-Z_0-9;,&=/]+|[\d.|]+))$/,
_badRightHandRx: /=[\s\S]*(?:_QS_\b|[|.][\s\S]*source\b|<[\s\S]*\/[^>]*>)/, _badRightHandRx: /=[\s\S]*(?:_QS_\b|[|.][\s\S]*source\b|<[\s\S]*\/[^>]*>)/,
_wikiParensRx: /^(?:[\w.|-]+\/)*\(*[\w\s-]+\([\w\s-]+\)[\w\s-]*\)*$/, _wikiParensRx: /^(?:[\w.|-]+\/)*\(*[\w\s-]+\([\w\s-]+\)[\w\s-]*\)*$/,
_neutralDotsRx: /(?:^|[\/;&#])[\w-]+\.[\w-]+[\?;\&#]/g, _neutralDotsOrParensRx: /(?:^|[\/;&#])(?:[\w-]+\.[\w-]+[\?;\&#]|[\s\d]*\()/g,
_openIdRx: /^scope=(?:\w+\+)\w/, // OpenID authentication scope parameter, see http://forums.informaction.com/viewtopic.php?p=69851#p69851 _openIdRx: /^scope=(?:\w+\+)\w/, // OpenID authentication scope parameter, see http://forums.informaction.com/viewtopic.php?p=69851#p69851
_gmxRx: /\$\(clientName\)-\$\(dataCenter\)\.(\w+\.)+\w+/, // GMX webmail, see http://forums.informaction.com/viewtopic.php?p=69700#p69700 _gmxRx: /\$\(clientName\)-\$\(dataCenter\)\.(\w+\.)+\w+/, // GMX webmail, see http://forums.informaction.com/viewtopic.php?p=69700#p69700
@ -354,7 +354,7 @@ XSS.InjectionChecker = (async () => {
return this._singleAssignmentRx.test(expr) || this._riskyAssignmentRx.test(expr) && this._nameRx.test(expr); return this._singleAssignmentRx.test(expr) || this._riskyAssignmentRx.test(expr) && this._nameRx.test(expr);
return this._riskyParensRx.test(expr) || return this._riskyParensRx.test(expr) ||
this._maybeJSRx.test(expr.replace(this._neutralDotsRx, '')) && this._maybeJSRx.test(expr.replace(this._neutralDotsOrParensRx, '')) &&
!this._wikiParensRx.test(expr); !this._wikiParensRx.test(expr);
}, },
@ -457,7 +457,7 @@ XSS.InjectionChecker = (async () => {
checkLastFunction: function() { checkLastFunction: function() {
var fn = this.syntax.lastFunction; var fn = this.syntax.lastFunction;
if (!fn) return false; if (!fn) return false;
var m = fn.toSource().match(/\{([\s\S]*)\}/); var m = fn.toString().match(/\{([\s\S]*)\}/);
if (!m) return false; if (!m) return false;
var expr = this.stripLiteralsAndComments(m[1]); var expr = this.stripLiteralsAndComments(m[1]);
return /=[\s\S]*cookie|\b(?:setter|document|location|(?:inn|out)erHTML|\.\W*src)[\s\S]*=|[\w$\u0080-\uffff\)\]]\s*[\[\(]/.test(expr) || return /=[\s\S]*cookie|\b(?:setter|document|location|(?:inn|out)erHTML|\.\W*src)[\s\S]*=|[\w$\u0080-\uffff\)\]]\s*[\[\(]/.test(expr) ||
@ -778,7 +778,7 @@ XSS.InjectionChecker = (async () => {
if (ret) { if (ret) {
let msg = "JavaScript Injection in " + s; let msg = "JavaScript Injection in " + s;
if (this.syntax.lastFunction) { if (this.syntax.lastFunction) {
msg += "\n" + this.syntax.lastFunction.toSource(); msg += `\n${this.syntax.lastFunction}`;
} }
this.escalate(msg); this.escalate(msg);
} }