From 962cfda0b70008bf39587a2fe9defb1422487652 Mon Sep 17 00:00:00 2001 From: hackademix Date: Sun, 30 Jan 2022 00:34:14 +0100 Subject: [PATCH 01/14] [XSS] Fix false positive on Microsoft authentication (thanks GrK and Hanna_Payne for reporting). --- src/xss/InjectionChecker.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js index 0f3a250..9b72797 100644 --- a/src/xss/InjectionChecker.js +++ b/src/xss/InjectionChecker.js @@ -886,7 +886,7 @@ XSS.InjectionChecker = (async () => { l = l.replace(/[^=]*=\s*/i, '').replace(/[\u0000-\u001f]/g, ''); l = /^["']/.test(l) ? l.replace(/^(['"])([^]*?)\1[^]*/g, '$2') : l.replace(/[\s>][^]*/, ''); - if (/^(?:javascript|data):|\[[^]+\]/i.test(l) || /[<'"(]/.test(unescape(l)) && await this.checkUrl(l)) return true; + if (/^(?:javascript|data):/i.test(l) || /[<'"([]/.test(unescape(l)) && await this.checkUrl(l)) return true; } } return this._rxCheck("HTML", s) || this._rxCheck("Globals", s); From 8c65f84c4650674935c81e9eadd6ffbe49a25b08 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 31 Jan 2022 00:12:29 +0100 Subject: [PATCH 02/14] Version bump: 11.2.16rc4. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index d90d2e1..8492349 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.16rc3", + "version": "11.2.16rc4", "description": "__MSG_Description__", "incognito": "spanning", From 197061b82f25d3754a762a562e7e120f0c96d3c1 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 31 Jan 2022 00:13:08 +0100 Subject: [PATCH 03/14] [nscl] Mitigate side effects of dead objects on patched windows during extension updates. --- src/nscl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nscl b/src/nscl index e8efe68..b6e5023 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit e8efe68bbdaa458fab7a16c665262422ea508119 +Subproject commit b6e50234c5a22b687d425bbc43f9477fb2098f0b From 49959aa1087813791165903a5fd6f2c16b071492 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 31 Jan 2022 08:54:59 +0100 Subject: [PATCH 04/14] Version bump: 11.2.16rc5. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 8492349..e228f94 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.16rc4", + "version": "11.2.16rc5", "description": "__MSG_Description__", "incognito": "spanning", From 0ff532072565539593a109a12019f2e9443426fc Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 31 Jan 2022 17:15:46 +0100 Subject: [PATCH 05/14] [XSS] Interactive testing made a bit easier. --- src/bg/main.js | 10 ++++++++++ src/manifest.json | 1 - 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/bg/main.js b/src/bg/main.js index d589387..7dca693 100644 --- a/src/bg/main.js +++ b/src/bg/main.js @@ -309,6 +309,16 @@ include("/test/run.js"); }, + async testIC(callbackOrUrl) { + await include("xss/InjectionChecker.js"); + let IC = await XSS.InjectionChecker; + let ic = new IC(); + ic.logEnabled = true; + return (typeof callbackOrUrl === "function") + ? await callbackOrUrl(ic) + : ic.checkUrl(callbackOrUrl); + }, + async savePolicy() { if (this.policy) { await Storage.set("sync", { diff --git a/src/manifest.json b/src/manifest.json index e228f94..3b4697c 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -51,7 +51,6 @@ "/nscl/common/Permissions.js", "/nscl/common/Policy.js", "/nscl/common/locale.js", - "/nscl/common/SyntaxChecker.js", "/nscl/common/Storage.js", "/nscl/common/include.js", "/nscl/service/DocStartInjection.js", From 24317964a65e9d01269fb0af8565155020ff1d63 Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 31 Jan 2022 17:16:52 +0100 Subject: [PATCH 06/14] Fallback to synchronous policy fetching if the document is already loaded (e.g. on updates). --- src/content/staticNS.js | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/src/content/staticNS.js b/src/content/staticNS.js index ca82384..01b9870 100644 --- a/src/content/staticNS.js +++ b/src/content/staticNS.js @@ -86,14 +86,18 @@ debug("Fetching policy for actual URL %s (was %s)", url, document.URL); } - debug(`Synchronously fetching policy for ${url}.`); if (this.syncFetchPolicy) { // extra hops to ensure that scripts don't run when CSP has not been set through HTTP headers this.syncFetchPolicy(); } else { - this.setup( - browser.runtime.sendSyncMessage({id: "fetchPolicy", url, contextUrl: url}) - ); + let msg = {id: "fetchPolicy", url, contextUrl: url}; + if (document.readyState === "complete") { + // no point fetching synchronously, since the document is already loaded (hot extension update?) + (async () => this.setup(await browser.runtime.sendMessage(msg)))(); + } else { + debug(`Synchronously fetching policy for ${url}.`); + this.setup(browser.runtime.sendSyncMessage(msg)); + } } }, From e997dcbd95c88ba25b93cd1d1c8e2ff2ad9b1e0e Mon Sep 17 00:00:00 2001 From: hackademix Date: Mon, 31 Jan 2022 18:49:01 +0100 Subject: [PATCH 07/14] Version bump: 11.2.16. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 3b4697c..e436595 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.16rc5", + "version": "11.2.16", "description": "__MSG_Description__", "incognito": "spanning", From b05e12a8e2f4c5e04c075cee01f6bf007fd43ed7 Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 3 Feb 2022 11:46:26 +0100 Subject: [PATCH 08/14] Version bump: 11.2.18rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index e436595..b9992a9 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.16", + "version": "11.2.18rc1", "description": "__MSG_Description__", "incognito": "spanning", From 8b0efc3e071d3103c96555b5cbb1a263dc6c368d Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 3 Feb 2022 11:50:28 +0100 Subject: [PATCH 09/14] [nscl] Use HTTPS SyncMessage endpoint for Chromium too (works around lack of file access by default on packed extensions breaking NoScript). --- src/nscl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/nscl b/src/nscl index b6e5023..1f5b1bb 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit b6e50234c5a22b687d425bbc43f9477fb2098f0b +Subproject commit 1f5b1bbe32d808270854cb4f0e3b3af8fa8af3d7 From 5600c9d5cc08146c23ddb5eebe3e5a707b11abee Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 3 Feb 2022 11:51:36 +0100 Subject: [PATCH 10/14] Version bump: 11.2.18. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index b9992a9..953c1f4 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.18rc1", + "version": "11.2.18", "description": "__MSG_Description__", "incognito": "spanning", From 942510f03578375fa5fffd376307493e966fbe2f Mon Sep 17 00:00:00 2001 From: hackademix Date: Thu, 3 Feb 2022 22:00:11 +0100 Subject: [PATCH 11/14] Version bump: 11.2.19rc1. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 953c1f4..44903ed 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.18", + "version": "11.2.19rc1", "description": "__MSG_Description__", "incognito": "spanning", From d6b62766d18fa63f90ef32aa40383cfc0ed9a802 Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 4 Feb 2022 00:17:05 +0100 Subject: [PATCH 12/14] [XSS] More resilient name handling. --- src/nscl | 2 +- src/xss/XSS.js | 12 ++++++++---- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/src/nscl b/src/nscl index 1f5b1bb..fa49ecb 160000 --- a/src/nscl +++ b/src/nscl @@ -1 +1 @@ -Subproject commit 1f5b1bbe32d808270854cb4f0e3b3af8fa8af3d7 +Subproject commit fa49ecb52140aa80db30a7fa834f6358acc94a13 diff --git a/src/xss/XSS.js b/src/xss/XSS.js index 89e69fd..1878af0 100644 --- a/src/xss/XSS.js +++ b/src/xss/XSS.js @@ -118,10 +118,14 @@ var XSS = (() => { if (reasons.protectName) { await include("/nscl/service/ContentScriptOnce.js"); - await ContentScriptOnce.execute(request, { - js: [{file: "/xss/sanitizeName.js"}], - }); - if (!block) return ALLOW; + try { + await ContentScriptOnce.execute(request, { + js: [{file: "/xss/sanitizeName.js"}], + }); + if (!block) return ALLOW; + } catch (e) { + error(e, "Sanitizing name in request", request.url); + } } if (reasons.urlInjection) data.push(`(URL) ${unescapedDest}`); if (reasons.postInjection) data.push(`(POST) ${reasons.postInjection}`); From 25cd549da9d7d5350bbbbe6ee6c8bbc5b8f6b5af Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 4 Feb 2022 00:18:15 +0100 Subject: [PATCH 13/14] [XSS] Faster invalidCharsRx initialization on Gecko 78 and above. --- src/test/XSS_test.js | 20 ++++++++++++-------- src/xss/InjectionChecker.js | 10 +++++++++- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/test/XSS_test.js b/src/test/XSS_test.js index e2da8d7..e909ff4 100644 --- a/src/test/XSS_test.js +++ b/src/test/XSS_test.js @@ -21,7 +21,7 @@ if (UA.isMozilla) { let y = async (url, originUrl = '') => await XSS.test({originUrl, url, method: "GET"}); let n = async (...args) => !await y(...args); - Promise.all([ + let xssTest = Promise.all([ () => y("https://noscript.net/ n("https://noscript.net/ y("https://vulnerabledoma.in/char_test?body=%80%3Cscript%3Ealert(1)%3C/script%3E"), @@ -32,25 +32,25 @@ if (UA.isMozilla) { () => y("https://vulnerabledoma.in/xss_link?url=javascript%26colo%00n%3Balert%u00281%29"), () => y("https://vulnerabledoma.in/xss_link?url=javascript:\\u{%0A6e}ame"), ].map(t => Test.run(t)) - ).then(() => Test.report()); + ); let invalidCharsTest = async () => { await include("xss/InjectionChecker.js"); let IC = await XSS.InjectionChecker; let rx = new IC().invalidCharsRx; - + console.log("Testing invalidCharsRx", rx); let x = n => '\\u' + ("0000" + n.toString(16)).slice(-4); function check(ch) { - eval(`{let _${ch}_}`); + Function(`let _${ch}_`); } let cur = 0x7e; let fail = false; - while (cur++ < 0xffff) { + while (cur++ < 0xffff && !fail) { let ch = String.fromCharCode(cur); try { check(ch); - if (tx.test(ch)) { + if (rx.test(ch)) { console.error(x(cur) + " should not test invalid!"); fail = true; } @@ -64,6 +64,10 @@ if (UA.isMozilla) { } return !fail; }; - - Test.run(invalidCharsTest, "InjectionChecker.invalidCharsRx").then(Test.report()); + (async () => { + await xssTest; + Test.report(); + await Test.run(invalidCharsTest, "InjectionChecker.invalidCharsRx"); + Test.report(); + })(); } diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js index 9b72797..1463443 100644 --- a/src/xss/InjectionChecker.js +++ b/src/xss/InjectionChecker.js @@ -526,7 +526,15 @@ XSS.InjectionChecker = (async () => { }, get invalidCharsRx() { - let value = new RegExp("^[^\"'`/<>]*[" + this._createInvalidRanges() + "]"); + let preamble = "^[^\"'`/<>]*"; + let value; + try { + // see https://mathiasbynens.be/notes/javascript-identifiers-es6#acceptable-unicode-symbols + value = new RegExp(preamble + "[^$_\\p{ID_Start}\\p{ID_Continue}\\u200c\\u200d\\u2028\\u2029]", "u"); + } catch (e) { + // Unicode entities are not supported in Gecko <= 77 + value = new RegExp(preamble + `[${this._createInvalidRanges()}]`, "u"); + } Object.defineProperty(Object.getPrototypeOf(this), 'invalidCharsRx', {value}); return value; }, From f2b413db05f61d6cc809a85f49f9cfc9f0d89732 Mon Sep 17 00:00:00 2001 From: hackademix Date: Fri, 4 Feb 2022 12:25:46 +0100 Subject: [PATCH 14/14] Version bump: 11.2.19. --- src/manifest.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/manifest.json b/src/manifest.json index 44903ed..d435141 100644 --- a/src/manifest.json +++ b/src/manifest.json @@ -8,7 +8,7 @@ "strict_min_version": "59.0" } }, - "version": "11.2.19rc1", + "version": "11.2.19", "description": "__MSG_Description__", "incognito": "spanning",