// Rewrite |argObj| in place so that code running in |cx|'s compartment can
// use it without Xray vision.
//
// The object is first stripped of any wrapper. If it already lives in the
// context compartment it is handed back bare. Otherwise a waiver is created
// only when the context compartment subsumes the object's compartment, and
// the (possibly waived) object is then cross-compartment wrapped into |cx|.
//
// The subsumption check is defense in depth: a waiver grants nothing to a
// scope that does not subsume the target, but the transitive waiving
// machinery calls this on every return value of a waived function, and such a
// return value need not be same-origin with the function. Refusing to mint
// waivers the caller could never legitimately use keeps them out of foreign
// hands entirely.
//
// Returns false if creating the waiver or wrapping the result fails.
bool
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, MutableHandleObject argObj)
{
    MOZ_ASSERT(argObj);
    RootedObject unwrapped(cx, js::UncheckedUnwrap(argObj));
    MOZ_ASSERT(!js::IsInnerObject(unwrapped));

    // Same-compartment fast path: nothing to waive and nothing to wrap.
    if (js::IsObjectInContextCompartment(unwrapped, cx)) {
        argObj.set(unwrapped);
        return true;
    }

    JSCompartment *callerCompartment = js::GetContextCompartment(cx);
    JSCompartment *objectCompartment = js::GetObjectCompartment(unwrapped);
    if (AccessCheck::subsumes(callerCompartment, objectCompartment)) {
        unwrapped = WaiveXray(cx, unwrapped);
        if (!unwrapped)
            return false;
    }

    if (!JS_WrapObject(cx, &unwrapped))
        return false;

    argObj.set(unwrapped);
    return true;
}
// DoubleWrap is called from PrepareForWrapping to maintain the state that // we're supposed to waive Xray wrappers for the given on. On entrance, it // expects |cx->compartment != obj->compartment()|. The returned object will // be in the same compartment as |obj|. JSObject * WrapperFactory::DoubleWrap(JSContext *cx, HandleObject obj, unsigned flags) { if (flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG) { JSAutoCompartment ac(cx, obj); return WaiveXray(cx, obj); } return obj; }
// DoubleWrap is called from PrepareForWrapping to maintain the state that // we're supposed to waive Xray wrappers for the given on. On entrance, it // expects |cx->compartment != obj->compartment()|. The returned object will // be in the same compartment as |obj|. JSObject * WrapperFactory::DoubleWrap(JSContext *cx, JSObject *obj, unsigned flags) { if (flags & WrapperFactory::WAIVE_XRAY_WRAPPER_FLAG) { JSAutoEnterCompartment ac; if (!ac.enter(cx, obj)) return nsnull; return WaiveXray(cx, obj); } return obj; }
// Return the Xray waiver wrapper for |obj|, creating it on first use.
//
// The waiver is built inside |obj|'s compartment (entered below) and, when the
// compartment has a CompartmentPrivate, is cached in its waiverWrapperMap so
// that repeated calls for the same object hand back the same waiver. Without
// a CompartmentPrivate a fresh waiver is created on every call.
//
// Returns nsnull on failure (prototype waiver creation, compartment entry,
// proto wrapping, wrapper allocation, or map allocation/insertion).
JSObject *
WrapperFactory::WaiveXray(JSContext *cx, JSObject *obj)
{
    // Strip any existing wrapper so the waiver targets the underlying object.
    obj = UnwrapObject(obj);

    // We have to make sure that if we're wrapping an outer window, that
    // the .wrappedJSObject also wraps the outer window.
    obj = GetCurrentOuter(cx, obj);

    {
        // See if we already have a waiver wrapper for this object.
        CompartmentPrivate *priv =
            (CompartmentPrivate *)JS_GetCompartmentPrivate(js::GetObjectCompartment(obj));
        JSObject *wobj = nsnull;
        if (priv && priv->waiverWrapperMap) {
            wobj = priv->waiverWrapperMap->Find(obj);
            // NOTE(review): called even when Find() returned nsnull — this
            // relies on xpc_UnmarkGrayObject tolerating a null argument.
            xpc_UnmarkGrayObject(wobj);
        }

        // No wrapper yet, make one.
        if (!wobj) {
            // Waive the prototype first so the new waiver's proto is itself a
            // waiver (recursing up the proto chain).
            JSObject *proto = js::GetObjectProto(obj);
            if (proto && !(proto = WaiveXray(cx, proto)))
                return nsnull;

            // The waiver lives in |obj|'s compartment; the proto waiver may be
            // from elsewhere and must be wrapped into that compartment first.
            JSAutoEnterCompartment ac;
            if (!ac.enter(cx, obj) || !JS_WrapObject(cx, &proto))
                return nsnull;
            wobj = Wrapper::New(cx, obj, proto, JS_GetGlobalForObject(cx, obj),
                                &WaiveXrayWrapperWrapper);
            if (!wobj)
                return nsnull;

            // Add the new wrapper so we find it next time.
            if (priv) {
                if (!priv->waiverWrapperMap) {
                    priv->waiverWrapperMap =
                        JSObject2JSObjectMap::newMap(XPC_WRAPPER_MAP_SIZE);
                    // newMap may return null; fail rather than dereference it.
                    if (!priv->waiverWrapperMap)
                        return nsnull;
                }
                if (!priv->waiverWrapperMap->Add(obj, wobj))
                    return nsnull;
            }
        }
        obj = wobj;
    }
    return obj;
}
// Replace the object in |*vp| by its Xray waiver and then wrap |*vp| for
// |cx|'s compartment. A primitive value has nothing to waive and is only
// wrapped. Returns false if WaiveXray or JS_WrapValue fails; on the waiver
// failure path |*vp| is left unchanged.
bool
WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp)
{
    if (JSVAL_IS_PRIMITIVE(*vp))
        return JS_WrapValue(cx, vp);

    JSObject *waived = WaiveXray(cx, JSVAL_TO_OBJECT(*vp));
    if (!waived)
        return false;

    *vp = OBJECT_TO_JSVAL(waived);
    return JS_WrapValue(cx, vp);
}
// Call WaiveXrayAndWrap when you have a JS object that you don't want to be // wrapped in an Xray wrapper. cx->compartment is the compartment that will be // using the returned object. If the object to be wrapped is already in the // correct compartment, then this returns the unwrapped object. bool WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp) { if (JSVAL_IS_PRIMITIVE(*vp)) return JS_WrapValue(cx, vp); JSObject *obj = js::UnwrapObject(JSVAL_TO_OBJECT(*vp)); obj = GetCurrentOuter(cx, obj); if (js::IsObjectInContextCompartment(obj, cx)) { *vp = OBJECT_TO_JSVAL(obj); return true; } obj = WaiveXray(cx, obj); if (!obj) return false; *vp = OBJECT_TO_JSVAL(obj); return JS_WrapValue(cx, vp); }
// Call WaiveXrayAndWrap when you have a JS object that you don't want to be // wrapped in an Xray wrapper. cx->compartment is the compartment that will be // using the returned object. If the object to be wrapped is already in the // correct compartment, then this returns the unwrapped object. bool WrapperFactory::WaiveXrayAndWrap(JSContext *cx, jsval *vp) { if (JSVAL_IS_PRIMITIVE(*vp)) return JS_WrapValue(cx, vp); JSObject *obj = JSVAL_TO_OBJECT(*vp)->unwrap(); obj = GetCurrentOuter(cx, obj); if (obj->compartment() == cx->compartment) { *vp = OBJECT_TO_JSVAL(obj); return true; } obj = WaiveXray(cx, obj); if (!obj) return false; *vp = OBJECT_TO_JSVAL(obj); return JS_WrapValue(cx, vp); }
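// Create the Xray waiver for |obj| and record it in the owning scope's
// mWaiverWrapperMap. The caller must already have looked the waiver up and
// found none (asserted below); this function never returns a pre-existing
// waiver.
//
// Returns nullptr on failure: the prototype could not be fetched or waived,
// the proto waiver could not be wrapped into |obj|'s compartment, the proxy
// could not be allocated, or the per-scope waiver map could not be created
// or grown.
JSObject *
WrapperFactory::CreateXrayWaiver(JSContext *cx, HandleObject obj)
{
    // The caller is required to have already done a lookup.
    // NB: This implicitly performs the assertions of GetXrayWaiver.
    MOZ_ASSERT(!GetXrayWaiver(obj));
    XPCWrappedNativeScope *scope = GetObjectScope(obj);

    // Get a waiver for the proto, so the new waiver's proto is itself a
    // waiver rather than the raw prototype.
    JSObject *proto;
    if (!js::GetObjectProto(cx, obj, &proto))
        return nullptr;
    if (proto && !(proto = WaiveXray(cx, proto)))
        return nullptr;

    // Create the waiver in |obj|'s compartment. The proto waiver may come from
    // another compartment and has to be wrapped into this one first.
    JSAutoCompartment ac(cx, obj);
    if (!JS_WrapObject(cx, &proto))
        return nullptr;
    JSObject *waiver = Wrapper::New(cx, obj, proto,
                                    JS_GetGlobalForObject(cx, obj),
                                    &XrayWaiver);
    if (!waiver)
        return nullptr;

    // Add the new waiver to the map. It's important that we only ever have
    // one waiver for the lifetime of the target object.
    if (!scope->mWaiverWrapperMap) {
        scope->mWaiverWrapperMap =
            JSObject2JSObjectMap::newMap(XPC_WRAPPER_MAP_SIZE);
        // newMap's result is not guaranteed non-null. A bare MOZ_ASSERT is
        // compiled out of release builds, where the Add() below would then
        // dereference a null map; fail the creation instead, like every other
        // error path in this function.
        if (!scope->mWaiverWrapperMap)
            return nullptr;
    }
    if (!scope->mWaiverWrapperMap->Add(obj, waiver))
        return nullptr;

    return waiver;
}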
// Pre-wrapping hook: given |objArg|, which is about to be wrapped for
// |scope|, pick the object that should actually be wrapped. |objectPassedToWrap|
// is the object the caller originally handed to the wrap machinery and is
// consulted only to decide (via ShouldWaiveXray) whether the result must be
// Xray-waived.
//
// Every successful return honours that decision (|waive ? WaiveXray(cx, obj) : obj|),
// with one exception: a standard-class prototype accessed by a non-subsuming
// compartment is remapped to the content compartment's own prototype, which is
// returned unwaived. Returns nullptr on failure.
//
// Note that the function enters |obj|'s compartment partway through (the
// JSAutoCompartment below is not scoped to a block), so everything after it
// runs in that compartment.
JSObject *
WrapperFactory::PrepareForWrapping(JSContext *cx, HandleObject scope, HandleObject objArg, HandleObject objectPassedToWrap)
{
    // Decide once, up front, whether the result must be waived; every return
    // path below consults |waive|.
    bool waive = ShouldWaiveXray(cx, objectPassedToWrap);
    RootedObject obj(cx, objArg);
    // Outerize any raw inner objects at the entry point here, so that we don't
    // have to worry about them for the rest of the wrapping code.
    if (js::IsInnerObject(obj)) {
        JSAutoCompartment ac(cx, obj);
        obj = JS_ObjectToOuterObject(cx, obj);
        NS_ENSURE_TRUE(obj, nullptr);
        // The outerization hook wraps, which means that we can end up with a
        // CCW here if |obj| was a navigated-away-from inner. Strip any CCWs.
        obj = js::UncheckedUnwrap(obj);
        MOZ_ASSERT(js::IsOuterObject(obj));
    }

    // If we've got an outer window, there's nothing special that needs to be
    // done here, and we can move on to the next phase of wrapping. We handle
    // this case first to allow us to assert against wrappers below.
    if (js::IsOuterObject(obj))
        return waive ? WaiveXray(cx, obj) : obj;

    // Here are the rules for wrapping:
    // We should never get a proxy here (the JS engine unwraps those for us).
    MOZ_ASSERT(!IsWrapper(obj));

    // If the object being wrapped is a prototype for a standard class and the
    // wrapper does not subsume the wrappee, use the one from the content
    // compartment. This is generally safer all-around, and in the COW case this
    // lets us safely take advantage of things like .forEach() via the
    // ChromeObjectWrapper machinery.
    //
    // If the prototype chain of chrome object |obj| looks like this:
    //
    // obj => foo => bar => chromeWin.StandardClass.prototype
    //
    // The prototype chain of COW(obj) looks like this:
    //
    // COW(obj) => COW(foo) => COW(bar) => contentWin.StandardClass.prototype
    //
    // NB: We now remap all non-subsuming access of standard prototypes.
    //
    // NB: We need to ignore domain here so that the security relationship we
    // compute here can't change over time. See the comment above the other
    // subsumes call below.
    bool subsumes = AccessCheck::subsumes(js::GetContextCompartment(cx),
                                          js::GetObjectCompartment(obj));
    XrayType xrayType = GetXrayType(obj);
    if (!subsumes && (xrayType == NotXray || ForceCOWBehavior(obj))) {
        JSProtoKey key = JSProto_Null;
        {
            // IdentifyStandardPrototype is run from inside |obj|'s compartment.
            JSAutoCompartment ac(cx, obj);
            key = IdentifyStandardPrototype(obj);
        }
        if (key != JSProto_Null) {
            // Fetch the *context* compartment's prototype for the same
            // standard class and hand that back instead of |obj|.
            RootedObject homeProto(cx);
            if (!JS_GetClassPrototype(cx, key, &homeProto))
                return nullptr;
            MOZ_ASSERT(homeProto);
            // No need to double-wrap here. We should never have waivers to
            // COWs.
            return homeProto;
        }
    }

    // Now, our object is ready to be wrapped, but several objects (notably
    // nsJSIIDs) have a wrapper per scope. If we are about to wrap one of
    // those objects in a security wrapper, then we need to hand back the
    // wrapper for the new scope instead. Also, global objects don't move
    // between scopes so for those we also want to return the wrapper. So...
    if (!IS_WN_REFLECTOR(obj) || !js::GetObjectParent(obj))
        return waive ? WaiveXray(cx, obj) : obj;

    XPCWrappedNative *wn = XPCWrappedNative::Get(obj);

    // From here on we are in |obj|'s compartment for the rest of the function.
    JSAutoCompartment ac(cx, obj);
    XPCCallContext ccx(JS_CALLER, cx, obj);
    RootedObject wrapScope(cx, scope);

    {
        if (NATIVE_HAS_FLAG(&ccx, WantPreCreate)) {
            // We have a precreate hook. This object might enforce that we only
            // ever create JS object for it.

            // Note: this penalizes objects that only have one wrapper, but are
            // being accessed across compartments. We would really prefer to
            // replace the above code with a test that says "do you only have one
            // wrapper?"
            nsresult rv = wn->GetScriptableInfo()->GetCallback()->
                PreCreate(wn->Native(), cx, scope, wrapScope.address());
            // A failing PreCreate is not fatal: fall back to returning |obj|
            // (waived if required) so it gets a security wrapper.
            NS_ENSURE_SUCCESS(rv, waive ? WaiveXray(cx, obj) : obj);

            // If the handed back scope differs from the passed-in scope and is in
            // a separate compartment, then this object is explicitly requesting
            // that we don't create a second JS object for it: create a security
            // wrapper.
            if (js::GetObjectCompartment(scope) != js::GetObjectCompartment(wrapScope))
                return waive ? WaiveXray(cx, obj) : obj;

            RootedObject currentScope(cx, JS_GetGlobalForObject(cx, obj));
            if (MOZ_UNLIKELY(wrapScope != currentScope)) {
                // The wrapper claims it wants to be in the new scope, but
                // currently has a reflection that lives in the old scope. This
                // can mean one of two things, both of which are rare:
                //
                // 1 - The object has a PreCreate hook (we checked for it above),
                // but is deciding to request one-wrapper-per-scope (rather than
                // one-wrapper-per-native) for some reason. Usually, a PreCreate
                // hook indicates one-wrapper-per-native. In this case we want to
                // make a new wrapper in the new scope.
                //
                // 2 - We're midway through wrapper reparenting. The document has
                // moved to a new scope, but |wn| hasn't been moved yet, and
                // we ended up calling JS_WrapObject() on its JS object. In this
                // case, we want to return the existing wrapper.
                //
                // So we do a trick: call PreCreate _again_, but say that we're
                // wrapping for the old scope, rather than the new one. If (1) is
                // the case, then PreCreate will return the scope we pass to it
                // (the old scope). If (2) is the case, PreCreate will return the
                // scope of the document (the new scope).
                RootedObject probe(cx);
                // NOTE(review): the return value of this second PreCreate is
                // stored in |rv| but not checked; |probe| is what decides.
                rv = wn->GetScriptableInfo()->GetCallback()->
                    PreCreate(wn->Native(), cx, currentScope, probe.address());

                // Check for case (2).
                if (probe != currentScope) {
                    MOZ_ASSERT(probe == wrapScope);
                    return waive ? WaiveXray(cx, obj) : obj;
                }

                // Ok, must be case (1). Fall through and create a new wrapper.
            }

            // Nasty hack for late-breaking bug 781476. This will confuse identity checks,
            // but it's probably better than any of our alternatives.
            //
            // Note: We have to ignore domain here. The JS engine assumes that, given a
            // compartment c, if c->wrap(x) returns a cross-compartment wrapper at time t0,
            // it will also return a cross-compartment wrapper for any time t1 > t0 unless
            // an explicit transplant is performed. In particular, wrapper recomputation
            // assumes that recomputing a wrapper will always result in a wrapper.
            //
            // This doesn't actually pose a security issue, because we'll still compute
            // the correct (opaque) wrapper for the object below given the security
            // characteristics of the two compartments.
            if (!AccessCheck::isChrome(js::GetObjectCompartment(wrapScope)) &&
                AccessCheck::subsumes(js::GetObjectCompartment(wrapScope),
                                      js::GetObjectCompartment(obj)))
            {
                return waive ? WaiveXray(cx, obj) : obj;
            }
        }
    }

    // This public WrapNativeToJSVal API enters the compartment of 'wrapScope'
    // so we don't have to.
    RootedValue v(cx);
    nsresult rv = nsXPConnect::XPConnect()->WrapNativeToJSVal(cx, wrapScope, wn->Native(), nullptr,
                                                                &NS_GET_IID(nsISupports), false, &v);
    NS_ENSURE_SUCCESS(rv, nullptr);

    obj.set(&v.toObject());
    MOZ_ASSERT(IS_WN_REFLECTOR(obj), "bad object");

    // Because the underlying native didn't have a PreCreate hook, we had
    // to a new (or possibly pre-existing) XPCWN in our compartment.
    // This could be a problem for chrome code that passes XPCOM objects
    // across compartments, because the effects of QI would disappear across
    // compartments.
    //
    // So whenever we pull an XPCWN across compartments in this manner, we
    // give the destination object the union of the two native sets. We try
    // to do this cleverly in the common case to avoid too much overhead.
    XPCWrappedNative *newwn = XPCWrappedNative::Get(obj);
    XPCNativeSet *unionSet = XPCNativeSet::GetNewOrUsed(newwn->GetSet(),
                                                          wn->GetSet(), false);
    if (!unionSet)
        return nullptr;
    newwn->SetSet(unionSet);

    return waive ? WaiveXray(cx, obj) : obj;
}