Exemple #1
0
SRICheckDataVerifier::SRICheckDataVerifier(const SRIMetadata& aMetadata,
                                           const nsACString& aSourceFileURI,
                                           nsIConsoleReportCollector* aReporter)
  : mCryptoHash(nullptr)
  , mBytesHashed(0)
  , mHashLength(0)
  , mHashType('\0')
  , mInvalidMetadata(false)
  , mComplete(false)
{
  MOZ_ASSERT(!aMetadata.IsEmpty()); // should be checked by caller

  // IntegrityMetadata() checks this and returns "no metadata" if
  // it's disabled so we should never make it this far
  MOZ_ASSERT(Preferences::GetBool("security.sri.enable", false));
  MOZ_ASSERT(aReporter);

  if (!aMetadata.IsValid()) {
    nsTArray<nsString> params;
    aReporter->AddConsoleReport(nsIScriptError::warningFlag,
                                NS_LITERAL_CSTRING("Sub-resource Integrity"),
                                nsContentUtils::eSECURITY_PROPERTIES,
                                aSourceFileURI, 0, 0,
                                NS_LITERAL_CSTRING("NoValidMetadata"),
                                const_cast<const nsTArray<nsString>&>(params));
    mInvalidMetadata = true;
    return; // ignore invalid metadata for forward-compatibility
  }

  aMetadata.GetHashType(&mHashType, &mHashLength);
}
Exemple #2
0
SRICheckDataVerifier::SRICheckDataVerifier(const SRIMetadata& aMetadata,
                                           const nsIDocument* aDocument)
  : mCryptoHash(nullptr),
    mBytesHashed(0),
    mInvalidMetadata(false),
    mComplete(false)
{
  MOZ_ASSERT(!aMetadata.IsEmpty()); // should be checked by caller

  // IntegrityMetadata() checks this and returns "no metadata" if
  // it's disabled so we should never make it this far
  MOZ_ASSERT(Preferences::GetBool("security.sri.enable", false));

  if (!aMetadata.IsValid()) {
    nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
                                    NS_LITERAL_CSTRING("Sub-resource Integrity"),
                                    aDocument,
                                    nsContentUtils::eSECURITY_PROPERTIES,
                                    "NoValidMetadata");
    mInvalidMetadata = true;
    return; // ignore invalid metadata for forward-compatibility
  }

  uint32_t hashLength;
  aMetadata.GetHashType(&mHashType, &hashLength);
}
Exemple #3
0
/* static */ nsresult
SRICheck::VerifyIntegrity(const SRIMetadata& aMetadata,
                          nsIURI* aRequestURI,
                          const CORSMode aCORSMode,
                          uint32_t aStringLen,
                          const uint8_t* aString,
                          const nsIDocument* aDocument)
{
  if (MOZ_LOG_TEST(GetSriLog(), mozilla::LogLevel::Debug)) {
    nsAutoCString requestURL;
    aRequestURI->GetAsciiSpec(requestURL);
    // requestURL will be empty if GetAsciiSpec fails
    SRILOG(("SRICheck::VerifyIntegrity, url=%s (length=%u)",
            requestURL.get(), aStringLen));
  }

  MOZ_ASSERT(!aMetadata.IsEmpty()); // should be checked by caller

  // IntegrityMetadata() checks this and returns "no metadata" if
  // it's disabled so we should never make it this far
  MOZ_ASSERT(Preferences::GetBool("security.sri.enable", false));

  if (NS_FAILED(IsEligible(aRequestURI, aCORSMode, aDocument))) {
    return NS_OK; // ignore non-CORS resources for forward-compatibility
  }
  if (!aMetadata.IsValid()) {
    nsContentUtils::ReportToConsole(nsIScriptError::warningFlag,
                                    NS_LITERAL_CSTRING("Sub-resource Integrity"),
                                    aDocument,
                                    nsContentUtils::eSECURITY_PROPERTIES,
                                    "NoValidMetadata");
    return NS_OK; // ignore invalid metadata for forward-compatibility
  }

  for (uint32_t i = 0; i < aMetadata.HashCount(); i++) {
    if (NS_SUCCEEDED(VerifyHash(aMetadata, i, aStringLen,
                                aString, aDocument))) {
      return NS_OK; // stop at the first valid hash
    }
  }

  nsAutoCString alg;
  aMetadata.GetAlgorithm(&alg);
  NS_ConvertUTF8toUTF16 algUTF16(alg);
  const char16_t* params[] = { algUTF16.get() };
  nsContentUtils::ReportToConsole(nsIScriptError::errorFlag,
                                  NS_LITERAL_CSTRING("Sub-resource Integrity"),
                                  aDocument,
                                  nsContentUtils::eSECURITY_PROPERTIES,
                                  "IntegrityMismatch",
                                  params, ArrayLength(params));
  return NS_ERROR_SRI_CORRUPT;
}