Echo

a"	foo	baz
b'	bar	', 55 \| '

foo

baz

bar

', 55 | '

, ,

foo.com or
bar.com

')) 59 | .to.equal( 60 | 'Go to

foo.com or' + 61 | '
bar.com

'); 62 | }); 63 | it('unfortunate', () => { 64 | // We want it to have a large attack surface. 65 | // eslint-disable-next-line no-script-url 66 | expect(linkify('4 lulz: javascript://example.com%0aalert(document.domain)')) 67 | // eslint-disable-next-line no-script-url 68 | .to.equal('4 lulz: ' + 69 | // eslint-disable-next-line no-script-url 70 | 'javascript://example.com%0aalert(document.domain)'); 71 | }); 72 | }); 73 | -------------------------------------------------------------------------------- /lib/framework/code-loading-function-proxy.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | /** 19 | * @fileoverview 20 | * Provide a proxy that looks like `Function` and that, when used as a 21 | * constructor, behaves like `new Function` but without triggering V8's 22 | * allow_code_gen_callback. 23 | * 24 | * See lockdown.js for the code that introduces this code. 25 | */ 26 | 27 | 'use strict'; 28 | 29 | // SENSITIVE - Invokes vm to load code from strings. 30 | 31 | // eslint-disable-next-line no-use-before-define 32 | module.exports = makeProxy; 33 | 34 | const { Function } = global; 35 | 36 | const wellFormednessCheck = require('./well-formedness-check.js'); 37 | const paramPattern = /^(?:[_$A-Z\x80-\uFFFF]|\\u[0-9A-F]{4})(?:[_$0-9A-Z\x80-\uFFFF]|\\u[0-9A-F]{4})*$/i; 38 | const delicateGlobalsRewrite = require('./delicate-globals-rewrite.js'); 39 | 40 | function makeProxy(localRequire, filename) { 41 | // Use the requesters require function to give sensitive-module-hook 42 | // enough context to decide whether to allow access to vm. 43 | const { runInThisContext } = localRequire('vm'); 44 | 45 | const fun = new Proxy( 46 | Function, 47 | { 48 | apply(target, thisArg, argumentsList) { 49 | // eslint-disable-next-line no-use-before-define 50 | return loadCode(argumentsList); 51 | }, 52 | construct(target, argumentsList) { 53 | // eslint-disable-next-line no-use-before-define 54 | return loadCode(argumentsList); 55 | }, 56 | }); 57 | 58 | function loadCode(argumentList) { 59 | const formals = []; 60 | let body = ''; 61 | const nFormals = argumentList.length - 1; 62 | for (let i = 0; i < nFormals; ++i) { 63 | const paramName = `${ argumentList[i] }`; 64 | if (paramPattern.test(paramName)) { 65 | formals.push(paramName); 66 | } else { 67 | throw new SyntaxError(`Invalid param name: ${ paramName }`); 68 | } 69 | } 70 | body = (nFormals >= 0 && `${ argumentList[nFormals] }`) || ''; 71 | // new Function(code) 72 | // is an idiom used to check that code has no side-effects until 73 | // applied. 74 | wellFormednessCheck(body); 75 | 76 | const evalFilename = `eval:${ filename }`; 77 | 78 | const rewrittenBody = delicateGlobalsRewrite(body, evalFilename, localRequire); 79 | 80 | const code = `(function (${ formals.join(', ') }){ ${ rewrittenBody } })`; 81 | 82 | return runInThisContext( 83 | code, 84 | { 85 | filename: evalFilename, 86 | displayErrors: true, 87 | }); 88 | } 89 | 90 | return fun; 91 | } 92 | -------------------------------------------------------------------------------- /lib/framework/bootstrap-secure.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Coordinate startup of various pieces of security machinery. 23 | */ 24 | 25 | // SENSITIVE - Coordinates initialization of security machinery. 26 | 27 | // GUARANTEE - If the server is run with NODE_ENV=production 28 | // (see ../../test/end-to-end-lockeddown-test.js) then the 29 | // resource integrity and sensitive module hooks run on all 30 | // userland modules and uphold their guarantees. 31 | 32 | const process = require('process'); 33 | const path = require('path'); 34 | 35 | const { setInsecure } = require('./init-hooks.js'); 36 | const { isProduction } = require('./is-prod.js'); 37 | 38 | const nodeSecPatterns = require('node-sec-patterns'); 39 | const installModuleStubs = require('./module-stubs.js'); 40 | const lockdown = require('./lockdown.js'); 41 | 42 | module.exports = function bootstrap(projectRoot, isMain) { 43 | const insecureMode = !isProduction && 44 | // eslint-disable-next-line no-process-env 45 | process.env.UNSAFE_DISABLE_NODE_SEC_HOOKS === 'true'; 46 | 47 | // eslint-disable-next-line global-require 48 | const packageJson = require(path.join(projectRoot, 'package.json')); 49 | 50 | if (insecureMode) { 51 | // There will inevitably be a "disable because I'm developing" switch so 52 | // we ought test whether it's easy to workaround checks that dev features 53 | // aren't abusable in production. 54 | // eslint-disable-next-line no-console 55 | console.log('Running in insecure mode'); 56 | setInsecure(true); 57 | } else if (isMain) { 58 | // If not running as part of tests, then configure access 59 | // control checks to contract type constructors. 60 | nodeSecPatterns.authorize(packageJson, projectRoot); 61 | } 62 | 63 | // Visit files that are definitely needed but not loaded when running 64 | // generate-production-source-list.js. 65 | if (packageJson.mintable && packageJson.mintable.second) { 66 | for (const second of packageJson.mintable.second) { 67 | // eslint-disable-next-line global-require 68 | require(`${ second }/package.json`); 69 | } 70 | } 71 | 72 | // Install module stubs. 73 | installModuleStubs(isMain); 74 | // We don't want to install module stubs when running under 75 | // generate-production-source-list since that would mean that 76 | // the resource-integrity-hook rejects the access. 77 | 78 | // Lock down intrinsics early so security critical code can rely on properties 79 | // of objects that they create and which do not escape. 80 | lockdown(); 81 | }; 82 | -------------------------------------------------------------------------------- /scripts/build-vulnerable.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Builds a variant of the target server but with protective measures disabled. 4 | 5 | set -e 6 | 7 | # This needs to match the same lines in gen-vulnerable-patch.sh 8 | source_files="$( 9 | git check-ignore -n -v --no-index \ 10 | $( find lib -type f | grep -v lib/framework; 11 | echo package.json main.js scripts/run-locally.js static/* ) \ 12 | | perl -ne 'print "$1\n" if m/^::\t(.*)/' | sort 13 | )" 14 | hash_from="$( 15 | shasum -ba 1 vulnerable.patch $source_files 16 | )" 17 | 18 | 19 | force= 20 | check= 21 | while (( $# > 0 )); do 22 | case "$1" in 23 | -f) force=1; shift ;; 24 | -c) check=1; shift ;; 25 | esac 26 | done 27 | 28 | if [ -n "$check" ]; then 29 | if [ -f "vulnerable/patch-base.sha1" ] && [[ "$hash_from" != "$( cat vulnerable/patch-base.sha1 )" ]]; then 30 | echo \ 31 | "Vulnerable server needs repatching. 32 | If you tweaked the vulnerable server regenerate vulnerable.patch: 33 | ./scripts/gen-vulnerable-patch.sh 34 | else if you changed the target server, regenerate the vulnerable server thus: 35 | mv vulnerable vulnerable.bak 36 | ./scripts/build-vulnerable.sh 37 | " 38 | exit 1 39 | fi 40 | if [ -d vulnerable ]; then 41 | rejects="$(find vulnerable -name \*.rej | wc -l)" 42 | if (( $(find vulnerable -name \*.rej | wc -l) > 0 )); then 43 | echo "Vulnerable server patching failed with rejected chunks" 44 | find vulnerable -name \*.rej | perl -pe 's/^/\t* /' 45 | exit 1 46 | fi 47 | exit 0 48 | fi 49 | fi 50 | 51 | if [ -d vulnerable/ ]; then 52 | if [ -z "$force" ]; then 53 | echo "vulnerable/ directory already exists. Specify -f to force overwrite." 54 | exit 1 55 | fi 56 | rm -rf vulnerable/ 57 | fi 58 | 59 | echo Deleting old vulnerable/ 60 | rm -rf vulnerable/ 61 | 62 | echo Copying files over 63 | for f in $source_files; do 64 | 65 | mkdir -p vulnerable/"$(dirname "$f")" 66 | cp -r "$f" vulnerable/"$f" 67 | done 68 | 69 | rm -rf vulnerable/static/user-uploads 70 | 71 | echo Copying node_modules 72 | cp -r node_modules/ vulnerable/node_modules/ 73 | 74 | echo Patching 75 | pushd vulnerable/ >& /dev/null 76 | 77 | echo "#/bin/bash" > scripts/postinstall.sh 78 | chmod +x scripts/postinstall.sh 79 | 80 | echo \ 81 | '// The vulnerable target server is generated by a patch, so allow things like 82 | // commented out code and replacement of safesql.pg`...` with `...` 83 | module.exports = { 84 | "rules": { 85 | "line-comment-position": 0, 86 | "no-inline-comments": 0, 87 | "no-unreachable": 0, 88 | "padded-blocks": 0, 89 | "spaced-comment": 0, 90 | "quotes": 0 91 | } 92 | }; 93 | ' > .eslintrc.js 94 | 95 | for f in node_modules/{module-keys,node-sec-patterns,safesql,sh-template-tag,web-contract-types}/index.js \ 96 | node_modules/sh-template-tag/lib/tag.js node_modules/safesql/lib/id.js; do 97 | echo 'throw new Error(`'"$f"'! kapow!`);' > "$f" 98 | done 99 | 100 | patch -p0 < ../vulnerable.patch 101 | popd >& /dev/null 102 | 103 | echo -n "$hash_from" > vulnerable/patch-base.sha1 104 | -------------------------------------------------------------------------------- /patches/node_modules-depd-index.patch: -------------------------------------------------------------------------------- 1 | --- a/node_modules/depd/index.js 2018-01-11 23:59:13.000000000 -0500 2 | +++ b/node_modules/depd/index.js 2018-10-13 11:36:39.000000000 -0400 3 | @@ -1,6 +1,6 @@ 4 | /*! 5 | * depd 6 | - * Copyright(c) 2014-2017 Douglas Christopher Wilson 7 | + * Copyright(c) 2014-2018 Douglas Christopher Wilson 8 | * MIT Licensed 9 | */ 10 | 11 | @@ -8,8 +8,6 @@ 12 | * Module dependencies. 13 | */ 14 | 15 | -var callSiteToString = require('./lib/compat').callSiteToString 16 | -var eventListenerCount = require('./lib/compat').eventListenerCount 17 | var relative = require('path').relative 18 | 19 | /** 20 | @@ -92,7 +90,7 @@ 21 | } 22 | 23 | for (var i = 0; i < stack.length; i++) { 24 | - str += '\n at ' + callSiteToString(stack[i]) 25 | + str += '\n at ' + stack[i].toString() 26 | } 27 | 28 | return str 29 | @@ -129,6 +127,26 @@ 30 | } 31 | 32 | /** 33 | + * Determine if event emitter has listeners of a given type. 34 | + * 35 | + * The way to do this check is done three different ways in Node.js >= 0.8 36 | + * so this consolidates them into a minimal set using instance methods. 37 | + * 38 | + * @param {EventEmitter} emitter 39 | + * @param {string} type 40 | + * @returns {boolean} 41 | + * @private 42 | + */ 43 | + 44 | +function eehaslisteners (emitter, type) { 45 | + var count = typeof emitter.listenerCount !== 'function' 46 | + ? emitter.listeners(type).length 47 | + : emitter.listenerCount(type) 48 | + 49 | + return count > 0 50 | +} 51 | + 52 | +/** 53 | * Determine if namespace is ignored. 54 | */ 55 | 56 | @@ -167,7 +185,7 @@ 57 | */ 58 | 59 | function log (message, site) { 60 | - var haslisteners = eventListenerCount(process, 'deprecation') !== 0 61 | + var haslisteners = eehaslisteners(process, 'deprecation') 62 | 63 | // abort early if no destination 64 | if (!haslisteners && this._ignored) { 65 | @@ -310,7 +328,7 @@ 66 | // add stack trace 67 | if (this._traced) { 68 | for (var i = 0; i < stack.length; i++) { 69 | - formatted += '\n at ' + callSiteToString(stack[i]) 70 | + formatted += '\n at ' + stack[i].toString() 71 | } 72 | 73 | return formatted 74 | @@ -335,7 +353,7 @@ 75 | // add stack trace 76 | if (this._traced) { 77 | for (var i = 0; i < stack.length; i++) { 78 | - formatted += '\n \x1b[36mat ' + callSiteToString(stack[i]) + '\x1b[39m' // cyan 79 | + formatted += '\n \x1b[36mat ' + stack[i].toString() + '\x1b[39m' // cyan 80 | } 81 | 82 | return formatted 83 | @@ -400,18 +418,18 @@ 84 | } 85 | 86 | var args = createArgumentsString(fn.length) 87 | - var deprecate = this // eslint-disable-line no-unused-vars 88 | var stack = getStack() 89 | var site = callSiteLocation(stack[1]) 90 | 91 | site.name = fn.name 92 | 93 | - // eslint-disable-next-line no-eval 94 | - var deprecatedfn = eval('(function (' + args + ') {\n' + 95 | + // eslint-disable-next-line no-new-func 96 | + var deprecatedfn = new Function('fn', 'log', 'deprecate', 'message', 'site', 97 | '"use strict"\n' + 98 | + 'return function (' + args + ') {' + 99 | 'log.call(deprecate, message, site)\n' + 100 | 'return fn.apply(this, arguments)\n' + 101 | - '})') 102 | + '}')(fn, log, this, message, site) 103 | 104 | return deprecatedfn 105 | } 106 | -------------------------------------------------------------------------------- /test/collected-db-test.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | const { after, before } = require('mocha'); 21 | const { spinUpDatabase } = require('../scripts/run-locally.js'); 22 | const dbTablesTest = require('./db-tables-test.js'); 23 | const endToEndTest = require('./end-to-end-test.js'); 24 | const { Pool } = require('../lib/safe/pg.js'); 25 | 26 | function noop() { 27 | // This function body left intentionally blank. 28 | } 29 | 30 | const testsThatRequireDb = [ dbTablesTest, endToEndTest ]; 31 | 32 | const { release, withDbConfig } = (() => { 33 | let pending = null; 34 | let dbConfig = null; 35 | let failure = null; 36 | let teardownFun = null; 37 | 38 | function scheduleToRun(...onDbAvailable) { 39 | for (const fun of onDbAvailable) { 40 | setTimeout(fun.bind(null, failure, dbConfig), 0); 41 | } 42 | } 43 | 44 | function maybeRunPending() { 45 | const toNotify = pending; 46 | pending = null; 47 | if (toNotify) { 48 | scheduleToRun(...toNotify); 49 | } 50 | } 51 | 52 | return { 53 | release() { 54 | // We don't need to wait for inflight database-using tasks to finish 55 | // before teardown since mocha describe() does that for us. 56 | setTimeout( 57 | () => { 58 | if (teardownFun) { 59 | teardownFun(); 60 | } 61 | }, 62 | // Wait a little bit. 63 | // TODO: Figure out why init-hooks-test fail with errors about 64 | // a connection closing hard due to the interrupting of the 65 | // DB server process. 66 | // ravis-ci.org/mikesamuel/attack-review-testbed/jobs/438005939#L528 67 | // eslint-disable-next-line no-magic-numbers 68 | 250); 69 | }, 70 | withDbConfig(onDbAvailable) { 71 | if (pending) { 72 | // Wait in line. 73 | pending.push(onDbAvailable); 74 | } else if (dbConfig) { 75 | scheduleToRun(onDbAvailable); 76 | } else { 77 | pending = [ onDbAvailable ]; 78 | try { 79 | spinUpDatabase(({ pgSocksDir, pgPort, teardown }) => { 80 | dbConfig = { 81 | user: 'webfe', 82 | host: pgSocksDir, 83 | port: pgPort, 84 | database: 'postgres', 85 | }; 86 | teardownFun = teardown; 87 | 88 | maybeRunPending(); 89 | }); 90 | } catch (exc) { 91 | teardownFun = noop; 92 | failure = exc; 93 | maybeRunPending(); 94 | } 95 | } 96 | }, 97 | }; 98 | })(); 99 | 100 | function makePoolPromise() { 101 | return new Promise((resolve, reject) => { 102 | withDbConfig( 103 | (dbConfigErr, dbConfig) => { 104 | if (dbConfigErr) { 105 | reject(dbConfigErr); 106 | } else { 107 | const pool = new Pool(dbConfig); 108 | /* 109 | pool.on('error', (err, client) => { 110 | console.error(`Unexpected error on idle client ${ client.creator }`, err); 111 | }); 112 | */ 113 | resolve(pool); 114 | } 115 | }); 116 | }); 117 | } 118 | 119 | for (let i = 0, { length } = testsThatRequireDb; i < length; ++i) { 120 | const test = testsThatRequireDb[i]; 121 | test(makePoolPromise); 122 | } 123 | 124 | before(() => withDbConfig(noop)); 125 | after(release); 126 | -------------------------------------------------------------------------------- /test/cases/end-to-end/index-case.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /* eslint array-element-newline: 0 */ 21 | 22 | const { URL } = require('url'); 23 | 24 | const now = Number(new Date('2019-04-12 12:00:00Z')); 25 | const homePagePath = `/?now=${ now }`; 26 | 27 | module.exports = { 28 | requests: (baseUrl, { isVulnerable }) => [ 29 | { 30 | req: { 31 | uri: new URL(homePagePath, baseUrl).href, 32 | method: 'GET', 33 | }, 34 | res: { 35 | body: [ 36 | '', 37 | '', 38 | '', 39 | 'Attack Review Testbed', 40 | '', 42 | '', 43 | '', 44 | '', 45 | '

', 46 | 'login', 47 | '

', 48 | '

Login

', 48 | '', 57 | '
', 58 | '', 59 | ``, 60 | '', 61 | '', 62 | '', 63 | '', 64 | ], 65 | logs: { 66 | stderr: '', 67 | stdout: 'GET /login?cont=/echo\n', 68 | }, 69 | statusCode: 200, 70 | }, 71 | }, 72 | { 73 | req: (lastReponse, { csrf }) => ({ 74 | uri: new URL('/login', baseUrl).href, 75 | form: { 76 | email: 'foo@bar.com', 77 | cont: `${ baseUrl.origin }/echo`, 78 | _csrf: csrf, 79 | }, 80 | method: 'POST', 81 | }), 82 | res: { 83 | headers: { 84 | location: new URL('/echo', baseUrl).href, 85 | }, 86 | body: [ '' ], 87 | logs: { 88 | stderr: '', 89 | stdout: 'POST /login\n', 90 | }, 91 | statusCode: 302, 92 | }, 93 | }, 94 | { 95 | req: { 96 | uri: new URL('/echo', baseUrl).href, 97 | }, 98 | res: { 99 | body: [ 100 | '', 101 | '', 102 | '', 103 | 'Database Echo', 104 | '', 106 | '', 107 | '', 108 | '', 109 | '

', 110 | 'Anonymous▼', 111 | '', 112 | '', 116 | '

', 117 | '

Echo

', 118 | '', 119 | '', 120 | '', 121 | '', 122 | '', 123 | '', 124 | '', 125 | '

Hello
World

', 126 | '', 127 | '', 128 | ], 129 | logs: { 130 | stderr: '', 131 | stdout: 'GET /echo\necho sending SELECT \'World\' AS "Hello"\n', 132 | }, 133 | statusCode: 200, 134 | }, 135 | }, 136 | ], 137 | }; 138 | -------------------------------------------------------------------------------- /test/resource-integrity-hook-test.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | const path = require('path'); 21 | const { expect } = require('chai'); 22 | const { describe, it } = require('mocha'); 23 | 24 | const { makeHook } = require('../lib/framework/module-hooks/resource-integrity-hook.js'); 25 | const { runHook } = require('./run-hook.js'); 26 | 27 | const basedir = path.resolve(path.join(__dirname, '..')); 28 | 29 | const resultOnReject = require.resolve('../lib/framework/module-hooks/innocuous.js'); 30 | 31 | describe('resource-integrity-hook', () => { 32 | const config = { 33 | // As reported by `shasum -a 256 test/file-with-known-hash.js` 34 | '9c7bbbbab6d0bdaf8ab15a94f42324488280e47e1531a218e687b95d30bf376d': [ 'test/file-with-known-hash.js' ], 35 | 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa': [ 'test/file-with-wrong-hash.js' ], 36 | }; 37 | describe('reportOnly', () => { 38 | const hook = makeHook(config, basedir, true); 39 | it('match', () => { 40 | const target = './file-with-known-hash.js'; 41 | // Test hash caching 42 | for (let retries = 2; --retries >= 0;) { 43 | expect(runHook(hook, 'source.js', target)) 44 | .to.deep.equal({ 45 | result: target, 46 | stderr: '', 47 | stdout: '', 48 | }); 49 | } 50 | }); 51 | it('mismatch', () => { 52 | const target = './file-with-wrong-hash.js'; 53 | // Test hash caching 54 | for (let retries = 2; --retries >= 0;) { 55 | expect(runHook(hook, 'source.js', target)) 56 | .to.deep.equal({ 57 | result: target, 58 | stderr: ( 59 | 'lib/framework/module-hooks/resource-integrity-hook.js: ' + 60 | 'Blocking require("./file-with-wrong-hash.js") ' + 61 | 'by test/source.js\n'), 62 | stdout: '', 63 | }); 64 | } 65 | }); 66 | it('404', () => { 67 | const target = './no-such-file.js'; 68 | expect(runHook(hook, 'source.js', target)) 69 | .to.deep.equal({ 70 | result: target, 71 | stderr: ( 72 | 'lib/framework/module-hooks/resource-integrity-hook.js: ' + 73 | 'Blocking require("./no-such-file.js") ' + 74 | 'by test/source.js\n'), 75 | stdout: '', 76 | }); 77 | }); 78 | }); 79 | describe('active', () => { 80 | const hook = makeHook(config, basedir, false); 81 | it('match', () => { 82 | const target = './file-with-known-hash.js'; 83 | // Test hash caching 84 | for (let retries = 2; --retries >= 0;) { 85 | expect(runHook(hook, 'source.js', target)) 86 | .to.deep.equal({ 87 | result: target, 88 | stderr: '', 89 | stdout: '', 90 | }); 91 | } 92 | }); 93 | it('mismatch', () => { 94 | const target = './file-with-wrong-hash.js'; 95 | expect(runHook(hook, 'source.js', target)) 96 | .to.deep.equal({ 97 | result: resultOnReject, 98 | stderr: ( 99 | 'lib/framework/module-hooks/resource-integrity-hook.js: ' + 100 | 'Blocking require("./file-with-wrong-hash.js") ' + 101 | 'by test/source.js\n'), 102 | stdout: '', 103 | }); 104 | }); 105 | it('404', () => { 106 | const target = './no-such-file.js'; 107 | expect(runHook(hook, 'source.js', target)) 108 | .to.deep.equal({ 109 | result: resultOnReject, 110 | stderr: ( 111 | 'lib/framework/module-hooks/resource-integrity-hook.js: ' + 112 | 'Blocking require("./no-such-file.js") ' + 113 | 'by test/source.js\n'), 114 | stdout: '', 115 | }); 116 | }); 117 | }); 118 | it('fail-closed', () => { 119 | const hook = makeHook(null, basedir, false); 120 | const target = './file-with-known-hash.js'; 121 | expect(runHook(hook, 'source.js', target)) 122 | .to.deep.equal({ 123 | result: resultOnReject, 124 | stderr: ( 125 | 'lib/framework/module-hooks/resource-integrity-hook.js: ' + 126 | 'Blocking require("./file-with-known-hash.js") by test/source.js\n' 127 | ), 128 | stdout: '', 129 | }); 130 | }); 131 | }); 132 | -------------------------------------------------------------------------------- /test/db-tables-test.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | const { expect } = require('chai'); 21 | const { describe, it } = require('mocha'); 22 | const safesql = require('safesql'); 23 | 24 | const { createTables, clearTables, initializeTablesWithTestData } = 25 | require('../lib/db-tables.js'); 26 | 27 | module.exports = (makePool) => { 28 | function dbIt(name, withPool, withClient) { 29 | it(name, function dbTest(done) { 30 | // Setting up the database takes some time. 31 | // Times are in millis. 32 | // eslint-disable-next-line no-magic-numbers, no-invalid-this 33 | this.timeout(5000); 34 | // eslint-disable-next-line no-magic-numbers, no-invalid-this 35 | this.slow(500); 36 | 37 | makePool().then( 38 | (pool) => { 39 | let client = null; 40 | function finish(exc) { 41 | if (client) { 42 | client.release(); 43 | client = null; 44 | } 45 | pool.end(); 46 | if (exc) { 47 | return done(exc); 48 | } 49 | return done(); 50 | } 51 | function finishErr(exc) { 52 | finish(exc || new Error()); 53 | } 54 | 55 | function usePool(exc) { 56 | if (exc) { 57 | finish(exc); 58 | return; 59 | } 60 | pool.connect().then( 61 | (aClient) => { 62 | client = aClient; 63 | withClient(client, finish, finishErr); 64 | }, 65 | finishErr); 66 | } 67 | 68 | setTimeout( 69 | () => withPool(pool, usePool, finishErr), 70 | // eslint-disable-next-line no-magic-numbers 71 | 50); 72 | }, 73 | (dbErr) => { 74 | done(dbErr || new Error()); 75 | }); 76 | }); 77 | } 78 | 79 | describe('db-tables', () => { 80 | dbIt( 81 | 'createTables', 82 | (pool, finish, finishErr) => createTables(pool).then(() => finish(), finishErr), 83 | (client, finish, finishErr) => 84 | client.query(safesql.pg`SELECT * FROM Accounts`).then( 85 | ({ rowCount, fields }) => { 86 | try { 87 | expect({ rowCount, fields: fields.map(({ name }) => name) }) 88 | .to.deep.equals({ 89 | rowCount: 0, 90 | fields: [ 'aid', 'displayname', 'displaynamehtml', 'publicurl', 'created' ], 91 | }); 92 | } catch (exc) { 93 | finish(exc); 94 | return; 95 | } 96 | finish(); 97 | }, 98 | finishErr)); 99 | 100 | dbIt( 101 | 'initializeTablesWithTestData', 102 | (pool, finish, finishErr) => initializeTablesWithTestData(pool).then(() => finish(), finishErr), 103 | (client, finish, finishErr) => 104 | client.query(safesql.pg`SELECT * FROM Accounts`).then( 105 | ({ rowCount, fields }) => { 106 | try { 107 | expect({ rowCount, fields: fields.map(({ name }) => name) }) 108 | .to.deep.equals({ 109 | rowCount: 4, 110 | fields: [ 'aid', 'displayname', 'displaynamehtml', 'publicurl', 'created' ], 111 | }); 112 | } catch (exc) { 113 | finish(exc); 114 | return; 115 | } 116 | finish(); 117 | }, 118 | finishErr)); 119 | 120 | dbIt( 121 | 'clearTables', 122 | (pool, finish, finishErr) => clearTables(pool).then(() => finish(), finishErr), 123 | (client, finish, finishErr) => 124 | client.query(safesql.pg`SELECT * FROM Accounts`).then( 125 | ({ rowCount, fields }) => { 126 | try { 127 | expect({ rowCount, fields: fields.map(({ name }) => name) }) 128 | .to.deep.equals({ 129 | rowCount: 0, 130 | fields: [ 'aid', 'displayname', 'displaynamehtml', 'publicurl', 'created' ], 131 | }); 132 | } catch (exc) { 133 | finish(exc); 134 | return; 135 | } 136 | finish(); 137 | }, 138 | finishErr)); 139 | }); 140 | }; 141 | -------------------------------------------------------------------------------- /test/doc-test.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Some sanity checks for README.md files. 23 | * 24 | * - Checks example code in README.md files for well-formedness 25 | * - Runs example code that has a comment like //! expected output 26 | * - Looks for undefined link targets like [foo][never defines]. 27 | * - Checks that tables of contents are up-to-date with the pages header structure. 28 | */ 29 | 30 | /* eslint no-sync: 0 */ 31 | 32 | const { expect } = require('chai'); 33 | const { describe, it } = require('mocha'); 34 | 35 | // eslint-disable-next-line id-length 36 | const fs = require('fs'); 37 | // eslint-disable-next-line id-length 38 | const vm = require('vm'); 39 | 40 | const { 41 | tableOfContentsFor, 42 | replaceTableOfContentsIn, 43 | } = require('../scripts/markdown-table-of-contents.js'); 44 | 45 | const markdownPaths = { 46 | 'README.md': require.resolve('../README.md'), 47 | }; 48 | 49 | function lookForUndefinedLinks(markdownPath) { 50 | let markdown = fs.readFileSync(markdownPath, { encoding: 'utf8' }); 51 | 52 | // Strip out code blocks. 53 | markdown = markdown.replace( 54 | /^(\s*`{3,})\w*\n(?:[^`]|`(?!``))*\n\1\n/mg, '$1CODE\n'); 55 | markdown = markdown.replace( 56 | /`[^`\r\n]+`/g, ' CODE '); 57 | 58 | // Extract link names. 59 | const namedLinks = new Set(); 60 | for (;;) { 61 | const original = markdown; 62 | markdown = markdown.replace(/^\[(.*?)\]:[ \t]*\S.*/m, (all, name) => { 63 | namedLinks.add(name); 64 | return ``; 65 | }); 66 | if (original === markdown) { 67 | break; 68 | } 69 | } 70 | 71 | let undefinedLinks = new Set(); 72 | function extractLink(whole, text, target) { 73 | target = target || text; 74 | if (!namedLinks.has(target)) { 75 | undefinedLinks.add(target); 76 | } 77 | return ' LINK '; 78 | } 79 | // Look at links. 80 | for (;;) { 81 | const original = markdown; 82 | markdown = markdown.replace( 83 | /(?:^|[^\]\\])\[((?:[^\\\]]|\\.)+)\]\[(.*?)\]/, 84 | extractLink); 85 | if (original === markdown) { 86 | break; 87 | } 88 | } 89 | 90 | undefinedLinks = Array.from(undefinedLinks); 91 | expect(undefinedLinks).to.deep.equals([]); 92 | } 93 | 94 | 95 | function hackyUpdoc(markdownPath) { 96 | const markdown = fs.readFileSync(markdownPath, { encoding: 'utf8' }); 97 | 98 | // Strip out code blocks. 99 | const fencedJsBlockPattern = /^(\s*)```js(\n(?:[^`]|`(?!``))*)\n\1```\n/mg; 100 | for (let match; (match = fencedJsBlockPattern.exec(markdown));) { 101 | const [ , , code ] = match; 102 | const lineOffset = markdown.substring(0, match.index).split(/\n/g).length; 103 | 104 | it(`Line ${ lineOffset }`, () => { 105 | let tweakedCode = code.replace( 106 | /^console[.]log$(.*)$;\n\/\/! ?(.*)/mg, 107 | (whole, expr, want) => `expect(String(${ expr })).to.equal(${ JSON.stringify(want) });\n`); 108 | 109 | if (tweakedCode === code) { 110 | // Not a test. Just check well-formedness 111 | tweakedCode = `(function () {\n${ tweakedCode }\n})`; 112 | } 113 | 114 | const script = new vm.Script(tweakedCode, { filename: markdownPath, lineOffset }); 115 | 116 | script.runInNewContext({ require, expect }); 117 | }); 118 | } 119 | } 120 | 121 | 122 | describe('doc', () => { 123 | describe('links', () => { 124 | for (const [ name, mdPath ] of Object.entries(markdownPaths)) { 125 | it(name, () => { 126 | lookForUndefinedLinks(mdPath); 127 | }); 128 | } 129 | }); 130 | describe('code examples', () => { 131 | for (const [ name, mdPath ] of Object.entries(markdownPaths)) { 132 | describe(name, () => { 133 | hackyUpdoc(mdPath); 134 | }); 135 | } 136 | }); 137 | describe('tocs', () => { 138 | for (const [ name, mdPath ] of Object.entries(markdownPaths)) { 139 | it(name, () => { 140 | const originalMarkdown = fs.readFileSync(mdPath, { encoding: 'utf8' }); 141 | const { markdown, toc } = tableOfContentsFor(mdPath, originalMarkdown); 142 | const markdownProcessed = replaceTableOfContentsIn(mdPath, markdown, toc); 143 | expect(originalMarkdown).to.equal(markdownProcessed, mdPath); 144 | }); 145 | } 146 | }); 147 | }); 148 | -------------------------------------------------------------------------------- /test/cases/end-to-end/login-logout-case.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /* eslint array-element-newline: 0 */ 21 | 22 | const { URL } = require('url'); 23 | 24 | module.exports = { 25 | requests: (baseUrl) => [ 26 | { 27 | req: { 28 | uri: new URL('/login', baseUrl).href, 29 | }, 30 | res: { 31 | body: 'IGNORE', 32 | logs: { 33 | stderr: '', 34 | stdout: 'GET /login\n', 35 | }, 36 | statusCode: 200, 37 | }, 38 | }, 39 | { 40 | req: (lastReponse, { csrf }) => ({ 41 | uri: new URL('/login', baseUrl).href, 42 | method: 'POST', 43 | form: { 44 | _csrf: csrf, 45 | email: 'ada@example.com', 46 | cont: `${ baseUrl.origin }/echo`, 47 | }, 48 | }), 49 | res: { 50 | body: [ '' ], 51 | headers: { 52 | location: `${ baseUrl.origin }/echo`, 53 | }, 54 | logs: { 55 | stderr: '', 56 | stdout: 'POST /login\n', 57 | }, 58 | statusCode: 302, 59 | }, 60 | }, 61 | { 62 | req: { 63 | uri: new URL('/echo', baseUrl).href, 64 | }, 65 | res: { 66 | body: [ 67 | '', 68 | '', 69 | '', 70 | 'Database Echo', 71 | '', 73 | '', 74 | '', 75 | '', 76 | '

', 77 | // Got user name. See db-tables.js 78 | 'Ada▼', 79 | '', 80 | '', 84 | '

', 85 | '

Echo

', 86 | '', 87 | '', 88 | '', 89 | '', 90 | '', 91 | '', 92 | '', 93 | '

Hello
World

', 94 | '', 95 | '', 96 | ], 97 | logs: { 98 | stderr: '', 99 | stdout: 'GET /echo\necho sending SELECT \'World\' AS "Hello"\n', 100 | }, 101 | statusCode: 200, 102 | }, 103 | }, 104 | { 105 | req: (lastReponse, { csrf }) => ({ 106 | uri: new URL('/logout', baseUrl).href, 107 | headers: { 108 | Referer: `${ baseUrl.origin }/echo`, 109 | }, 110 | method: 'POST', 111 | form: { 112 | _csrf: csrf, 113 | }, 114 | }), 115 | res: { 116 | body: [ '' ], 117 | headers: { 118 | location: `${ baseUrl.origin }/echo`, 119 | }, 120 | logs: { 121 | stderr: '', 122 | stdout: 'POST /logout\n', 123 | }, 124 | statusCode: 302, 125 | }, 126 | }, 127 | { 128 | req: { 129 | uri: new URL('/echo', baseUrl).href, 130 | }, 131 | res: { 132 | body: [ 133 | '', 134 | '', 135 | '', 136 | 'Database Echo', 137 | '', 139 | '', 140 | '', 141 | '', 142 | '

', 143 | // No user name. 144 | 'login', 145 | '

', 146 | '

Echo

', 147 | '', 148 | '', 149 | '', 150 | '', 151 | '', 152 | '', 153 | '', 154 | '

Hello
World

', 155 | '', 156 | '', 157 | ], 158 | logs: { 159 | stderr: '', 160 | stdout: 'GET /echo\necho sending SELECT \'World\' AS "Hello"\n', 161 | }, 162 | statusCode: 200, 163 | }, 164 | }, 165 | ], 166 | }; 167 | -------------------------------------------------------------------------------- /lib/framework/module-hooks/resource-integrity-hook.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | /** 19 | * @fileoverview 20 | * A factory for hooks that prevent require of files not on a production whitelist 21 | * such as that generated by scripts/generate-production-source-list.js 22 | */ 23 | 24 | 'use strict'; 25 | 26 | // SENSITIVE - Trusted to preserve guarantee that the only code that 27 | // loads in production was written or `npm install`ed by a trusted 28 | // developer for use in production. 29 | 30 | // GUARANTEE - the output of makeHook only returns a module M if that 31 | // the hash of the content at require.resolve(M) appears on the production 32 | // whitelist. 33 | // This guarantee should survive in the face of an attacker who can 34 | // create files including symlinks and hardlinks but makes no 35 | // guarantee in the face of race conditions related to renaming 36 | // ancestor directories, replacing file content, or unmounting file 37 | // systems. 38 | 39 | // TODO: do we need to check the hash of ./innocuous.js's before 40 | // returning it? That seems a vector that doesn't require winning 41 | // a race condition. 42 | // 43 | // TODO: document caveats related to overwrites. 44 | // 45 | // If we cache hashes, we are assuming no overwrites and cannot trust 46 | // mtime more than we trust content. 47 | // 48 | // But commonly used modules assume the path to the require cache is fast, 49 | // so we might have to be optimistic and just tell people to run node as 50 | // a uid that cannot write source files if they want resource integrity 51 | // to be strong. 52 | // 53 | // TODO: Figure out how to phrase this guarantee optimistically assuming 54 | // some care taken with file permissions. 55 | // 56 | // TODO: Maybe gather stats on how many modules are required more than 57 | // once and lazily: lib/handlers? 58 | // 59 | // TODO: Do we reduce the attack surface by having startup scripts 60 | // `chmod -R ugo-w lib node_modules` even if the server process owns 61 | // its source files? 62 | 63 | // eslint-disable-next-line no-use-before-define 64 | exports.makeHook = makeHook; 65 | 66 | const { 67 | createHash, 68 | Hash: { 69 | prototype: { 70 | digest: digestHash, 71 | update: updateHash, 72 | }, 73 | }, 74 | } = require('crypto'); 75 | const { readFileSync } = require('fs'); 76 | const { join, relative } = require('path'); 77 | 78 | const { isBuiltinModuleId } = require('../builtin-module-ids.js'); 79 | 80 | const { create, hasOwnProperty } = Object; 81 | const { apply } = Reflect; 82 | // eslint-disable-next-line id-blacklist 83 | const { error: consoleerror, warn: consolewarn } = console; 84 | 85 | function makeHook(hashesToSourceLists, basedir, reportOnly) { 86 | const moduleid = relative(basedir, module.filename); 87 | if (!(hashesToSourceLists && typeof hashesToSourceLists === 'object')) { 88 | hashesToSourceLists = create(null); 89 | } 90 | 91 | // Don't hash modules more than once. 92 | // Assumes that modules don't change on disk. 93 | const hashCache = new Map(); 94 | 95 | function hashFor(file) { 96 | if (hashCache.has(file)) { 97 | return hashCache.get(file); 98 | } 99 | 100 | let key = null; 101 | let content = null; 102 | try { 103 | content = readFileSync(file); 104 | } catch (exc) { 105 | consoleerror(`${ moduleid }: ${ exc.message }`); 106 | } 107 | if (content !== null) { 108 | const hash = createHash('sha256'); 109 | key = apply( 110 | digestHash, 111 | apply(updateHash, hash, [ content ]), 112 | [ 'hex' ]); 113 | } 114 | 115 | hashCache.set(file, key); 116 | return key; 117 | } 118 | 119 | return function resourceIntegrityHook( 120 | importingFile, importingId, requiredId, resolveFilename) { 121 | if (isBuiltinModuleId(requiredId)) { 122 | return requiredId; 123 | } 124 | let target = null; 125 | try { 126 | target = resolveFilename(requiredId); 127 | } catch (exc) { 128 | // We fall-through to hash mismatch below. 129 | } 130 | if (target !== null) { 131 | const key = hashFor(target); 132 | if (key && apply(hasOwnProperty, hashesToSourceLists, [ key ])) { 133 | return requiredId; 134 | } 135 | } 136 | 137 | consolewarn( 138 | `${ moduleid }: Blocking require(${ JSON.stringify(requiredId) }) by ${ relative(basedir, importingFile) }`); 139 | if (reportOnly) { 140 | return requiredId; 141 | } 142 | return join(__dirname, 'innocuous.js'); 143 | }; 144 | } 145 | -------------------------------------------------------------------------------- /test/cases/end-to-end/drive-by-post-case.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /* eslint array-element-newline: 0 */ 21 | 22 | const { URL } = require('url'); 23 | 24 | const now = Number(new Date('2019-04-22 12:00:00Z')); 25 | 26 | // Logs in 27 | // Drafts a post 28 | // Uploads some images 29 | // Previews the post. 30 | // Commits 31 | // Views the index page with the new post. 32 | const indexRelUrl = `/?now=${ now }&offset=4`; 33 | 34 | module.exports = { 35 | requests: (baseUrl, { isProduction }) => [ 36 | // User logs in 37 | { 38 | req: { 39 | uri: new URL('/login', baseUrl).href, 40 | }, 41 | res: { 42 | body: 'IGNORE', 43 | logs: { 44 | stderr: '', 45 | stdout: 'GET /login\n', 46 | }, 47 | statusCode: 200, 48 | }, 49 | }, 50 | { 51 | req: (lastResponse, { csrf }) => ({ 52 | uri: new URL('/login', baseUrl).href, 53 | method: 'POST', 54 | form: { 55 | cont: '/', 56 | email: 'ada@example.com', 57 | _csrf: csrf, 58 | }, 59 | }), 60 | res: { 61 | body: [ '' ], 62 | logs: { 63 | stderr: '', 64 | stdout: 'POST /login\n', 65 | }, 66 | headers: { 67 | location: new URL('/', baseUrl).href, 68 | }, 69 | statusCode: 302, 70 | }, 71 | }, 72 | // Later user visits a page that posts cross-origin. 73 | { 74 | req: { 75 | uri: new URL('/post', baseUrl).href, 76 | method: 'POST', 77 | formData: { 78 | body: 'Eat at Joe\'s!', 79 | 'public': 'true', 80 | now, 81 | }, 82 | }, 83 | res: { 84 | body: [ 85 | '', 86 | '', 87 | '', 88 | 'Error', 89 | '', 91 | '', 92 | '', 93 | '', 94 | '

', 95 | 'login', 96 | (isProduction ? 97 | '

Something went wrong' : 98 | '

Attack Review Testbed

', 127 | 'Ada▼', 128 | '', 129 | `', 134 | '

Recent Posts

', 137 | '

', 138 | // Since offset is set, 1 post from canned data 139 | '', 140 | '', 141 | 'Fae', 142 | '', 143 | '', 144 | 'a week ago', 145 | '

(It is probably insecure)

', 146 | '

', 147 | // No "Eat at Joe's" post. 148 | '

`; 131 | }); 132 | 133 | function rewriteLink(href) { 134 | const { url, scheme, authority, schemeSpecificPart } = coerceToUrl(href); 135 | 136 | // Extract extra info from the URL. 137 | let extras = SCHEME_DATA[scheme]; 138 | if (extras && authority) { 139 | if (extras[authority]) { 140 | extras = extras[authority]; 141 | } else if (extras['*']) { 142 | extras = extras['*']; 143 | } 144 | } 145 | while (typeof extras === 'function') { 146 | extras = extras(scheme, authority, schemeSpecificPart); 147 | } 148 | const { attrs = '' } = extras || {}; 149 | 150 | return `${ href }`; 151 | } 152 | 153 | // Rewrite links 154 | html = html.replace(LINK_PATTERN, rewriteLink); 155 | 156 | // Reconsistute tags. 157 | html = html.replace( 158 | //g, 159 | (whole, index) => sideTable[index]); 160 | 161 | return html; 162 | } 163 | 164 | module.exports = linkify; 165 | -------------------------------------------------------------------------------- /lib/framework/delicate-globals-rewrite.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Lots of builtin code requires the global process variable. 23 | * Virtualizing it would slow that code down. 24 | * Instrumenting every non-builtin source file is actually the most 25 | * efficient way to deny user code to silently access process. 26 | * 27 | * Some code needs to legitimately use `new Function`, but the node 28 | * runtime does not use a V8 version with a sufficiently flexible 29 | * allow_code_generation_from_string callback API like V8 3.7 does. 30 | * We can proxy Function to instead use the vm module to load code 31 | * when there are explicit calls, and then use module whitelisting 32 | * to gate access to the vm module. 33 | * 34 | * This module provides a (code,filename)->code transform that does both. 35 | */ 36 | 37 | // SENSITIVE - receives privileged require function. 38 | 39 | // See ./lockdown.js for guarantees re process. 40 | 41 | // The guarantees re Function are mostly checked by the flag choice in 42 | // main, but the guarantee below states captures the negative space 43 | // around what the Function masking below aims to allow. 44 | 45 | // GUARANTEE - A module that doesn't explicitly invoke Function(...) or 46 | // new Function(...) shouldn't be able to implicitly load code as in 47 | // // Attacker controlled strings 48 | // let a = 'constructor', b = 'console.log(1337)'; 49 | // // Naive code 50 | // ({})[a][a](b)(); 51 | // so we don't need to audit all modules for possible implicit access to 52 | // the Function constructor. 53 | 54 | // eslint-disable-next-line no-use-before-define 55 | module.exports = rewriteCode; 56 | 57 | const { fromCharCode } = String; 58 | const { create, defineProperty } = Object; 59 | const { randomBytes } = require('crypto'); 60 | const codeLoadingFunctionProxy = require('./code-loading-function-proxy.js'); 61 | const wellFormednessCheck = require('./well-formedness-check.js'); 62 | const unprivilegedRequire = require('./unprivileged-require.js'); 63 | 64 | function rewriteCode(code, filename, fallbackRequire = unprivilegedRequire) { 65 | code = `${ code }`; 66 | const decoded = code.replace( 67 | /\\u([0-9A-Fa-f]{4})/g, 68 | // eslint-disable-next-line no-magic-numbers 69 | (whole, hex) => fromCharCode(parseInt(hex, 16))); 70 | 71 | const masks = []; 72 | 73 | // On first reference to Function, load one that uses this module's require to load code via vm. 74 | // This lets us deny implicit calls to the Function constructor. 75 | // Mask Function if it seems to be used as a constructor intentionally. 76 | if (/\bFunction\s*\(/.test(decoded)) { 77 | masks[masks.length] = (localRequire, mask) => { 78 | let fun = null; 79 | defineProperty( 80 | mask, 81 | 'Function', 82 | { 83 | get() { 84 | const req = localRequire || fallbackRequire; 85 | return fun || (fun = codeLoadingFunctionProxy(req, filename)); 86 | }, 87 | }); 88 | }; 89 | } 90 | 91 | // Mask process 92 | if (/process(?!\w)/.test(decoded)) { 93 | // TODO: get a process mask value that encapsulates module identity by passing require 94 | // to a module that returns a masking value. 95 | 96 | // Add a single use non-enumerable global so that two modules can't 97 | // conspire by having an early loading one compute a hash for a late 98 | // loading one. 99 | // eslint-disable-next-line no-magic-numbers 100 | masks[masks.length] = (localRequire, mask) => { 101 | let proc = null; 102 | defineProperty( 103 | mask, 104 | 'process', 105 | { 106 | get() { 107 | const req = localRequire || fallbackRequire; 108 | return proc || (proc = req('process')); 109 | }, 110 | }); 111 | }; 112 | } 113 | 114 | if (masks.length) { 115 | const [ , header, rest ] = /^((?:#[^\n\r\u2028\u2029]*[\n\r\u2028\u2029]*)?)([\s\S]*)$/.exec(code); 116 | wellFormednessCheck(rest, filename); 117 | 118 | // eslint-disable-next-line no-magic-numbers 119 | const maskId = `_mask${ randomBytes(16).toString('hex') }`; 120 | defineProperty( 121 | global, 122 | maskId, 123 | { 124 | value: (localRequire) => { 125 | const mask = create(null); 126 | for (const masker of masks) { 127 | masker(localRequire, mask); 128 | } 129 | return mask; 130 | }, 131 | }); 132 | 133 | const before = `with (${ maskId }(typeof require !== 'undefined' ? require : null)) {`; 134 | const after = '}'; 135 | 136 | // Preserve line numbers while creating treating rest as a FunctionBody that might have its own 137 | // PrologueDeclarations. 138 | return `${ header }${ before } return (() => { ${ rest } })(); ${ after }`; 139 | } 140 | 141 | return code; 142 | } 143 | -------------------------------------------------------------------------------- /test/external-process-test-server.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Provides a test function compatible with ./end-to-end-common.js that 23 | * spins up a server per test case as a child process. 24 | */ 25 | 26 | const childProcess = require('child_process'); 27 | const path = require('path'); 28 | const process = require('process'); 29 | const { URL } = require('url'); 30 | 31 | const { setTimeout } = global; 32 | 33 | const shutdowns = []; 34 | process.on('SIGINT', () => { 35 | const failure = new Error('interrupted'); 36 | for (const shutdown of shutdowns) { 37 | try { 38 | shutdown(failure); 39 | } catch (exc) { 40 | console.error(exc); // eslint-disable-line no-console 41 | } 42 | } 43 | shutdowns.length = 0; 44 | }); 45 | 46 | /** 47 | * Given a root path fires up /path/to/root/scripts/run-locally.js. 48 | */ 49 | module.exports = (root) => function externalProcessTest(testFun, { quiet, isProduction }) { 50 | return function test(done) { 51 | // Each process has to spin up its own database, so this takes a bit longer 52 | // than the in-process tests. 53 | this.slow(7500); // eslint-disable-line no-invalid-this, no-magic-numbers 54 | this.timeout(15000); // eslint-disable-line no-invalid-this, no-magic-numbers 55 | 56 | const tStart = Date.now(); 57 | function logTestEvent(str) { 58 | if (!quiet) { 59 | // eslint-disable-next-line no-console 60 | console.log(`t+${ Date.now() - tStart } ${ str }`); 61 | } 62 | } 63 | 64 | let serverProcess = childProcess.spawn( 65 | path.join(root, 'scripts', 'run-locally.js'), 66 | [ 67 | // Do not append to the attacker's logfile. 68 | '--log', '/dev/null', // eslint-disable-next-line array-element-newline 69 | /* Ask server to pick a non-conflicting port. */ 70 | 'localhost', '0', 71 | ], 72 | { 73 | cwd: root, 74 | env: Object.assign( 75 | {}, 76 | // eslint-disable-next-line no-process-env 77 | process.env, 78 | { 79 | NODE_ENV: isProduction ? 'production' : 'test', 80 | UNSAFE_DISABLE_NODE_SEC_HOOKS: 'false', 81 | }), 82 | stdio: [ 'ignore', 'pipe', 'pipe' ], 83 | shell: false, 84 | }); 85 | logTestEvent(`Spawned process ${ serverProcess.pid }`); 86 | 87 | let calledDone = false; 88 | function shutdown(exc) { 89 | if (serverProcess) { 90 | try { 91 | serverProcess.stdout.destroy(); 92 | serverProcess.stderr.destroy(); 93 | if (!serverProcess.killed) { 94 | logTestEvent(`Ending process ${ serverProcess.pid }`); 95 | serverProcess.kill('SIGINT'); 96 | } 97 | serverProcess = null; 98 | } catch (shutdownFailure) { 99 | exc = exc || shutdownFailure || new Error('shutdown failed'); 100 | if (exc !== shutdownFailure) { 101 | // eslint-disable-next-line no-console 102 | console.error(shutdownFailure); 103 | } 104 | } 105 | } 106 | 107 | if (!calledDone) { 108 | calledDone = true; 109 | if (exc) { 110 | logTestEvent('Done with error'); 111 | done(exc); // eslint-disable-line callback-return 112 | } else { 113 | logTestEvent('Done without error'); 114 | done(); // eslint-disable-line callback-return 115 | } 116 | } else if (exc) { 117 | // eslint-disable-next-line no-console 118 | console.error(exc); 119 | } 120 | } 121 | shutdowns.push(shutdown); 122 | 123 | let stdout = ''; 124 | let stderr = ''; 125 | let ready = false; 126 | let baseUrl = null; 127 | 128 | function logs() { 129 | const result = { stdout, stderr }; 130 | ([ stdout, stderr ] = [ '', '' ]); 131 | return result; 132 | } 133 | serverProcess.unref(); 134 | serverProcess.on('close', () => { 135 | logTestEvent('CLOSED'); 136 | 137 | if (ready) { 138 | shutdown(); 139 | } else { 140 | shutdown(new Error(`Server did not start serving\n${ JSON.stringify(logs(), null, 2) }`)); 141 | } 142 | }); 143 | serverProcess.on('error', (exc) => done(exc || new Error('spawn failed'))); 144 | 145 | serverProcess.stdout.on('data', (chunk) => { 146 | logTestEvent(`STDOUT [[${ chunk }]]`); 147 | stdout += chunk; 148 | if (!ready) { 149 | if (baseUrl === null) { 150 | const match = /(?:^|\n)Serving from localhost:(\d+) at /.exec(stdout); 151 | if (match) { 152 | logTestEvent('GOT PORT'); 153 | const actualPort = Number(match[1]); 154 | baseUrl = new URL(`http://localhost:${ actualPort }`); 155 | } 156 | } 157 | if (/(?:^|\n)Database seeded with test data\n/.test(stdout)) { 158 | logTestEvent('READY'); 159 | ready = true; 160 | setTimeout( 161 | () => { 162 | logTestEvent('TESTING'); 163 | // Flush before starting test 164 | logs(); 165 | testFun(baseUrl, shutdown, logs); 166 | }, 167 | // eslint-disable-next-line no-magic-numbers 168 | 50); 169 | } 170 | } 171 | }); 172 | serverProcess.stderr.on('data', (chunk) => { 173 | logTestEvent(`STDERR [[${ chunk }]]`); 174 | stderr += chunk; 175 | }); 176 | }; 177 | }; 178 | -------------------------------------------------------------------------------- /main.js: -------------------------------------------------------------------------------- 1 | #!/bin/echo Use scripts/run-locally.js or npm start instead 2 | 3 | /** 4 | * @license 5 | * Copyright 2018 Google LLC 6 | * 7 | * Licensed under the Apache License, Version 2.0 (the "License"); 8 | * you may not use this file except in compliance with the License. 9 | * You may obtain a copy of the License at 10 | * 11 | * https://www.apache.org/licenses/LICENSE-2.0 12 | * 13 | * Unless required by applicable law or agreed to in writing, software 14 | * distributed under the License is distributed on an "AS IS" BASIS, 15 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | * See the License for the specific language governing permissions and 17 | * limitations under the License. 18 | */ 19 | 20 | 'use strict'; 21 | 22 | /** 23 | * @fileoverview 24 | * This ensures that trusted code runs early where it has access to builtins 25 | * before any monkeypatching by the majority of unprivileged modules. 26 | */ 27 | 28 | // SENSITIVE - Shebang enables early loaded trusted hooks, and code enables security machinery. 29 | 30 | const { execSync } = require('child_process'); 31 | const fs = require('fs'); // eslint-disable-line id-length 32 | const path = require('path'); 33 | const process = require('process'); 34 | 35 | const isMain = require.main === module; 36 | 37 | require('./lib/framework/bootstrap-secure.js')(path.resolve(__dirname), isMain); 38 | 39 | const { start } = require('./lib/server.js'); 40 | const safepg = require('./lib/safe/pg.js'); 41 | const { initializeTablesWithTestData } = require('./lib/db-tables'); 42 | const { flock } = require('fs-ext'); 43 | 44 | const processInfo = { 45 | pid: process.pid, 46 | argv: [ ...process.argv ], 47 | start: Date.now(), 48 | lastcommit: (() => { 49 | try { 50 | return execSync('git rev-parse HEAD', { encoding: 'utf8' }).replace(/\s+$/, ''); 51 | } catch (exc) { 52 | return 'git failed'; 53 | } 54 | })(), 55 | localhash: (() => { 56 | try { 57 | // `git rev-parse HEAD` does not include changes to the local client. 58 | // This doesn't included unadded files, but is better. 59 | return execSync('git show --pretty=%h --abbrev=32 | shasum -ba1', { encoding: 'utf8' }).replace(/\s+$/, ''); 60 | } catch (exc) { 61 | return 'git failed'; 62 | } 63 | })(), 64 | }; 65 | 66 | if (isMain) { 67 | // Fail fast if run via `node main.js` instead of as a script with the flags from #! above. 68 | let evalWorks = true; 69 | try { 70 | eval(String(Math.random())); // eslint-disable-line no-eval 71 | } catch (evalFailed) { 72 | evalWorks = false; 73 | } 74 | 75 | const argv = [ ...process.argv ]; 76 | // './bin/node' 77 | argv.shift(); 78 | // __filename 79 | argv.shift(); 80 | 81 | let requestLogFile = './request.log'; 82 | 83 | let initDb = true; 84 | flagloop: 85 | for (;;) { 86 | switch (argv[0]) { 87 | case '--noinitdb': 88 | argv.shift(); 89 | initDb = false; 90 | break; 91 | case '--log': 92 | argv.shift(); 93 | requestLogFile = argv.shift(); 94 | break; 95 | case '--': 96 | argv.shift(); 97 | break flagloop; 98 | default: 99 | break flagloop; 100 | } 101 | } 102 | 103 | const defaultHostName = 'localhost'; 104 | const defaultPort = 8080; 105 | const defaultRootDir = path.resolve(__dirname); 106 | 107 | if (evalWorks || argv[0] === '--help') { 108 | // eslint-disable-next-line no-console 109 | console.log(`Usage: ${ __filename } [--noinitdb] [ [ []]] 110 | 111 | : The hostname the service is typically reached under. Default ${ defaultHostName } 112 | : The local port to listen on. Default ${ defaultPort } 113 | : The root directory to use for static files and stored uploads. 114 | Default "$PWD": ${ defaultRootDir } 115 | `); 116 | } else { 117 | const [ hostName = defaultHostName, port = defaultPort, rootDir = defaultRootDir ] = argv; 118 | const database = new safepg.Pool(); 119 | // eslint-disable-next-line no-magic-numbers, no-sync 120 | const requestLogFileDescriptor = requestLogFile === '-' ? 1 : fs.openSync(requestLogFile, 'a', 0o600); 121 | 122 | // Log a request so we can replay attacks. 123 | // This appends to a log file that hopefully will allow us to playback successful and 124 | // unsuccessful attacks against variant servers. 125 | const writeToPlaybackLog = (message) => { // eslint-disable-line func-style 126 | message = Object.assign(message, { processInfo }); 127 | const octets = Buffer.from(`${ JSON.stringify(message, null, 1) },\n`, 'utf8'); 128 | // 2 means lock exclusively. 129 | // We lock in case multiple server processes interleave writes to the same channel. 130 | flock(requestLogFileDescriptor, 2, () => { 131 | fs.write(requestLogFileDescriptor, octets, (exc) => { 132 | // 8 means unlock 133 | // eslint-disable-next-line no-magic-numbers 134 | flock(requestLogFileDescriptor, 8); 135 | if (exc) { 136 | console.error(exc); // eslint-disable-line no-console 137 | } 138 | }); 139 | }); 140 | }; 141 | 142 | const { stop } = start( 143 | { hostName, port, rootDir, database, writeToPlaybackLog }, 144 | (exc, actualPort) => { 145 | if (exc) { 146 | process.exitCode = 1; 147 | // eslint-disable-next-line no-console 148 | console.error(exc); 149 | } else { 150 | // Our test fixtures depends on this exact format string. 151 | // eslint-disable-next-line no-console 152 | console.log(`Serving from ${ hostName }:${ actualPort } at ${ rootDir }`); 153 | } 154 | }); 155 | 156 | // eslint-disable-next-line no-inner-declarations 157 | function tearDown() { 158 | stop(); 159 | if (requestLogFileDescriptor) { 160 | // eslint-disable-next-line no-sync 161 | fs.closeSync(requestLogFileDescriptor); 162 | } 163 | try { 164 | database.end(); 165 | } catch (exc) { 166 | // Best effort. 167 | } 168 | } 169 | process.on('SIGINT', tearDown); 170 | 171 | if (initDb) { 172 | initializeTablesWithTestData(database).then( 173 | () => { 174 | // Our test fixtures depends on this exact string. 175 | // eslint-disable-next-line no-console 176 | console.log('Database seeded with test data'); 177 | }, 178 | (exc) => { 179 | // eslint-disable-next-line no-console 180 | console.error(exc); 181 | tearDown(); 182 | }); 183 | } 184 | } 185 | } 186 | 187 | // :) 188 | -------------------------------------------------------------------------------- /lib/handlers/login.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Associates the current session with an account. 23 | */ 24 | 25 | require('module-keys/cjs').polyfill(module, require); 26 | 27 | const { URL } = require('url'); 28 | 29 | const safesql = require('safesql'); 30 | const bodyParser = require('body-parser'); 31 | 32 | const template = require('./login.pug'); 33 | 34 | const postdataParser = bodyParser.urlencoded({ extended: false }); 35 | 36 | // eslint-disable-next-line no-magic-numbers 37 | const STATUS_TEMPORARY_REDIRECT = 302; 38 | 39 | exports.handle = (bundle, handleError) => { 40 | const { res, req, reqUrl, database, currentAccount, sessionNonce } = bundle; 41 | 42 | // Logout before logging in 43 | if (currentAccount && currentAccount.aid !== null) { 44 | res.statusCode = STATUS_TEMPORARY_REDIRECT; 45 | // Use continue to bounce back here after logging out. 46 | const dest = new URL(`/logout?cont=${ encodeURIComponent(reqUrl.pathname + reqUrl.search) }`, reqUrl); 47 | res.setHeader('Location', dest.href); 48 | res.end(); 49 | return; 50 | } 51 | 52 | // The URL we continue to on successful login. 53 | // We thread this through from one form to another via a hidden input. 54 | function getDestinationUrl(cont) { 55 | const defaultDest = new URL('/account', reqUrl); 56 | const dest = new URL(cont || req.headers.referer || defaultDest.pathname, defaultDest); 57 | if (dest.origin === reqUrl.origin) { 58 | // No open redirector. 59 | return dest; 60 | } 61 | return defaultDest; 62 | } 63 | 64 | let formPromise = null; 65 | if (req.method === 'POST') { 66 | formPromise = new Promise((resolve, reject) => { 67 | postdataParser(req, res, (exc) => { 68 | if (exc) { 69 | reject(exc); 70 | } else { 71 | const { cont, email } = req.body; 72 | resolve({ 73 | cont, 74 | email, 75 | submitted: true, 76 | }); 77 | } 78 | }); 79 | }); 80 | } else { 81 | formPromise = Promise.resolve({ 82 | cont: reqUrl.searchParams.get('cont'), 83 | email: null, 84 | submitted: false, 85 | }); 86 | } 87 | 88 | formPromise.then( 89 | ({ email, cont, submitted }) => { 90 | const contUrl = getDestinationUrl(cont); 91 | let loginPromise = Promise.resolve(null); 92 | if (submitted && typeof email === 'string') { 93 | email = email.replace(/^\s+|\s+$/g, ''); 94 | 95 | if (email) { 96 | loginPromise = new Promise((resolve, reject) => { 97 | database.connect().then( 98 | (client) => { 99 | // Release the client if anything goes wrong. 100 | function releaseAndReject(exc) { 101 | client.release(); 102 | reject(exc); 103 | } 104 | // If there's no account id associated with the given email, we need to create an 105 | // account record, before updating the PersonalInfo table with the email. 106 | function createNewAccount() { 107 | client.query(safesql.pg`INSERT INTO Accounts DEFAULT VALUES RETURNING *`).then( 108 | (resultSet) => { 109 | const [ { aid } ] = resultSet.rows; 110 | client.query(safesql.pg`INSERT INTO PersonalInfo (aid, email) VALUES (${ aid }, ${ email })`) 111 | .then( 112 | () => { 113 | // eslint-disable-next-line no-use-before-define 114 | associateAccountWithSessionNonce(resultSet); 115 | }, 116 | releaseAndReject); 117 | }, 118 | releaseAndReject); 119 | } 120 | // Once we've got an aid we can associate it with the sessionNonce in the Sessions 121 | // table. There must be a row there because this handler wouldn't have been reached 122 | // except after fetching the current account which creates an entry in Sessions if 123 | // none exists for the sessionNonce. 124 | function associateAccountWithSessionNonce(resultSet) { 125 | if (resultSet.rowCount === 1) { 126 | const [ { aid } ] = resultSet.rows; 127 | const sessionNonceValue = require.moduleKeys.unbox(sessionNonce, () => true); 128 | client.query(safesql.pg`UPDATE SESSIONS SET aid=${ aid } WHERE sessionnonce=${ sessionNonceValue }`) 129 | .then( 130 | (updates) => { 131 | client.release(); 132 | if (updates.rowCount === 1) { 133 | resolve(aid); 134 | } else { 135 | reject(new Error(`updated ${ updates.rowCount }`)); 136 | } 137 | }, 138 | releaseAndReject); 139 | } else { 140 | createNewAccount(); 141 | } 142 | } 143 | client.query(safesql.pg`SELECT aid FROM PersonalInfo WHERE email=${ email }`).then( 144 | associateAccountWithSessionNonce, 145 | releaseAndReject); 146 | }, 147 | reject); 148 | }); 149 | } 150 | } 151 | loginPromise.then( 152 | (aid) => { 153 | if (aid === null) { 154 | res.statusCode = 200; 155 | res.end(template(Object.assign({}, bundle, { email, cont: contUrl.href }))); 156 | } else { 157 | // Redirect on successful login. 158 | res.statusCode = STATUS_TEMPORARY_REDIRECT; 159 | res.setHeader('Location', contUrl.href); 160 | res.end(); 161 | } 162 | }, 163 | handleError); 164 | }, 165 | handleError); 166 | }; 167 | -------------------------------------------------------------------------------- /lib/framework/module-stubs.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Stub out modules that we don't want to actually load in production. 23 | */ 24 | 25 | const { min, max } = Math; 26 | const { create } = Object; 27 | const { apply: rapply, get: rget } = Reflect; 28 | 29 | module.exports = (preventLoad) => { 30 | function stubFor(id) { 31 | const filename = require.resolve(id); 32 | if (preventLoad) { 33 | const stub = new module.constructor(filename, filename); 34 | stub.loaded = true; 35 | 36 | Object.defineProperty( 37 | require.cache, 38 | filename, 39 | { value: stub, enumerable: true }); 40 | return stub; 41 | } 42 | 43 | // eslint-disable-next-line global-require 44 | require(id); 45 | return require.cache[filename]; 46 | } 47 | 48 | // stealthy-require fails to clear the module cache which is 49 | // super obnoxious. module-keys cause that to fail noisily 50 | // which is good, but that causes modules that need it to fail. 51 | // Return a stub that doesn't do the objectionable things that 52 | // stealthy-require does. This would cause problems if we 53 | // actually needed jsdom to load scripts instead of just provide 54 | // a DOM parser for DOMPurify. 55 | // eslint-disable-next-line func-name-matching 56 | stubFor('stealthy-require').exports = function stealthyRequire( 57 | // eslint-disable-next-line no-unused-vars, id-blacklist 58 | requireCache, callback, callbackForModulesToKeep, module) { 59 | return callback(); 60 | }; 61 | 62 | // We use jsdom to parse XML. We don't want it making external 63 | // HTTP requests. XMLHttpRequest should be unnecessary but 64 | // initializing the module fails because we deny access to 65 | // "http" and "child_process". 66 | // eslint-disable-next-line func-name-matching 67 | stubFor('jsdom/lib/jsdom/living/xmlhttprequest.js').exports = function createXMLHttpRequest() { 68 | return {}; 69 | }; 70 | 71 | stubFor('jsdom/lib/jsdom/living/websockets/WebSocket-impl.js').exports = { 72 | implementation: class WebSocketImpl { 73 | }, 74 | }; 75 | 76 | stubFor('jsdom/lib/jsdom/browser/resources/resource-loader.js').exports = class ResourceLoader { 77 | // May need to stub this out so that fetch('file:') does something useful. 78 | }; 79 | 80 | // eslint-disable-next-line global-require 81 | const Promise = require('promise/lib/node-extensions.js'); 82 | 83 | /* 84 | 85 | // with arity 3 86 | 87 | const f = function (a0,a1,a2) { 88 | var self = this; 89 | return new Promise(function (rs, rj) { 90 | var res = fn.call(self,a0,a1,a2,function (err, res) { 91 | if (err) { 92 | rj(err); 93 | } else { 94 | rs(res); 95 | } 96 | }); 97 | if (res && (typeof res === "object" || typeof res === "function") && 98 | typeof res.then === "function") { 99 | rs(res); 100 | } 101 | }); 102 | }; 103 | 104 | // with fn of length 3 105 | 106 | function (a0,a1,a2) { 107 | var self = this; 108 | var args; 109 | var argLength = arguments.length; 110 | if (arguments.length > 3) { 111 | args = new Array(arguments.length + 1); 112 | for (var i = 0; 113 | i < arguments.length; 114 | i++) { 115 | args[i] = arguments[i]; 116 | } 117 | } 118 | return new Promise(function (rs, rj) { 119 | var cb = function (err, res) { 120 | if (err) { 121 | rj(err); 122 | } else { 123 | rs(res); 124 | } 125 | } 126 | ; 127 | var res; 128 | switch (argLength) { 129 | case 0:res = fn.call(self,cb); 130 | break; 131 | case 1:res = fn.call(self,a0,cb); 132 | break; 133 | case 2:res = fn.call(self,a0,a1,cb); 134 | break; 135 | case 3:res = fn.call(self,a0,a1,a2,cb); 136 | break; 137 | default:args[argLength] = cb; 138 | res = fn.apply(self, args); 139 | } 140 | if (res && (typeof res === "object" || typeof res === "function") && 141 | typeof res.then === "function") { 142 | rs(res); 143 | } 144 | }); 145 | } 146 | */ 147 | 148 | const handlerForArgumentCount = create(null); 149 | 150 | // This does what the original denodeify does but without invoking 151 | // `new Function(...)`. 152 | // It's unnecessary since delicate-globals-rewrite now allows it 153 | // to do just that, but it seems to work, and might be worth 154 | // upstreaming as versions of Node without Proxy reach end of support. 155 | function denodeify(fun, argumentCount) { 156 | if (typeof fun !== 'function') { 157 | throw new TypeError(typeof fun); 158 | } 159 | let minArity = 0; 160 | // eslint-disable-next-line no-bitwise 161 | let maxArity = (fun.length >>> 0); 162 | // eslint-disable-next-line no-bitwise 163 | if (argumentCount === (argumentCount >>> 0)) { 164 | minArity = argumentCount; 165 | maxArity = argumentCount; 166 | } 167 | 168 | const key = `${ minArity }/${ maxArity }`; 169 | 170 | if (!handlerForArgumentCount[key]) { 171 | handlerForArgumentCount[key] = { 172 | get(target, prop, receiver) { 173 | if (prop === 'length') { 174 | return maxArity; 175 | } 176 | return rget(target, prop, receiver); 177 | }, 178 | apply(target, thisArgument, argumentsList) { 179 | return new Promise((resolve, reject) => { 180 | const { length } = argumentsList; 181 | const arity = min(maxArity, max(minArity, length)); 182 | 183 | let args = null; 184 | if (arity === length) { 185 | args = argumentsList; 186 | } else { 187 | args = []; 188 | for (let i = 0; i < arity; ++i) { 189 | args[i] = argumentsList[i]; 190 | } 191 | } 192 | args[arity] = (exc, res) => { 193 | if (exc) { 194 | reject(exc); 195 | } else { 196 | resolve(res); 197 | } 198 | }; 199 | const res = rapply(target, thisArgument, args); 200 | if (res && (typeof res === 'object' || typeof res === 'function') && 201 | typeof res.then === 'function') { 202 | resolve(res); 203 | } 204 | }); 205 | }, 206 | }; 207 | } 208 | return new Proxy(fun, handlerForArgumentCount[key]); 209 | } 210 | Promise.denodeify = denodeify; 211 | }; 212 | -------------------------------------------------------------------------------- /package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "attack-review-testbed", 3 | "version": "1.0.0-nopublish", 4 | "description": "A testbed for github.com/nodejs/security-wg/issues/409", 5 | "main": "main.js", 6 | "scripts": { 7 | "start": "scripts/run-locally.js", 8 | "start:vuln": "vulnerable/scripts/run-locally.js", 9 | "cover": "istanbul cover _mocha", 10 | "coveralls": "npm run cover -- --report lcovonly && cat ./coverage/lcov.info | coveralls", 11 | "license": "scripts/license-check.sh", 12 | "lint": "./node_modules/.bin/eslint .", 13 | "postinstall": "scripts/postinstall.sh", 14 | "prepack": "npm run lint && npm test", 15 | "prepublishOnly": "echo This package should not be published to NPM && false", 16 | "pretest": "./scripts/build-vulnerable.sh -c", 17 | "test": "scripts/test.sh" 18 | }, 19 | "repository": { 20 | "type": "git", 21 | "url": "git+https://github.com/mikesamuel/attack-review-testbed.git" 22 | }, 23 | "author": "@mikesamuel", 24 | "license": "Apache-2.0", 25 | "bugs": { 26 | "url": "https://github.com/mikesamuel/attack-review-testbed/issues" 27 | }, 28 | "homepage": "https://github.com/mikesamuel/attack-review-testbed#readme", 29 | "mintable": { 30 | "grants": { 31 | "web-contract-types/TrustedHTML": [ 32 | "pug-runtime-trusted-types", 33 | "./lib/handlers/account.pug", 34 | "./lib/handlers/echo.pug", 35 | "./lib/handlers/error.pug", 36 | "./lib/handlers/four-oh-four.pug", 37 | "./lib/handlers/index.pug", 38 | "./lib/handlers/login.pug", 39 | "./lib/handlers/logout.pug", 40 | "./lib/handlers/post.pug", 41 | "./lib/safe/html.js" 42 | ] 43 | }, 44 | "second": [ 45 | "safesql", 46 | "sh-template-tag", 47 | "web-contract-types" 48 | ] 49 | }, 50 | "sensitiveModules": { 51 | "child_process": { 52 | "advice": "Use safe/child_process.js instead.", 53 | "ids": [ 54 | "main.js", 55 | "lib/safe/child_process.js" 56 | ] 57 | }, 58 | "fs": { 59 | "advice": "The server has write permissions to a directory that contains static files. If you need file-system access, please contact security-oncall@. TODO: safe/fs.js will provide non-mutating file-system access", 60 | "ids": [ 61 | "clean-css/lib/reader/read-sources.js", 62 | "clean-css/lib/reader/apply-source-maps.js", 63 | "clean-css/lib/reader/load-original-sources.js", 64 | "destroy/index.js", 65 | "etag/index.js", 66 | "fd-slicer/index.js", 67 | "fs-ext/fs-ext.js", 68 | "jstransformer/index.js", 69 | "lib/server.js", 70 | "main.js", 71 | "mime/mime.js", 72 | "multiparty/index.js", 73 | "resolve/lib/async.js", 74 | "resolve/lib/node-modules-paths.js", 75 | "resolve/lib/sync.js", 76 | "pgpass/lib/index.js", 77 | "pn/fs.js", 78 | "pug-runtime/build.js", 79 | "pug/lib/index.js", 80 | "pug-load/index.js", 81 | "send/index.js", 82 | "uglify-js/tools/node.js" 83 | ] 84 | }, 85 | "http": [ 86 | "lib/server.js" 87 | ], 88 | "process": { 89 | "advice": "Process is easy to misuse. If you need access to process metadata, thread it through from main.js. Changes to the process's environment should go through the docker wrapper, and checks should go through its maintainers. Contact security-oncall@ if these options don't work for you.", 90 | "mode": "enforce", 91 | "ids": [ 92 | "main.js", 93 | "lib/framework/bootstrap-secure.js", 94 | "lib/framework/builtin-module-ids.js", 95 | "lib/framework/is-prod.js", 96 | "lib/framework/lockdown.js", 97 | "browser-process-hrtime/index.js", 98 | "clean-css/lib/reader/rewrite-url.js", 99 | "clean-css/lib/writer/source-maps.js", 100 | "debug/src/index.js", 101 | "debug/src/node.js", 102 | "depd", 103 | "iconv-lite/lib/index.js", 104 | "whatwg-encoding/node_modules/iconv-lite/lib/index.js", 105 | "jsdom/lib/jsdom/browser/Window.js", 106 | "mime/mime.js", 107 | "multiparty/index.js", 108 | "pg/lib/client.js", 109 | "pg/lib/connection-parameters.js", 110 | "pg/lib/defaults.js", 111 | "pg/lib/index.js", 112 | "pg/lib/query.js", 113 | "pgpass/lib/helper.js", 114 | "pg-pool/index.js", 115 | "resolve/lib/core.js", 116 | "uglify-js" 117 | ] 118 | }, 119 | "node_modules/pirates/lib/index.js": { 120 | "advice": "addHook affects all modules. security-oncall@ can help integrate custom loader hooks.", 121 | "ids": [ 122 | "node_modules/pug-require/index.js", 123 | "lib/framework/lockdown.js" 124 | ] 125 | }, 126 | "./lib/framework/init-hooks.js": [ 127 | "./lib/framework/bootstrap-secure.js" 128 | ], 129 | "pg": { 130 | "advice": "Use safe/pg.js instead.", 131 | "ids": [ 132 | "lib/safe/pg.js" 133 | ] 134 | }, 135 | "vm": { 136 | "mode": "enforce", 137 | "ids": [ 138 | "uglify-js/tools/node.js", 139 | "core-js/library/modules/_global.js", 140 | "depd/index.js", 141 | "pug-plugin-trusted-types/index.js", 142 | "jsdom/lib/api.js", 143 | "lodash.sortby/index.js", 144 | "nwsapi/src/nwsapi.js" 145 | ] 146 | } 147 | }, 148 | "dependencies": { 149 | "body-parser": "^1.18.3", 150 | "cookie": "^0.3.1", 151 | "csrf-crypto": "^1.0.1", 152 | "dompurify": "^1.0.8", 153 | "fs-ext": "^1.2.1", 154 | "jsdom": "^12.2.0", 155 | "mime-types": "^2.1.20", 156 | "multiparty": "^4.2.1", 157 | "node-sec-patterns": "^3.0.2", 158 | "pg": "^7.5.0", 159 | "pug": "^2.0.3", 160 | "pug-require": "^2.0.2", 161 | "safesql": "^2.0.2", 162 | "serve-static": "^1.13.2", 163 | "sh-template-tag": "^4.0.2", 164 | "tiny-relative-date": "^1.3.0", 165 | "tlds": "^1.203.1", 166 | "web-contract-types": "^2.0.2" 167 | }, 168 | "devDependencies": { 169 | "capture-console": "^1.0.1", 170 | "chai": "^4.2.0", 171 | "coveralls": "^3.0.2", 172 | "eslint": "^5.6.1", 173 | "eslint-config-strict": "^14.0.1", 174 | "istanbul": "^0.4.5", 175 | "mocha": "^5.2.0", 176 | "pre-commit": "^1.2.2", 177 | "random-number-csprng": "^1.0.2" 178 | }, 179 | "pre-commit": [ 180 | "license", 181 | "prepack" 182 | ], 183 | "eslintIgnore": [ 184 | "/bin/node.d/node/**", 185 | "/coverage/**", 186 | "**/node_modules/**" 187 | ], 188 | "eslintConfig": { 189 | "extends": [ 190 | "strict" 191 | ], 192 | "parserOptions": { 193 | "ecmaVersion": 6, 194 | "sourceType": "source", 195 | "ecmaFeatures": { 196 | "impliedStrict": false 197 | } 198 | }, 199 | "rules": { 200 | "no-confusing-arrow": [ 201 | "error", 202 | { 203 | "allowParens": true 204 | } 205 | ], 206 | "no-warning-comments": [ 207 | "error", 208 | { 209 | "terms": [ 210 | "do not submit" 211 | ] 212 | } 213 | ], 214 | "no-void": "off", 215 | "strict": [ 216 | "error", 217 | "global" 218 | ] 219 | } 220 | } 221 | } 222 | -------------------------------------------------------------------------------- /test/sensitive-module-hook-test.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | const { expect } = require('chai'); 21 | const { describe, it } = require('mocha'); 22 | 23 | const { makeHook } = require('../lib/framework/module-hooks/sensitive-module-hook.js'); 24 | const { runHook } = require('./run-hook.js'); 25 | 26 | describe('sensitive-module-hook', () => { 27 | const config = { 28 | 'child_process': { 29 | 'advice': 'Try to use safe/child_process instead. If that doesn\'t work, ask @security-oncall', 30 | 'ids': [ './may-use-childprocess.js' ], 31 | }, 32 | 'fs': null, 33 | 'process': { 34 | mode: 'report-only', 35 | }, 36 | './unsafe.js': './may-use-unsafe.js', 37 | }; 38 | describe('reportOnly', () => { 39 | const hook = makeHook(config, __dirname, true); 40 | describe('builtin', () => { 41 | it('allowed', () => { 42 | expect(runHook(hook, 'may-use-childprocess.js', 'child_process')) 43 | .to.deep.equal({ 44 | result: 'child_process', 45 | stdout: '', 46 | stderr: '', 47 | }); 48 | }); 49 | it('disallowed', () => { 50 | expect(runHook(hook, 'unsafe.js', 'child_process')) 51 | .to.deep.equal({ 52 | result: 'child_process', 53 | stderr: ( 54 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 55 | ' Reporting require("child_process") by unsafe.js\n\n' + 56 | '\tTry to use safe/child_process instead. If that doesn\'t work, ask @security-oncall\n'), 57 | stdout: '', 58 | }); 59 | }); 60 | it('not sensitive', () => { 61 | expect(runHook(hook, 'may-use-childprocess.js', 'path')) 62 | .to.deep.equals({ 63 | result: 'path', 64 | stderr: '', 65 | stdout: '', 66 | }); 67 | }); 68 | it('mode report-only', () => { 69 | expect(runHook(hook, 'uses-process.js', 'process')) 70 | .to.deep.equals({ 71 | result: 'process', 72 | stderr: ( 73 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 74 | ' Reporting require("process") by uses-process.js\n'), 75 | stdout: '', 76 | }); 77 | }); 78 | }); 79 | describe('user module', () => { 80 | it('allowed', () => { 81 | expect(runHook(hook, 'may-use-unsafe.js', './unsafe.js')) 82 | .to.deep.equals({ 83 | result: './unsafe.js', 84 | stderr: '', 85 | stdout: '', 86 | }); 87 | }); 88 | it('disallowed', () => { 89 | expect(runHook(hook, 'unsafe.js', './unsafe.js')) 90 | .to.deep.equals({ 91 | result: './unsafe.js', 92 | stderr: ( 93 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 94 | ' Reporting require("./unsafe.js") by unsafe.js\n'), 95 | stdout: '', 96 | }); 97 | }); 98 | it('no such file', () => { 99 | expect(() => runHook(hook, 'may-use-childprocess.js', './no-such-file.js')) 100 | .to.throw(Error, 'Cannot find module \'./no-such-file.js\''); 101 | }); 102 | it('not sensitive', () => { 103 | expect(runHook(hook, 'may-use-childprocess.js', './ok.js')) 104 | .to.deep.equals({ 105 | result: './ok.js', 106 | stdout: '', 107 | stderr: '', 108 | }); 109 | }); 110 | }); 111 | }); 112 | describe('active', () => { 113 | const hook = makeHook(config, __dirname, false); 114 | describe('builtin', () => { 115 | it('allowed', () => { 116 | expect(runHook(hook, 'may-use-childprocess.js', 'child_process')) 117 | .to.deep.equal({ 118 | result: 'child_process', 119 | stdout: '', 120 | stderr: '', 121 | }); 122 | }); 123 | it('disallowed', () => { 124 | expect(runHook(hook, 'unsafe.js', 'child_process')) 125 | .to.deep.equal({ 126 | result: require.resolve('../lib/framework/module-hooks/innocuous.js'), 127 | stderr: ( 128 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 129 | ' Blocking require("child_process") by unsafe.js\n\n' + 130 | '\tTry to use safe/child_process instead. If that doesn\'t work, ask @security-oncall\n'), 131 | stdout: '', 132 | }); 133 | }); 134 | it('disallowed no list', () => { 135 | expect(runHook(hook, 'unsafe.js', 'fs')) 136 | .to.deep.equal({ 137 | result: require.resolve('../lib/framework/module-hooks/innocuous.js'), 138 | stderr: ( 139 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 140 | ' Blocking require("fs") by unsafe.js\n'), 141 | stdout: '', 142 | }); 143 | }); 144 | it('not sensitive', () => { 145 | expect(runHook(hook, 'may-use-childprocess.js', 'path')) 146 | .to.deep.equals({ 147 | result: 'path', 148 | stderr: '', 149 | stdout: '', 150 | }); 151 | }); 152 | it('mode report-only', () => { 153 | expect(runHook(hook, 'uses-process.js', 'process')) 154 | .to.deep.equals({ 155 | result: 'process', 156 | stderr: ( 157 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 158 | ' Reporting require("process") by uses-process.js\n'), 159 | stdout: '', 160 | }); 161 | }); 162 | }); 163 | describe('user module', () => { 164 | it('allowed', () => { 165 | expect(runHook(hook, 'may-use-unsafe.js', './unsafe.js')) 166 | .to.deep.equals({ 167 | result: './unsafe.js', 168 | stderr: '', 169 | stdout: '', 170 | }); 171 | }); 172 | it('disallowed', () => { 173 | expect(runHook(hook, 'unsafe.js', './unsafe.js')) 174 | .to.deep.equals({ 175 | result: require.resolve('../lib/framework/module-hooks/innocuous.js'), 176 | stderr: ( 177 | '../lib/framework/module-hooks/sensitive-module-hook.js:' + 178 | ' Blocking require("./unsafe.js") by unsafe.js\n'), 179 | stdout: '', 180 | }); 181 | }); 182 | it('no such file', () => { 183 | expect(() => runHook(hook, 'may-use-childprocess.js', './no-such-file.js')) 184 | .to.throw(Error, 'Cannot find module \'./no-such-file.js\''); 185 | }); 186 | it('not sensitive', () => { 187 | expect(runHook(hook, 'may-use-childprocess.js', './ok.js')) 188 | .to.deep.equals({ 189 | result: './ok.js', 190 | stdout: '', 191 | stderr: '', 192 | }); 193 | }); 194 | }); 195 | }); 196 | }); 197 | -------------------------------------------------------------------------------- /lib/db-tables.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Utilities to set up database tables needed by handlers/*.js, and 23 | * utilities to restore to known state for tests. 24 | */ 25 | 26 | const safesql = require('safesql'); 27 | 28 | const initStmts = safesql.pg` 29 | 30 | -- Relate unique principle IDs to display info. 31 | CREATE TABLE IF NOT EXISTS Accounts ( 32 | aid serial PRIMARY KEY, 33 | displayname varchar, 34 | displaynamehtml varchar, 35 | publicurl varchar, 36 | created timestamp DEFAULT current_timestamp 37 | ); 38 | 39 | -- Relate server session nonces to Accounts. 40 | CREATE TABLE IF NOT EXISTS Sessions ( 41 | -- 256b base64 encoded 42 | sessionnonce char(44) PRIMARY KEY, 43 | aid integer, 44 | created timestamp DEFAULT current_timestamp 45 | ); 46 | 47 | -- Relates private user info to account ids. 48 | CREATE TABLE IF NOT EXISTS PersonalInfo ( 49 | aid integer UNIQUE, 50 | realname varchar, 51 | email varchar, 52 | created timestamp DEFAULT current_timestamp 53 | ); 54 | CREATE INDEX IF NOT EXISTS PersonInfo_aid ON PersonalInfo ( aid ); 55 | 56 | -- HTML snippets posted by users. 57 | -- A post is visible if it is public or its 58 | -- author and the viewer are friends. 59 | CREATE TABLE IF NOT EXISTS Posts ( 60 | pid serial PRIMARY KEY, 61 | author integer, -- JOINs on aid 62 | bodyhtml varchar NOT NULL, 63 | public bool DEFAULT false, 64 | created timestamp DEFAULT current_timestamp 65 | ); 66 | CREATE INDEX IF NOT EXISTS Posts_aid ON Posts ( author ); -- For efficient account deletion 67 | CREATE INDEX IF NOT EXISTS Posts_timestamp ON Posts ( created DESC ); -- For efficient display 68 | 69 | -- Images associated with posts. 70 | CREATE TABLE IF NOT EXISTS PostResources ( 71 | rid serial PRIMARY KEY, 72 | pid integer NOT NULL, 73 | urlpath varchar NOT NULL, 74 | created timestamp DEFAULT current_timestamp 75 | ); 76 | 77 | -- A account is always friends with themself. 78 | -- Per reciprocity, an account a is friends with account b if 79 | -- there are both entries (a, b) and (b, a) in this table. 80 | -- Every other pair of accounts are not friends :( 81 | -- An account a owns all/only entries where its aid is in leftAid. 82 | CREATE TABLE IF NOT EXISTS Friendships ( 83 | fid serial PRIMARY KEY, 84 | leftaid integer NOT NULL, -- JOINs on aid 85 | rightaid integer NOT NULL, -- JOINs on aid 86 | created timestamp DEFAULT current_timestamp 87 | ); 88 | CREATE INDEX IF NOT EXISTS Friendships_leftaid ON Friendships ( leftaid ); 89 | CREATE INDEX IF NOT EXISTS Friendships_leftaid_rightaid ON Friendships ( leftaid, rightaid ); 90 | 91 | -- Arbitrary metadata about a post. 92 | CREATE TABLE IF NOT EXISTS PostMetadata ( 93 | pid integer NOT NULL, 94 | key varchar NOT NULL, 95 | value varchar, 96 | created timestamp DEFAULT current_timestamp 97 | ); 98 | CREATE INDEX IF NOT EXISTS Postmetadata_pid ON PostMetadata ( pid ); 99 | 100 | `; 101 | 102 | const cannedData = safesql.pg` 103 | INSERT INTO Accounts 104 | ( aid, displayname, displaynamehtml, publicurl ) 105 | VALUES 106 | ( x'Ada'::int, 'Ada', NULL, NULL ), 107 | ( x'B0b'::int, NULL, 'Bob', 'javascript:alert(1)' ), 108 | ( x'Deb'::int, NULL, 'Deb', 'https://deb.example.com/' ), 109 | ( x'Fae'::int, 'Fae', 'Fae', 'mailto:fae@fae.fae' ) 110 | ; 111 | 112 | INSERT INTO PersonalInfo 113 | ( aid, realname, email ) 114 | VALUES 115 | ( x'Ada'::int, 'Ada Lovelace', 'ada@example.com' ), 116 | ( x'B0b'::int, 'Bob F. NULL', 'Bob !' ), 126 | ( x'Deb'::int, true, '2019-04-07 12:00:00', '¡Hi, all!' ), 127 | ( x'Deb'::int, false, '2019-04-08 12:00:00', 'Bob, I''m browsing via Lynx and your post isn''t Lynx-friendly.' ), 128 | ( x'Fae'::int, true, '2019-04-09 12:00:00', 'Sigh! Yet another Facebook.com knockoff without any users.' ), 129 | ( x'Fae'::int, true, '2019-04-10 12:00:00', '(It is probably insecure)' ), 130 | ( x'B0b'::int, false, '2019-04-11 12:00:00', 'You think?' ) 131 | ; 132 | 133 | INSERT INTO PostResources 134 | ( pid, urlpath ) 135 | VALUES 136 | ( 1, 'smiley.png' ) 137 | ; 138 | 139 | INSERT INTO Friendships 140 | ( leftaid, rightaid ) 141 | VALUES 142 | ( x'Ada'::int, x'Ada'::int ), 143 | ( x'Deb'::int, x'B0b'::int ), 144 | ( x'B0b'::int, x'Ada'::int ), 145 | ( x'B0b'::int, x'Deb'::int ), 146 | ( x'B0b'::int, x'Fae'::int ), 147 | ( x'Ada'::int, x'Fae'::int ), 148 | ( x'Fae'::int, x'Ada'::int ) 149 | ; 150 | `; 151 | 152 | 153 | const dropStmts = (() => { 154 | const createSql = initStmts.content; 155 | const tableNamePattern = /^CREATE (TABLE|INDEX) IF NOT EXISTS (\w+)/mg; 156 | 157 | let dropSql = null; 158 | for (let match; (match = tableNamePattern.exec(createSql));) { 159 | const [ , type, name ] = match; 160 | const canonName = name.toLowerCase(); 161 | const dropStmt = type.toUpperCase() === 'INDEX' ? 162 | safesql.pg`DROP INDEX IF EXISTS "${ canonName }"` : 163 | safesql.pg`DROP TABLE IF EXISTS "${ canonName }"`; 164 | dropSql = dropSql ? 165 | safesql.pg`${ dropSql }; 166 | ${ dropStmt }` : 167 | dropStmt; 168 | } 169 | 170 | return dropSql; 171 | })(); 172 | 173 | module.exports = { 174 | // eslint-disable-next-line no-use-before-define 175 | createTables, clearTables, initializeTablesWithTestData, 176 | }; 177 | 178 | function promiseToRun(dbPool, sql) { 179 | return new Promise((resolve, reject) => { 180 | dbPool.connect().then( 181 | (client) => { 182 | client.query(sql).then( 183 | (x) => { 184 | client.release(); 185 | resolve(x); 186 | }, 187 | (exc) => { 188 | client.release(); 189 | reject(exc); 190 | }); 191 | }, 192 | reject); 193 | }); 194 | } 195 | 196 | function createTables(dbPool) { 197 | return promiseToRun(dbPool, initStmts); 198 | } 199 | 200 | function clearTables(dbPool) { 201 | return promiseToRun(dbPool, safesql.pg`${ dropStmts };${ initStmts }`); 202 | } 203 | 204 | function initializeTablesWithTestData(dbPool) { 205 | return promiseToRun(dbPool, safesql.pg`${ dropStmts };${ initStmts };${ cannedData }`); 206 | } 207 | -------------------------------------------------------------------------------- /lib/framework/lockdown.js: -------------------------------------------------------------------------------- 1 | /** 2 | * @license 3 | * Copyright 2018 Google LLC 4 | * 5 | * Licensed under the Apache License, Version 2.0 (the "License"); 6 | * you may not use this file except in compliance with the License. 7 | * You may obtain a copy of the License at 8 | * 9 | * https://www.apache.org/licenses/LICENSE-2.0 10 | * 11 | * Unless required by applicable law or agreed to in writing, software 12 | * distributed under the License is distributed on an "AS IS" BASIS, 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 | * See the License for the specific language governing permissions and 15 | * limitations under the License. 16 | */ 17 | 18 | 'use strict'; 19 | 20 | /** 21 | * @fileoverview 22 | * Prevents non-additive changes to builtins, the global object, and make 23 | * apparent when native modules like 'process' are accessed ambiently. 24 | * 25 | * This does not prevent all monkeypatching of builtins, but does mean that 26 | * console internals and core modules like 'fs' and 'path' can get a trusted 27 | * path to Function.protoype.call. 28 | * 29 | * This is best effort. If it runs before anything else freezes properties, 30 | * then it will prevent some interference between modules. 31 | */ 32 | 33 | // SENSITIVE - adds hooks that affect all loaded modules. 34 | 35 | // GUARANTEE - ability to use `new Function(...)` to load code could be 36 | // restricted to a whitelist of modules allowed to access "vm". 37 | 38 | // GUARANTEE - myFunction.call and myFunction.apply mean what developers 39 | // expect if they declared myFunction. No guarantee is made about 40 | // `.call` of apparent functions received from outside because proxies. 41 | // GUARANTEE - `String(x)` in module code that does not itself introduce 42 | // a local name `String` returns a value x such that typeof x === 'string'. 43 | 44 | // CAVEAT - We mask process in user-land modules that load via require 45 | // hooks on .js code. This does nothing to restrict global['process']. 46 | // We cannot do so without affecting builtin module code that uses 47 | // global references to `process` because invoking require('process') 48 | // would introduce chicken-egg problems. 49 | // The guarantee below is almost certainly trivially violable in ways 50 | // that we can't fix but it's worth attacker effort to enumerate some. 51 | // 52 | // Until we can really gate access to process we can't bound the amount 53 | // of code we have to check to prevent 54 | // // Attacker controlled 55 | // let x = 'process', y = 'exit'; 56 | // // Naive code 57 | // function f() { return this[x][y](); } 58 | // f(); 59 | // 60 | // Properly gating that requires changing the meaning of `this` in 61 | // non-strict function bodies which requires changing the current 62 | // realm's global object. 63 | // 64 | // TODO: experiment with changing ../../.bin/node.d/node.patch to 65 | // tweak all builtin modules that have `process` as a free variable 66 | // to start with 67 | // const process = global[Symbol.from('process')]; 68 | // and the V8 bootstrap code to attach process there. 69 | // 70 | // Actually denying process to user code would require some kind of 71 | // secret shared or closely held reference available only to builtin 72 | // code. The module loader that allows builtins access to lib/internal 73 | // modules might server as the basis for getting such a secret from V8 74 | // and conveying it to only builtin modules. 75 | // 76 | // But being able to mitigate any access via string keys would 77 | // move an unmitigated process object out of the object graph 78 | // reachable via substrings of network messages. 79 | 80 | // GUARANTEE - global access to process is restricted to a whitelist 81 | // of legacy modules. 82 | // See require('../../package.json').sensitiveModules.process 83 | 84 | 85 | // eslint-disable-next-line no-use-before-define 86 | module.exports = lockdown; 87 | 88 | const { apply } = Reflect; 89 | 90 | const globalObject = global; 91 | 92 | const { 93 | create, 94 | defineProperties, 95 | hasOwnProperty, 96 | getOwnPropertyDescriptors, 97 | getOwnPropertyNames, 98 | getOwnPropertySymbols, 99 | } = Object; 100 | 101 | const constants = require('constants'); 102 | const { exit } = require('process'); 103 | const { addHook } = require('pirates'); 104 | const delicateGlobalsRewrite = require('./delicate-globals-rewrite.js'); 105 | 106 | const languageIntrinsics = [ 107 | /* eslint-disable array-element-newline */ 108 | // Buffer and constants are actually Node builtins 109 | Array, ArrayBuffer, Boolean, Buffer, console, Date, EvalError, Error, 110 | Float32Array, Float64Array, Function, Int8Array, Int16Array, Int32Array, 111 | Intl, JSON, Object, Map, Math, Number, Promise, Proxy, RangeError, 112 | ReferenceError, Reflect, RegExp, Set, String, Symbol, SyntaxError, TypeError, 113 | URIError, Uint8Array, Uint16Array, Uint32Array, Uint8ClampedArray, WeakMap, 114 | WeakSet, global.WebAssembly, constants, 115 | /* eslint-enable array-element-newline */ 116 | ]; 117 | 118 | const doNotFreeze = { 119 | __proto__: null, 120 | Object: { 121 | __proto__: null, 122 | toString: true, 123 | }, 124 | }; 125 | 126 | const importantGlobalKeys = [ 'Infinity', 'NaN', 'global', 'GLOBAL', 'isFinite', 'isNaN', 'root', 'undefined' ]; 127 | 128 | function lockdownOwnPropertiesOf(obj, keys, whitelist) { 129 | const descriptors = getOwnPropertyDescriptors(obj); 130 | if (!keys) { 131 | // Subclassing code has to set constructor. 132 | // eslint-disable-next-line no-inner-declarations 133 | function isNonConstructorMethod(key) { 134 | return typeof descriptors[key].value === 'function' && key !== 'constructor'; 135 | } 136 | keys = [ ...getOwnPropertyNames(descriptors), ...getOwnPropertySymbols(descriptors) ] 137 | .filter(isNonConstructorMethod); 138 | } 139 | const newDescriptors = create(null); 140 | for (let i = 0, len = keys.length; i < len; ++i) { 141 | const key = keys[i]; 142 | const descriptor = descriptors[key]; 143 | if (descriptor.configurable) { 144 | descriptor.configurable = false; 145 | if (apply(hasOwnProperty, descriptor, [ 'value' ]) && 146 | !(whitelist && whitelist[key] === true)) { 147 | descriptor.writable = false; 148 | } 149 | newDescriptors[key] = descriptor; 150 | try { 151 | delete obj[key]; 152 | } catch (exc) { 153 | // best effort 154 | } 155 | } 156 | } 157 | defineProperties(obj, newDescriptors); 158 | } 159 | 160 | function lockdownIntrinsics() { 161 | const globalsToPin = []; 162 | // Pin core prototype methods in place. 163 | for (const languageIntrinsic of languageIntrinsics) { 164 | const whitelist = languageIntrinsic.name ? doNotFreeze[languageIntrinsic.name] : null; 165 | lockdownOwnPropertiesOf(languageIntrinsic, null, whitelist); 166 | if (typeof languageIntrinsic === 'function' && languageIntrinsic.prototype) { 167 | lockdownOwnPropertiesOf(languageIntrinsic.prototype, null, whitelist); 168 | } 169 | if (typeof languageIntrinsic === 'function' && languageIntrinsic.name && 170 | globalObject[languageIntrinsic.name] === languageIntrinsic) { 171 | globalsToPin[globalsToPin.length] = languageIntrinsic.name; 172 | } 173 | } 174 | return globalsToPin; 175 | } 176 | 177 | function maskDelicateGlobals() { 178 | addHook(delicateGlobalsRewrite, { exts: [ '.js' ], ignoreNodeModules: false }); 179 | } 180 | 181 | let lockeddown = false; 182 | function lockdown() { 183 | if (lockeddown) { 184 | return; 185 | } 186 | lockeddown = true; 187 | 188 | try { 189 | const globalsToPin = [ ...importantGlobalKeys, ...lockdownIntrinsics() ]; 190 | 191 | // Pin important globals in place. 192 | lockdownOwnPropertiesOf(globalObject, globalsToPin); 193 | 194 | maskDelicateGlobals(); 195 | } catch (exc) { 196 | try { 197 | // eslint-disable-next-line no-console 198 | console.error(exc); 199 | } finally { 200 | // Fail hard. 201 | exit(1); 202 | // TODO: reallyExit? 203 | } 204 | } 205 | } 206 | --------------------------------------------------------------------------------