tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

file_evalscript_main.js (6926B)

      1 /* eslint-disable no-eval */
      2 // some javascript for the CSP eval() tests
      3 
      4 function logResult(str, passed) {
      5  var elt = document.createElement("div");
      6  var color = passed ? "#cfc;" : "#fcc";
      7  elt.setAttribute(
      8    "style",
      9    "background-color:" +
     10      color +
     11      "; width:100%; border:1px solid black; padding:3px; margin:4px;"
     12  );
     13  elt.innerHTML = str;
     14  document.body.appendChild(elt);
     15 }
     16 
     17 window._testResults = {};
     18 
     19 // check values for return values from blocked timeout or intervals
     20 var verifyZeroRetVal = (function (window) {
     21  return function (val, details) {
     22    logResult(
     23      (val === 0 ? "PASS: " : "FAIL: ") +
     24        "Blocked interval/timeout should have zero return value; " +
     25        details,
     26      val === 0
     27    );
     28    window.parent.verifyZeroRetVal(val, details);
     29  };
     30 })(window);
     31 
     32 // callback for when stuff is allowed by CSP
     33 var onevalexecuted = (function (window) {
     34  return function (shouldrun, what, data) {
     35    window._testResults[what] = "ran";
     36    window.parent.scriptRan(shouldrun, what, data);
     37    logResult(
     38      (shouldrun ? "PASS: " : "FAIL: ") + what + " : " + data,
     39      shouldrun
     40    );
     41  };
     42 })(window);
     43 
     44 // callback for when stuff is blocked
     45 var onevalblocked = (function (window) {
     46  return function (shouldrun, what, data) {
     47    window._testResults[what] = "blocked";
     48    window.parent.scriptBlocked(shouldrun, what, data);
     49    logResult(
     50      (shouldrun ? "FAIL: " : "PASS: ") + what + " : " + data,
     51      !shouldrun
     52    );
     53  };
     54 })(window);
     55 
     56 // Defer until document is loaded so that we can write the pretty result boxes
     57 // out.
     58 addEventListener(
     59  "load",
     60  function () {
     61    // setTimeout(String) test -- mutate something in the window._testResults
     62    // obj, then check it.
     63    {
     64      var str_setTimeoutWithStringRan =
     65        'onevalexecuted(false, "setTimeout(String)", "setTimeout with a string was enabled.");';
     66      function fcn_setTimeoutWithStringCheck() {
     67        if (this._testResults["setTimeout(String)"] !== "ran") {
     68          onevalblocked(
     69            false,
     70            "setTimeout(String)",
     71            "setTimeout with a string was blocked"
     72          );
     73        }
     74      }
     75      setTimeout(fcn_setTimeoutWithStringCheck.bind(window), 10);
     76      // eslint-disable-next-line no-implied-eval
     77      var res = setTimeout(str_setTimeoutWithStringRan, 10);
     78      verifyZeroRetVal(res, "setTimeout(String)");
     79    }
     80 
     81    // setInterval(String) test -- mutate something in the window._testResults
     82    // obj, then check it.
     83    {
     84      var str_setIntervalWithStringRan =
     85        'onevalexecuted(false, "setInterval(String)", "setInterval with a string was enabled.");';
     86      function fcn_setIntervalWithStringCheck() {
     87        if (this._testResults["setInterval(String)"] !== "ran") {
     88          onevalblocked(
     89            false,
     90            "setInterval(String)",
     91            "setInterval with a string was blocked"
     92          );
     93        }
     94      }
     95      setTimeout(fcn_setIntervalWithStringCheck.bind(window), 10);
     96      // eslint-disable-next-line no-implied-eval
     97      var res = setInterval(str_setIntervalWithStringRan, 10);
     98      verifyZeroRetVal(res, "setInterval(String)");
     99 
    100      // emergency cleanup, just in case.
    101      if (res != 0) {
    102        setTimeout(function () {
    103          clearInterval(res);
    104        }, 15);
    105      }
    106    }
    107 
    108    // setTimeout(function) test -- mutate something in the window._testResults
    109    // obj, then check it.
    110    {
    111      function fcn_setTimeoutWithFunctionRan() {
    112        onevalexecuted(
    113          true,
    114          "setTimeout(function)",
    115          "setTimeout with a function was enabled."
    116        );
    117      }
    118      function fcn_setTimeoutWithFunctionCheck() {
    119        if (this._testResults["setTimeout(function)"] !== "ran") {
    120          onevalblocked(
    121            true,
    122            "setTimeout(function)",
    123            "setTimeout with a function was blocked"
    124          );
    125        }
    126      }
    127      setTimeout(fcn_setTimeoutWithFunctionRan.bind(window), 10);
    128      setTimeout(fcn_setTimeoutWithFunctionCheck.bind(window), 10);
    129    }
    130 
    131    // eval() test -- should throw exception as per spec
    132    try {
    133      eval('onevalexecuted(false, "eval(String)", "eval() was enabled.");');
    134    } catch (e) {
    135      onevalblocked(false, "eval(String)", "eval() was blocked");
    136    }
    137 
    138    // eval(foo,bar) test -- should throw exception as per spec
    139    try {
    140      eval(
    141        'onevalexecuted(false, "eval(String,scope)", "eval() was enabled.");',
    142        1
    143      );
    144    } catch (e) {
    145      onevalblocked(
    146        false,
    147        "eval(String,object)",
    148        "eval() with scope was blocked"
    149      );
    150    }
    151 
    152    // [foo,bar].sort(eval) test -- should throw exception as per spec
    153    try {
    154      [
    155        'onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',
    156        1,
    157      ].sort(eval);
    158    } catch (e) {
    159      onevalblocked(
    160        false,
    161        "[String, obj].sort(eval)",
    162        "eval() with scope via sort was blocked"
    163      );
    164    }
    165 
    166    // [].sort.call([foo,bar], eval) test -- should throw exception as per spec
    167    try {
    168      [].sort.call(
    169        [
    170          'onevalexecuted(false, "[String, obj].sort(eval)", "eval() was enabled.");',
    171          1,
    172        ],
    173        eval
    174      );
    175    } catch (e) {
    176      onevalblocked(
    177        false,
    178        "[].sort.call([String, obj], eval)",
    179        "eval() with scope via sort/call was blocked"
    180      );
    181    }
    182 
    183    // new Function() test -- should throw exception as per spec
    184    try {
    185      var fcn = new Function(
    186        'onevalexecuted(false, "new Function(String)", "new Function(String) was enabled.");'
    187      );
    188      fcn();
    189    } catch (e) {
    190      onevalblocked(
    191        false,
    192        "new Function(String)",
    193        "new Function(String) was blocked."
    194      );
    195    }
    196 
    197    // ShadowRealm.prototype.evaluate -- should throw exception as per spec.
    198    try {
    199      var sr = new ShadowRealm();
    200      sr.evaluate("var x = 10");
    201      onevalexecuted(
    202        false,
    203        "ShadowRealm.prototype.evaluate(String)",
    204        "ShadowRealm.prototype.evaluate(String) was enabled."
    205      );
    206    } catch (e) {
    207      onevalblocked(
    208        false,
    209        "ShadowRealm.prototype.evaluate(String)",
    210        "ShadowRealm.prototype.evaluate(String) was blocked."
    211      );
    212    }
    213 
    214    // setTimeout(eval, 0, str)
    215    {
    216      // error is not catchable here, instead, we're going to side-effect
    217      // 'worked'.
    218      var worked = false;
    219 
    220      setTimeout(eval, 0, "worked = true");
    221      setTimeout(
    222        function (worked) {
    223          if (worked) {
    224            onevalexecuted(
    225              false,
    226              "setTimeout(eval, 0, str)",
    227              "setTimeout(eval, 0, string) was enabled."
    228            );
    229          } else {
    230            onevalblocked(
    231              false,
    232              "setTimeout(eval, 0, str)",
    233              "setTimeout(eval, 0, str) was blocked."
    234            );
    235          }
    236        },
    237        0,
    238        worked
    239      );
    240    }
    241  },
    242  false
    243 );