def pref_tester():
    """Finalize the preference-name patterns and build their JSRegexTest.

    Appends one entry per BANNED_PREF_REGEXPS pattern and one per
    BANNED_PREF_BRANCHES branch to the module-level PREF_REGEXPS list,
    mirrors every PREF_REGEXPS entry (wrapped with add_pref_help) into
    STRING_REGEXPS so the bare JS string tester sees them too, and then
    adds the password pattern, which is deliberately kept out of the
    string tester.  Returns a JSRegexTest over the final PREF_REGEXPS.

    The function mutates module-level lists in place, so it is meant to be
    run once during module setup; the ``assert`` checks that
    regex_javascript.string_tester has not been finalized before the
    mirrored patterns are added (note that ``assert`` is skipped under
    ``python -O``).
    """
    branch_warning = 'Potentially unsafe preference branch referenced'

    # Exact preference names: one entry per banned pattern.
    for pattern in BANNED_PREF_REGEXPS:
        description = ('Extensions should not alter preferences '
                       'matching /%s/.' % pattern)
        PREF_REGEXPS.append((pattern, {
            'err_id': PREFERENCE_ERROR_ID,
            'warning': branch_warning,
            'description': description,
        }))

    # Whole branches: anchor at the start of the escaped branch name so any
    # preference beneath it matches.  A per-branch reason, when given,
    # replaces the generic description.
    for branch, reason in BANNED_PREF_BRANCHES:
        generic_reason = ('Extensions should not alter preferences in '
                          'the `%s` preference branch' % branch)
        entry = merge_description(
            {'err_id': PREFERENCE_ERROR_ID, 'warning': branch_warning},
            reason or generic_reason)
        PREF_REGEXPS.append(('^%s' % re.escape(branch), entry))

    # The bare-string tester must not have been finalized yet; everything
    # collected so far is mirrored into it with preference help attached.
    assert regex_javascript.string_tester is None
    for pattern, desc in PREF_REGEXPS:
        STRING_REGEXPS.append((pattern, add_pref_help(desc)))

    # Added only after the mirroring above: this pattern should fire solely
    # on strings known to reach preference setter functions, not on every
    # string literal.
    PREF_REGEXPS.append((r'.*password.*', {
        'err_id': PREFERENCE_ERROR_ID,
        'warning': 'Passwords should not be stored in preferences',
        'description': ('Storing passwords in preferences is insecure. '
                        'The Login Manager should be used instead.'),
    }))

    return JSRegexTest(PREF_REGEXPS)
                   'reviewer.',
    'signing_help': (
        'Given the potential security risks of exposing APIs to unprivileged '
        'code, extensions which use these APIs must undergo manual code '
        'review for at least one submission. If you are not using these APIs '
        'to interact with content code, please consider alternatives, such as '
        'JavaScript modules (http://mzl.la/1HMH2m9), CommonJS modules '
        '(http://mzl.la/1JBMjuU, http://mzl.la/1OBaE8u), the observer '
        'service (http://mzl.la/1MLqWdJ), or window listeners which install '
        'global properties on privileged windows.'),
    'signing_severity': 'medium',
    'editors_only': True}


# Register the dangerous-category check with the bare JS string tester as well.
STRING_REGEXPS.append((DANGEROUS_CATEGORIES, DANGEROUS_CATEGORY_WARNING))


@decorator.register_test(tier=2, simple=True)
def test_categories(err):
    """Test for categories in the chrome.manifest file."""

    chrome = err.get_resource('chrome.manifest')
    if not chrome:
        return

    for entry in chrome.entries:
        if (entry['type'] == 'category' and
                entry['args'][0] in DANGEROUS_CATEGORIES):
            err.warning(filename=entry['filename'],
    'signing_help':
    ('Given the potential security risks of exposing APIs to unprivileged '
     'code, extensions which use these APIs must undergo manual code '
     'review for at least one submission. If you are not using these APIs '
     'to interact with content code, please consider alternatives, such as '
     'JavaScript modules (http://mzl.la/1HMH2m9), CommonJS modules '
     '(http://mzl.la/1JBMjuU, http://mzl.la/1OBaE8u), the observer '
     'service (http://mzl.la/1MLqWdJ), or window listeners which install '
     'global properties on privileged windows.'),
    'signing_severity':
    'medium',
    'editors_only':
    True
}

# Register the dangerous-category check with the bare JS string tester as well.
STRING_REGEXPS.append(
    (DANGEROUS_CATEGORIES, DANGEROUS_CATEGORY_WARNING),
)


@decorator.register_test(tier=2, simple=True)
def test_categories(err):
    """Test for categories in the chrome.manifest file."""

    chrome = err.get_resource('chrome.manifest')
    if not chrome:
        return

    for entry in chrome.entries:
        if (entry['type'] == 'category'
                and entry['args'][0] in DANGEROUS_CATEGORIES):
            err.warning(filename=entry['filename'],
                        line=entry['line'],