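def pref_tester():
    """Create a JSRegexTest instance based on the final values in the
    PREF_REGEXPS, BANNED_PREF_REGEXPS, and BANNED_PREF_BRANCHES
    definitions, and add most of the resulting expressions to the bare
    JS string tester as well.

    Side effects: extends the module-level PREF_REGEXPS and
    STRING_REGEXPS lists in place. It is meant to run once during
    module setup; a second call would append duplicate entries.

    Returns:
        A JSRegexTest built from the final PREF_REGEXPS list.

    Raises:
        AssertionError: if regex_javascript.string_tester has already
            been finalized, since entries appended to STRING_REGEXPS
            after that point would presumably never be applied.
    """
    # Match exact preference names from BANNED_PREF_REGEXPS.
    PREF_REGEXPS.extend(
        (pattern, {
            'err_id': PREFERENCE_ERROR_ID,
            'warning': 'Potentially unsafe preference branch referenced',
            'description': 'Extensions should not alter preferences '
                           'matching /%s/.' % pattern,
        })
        for pattern in BANNED_PREF_REGEXPS)

    # Match any preference under each branch in BANNED_PREF_BRANCHES.
    # Branch names are literal prefixes, so escape them before anchoring
    # with '^' to avoid regex metacharacters widening the match.
    PREF_REGEXPS.extend(
        ('^%s' % re.escape(branch),
         merge_description(
             {'err_id': PREFERENCE_ERROR_ID,
              'warning': 'Potentially unsafe preference branch referenced'},
             reason or ('Extensions should not alter preferences in '
                        'the `%s` preference branch' % branch)))
        for branch, reason in BANNED_PREF_BRANCHES)

    # Make sure our string tester has not yet been finalized. A bare
    # `assert` is stripped under `python -O`, which would let the patterns
    # below silently miss the string tester, so raise explicitly instead
    # (keeping AssertionError so existing callers see the same exception).
    if regex_javascript.string_tester is not None:
        raise AssertionError(
            'regex_javascript.string_tester was finalized before '
            'pref_tester() registered its patterns')

    STRING_REGEXPS.extend(
        (pattern, add_pref_help(desc)) for pattern, desc in PREF_REGEXPS)

    # The following patterns should only be flagged in strings we're certain
    # are being passed to preference setter functions, so add them after
    # appending the others to the literal string tests.
    PREF_REGEXPS.append((r'.*password.*', {
        'err_id': PREFERENCE_ERROR_ID,
        'warning': 'Passwords should not be stored in preferences',
        'description': 'Storing passwords in preferences is insecure. '
                       'The Login Manager should be used instead.',
    }))

    return JSRegexTest(PREF_REGEXPS)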
'reviewer.', 'signing_help': ( 'Given the potential security risks of exposing APIs to unprivileged ' 'code, extensions which use these APIs must undergo manual code ' 'review for at least one submission. If you are not using these APIs ' 'to interact with content code, please consider alternatives, such as ' 'JavaScript modules (http://mzl.la/1HMH2m9), CommonJS modules ' '(http://mzl.la/1JBMjuU, http://mzl.la/1OBaE8u), the observer ' 'service (http://mzl.la/1MLqWdJ), or window listeners which install ' 'global properties on privileged windows.'), 'signing_severity': 'medium', 'editors_only': True} STRING_REGEXPS.append( (DANGEROUS_CATEGORIES, DANGEROUS_CATEGORY_WARNING) ) @decorator.register_test(tier=2, simple=True) def test_categories(err): """Test for categories in the chrome.manifest file.""" chrome = err.get_resource('chrome.manifest') if not chrome: return for entry in chrome.entries: if (entry['type'] == 'category' and entry['args'][0] in DANGEROUS_CATEGORIES): err.warning(filename=entry['filename'],
'signing_help': ('Given the potential security risks of exposing APIs to unprivileged ' 'code, extensions which use these APIs must undergo manual code ' 'review for at least one submission. If you are not using these APIs ' 'to interact with content code, please consider alternatives, such as ' 'JavaScript modules (http://mzl.la/1HMH2m9), CommonJS modules ' '(http://mzl.la/1JBMjuU, http://mzl.la/1OBaE8u), the observer ' 'service (http://mzl.la/1MLqWdJ), or window listeners which install ' 'global properties on privileged windows.'), 'signing_severity': 'medium', 'editors_only': True } STRING_REGEXPS.append((DANGEROUS_CATEGORIES, DANGEROUS_CATEGORY_WARNING)) @decorator.register_test(tier=2, simple=True) def test_categories(err): """Test for categories in the chrome.manifest file.""" chrome = err.get_resource('chrome.manifest') if not chrome: return for entry in chrome.entries: if (entry['type'] == 'category' and entry['args'][0] in DANGEROUS_CATEGORIES): err.warning(filename=entry['filename'], line=entry['line'],