コード例 #1
0
def test_innerHTML():
    """Tests that the dev can't define event handlers in innerHTML."""

    assert not _do_test_raw(
        """
    var x = foo();
    x.innerHTML = "<div></div>";
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = foo();
    x.innerHTML = "<div onclick=\\"foo\\"></div>";
    """
    ).failed()

    # Test without declaration
    assert _do_test_raw(
        """
    x.innerHTML = "<div onclick=\\"foo\\"></div>";
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = foo();
    x.innerHTML = "x" + y;
    """
    ).failed()
コード例 #2
0
def test_objectpattern_assignment():
    "Tests that ObjectPatterns are respected"

    results = _do_test_raw(
        """
    var foo = {a:3,b:4,c:5};
    var {a:x, b:y, c:z} = foo;
    """
    )
    assert not results.failed()
    assert _get_var(results, "x") == 3
    assert _get_var(results, "y") == 4
    assert _get_var(results, "z") == 5

    results = _do_test_raw(
        """
    var foo = {
        a:1,
        b:2,
        c:{
            d:4
        }
    };
    var {a:x, c:{d:y}} = foo;
    """
    )
    assert not results.failed()
    assert _get_var(results, "x") == 1
    assert _get_var(results, "y") == 4
コード例 #3
0
def test_settimeout_pass():
    "Test cases in which setTimeout should be allowed"

    assert not _do_test_raw(
        """
    setTimeout(function(){foo.bar();}, 1000);
    """
    ).failed()

    assert not _do_test_raw(
        """
    window["set" + "Timeout"](function(){foo.bar();}, 1000);
    """
    ).failed()

    assert not _do_test_raw(
        """
    setTimeout();
    """
    ).failed()

    assert not _do_test_raw(
        """
    window["set" + "Timeout"]();
    """
    ).failed()
コード例 #4
0
def test_global_overwrite():
    "Tests that important objects cannot be overridden by JS"

    err = _do_test_raw("""
    Number.prototype = "This is the new prototype";
    """)
    assert err.failed()
    assert len(err.warnings) == 1

    err = _do_test_raw("""
    Object.prototype.test = "bar";
    """)
    assert err.failed()
    assert len(err.warnings) == 2

    err = _do_test_raw("""
    Object.prototype["test"] = "bar";
    """)
    assert err.failed()
    assert len(err.warnings) == 2

    assert _do_test_raw("""
    Object = "asdf";
    """).failed()

    assert _do_test_raw("""
    var x = Object.prototype;
    x.test = "asdf";
    """).failed()
コード例 #5
0
def test_insertAdjacentHTML():
    """Test that insertAdjacentHTML works the same as innerHTML."""

    assert not _do_test_raw(
        """
    var x = foo();
    x.insertAdjacentHTML("foo bar", "<div></div>");
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = foo();
    x.insertAdjacentHTML("foo bar", "<div onclick=\\"foo\\"></div>");
    """
    ).failed()

    # Test without declaration
    assert _do_test_raw(
        """
    x.insertAdjacentHTML("foo bar", "<div onclick=\\"foo\\"></div>");
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = foo();
    x.insertAdjacentHTML("foo bar", "x" + y);
    """
    ).failed()
コード例 #6
0
def test_settimeout_fail():
    "Test cases in which setTimeout should fail"

    assert _do_test_raw(
        """
    setTimeout("abc.def()", 1000);
    """
    ).failed()

    assert _do_test_raw(
        """
    window["set" + "Timeout"]("abc.def()", 1000);
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = "foo.bar()";
    setTimeout(x, 1000);
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = "foo.bar()";
    window["set" + "Timeout"](x, 1000);
    """
    ).failed()
コード例 #7
0
def test_bug652577_loadOverlay():
    """Make sure that loadOverlay is dangerous."""

    assert _do_test_raw(
        """
    document.loadOverlay();
    """
    ).failed()

    assert _do_test_raw(
        """
    document.loadOverlay("foobar");
    """
    ).failed()

    assert not _do_test_raw(
        """
    document.loadOverlay("chrome:foo/bar/");
    """
    ).failed()

    assert not _do_test_raw(
        """
    document.loadOverlay("chr" + "ome:foo/bar/");
    """
    ).failed()

    assert not _do_test_raw(
        """
    document.loadOverlay("resource:foo/bar/");
    """
    ).failed()
コード例 #8
0
def test_jsobject_computed_properties():
    """
    Tests that computed property names work as expected.
    """

    ID = ("testcases_javascript_instancetypes", "set_on_event",
          "on*_str_assignment")

    err1 = _do_test_raw("""
        var foo = {};
        foo["onthing"] = "stuff";
    """)
    err2 = _do_test_raw("""
        var foo = {
            ["onthing"]: "stuff",
        };
    """)

    eq_(err1.warnings[0]["id"], ID)
    eq_(err2.warnings[0]["id"], ID)

    assert not _do_test_raw("""
        var foo = {
            [Symbol.iterator]: function* () {},
            ["foo" + bar]: "baz",
            [thing]: "quux",
        };
    """).failed()
コード例 #9
0
def test_createElementNS():
    """Tests that createElementNS calls are filtered properly"""

    assert not _do_test_raw(
        """
    var x = "foo";
    x.createElementNS();
    x.createElementNS("foo");
    x.createElementNS("foo", "bar");
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = "foo";
    x.createElementNS("foo", "script");
    """
    ).failed()

    assert _do_test_raw(
        """
    var x = "foo";
    x.createElementNS("foo", bar);
    """
    ).failed()
コード例 #10
0
def test_template_escape():
    """Tests that the use of unsafe template escape sequences is flagged."""

    assert _do_test_raw('<%= foo %>').failed()
    assert _do_test_raw('{{{ foo }}}').failed()

    assert _do_test_raw("ng-bind-html-unsafe='foo'").failed()
コード例 #11
0
def test_callexpression_argument_traversal():
    """
    This makes sure that unknown function calls still have their arguments
    traversed.
    """

    DECLARATIONS = (
        'function foo(x){}',
        'var foo = function foo(x){}',
        'var foo = (x) => {}',
        'var foo = (x) => undefined',
    )
    for declaration in DECLARATIONS:
        assert not _do_test_raw("""
        %s;
        foo({"bar":function(){
            bar();
        }});
        """ % declaration).failed()

        assert _do_test_raw("""
        %s;
        foo({"bar":function(){
            eval("evil");
        }});
        """ % declaration).failed()
コード例 #12
0
def test_createElementNS():
    """Tests that createElementNS calls are filtered properly"""

    assert not _do_test_raw("""
    var x = "foo";
    x.createElementNS();
    x.createElementNS("foo");
    x.createElementNS("foo", "bar");
    """).failed()

    assert _do_test_raw("""
    var x = "foo";
    x.createElementNS("foo", "script");
    """).failed()

    assert _do_test_raw("""
    var x = "foo";
    x.createElementNS("foo", bar);
    """).failed()

    # Test for https://github.com/mozilla/amo-validator/issues/368
    assert not _do_test_raw("""
        var x = "foo",
            nsXUL = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";

        x.createElementNS(nsXUL, 'panelview')
    """).failed()

    # Creating a <script> element raises a warning of course.
    assert _do_test_raw("""
        var x = "foo",
            nsXUL = "http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul";

        x.createElementNS(nsXUL, 'script')
    """).failed()
コード例 #13
0
def test_math_infinity():
    """Test for known tracebacks regarding math."""
    _do_test_raw("""
    var x = Infinity;
    x >>= 10;
    var y = Infinity;
    var z = 10 >> y;
    """)
コード例 #14
0
def test_compiletime_errors():
    "Tests that compile time errors don't break the validator"

    # Syntax error
    assert _do_test_raw("var x =;").failed()

    # Reference error
    assert _do_test_raw("x - y = 4;").failed()
コード例 #15
0
def test_pagemod_fail():
    """
    Test that invalid conditions raise messages when the PageMod function is
    used with an unscrupulous JS script.
    """
    assert _do_test_raw("foo.PageMod({contentScript: 'eval();'});").failed()
    assert _do_test_raw("""
        foo.PageMod({contentScript: "ev" + "al();"});
    """).failed()
コード例 #16
0
def test_unicode_pref():
    """Tests that non-ASCII preferences do not cause errors."""

    assert not _do_test_raw("""
    pref("extensions.foo-bar.\u263a", true);
    """, path='defaults/preferences/prefs.js').failed()

    assert not _do_test_raw("""
    pref("extensions.foo-bar.\\u263a", true);
    """, path='defaults/preferences/prefs.js').failed()
コード例 #17
0
def test_xpcom_shortcut_cu():
    """Test the Components.utils shortcut."""

    assert not _do_test_raw("""
    Cu.foo();
    """).failed()

    assert _do_test_raw("""
    Cu.evalInSandbox("foo");
    """).failed()
コード例 #18
0
def test_document_write():
    """Test that the dev can't define event handler in outerHTML."""

    assert _do_test_raw("""
    document.write("<div></div>");
    """).failed()

    assert _do_test_raw("""
    document.writeln("<div></div>");
    """).failed()
コード例 #19
0
def test_prototype_array_instantiation():
    """
    Test that JSPrototypes and JSArrays handle deep instantiation properly.
    """

    _do_test_raw("""
    var x = {};
    x.prototype.foo.bar = "asdf";
    var y = [];
    y.a.b.c.d = 123;
    """)
コード例 #20
0
def test_nsisound_play():
    """Test that nsISound.play is flagged."""

    assert not _do_test_raw("""
    var foo = Cc["foo"].getService(Components.interfaces.nsISound);
    foo.bar("asdf");
    """).failed()

    assert _do_test_raw("""
    var foo = Cc["foo"].getService(Components.interfaces.nsISound);
    foo.play("asdf");
    """).failed()
コード例 #21
0
def test_nsidnsservice_resolve():
    """Test that nsIDNSService.resolve is flagged."""

    assert not _do_test_raw("""
    var foo = Cc["foo"].getService(Components.interfaces.nsIDNSService);
    foo.asyncResolve("asdf");
    """).failed()

    assert _do_test_raw("""
    var foo = Cc["foo"].getService(Components.interfaces.nsIDNSService);
    foo.resolve("asdf");
    """).failed()
コード例 #22
0
def test_complex_innerHTML():
    """Tests that innerHTML can't be assigned an HTML chunk with bad code"""

    assert not _do_test_raw("""
    var x = foo();
    x.innerHTML = "<script src=\\"chrome://foo.bar/\\"></script>";
    """).failed()

    assert _do_test_raw("""
    var x = foo();
    x.innerHTML = "<script src=\\"http://foo.bar/\\"></script>";
    """).failed()
コード例 #23
0
def test_extension_manager_api():
    assert _do_test_raw("""
    Cc["@mozilla.org/extensions/manager;1"].getService();
    """).failed()

    assert _do_test_raw("""
    if (topic == "em-action-requested") true;
    """).failed()

    assert _do_test_raw("""
    thing.QueryInterface(Ci.nsIExtensionManager);
    """).failed()
コード例 #24
0
ファイル: test_js_xpcom.py プロジェクト: krupa/amo-validator
def test_nsiaccessibilityretrieval():
    """Flag any uses of nsIAccessibilityRetrieval."""

    assert not _do_test_raw("""
    var c = Components.classes[""].createInstance(
        Components.interfaces.nsIAccessibilityRetrievalWhatever);
    """).failed()

    assert _do_test_raw("""
    var c = Components.classes[""].createInstance(
        Components.interfaces.nsIAccessibilityRetrieval);
    """).failed()
コード例 #25
0
def test_pagemod_pass():
    """
    Test that invalid conditions do not throw exceptions or messages when the
    PageMod function is used with a valid JS script.
    """
    assert not _do_test_raw("foo.PageMod({contentScript: ''});").failed()
    assert not _do_test_raw("""
        foo.PageMod({contentScript: 'alert();'});
    """).failed()
    assert not _do_test_raw("""
        foo.PageMod({contentScript: "aler" + "t();"});
    """).failed()
コード例 #26
0
def test_pref_dangerous_branch():
    """
    Test that preferences created in dangerous branches from
    defaults/preferences/*.js files throw warnings.
    """

    assert _do_test_raw("""
    pref("extensions.getAddons.get.url", "http://evil.com/");
    """, path='defaults/preferences/prefs.js').failed()

    assert _do_test_raw("""
    user_pref("extensions.getAddons.get.url", "http://evil.com/");
    """, path='defaults/preferences/prefs.js').failed()
コード例 #27
0
def test_synchronous_sql():
    """Test that uses of synchronous SQL are flagged."""

    assert _do_test_raw("database.executeSimpleSQL('foo');").failed()

    assert not _do_test_raw("database.createStatement();").failed()

    for meth in "execute", "executeStep":
        assert _do_test_raw("database.createStatement().%s();" % meth).failed()

    assert not _do_test_raw("""
        database.createStatement().executeAsync()
    """).failed()
コード例 #28
0
def test_jsm_global_overwrites():
    """
    JavaScript modules do not cause global scope conflicts, so we should not
    make errors if globals are overwritten.
    """

    assert _do_test_raw("""
    String.prototype.foo = "bar";
    """).failed()

    assert not _do_test_raw("""
    String.prototype.foo = "bar";
    """, path="test.jsm").failed()
コード例 #29
0
def test_simple_operators_when_dirty():
    """
    Test that when we're dealing with dirty objects, binary operations don't
    cave in the roof.

    Note that this test (if it fails) may cause some ugly crashes.
    """

    _do_test_raw("""
    var x = foo();  // x is now a dirty object.
    y = foo();  // y is now a dirty object as well.
    """ +
    """y += y + x;""" * 100)  # This bit makes the validator's head explode.
コード例 #30
0
def test_bug_1200929():
    """Test that XPIProvider and AddonManagerInternal are not used."""

    real_world_usage = (
        'XPIProviderBP = Cu.import("resource://gre/modules/XPIProvider.jsm", {});')

    err = _do_test_raw(real_world_usage)
    assert err.failed()
    assert err.signing_summary['high'] == 1

    err = _do_test_raw('AddonManagerInternal.getAddonByID(1234);')
    assert err.failed()
    assert err.signing_summary['high'] == 1
コード例 #31
0
def test_xpcom_shortcut_ci():
    """Test the Components.interfaces shortcut."""

    err = _do_test_raw("""
    var item = Components.classes["@mozilla.org/windowmediator;1"]
                         .getService(Ci.nsIWindowMediator);
    item.registerNotification();
    """, bootstrap=True)
    assert len(err.warnings) == 1

    err = _do_test_raw("""
    var item = Components.classes["@mozilla.org/windowmediator;1"]
                         .getService(Ci.nsIWindowMediator);
    item.registerNotification();
    """, bootstrap=False)
    assert len(err.warnings) == 0
コード例 #32
0
def test_jsm_EXPORTED_SYMBOLS():
    """Test that EXPORTED_SYMBOLS is a trigger for JSM."""

    assert not _do_test_raw("""
    var EXPORTED_SYMBOLS = foo;
    String.prototype.foo = "bar";
    """).failed()
コード例 #33
0
def test_getinterface():
    """Test the functionality of the getInterface method."""

    assert _do_test_raw("""
        obj.getInterface(Components.interfaces.nsIXMLHttpRequest)
           .open("GET", "foo", false);
    """).failed()
コード例 #34
0
def test_boolean_comparison():
    """Test that true/false are properly compared."""

    scope = _do_test_raw("""
    var a = false < true,
        b = true > false,
        c = false > true,
        d = true < false,
        e = false < false,
        f = true < true,
        g = true == true,
        h = false == false,
        i = true > 0,
        j = true == 1,
        k = false < 1,
        l = false == 0;
    """)
    assert _get_var(scope, 'a') is True
    assert _get_var(scope, 'b') is True
    assert _get_var(scope, 'c') is False
    assert _get_var(scope, 'd') is False
    assert _get_var(scope, 'e') is False
    assert _get_var(scope, 'f') is False
    assert _get_var(scope, 'g') is True
    assert _get_var(scope, 'h') is True
    assert _get_var(scope, 'i') is True
    assert _get_var(scope, 'j') is True
    assert _get_var(scope, 'k') is True
    assert _get_var(scope, 'l') is True
コード例 #35
0
def test_processNextEvent_banned():
    """Test that processNextEvent is properly banned."""

    assert not _do_test_raw("""
    foo().processWhatever();
    var x = "processNextEvent";
    """).failed()

    assert _do_test_raw("""
    foo().processNextEvent();
    """).failed()

    assert _do_test_raw("""
    var x = "processNextEvent";
    foo[x]();
    """).failed()
コード例 #36
0
def test_synchronous_xhr():
    "Tests that syncrhonous AJAX requests are marked as dangerous"

    err = _do_test_raw("""
    var x = new XMLHttpRequest();
    x.open("GET", "http://foo/bar", true);
    x.send(null);
    """)
    assert not err.message_count

    err = _do_test_raw("""
    var x = new XMLHttpRequest();
    x.open("GET", "http://foo/bar", false);
    x.send(null);
    """)
    assert err.message_count
コード例 #37
0
def test_boolean_comparison():
    """Test that true/false are properly compared."""

    scope = _do_test_raw("""
    var a = false < true,
        b = true > false,
        c = false > true,
        d = true < false,
        e = false < false,
        f = true < true,
        g = true == true,
        h = false == false,
        i = true > 0,
        j = true == 1,
        k = false < 1,
        l = false == 0;
    """)
    eq_(_get_var(scope, "a"), True)
    eq_(_get_var(scope, "b"), True)
    eq_(_get_var(scope, "c"), False)
    eq_(_get_var(scope, "d"), False)
    eq_(_get_var(scope, "e"), False)
    eq_(_get_var(scope, "f"), False)
    eq_(_get_var(scope, "g"), True)
    eq_(_get_var(scope, "h"), True)
    eq_(_get_var(scope, "i"), True)
    eq_(_get_var(scope, "j"), True)
    eq_(_get_var(scope, "k"), True)
    eq_(_get_var(scope, "l"), True)
コード例 #38
0
def test_complex_innerHTML():
    """Tests that innerHTML can't be assigned an HTML chunk with bad code"""

    assert _do_test_raw("""
    var x = foo();
    x.innerHTML = "<b></b>";
    """).failed()
コード例 #39
0
 def test(js, want_pass):
     err = _do_test_raw(js)
     if err.warnings:
         result = err.warnings[0]['id'][-1] != 'webbrowserpersist_saveuri'
         assert result == want_pass
     else:
         assert want_pass
コード例 #40
0
def test_nsITransferable_init():
    """
    Tests that nsITransferable.init() is not called with a null first arg.
    """

    err = _do_test_raw("""
    var foo = Cc["foo"].getService(Components.interfaces.nsITransferable);
    foo.init("hello");
    """)
    assert not err.failed()

    err = _do_test_raw("""
    var foo = Cc["foo"].getService(Components.interfaces.nsITransferable);
    foo.init(null);
    """)
    assert err.failed()
コード例 #41
0
ファイル: test_regex.py プロジェクト: pombreda/amo-validator
def test_app_update_timer():
    """Flag instances of app.update.timer in compatibility."""

    err = _do_test_raw("""
    var f = app.update.timer;
    """)
    assert not err.failed()
    assert not any(err.compat_summary.values())

    err = _do_test_raw("""
    var f = app.update.timer;
    """, versions={"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}":
                       version_range("firefox", "6.0a1")})
    assert not err.failed(fail_on_warnings=False)
    assert err.warnings
    assert err.compat_summary["errors"]
コード例 #42
0
def test_pollution():
    """Make sure that the JS namespace pollution tests are done properly."""

    assert not _do_test_raw("""
    a = "foo";
    b = "foo";
    c = "foo";
    """,
                            ignore_pollution=False).failed()

    assert _do_test_raw("""
    a = "foo";
    b = "foo";
    c = "foo";
    d = "foo";
    """,
                        ignore_pollution=False).failed()
コード例 #43
0
def test_overwritability():
    """Test that XPCOM globals can be overwritten."""

    assert not _do_test_raw("""
    xhr = Components.classes[""].createInstance(
        Components.interfaces.nsIXMLHttpRequest);
    xhr = "foo";
    """).failed(fail_on_warnings=False)
コード例 #44
0
ファイル: test_regex.py プロジェクト: pombreda/amo-validator
def test_basic_regex_fail():
    "Tests that a simple Regex match causes a warning"

    assert _do_test_raw("var x = 'network.http.';").failed()
    assert _do_test_raw("var x = 'extensions.foo.update.url';").failed()
    assert _do_test_raw("var x = 'network.websocket.foobar';").failed()
    assert _do_test_raw("var x = 'browser.preferences.instantApply';").failed()
    assert _do_test_raw("var x = 'nglayout.debug.disable_xul_cache';").failed()

    err = ErrorBundle()
    err.supported_versions = {}
    result = validator.testcases.content._process_file(
        err, MockXPI(), "foo.css",
        "All I wanna do is browser.preferences.instantApply() to you",
        "foo.css")
    assert result
    assert err.failed()
コード例 #45
0
def test_on_event_null():
    """Null should not trigger on* events."""

    assert not _do_test_raw("""
    var x = foo(),
        y = null;
    x.onclick = y;
    """).failed()
コード例 #46
0
def test_sql_methods():
    """Tests that warnings on SQL methods are emitted properly"""

    err = _do_test_raw("""
        x.executeSimpleSQL("foo " + y);
    """)
    assert err.warnings[0]['id'][-1] == 'executeSimpleSQL_dynamic'

    err = _do_test_raw("""
        x.createStatement("foo " + y);
    """)
    assert err.warnings[0]['id'][-1] == 'executeSimpleSQL_dynamic'

    err = _do_test_raw("""
        x.createAsyncStatement("foo " + y);
    """)
    assert err.warnings[0]['id'][-1] == 'executeSimpleSQL_dynamic'
コード例 #47
0
def test_sql_methods():
    """Tests that warnings on SQL methods are emitted properly"""

    err = _do_test_raw("""
        x.executeSimpleSQL("foo " + y);
    """)
    eq_(err.warnings[0]["id"][-1], "executeSimpleSQL_dynamic")

    err = _do_test_raw("""
        x.createStatement("foo " + y);
    """)
    eq_(err.warnings[0]["id"][-1], "executeSimpleSQL_dynamic")

    err = _do_test_raw("""
        x.createAsyncStatement("foo " + y);
    """)
    eq_(err.warnings[0]["id"][-1], "executeSimpleSQL_dynamic")
コード例 #48
0
def test_on_event():
    """Tests that on* properties are not assigned strings."""

    assert not _do_test_raw("""
    var x = foo();
    x.fooclick = "bar";
    """).failed()

    assert not _do_test_raw("""
    var x = foo();
    x.onclick = function() {};
    """).failed()

    assert _do_test_raw("""
    var x = foo();
    x.onclick = "bar";
    """).failed()
コード例 #49
0
def test_outerHTML():
    """Test that the dev can't define event handler in outerHTML."""

    assert not _do_test_raw("""
    var x = foo();
    x.outerHTML = "<div></div>";
    """).failed()

    for pattern in _DANGEROUS_STRINGS:

        assert _do_test_raw("""
        var x = foo();
        x.outerHTML = %s;
        """ % pattern).failed(), pattern

        assert _do_test_raw("""
        x.outerHTML = %s;
        """ % pattern).failed(), pattern
コード例 #50
0
def test_settimeout_pass():
    'Test cases in which setTimeout should be allowed'

    assert not _do_test_raw("""
    setTimeout(function(){foo.bar();}, 1000);
    """).failed()

    assert not _do_test_raw("""
    window["set" + "Timeout"](function(){foo.bar();}, 1000);
    """).failed()

    assert not _do_test_raw("""
    setTimeout();
    """).failed()

    assert not _do_test_raw("""
    window["set" + "Timeout"]();
    """).failed()
コード例 #51
0
def test_on_event():
    """Tests that on* properties are not assigned strings."""

    assert not _do_test_raw("""
    var x = foo();
    x.fooclick = "bar";
    """).failed()

    assert not _do_test_raw("""
    var x = foo();
    x.onclick = function() {};
    """).failed()

    err = _do_test_raw("""
    x.attr({ onclick: "bar" });
    """)
    assert err.failed()
    eq_(err.warnings[0]['signing_severity'], 'medium')
コード例 #52
0
def test_no_dups():
    """Test that errors are not duplicated."""

    assert _do_test_raw("""
    eval("test");
    """).message_count == 1

    assert _do_test_raw("""
    var x = eval();
    """).message_count == 1

    assert _do_test_raw("""
    eval = 123;
    """).message_count == 1

    assert _do_test_raw("""
    eval.prototype = true;
    """).message_count == 2
コード例 #53
0
def test_createElement():
    """Tests that createElement calls are filtered properly"""

    assert not _do_test_raw("""
    var x = "foo";
    x.createElement();
    x.createElement("foo");
    """).failed()

    assert _do_test_raw("""
    var x = "foo";
    x.createElement("script");
    """).failed()

    assert _do_test_raw("""
    var x = "foo";
    x.createElement(bar);
    """).failed()
コード例 #54
0
def test_augconcat():
    'Tests augmented concatenation operators'

    err = _do_test_raw("""
    var x = "foo";
    x += "bar";
    """)
    assert not err.message_count
    eq_(_get_var(err, 'x'), 'foobar')

    err = _do_test_raw("""
    var x = {"xyz":"foo"};
    x["xyz"] += "bar";
    """)
    assert not err.message_count

    xyz_val = err.final_context.data['x'].get('xyz').as_primitive()
    assert xyz_val == 'foobar'
コード例 #55
0
def test_privileged_unprivileged_interaction():
    """Tests that functions which may lead to privilege escalation are
    detected."""

    for meth in 'cloneInto', 'exportFunction':
        err = _do_test_raw("""
            Cu.%s(foo)
        """ % meth)
        assert err.warnings

        assert err.warnings[0]['id'] == ('js', 'traverser', 'dangerous_global')
        assert err.warnings[0]['signing_severity'] == 'low'

    for form in ('var obj = { __exposedProps__: {} };',
                 'var obj = {}; obj.__exposedProps__ = {};'):
        err = _do_test_raw(form)
        assert err.warnings
        assert err.warnings[0]['signing_severity'] == 'high'
コード例 #56
0
def test_arraypattern_assignment():
    'Tests that array patterns can be used to assign variables'

    results = _do_test_raw("""
    var [x, y, z] = [1, 2, 3];
    """)
    assert not results.failed()
    assert _get_var(results, 'x') == 1
    assert _get_var(results, 'y') == 2
    assert _get_var(results, 'z') == 3
コード例 #57
0
def test_max_str_size_binop():
    """Test that the max string size is enforced for binary operators."""

    # Create a string and max out its size.
    err = _do_test_raw("""
    var x = "%s";
    x = x + x;
    x = x + x;
    """ % ("x" * (MAX_STR_SIZE / 2)))
    eq_(len(_get_var(err, "x")), MAX_STR_SIZE)
コード例 #58
0
def test_callexpression_argument_traversal():
    """
    This makes sure that unknown function calls still have their arguments
    traversed.
    """

    assert not _do_test_raw("""
    function foo(x){}
    foo({"bar":function(){
        bar();
    }});
    """).failed()

    assert _do_test_raw("""
    function foo(x){}
    foo({"bar":function(){
        eval("evil");
    }});
    """).failed()
コード例 #59
0
def test_multiple_assignments():
    'Tests that multiple variables can be assigned in one sitting'

    results = _do_test_raw("""
    var x = 1, y = 2, z = 3;
    """)
    assert not results.failed()
    assert _get_var(results, 'x') == 1
    assert _get_var(results, 'y') == 2
    assert _get_var(results, 'z') == 3
コード例 #60
0
def test_queryinterface():
    """Test the functionality of the QueryInterface method."""

    assert _do_test_raw("""
        var obj = {};
        obj.QueryInterface(Components.interfaces.nsIXMLHttpRequest);
        obj.open("GET", "foo", false);
    """).failed()

    assert _do_test_raw("""
        var obj = {};
        obj.QueryInterface(Components.interfaces.nsIXMLHttpRequest);
        obj.QueryInterface(Components.interfaces.nsISupports);
        obj.open("GET", "foo", false);
    """).failed()

    assert _do_test_raw("""
        var obj = {};
        obj.QueryInterface(Components.interfaces.nsISupports);
        obj.QueryInterface(Components.interfaces.nsIXMLHttpRequest);
        obj.open("GET", "foo", false);
    """).failed()

    assert _do_test_raw("""
        {}.QueryInterface(Components.interfaces.nsIXMLHttpRequest)
          .open("GET", "foo", false);
    """).failed()

    assert _do_test_raw("""
        {}.QueryInterface(Components.interfaces.nsIXMLHttpRequest)
          .QueryInterface(Components.interfaces.nsISupports)
          .open("GET", "foo", false);
    """).failed()

    assert _do_test_raw("""
        {}.QueryInterface(Components.interfaces.nsISupports)
          .QueryInterface(Components.interfaces.nsIXMLHttpRequest)
          .open("GET", "foo", false);
    """).failed()

    # TODO:
    if False:
        assert _do_test_raw("""
            var obj = {};
            obj.QueryInterface(Components.interfaces.nsIXMLHttpRequest);
            obj.open("GET", "foo", false);
        """).failed()

        assert _do_test_raw("""
            var obj = { foo: {} };
            obj.foo.QueryInterface(Components.interfaces.nsIXMLHttpRequest);
            obj.foo.open("GET", "foo", false);
        """).failed()