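def require(this, args, callee):
    """Test for unsafe uses of `require()` in SDK add-ons.

    Reads the requested module name from `args[0]` (via `as_primitive()`),
    strips an optional 'sdk/' prefix, and reports:

    * a warning, after setting the `requires_chrome` flag in
      `this.traverser.err.metadata`, when the module is listed in
      LOW_LEVEL_SDK_MODULES;
    * a deprecation warning, merged with the entry's own description via
      `merge_description`, when the module is listed in
      DEPRECATED_SDK_MODULES.

    Returns the warning dict, or None when there is nothing to report, when
    the call carries no arguments, or when the module name is not a string
    (i.e. was not a literal the traverser could resolve).
    """
    # A bare `require()` has nothing to check; it must not crash the
    # validator with an IndexError.
    if not args:
        return None

    module = args[0].as_primitive()
    # Only a resolvable string can be matched against the module lists.
    if not isinstance(module, basestring):
        return None

    if module.startswith('sdk/'):
        module = module[len('sdk/'):]

    if module in LOW_LEVEL_SDK_MODULES:
        # Record on the result metadata that this add-on reaches past the
        # SDK's high-level layer before the warning is returned.
        this.traverser.err.metadata['requires_chrome'] = True
        return {
            'warning': 'Use of low-level or non-SDK interface',
            'description': 'Your add-on uses an interface which bypasses '
                           'the high-level protections of the add-on SDK. '
                           'This interface should be avoided, and its use '
                           'may significantly complicate your review '
                           'process.'
        }

    if module in DEPRECATED_SDK_MODULES:
        return merge_description(
            {
                'err_id': ('testcases_javascript', 'security', 'sdk_import'),
                'warning': 'Deprecated SDK module imported'
            },
            DEPRECATED_SDK_MODULES[module])

    return None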
def check_import(this, args, callee):
    """Check Components.utils.import statements for dangerous modules.

    The first argument is the imported module URI, read with `as_str()` and
    stripped of any `?query` suffix. A URI listed in DANGEROUS_MODULES is
    reported through `this.traverser.warning()` using the list entry's
    description. Unless the URI sits under one of the trusted `resource://`
    roots, a `(filename, scope)` pair is added to
    `callee.traverser.import_scopes`.

    Returns the wrapped scope object created for the import, or None when
    the call has no arguments.
    """
    if not args:
        return None

    # Query parameters do not change which module is loaded, so drop them
    # before any lookup.
    module_uri = re.sub(r'\?.*', '', args[0].as_str())

    if module_uri in DANGEROUS_MODULES:
        warning = merge_description(
            {
                'err_id': ('testcases_javascript', 'security', 'jsm_import'),
                'warning': 'Potentially dangerous JSM imported.'
            },
            DANGEROUS_MODULES[module_uri])
        this.traverser.warning(**warning)

    scope = callee.traverser.wrap(JSObject())

    trusted_roots = ('resource://gre/', 'resource:///',
                     'resource://services-sync/')
    if module_uri.startswith(trusted_roots):
        return scope

    # A URI ending in '>' is treated as a non-literal ("dirty") value rather
    # than a real path, so no filename is recorded for it.
    if module_uri.endswith('>'):
        filename = None
    else:
        filename = os.path.basename(module_uri)
    callee.traverser.import_scopes.add((filename, scope))

    return scope
def pref_tester():
    """Build the JSRegexTest for preference names.

    Finalises PREF_REGEXPS from BANNED_PREF_REGEXPS and BANNED_PREF_BRANCHES,
    copies every pattern collected so far (each description wrapped with
    `add_pref_help`) into STRING_REGEXPS so the bare JS string tester checks
    them as well, then appends the password pattern -- which is deliberately
    left out of the bare string tests -- and returns a JSRegexTest over the
    final PREF_REGEXPS.

    Every call appends to the module-level lists again, so it is expected to
    run once, after those definitions are complete.
    """
    branch_warning = 'Potentially unsafe preference branch referenced'

    # Exact preference names from BANNED_PREF_REGEXPS.
    for pattern in BANNED_PREF_REGEXPS:
        PREF_REGEXPS.append((pattern, {
            'err_id': PREFERENCE_ERROR_ID,
            'warning': branch_warning,
            'description': ('Extensions should not alter preferences '
                            'matching /%s/.' % pattern),
        }))

    # Everything under each branch in BANNED_PREF_BRANCHES.
    for branch, reason in BANNED_PREF_BRANCHES:
        default_reason = ('Extensions should not alter preferences in '
                          'the `%s` preference branch' % branch)
        PREF_REGEXPS.append((
            '^%s' % re.escape(branch),
            merge_description(
                {'err_id': PREFERENCE_ERROR_ID, 'warning': branch_warning},
                reason or default_reason),
        ))

    # The bare string tester must not have been finalized yet.
    assert regex_javascript.string_tester is None

    for pattern, desc in PREF_REGEXPS:
        STRING_REGEXPS.append((pattern, add_pref_help(desc)))

    # Added only after the copy above, so this pattern is applied solely to
    # strings known to be passed to preference setter functions.
    PREF_REGEXPS.append((r'.*password.*', {
        'err_id': PREFERENCE_ERROR_ID,
        'warning': 'Passwords should not be stored in preferences',
        'description': ('Storing passwords in preferences is insecure. '
                        'The Login Manager should be used instead.'),
    }))

    return JSRegexTest(PREF_REGEXPS)