Timestamp:
Dec 21, 2021, 12:45:38 AM (3 years ago)
Author:
Carlos Garcia Campos
Message:

CSP: Include the sample in eval violation reports
https://bugs.webkit.org/show_bug.cgi?id=234390

Reviewed by Kate Cheney.

LayoutTests/imported/w3c:

Update expectations.

  • web-platform-tests/content-security-policy/securitypolicyviolation/script-sample-expected.txt:

Source/JavaScriptCore:

  • interpreter/Interpreter.cpp:

(JSC::eval): Pass the code to reportViolationForUnsafeEval().

  • runtime/DirectEvalExecutable.cpp:

(JSC::DirectEvalExecutable::create): Ditto.

  • runtime/FunctionConstructor.cpp:

(JSC::stringifyFunction): Helper function with the code to stringify function to be called also for the CSP violation report.
(JSC::constructFunction): Call stringifyFunction() to get the code for reportViolationForUnsafeEval().
(JSC::constructFunctionSkippingEvalEnabledCheck): Use stringifyFunction().

  • runtime/IndirectEvalExecutable.cpp:

(JSC::IndirectEvalExecutable::createImpl): Pass the code to reportViolationForUnsafeEval().

  • runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::reportViolationForUnsafeEval): Add string parameter for the code sample.

  • runtime/JSGlobalObjectFunctions.cpp:

(JSC::JSC_DEFINE_HOST_FUNCTION): Pass the code to reportViolationForUnsafeEval().

Source/WebCore:

  • bindings/js/JSDOMWindowBase.cpp:

(WebCore::JSDOMWindowBase::reportViolationForUnsafeEval): Handle the source parameter and pass it to allowEval().

  • bindings/js/JSDOMWindowBase.h:
  • bindings/js/JSWorkerGlobalScopeBase.cpp:

(WebCore::JSWorkerGlobalScopeBase::reportViolationForUnsafeEval): Handle the source parameter.

  • bindings/js/JSWorkerGlobalScopeBase.h:
  • bindings/js/JSWorkletGlobalScopeBase.cpp:

(WebCore::JSWorkletGlobalScopeBase::reportViolationForUnsafeEval): Ditto.

  • bindings/js/JSWorkletGlobalScopeBase.h:
  • bindings/js/ScheduledAction.h:

(WebCore::ScheduledAction::code const): Return the code.

  • page/DOMWindow.cpp:

(WebCore::DOMWindow::setTimeout): Pass the code to allowEval().
(WebCore::DOMWindow::setInterval): Ditto.

  • page/csp/ContentSecurityPolicy.cpp:

(WebCore::ContentSecurityPolicy::allowEval const): Handle codeContent parameter and pass it to reportViolation().
(WebCore::ContentSecurityPolicy::reportViolation const): Ditto.

  • page/csp/ContentSecurityPolicy.h:
  • workers/WorkerGlobalScope.cpp:

(WebCore::WorkerGlobalScope::setTimeout): Pass the code to allowEval().
(WebCore::WorkerGlobalScope::setInterval): Ditto.

File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/JSGlobalObjectFunctions.cpp

    r284435 r287303  
    471471        return JSValue::encode(x);
    472472
     473
     474    auto codeString = asString(x);
    473475    if (!globalObject->evalEnabled()) {
    474         globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject);
     476        globalObject->globalObjectMethodTable()->reportViolationForUnsafeEval(globalObject, codeString);
    475477        throwException(globalObject, scope, createEvalError(globalObject, globalObject->evalDisabledErrorMessage()));
    476478        return JSValue::encode(jsUndefined());
    477479    }
    478480
    479     String s = asString(x)->value(globalObject);
     481    String s = codeString->value(globalObject);
    480482    RETURN_IF_EXCEPTION(scope, encodedJSValue());
    481483
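Review bot: In the `!globalObject->evalEnabled()` branch, `codeString` reaches `reportViolationForUnsafeEval()` unresolved, and nothing in this hunk checks for an exception between that call and `throwException()`, whereas the allowed path below guards `codeString->value(globalObject)` with `RETURN_IF_EXCEPTION`. If the callee resolves the string itself it needs the same guard; alternatively the resolution could be hoisted above the branch so both paths share one checked `String`. Since the whole eval source is passed here, it is also worth confirming that the sample is bounded before it is written into the violation report. Style: `auto* codeString` would make the pointer type visible at the declaration.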