Modified: trunk/Source/_javascript_Core/ChangeLog (217050 => 217051)
--- trunk/Source/_javascript_Core/ChangeLog 2017-05-18 17:46:38 UTC (rev 217050)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-05-18 18:09:24 UTC (rev 217051)
@@ -1,3 +1,26 @@
+2017-05-18 Joseph Pecoraro <[email protected]>
+
+ Remote Inspector: Be stricter about checking message types
+ https://bugs.webkit.org/show_bug.cgi?id=172259
+ <rdar://problem/32264839>
+
+ Reviewed by Brian Burg.
+
+ * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
+ (Inspector::RemoteInspector::receivedSetupMessage):
+ (Inspector::RemoteInspector::receivedDataMessage):
+ (Inspector::RemoteInspector::receivedDidCloseMessage):
+ (Inspector::RemoteInspector::receivedIndicateMessage):
+ (Inspector::RemoteInspector::receivedConnectionDiedMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionConfigurationMessage):
+ (Inspector::RemoteInspector::receivedAutomaticInspectionRejectMessage):
+ (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
+ * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
+ (Inspector::RemoteInspectorXPCConnection::deserializeMessage):
+ (Inspector::RemoteInspectorXPCConnection::handleEvent):
+ (Inspector::RemoteInspectorXPCConnection::sendMessage):
+ Bail if we don't receive the expected types for message data.
+
2017-05-18 Filip Pizlo <[email protected]>
DFG inlining should be hardened for the no-result case
Modified: trunk/Source/_javascript_Core/inspector/remote/cocoa/RemoteInspectorCocoa.mm (217050 => 217051)
--- trunk/Source/_javascript_Core/inspector/remote/cocoa/RemoteInspectorCocoa.mm 2017-05-18 17:46:38 UTC (rev 217050)
+++ trunk/Source/_javascript_Core/inspector/remote/cocoa/RemoteInspectorCocoa.mm 2017-05-18 18:09:24 UTC (rev 217051)
@@ -43,6 +43,14 @@
#import <wtf/spi/darwin/XPCSPI.h>
#import <wtf/text/WTFString.h>
+#define BAIL_IF_UNEXPECTED_TYPE(expr, classExpr) \
+ do { \
+ id value = (expr); \
+ id classValue = (classExpr); \
+ if (![value isKindOfClass:classValue]) \
+ return; \
+ } while (0);
+
namespace Inspector {
static bool canAccessWebInspectorMachPort()
@@ -449,16 +457,21 @@
void RemoteInspector::receivedSetupMessage(NSDictionary *userInfo)
{
- unsigned targetIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
- if (!targetIdentifier)
- return;
+ NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
- NSString *connectionIdentifier = [userInfo objectForKey:WIRConnectionIdentifierKey];
- if (!connectionIdentifier)
- return;
+ NSString *connectionIdentifier = userInfo[WIRConnectionIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(connectionIdentifier, [NSString class]);
- NSString *sender = [userInfo objectForKey:WIRSenderKey];
- if (!sender)
+ NSString *sender = userInfo[WIRSenderKey];
+ BAIL_IF_UNEXPECTED_TYPE(sender, [NSString class]);
+
+ NSNumber *automaticallyPauseNumber = userInfo[WIRAutomaticallyPause];
+ BAIL_IF_UNEXPECTED_TYPE(automaticallyPauseNumber, [NSNumber class]);
+ BOOL automaticallyPause = automaticallyPauseNumber.boolValue;
+
+ unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
+ if (!targetIdentifier)
return;
if (m_targetConnectionMap.contains(targetIdentifier))
@@ -474,7 +487,6 @@
if (is<RemoteInspectionTarget>(target)) {
bool isAutomaticInspection = m_automaticInspectionCandidateTargetIdentifier == target->targetIdentifier();
- bool automaticallyPause = [[userInfo objectForKey:WIRAutomaticallyPause] boolValue];
if (!connectionToTarget->setup(isAutomaticInspection, automaticallyPause)) {
connectionToTarget->close();
@@ -495,7 +507,13 @@
void RemoteInspector::receivedDataMessage(NSDictionary *userInfo)
{
- unsigned targetIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
+ NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+ NSData *data = ""
+ BAIL_IF_UNEXPECTED_TYPE(data, [NSData class]);
+
+ unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
if (!targetIdentifier)
return;
@@ -503,7 +521,6 @@
if (!connectionToTarget)
return;
- NSData *data = "" objectForKey:WIRSocketDataKey];
RetainPtr<NSString> message = adoptNS([[NSString alloc] initWithData:data encoding:NSUTF8StringEncoding]);
connectionToTarget->sendMessageToTarget(message.get());
}
@@ -510,14 +527,16 @@
void RemoteInspector::receivedDidCloseMessage(NSDictionary *userInfo)
{
- unsigned targetIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
+ NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+ NSString *connectionIdentifier = userInfo[WIRConnectionIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(connectionIdentifier, [NSString class]);
+
+ unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
if (!targetIdentifier)
return;
- NSString *connectionIdentifier = [userInfo objectForKey:WIRConnectionIdentifierKey];
- if (!connectionIdentifier)
- return;
-
auto connectionToTarget = m_targetConnectionMap.get(targetIdentifier);
if (!connectionToTarget)
return;
@@ -538,18 +557,23 @@
void RemoteInspector::receivedIndicateMessage(NSDictionary *userInfo)
{
- unsigned identifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntegerValue];
- if (!identifier)
+ NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
+
+ NSNumber *indicateEnabledNumber = userInfo[WIRIndicateEnabledKey];
+ BAIL_IF_UNEXPECTED_TYPE(indicateEnabledNumber, [NSNumber class]);
+ BOOL indicateEnabled = indicateEnabledNumber.boolValue;
+
+ unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
+ if (!targetIdentifier)
return;
- BOOL indicateEnabled = [[userInfo objectForKey:WIRIndicateEnabledKey] boolValue];
-
callOnWebThreadOrDispatchAsyncOnMainThread(^{
RemoteControllableTarget* target = nullptr;
{
std::lock_guard<Lock> lock(m_mutex);
- auto findResult = m_targetMap.find(identifier);
+ auto findResult = m_targetMap.find(targetIdentifier);
if (findResult == m_targetMap.end())
return;
@@ -588,9 +612,8 @@
void RemoteInspector::receivedConnectionDiedMessage(NSDictionary *userInfo)
{
- NSString *connectionIdentifier = [userInfo objectForKey:WIRConnectionIdentifierKey];
- if (!connectionIdentifier)
- return;
+ NSString *connectionIdentifier = userInfo[WIRConnectionIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(connectionIdentifier, [NSString class]);
auto it = m_targetConnectionMap.begin();
auto end = m_targetConnectionMap.end();
@@ -611,8 +634,11 @@
void RemoteInspector::receivedAutomaticInspectionConfigurationMessage(NSDictionary *userInfo)
{
- m_automaticInspectionEnabled = [[userInfo objectForKey:WIRAutomaticInspectionEnabledKey] boolValue];
+ NSNumber *automaticInspectionEnabledNumber = userInfo[WIRAutomaticInspectionEnabledKey];
+ BAIL_IF_UNEXPECTED_TYPE(automaticInspectionEnabledNumber, [NSNumber class]);
+ m_automaticInspectionEnabled = automaticInspectionEnabledNumber.boolValue;
+
if (!m_automaticInspectionEnabled && m_automaticInspectionPaused)
m_automaticInspectionPaused = false;
}
@@ -619,15 +645,23 @@
void RemoteInspector::receivedAutomaticInspectionRejectMessage(NSDictionary *userInfo)
{
- unsigned rejectionIdentifier = [[userInfo objectForKey:WIRTargetIdentifierKey] unsignedIntValue];
+ NSNumber *targetIdentifierNumber = userInfo[WIRTargetIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(targetIdentifierNumber, [NSNumber class]);
- ASSERT(rejectionIdentifier == m_automaticInspectionCandidateTargetIdentifier);
- if (rejectionIdentifier == m_automaticInspectionCandidateTargetIdentifier)
+ unsigned targetIdentifier = targetIdentifierNumber.unsignedIntValue;
+ if (!targetIdentifier)
+ return;
+
+ ASSERT(targetIdentifier == m_automaticInspectionCandidateTargetIdentifier);
+ if (targetIdentifier == m_automaticInspectionCandidateTargetIdentifier)
m_automaticInspectionPaused = false;
}
void RemoteInspector::receivedAutomationSessionRequestMessage(NSDictionary *userInfo)
{
+ NSString *suggestedSessionIdentifier = userInfo[WIRSessionIdentifierKey];
+ BAIL_IF_UNEXPECTED_TYPE(suggestedSessionIdentifier, [NSString class]);
+
if (!m_client)
return;
@@ -634,10 +668,6 @@
if (!m_clientCapabilities || !m_clientCapabilities->remoteAutomationAllowed)
return;
- NSString *suggestedSessionIdentifier = [userInfo objectForKey:WIRSessionIdentifierKey];
- if (!suggestedSessionIdentifier)
- return;
-
m_client->requestAutomationSession(suggestedSessionIdentifier);
}
Modified: trunk/Source/_javascript_Core/inspector/remote/cocoa/RemoteInspectorXPCConnection.mm (217050 => 217051)
--- trunk/Source/_javascript_Core/inspector/remote/cocoa/RemoteInspectorXPCConnection.mm 2017-05-18 17:46:38 UTC (rev 217050)
+++ trunk/Source/_javascript_Core/inspector/remote/cocoa/RemoteInspectorXPCConnection.mm 2017-05-18 18:09:24 UTC (rev 217051)
@@ -144,6 +144,7 @@
RetainPtr<CFDictionaryRef> dictionary = adoptCF((CFDictionaryRef)_CFXPCCreateCFObjectFromXPCMessage(xpcDictionary));
ASSERT_WITH_MESSAGE(dictionary, "Unable to deserialize xpc message");
+ ASSERT(CFGetTypeID(dictionary.get()) == CFDictionaryGetTypeID());
return (NSDictionary *)dictionary.autorelease();
}
@@ -182,12 +183,18 @@
}
#endif
- NSDictionary *dataDictionary = deserializeMessage(object);
- if (!dataDictionary)
+ NSDictionary *dictionary = deserializeMessage(object);
+ if (![dictionary isKindOfClass:[NSDictionary class]])
return;
- NSString *message = [dataDictionary objectForKey:RemoteInspectorXPCConnectionMessageNameKey];
- NSDictionary *userInfo = [dataDictionary objectForKey:RemoteInspectorXPCConnectionUserInfoKey];
+ NSString *message = dictionary[RemoteInspectorXPCConnectionMessageNameKey];
+ if (![message isKindOfClass:[NSString class]])
+ return;
+
+ NSDictionary *userInfo = dictionary[RemoteInspectorXPCConnectionUserInfoKey];
+ if (userInfo && ![userInfo isKindOfClass:[NSDictionary class]])
+ return;
+
std::lock_guard<Lock> lock(m_mutex);
if (m_client)
m_client->xpcConnectionReceivedMessage(this, message, userInfo);
@@ -199,11 +206,12 @@
if (m_closed)
return;
- NSMutableDictionary *dictionary = [NSMutableDictionary dictionaryWithObject:messageName forKey:RemoteInspectorXPCConnectionMessageNameKey];
+ RetainPtr<NSMutableDictionary> dictionary = adoptNS([[NSMutableDictionary alloc] init]);
+ [dictionary setObject:messageName forKey:RemoteInspectorXPCConnectionMessageNameKey];
if (userInfo)
[dictionary setObject:userInfo forKey:RemoteInspectorXPCConnectionUserInfoKey];
- xpc_object_t xpcDictionary = _CFXPCCreateXPCMessageWithCFObject((CFDictionaryRef)dictionary);
+ xpc_object_t xpcDictionary = _CFXPCCreateXPCMessageWithCFObject((CFDictionaryRef)dictionary.get());
ASSERT_WITH_MESSAGE(xpcDictionary && xpc_get_type(xpcDictionary) == XPC_TYPE_DICTIONARY, "Unable to serialize xpc message");
if (!xpcDictionary)
return;
