From de72ae9bc7192bcf9428ff4a491cacbe971fb0ad Mon Sep 17 00:00:00 2001
From: msamuel
Date: Wed, 14 Jun 2017 14:33:20 -0700
Subject: [PATCH] Fix standalone JS

It's surprisingly hard to test precompiled JS using the internal build rules so I plan to figure out how to do the test process below as a sh_test. There are a few issues addressed here: 1. This fixes compiled code envelopes to be compatible with strict mode. In strict mode, a `this` value of null is not replaced with the global object. goog.global = this; and goog.exportSymbol installs the symbols into goog.global by default. 2. Exports need to happen after definition. 3. The curated polymer-1.0 externs do not include some symbols leading to renaming of those symbols in standalone/polymer-resin.js. Tested: Built //third_party/javascript/security/polymer_resin:all, copied the public tarball to a temp directory and did $ tar xf polymer_resin_public.tar $ npm install bower web-component-tester; bower install $ ./run_tests.sh -l chrome ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=159026669
---
 bower.json | 4 +-
 polymer-resin.js | 24 +++++++-------
 run_tests.sh | 7 ++--
 standalone/polymer-resin-debug.js | 4 +-
 standalone/polymer-resin.js | 26 +++++++--------
 standalone/precompiled-test.html | 53 +++++++++++++++++++++++++++++++
 standalone/precompiled-test.js | 40 +++++++++++++++++++++++
 7 files changed, 126 insertions(+), 32 deletions(-)
 create mode 100644 standalone/precompiled-test.html
 create mode 100644 standalone/precompiled-test.js
diff --git a/bower.json b/bower.json
index 9b3e756..61b3704 100644
--- a/bower.json
+++ b/bower.json
@@ -29,8 +29,8 @@
 "**/.*",
 "**/*~",
 "**/*.md",
- "*-test.html",
- "*-test.js",
+ "**/*-test.html",
+ "**/*-test.js",
 "run_tests.sh",
 "images/**",
 "node_modules",
diff --git a/polymer-resin.js b/polymer-resin.js
index 690a3bf..c85c72d 100644
--- a/polymer-resin.js
+++ b/polymer-resin.js
@@ -222,19 +222,6 @@ security.polymer_resin.setReportHandler_ = function (reportHandler) {
 security.polymer_resin.reportHandler_ = reportHandler || null;
 };
-
-
-if (security.polymer_resin.STANDALONE) {
- goog.exportSymbol(
- 'security.polymer_resin.install',
- security.polymer_resin.install);
-
- goog.exportSymbol(
- 'security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER',
- security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER);
-}
-
-
 /**
 * @type {!RegExp}
 * @private
@@ -788,3 +775,14 @@ security.polymer_resin.VALUE_HANDLERS_[
 typeToUnwrap: goog.string.Const,
 unwrap: goog.string.Const.unwrap
 };
+
+
+if (security.polymer_resin.STANDALONE) {
+ goog.exportSymbol(
+ 'security.polymer_resin.install',
+ security.polymer_resin.install);
+
+ goog.exportSymbol(
+ 'security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER',
+ security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER);
+}
diff --git a/run_tests.sh b/run_tests.sh
index c33fada..594c229 100755
--- a/run_tests.sh
+++ b/run_tests.sh
@@ -18,6 +18,8 @@ export TEST_ROOT_DIR="$(mktemp -d "$TMPDIR"/wct_root.XXXXXXXXXX)"
 [ -d "$TEST_ROOT_DIR" ]
+# `copy_over $d $f` copies $f to the relative path $d/$f under the
+# test root creating parent directories as necessary.
 function copy_over() {
 local D="$1"
 local F="$2"
@@ -31,7 +33,7 @@ function copy_over() {
 pushd "$SRC_DIR"
-for f in *test.{html,js}
+for f in *test.{html,js} standalone/*.{html,js}
 do
 copy_over polymer-resin "$f"
 done
@@ -53,7 +55,8 @@ echo ' WCT.loadSuites([' \
 > "$TEST_SUITE_HTML"
-for f in *test.html; do
+for f in *test.html standalone/*test.html
+do
 echo " '../$f'," >> "$TEST_SUITE_HTML"
 done
diff --git a/standalone/polymer-resin-debug.js b/standalone/polymer-resin-debug.js
index d188c63..fe46b22 100644
--- a/standalone/polymer-resin-debug.js
+++ b/standalone/polymer-resin-debug.js
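Review bot: The export block relocated to the end of polymer-resin.js carries no comment explaining why it must stay after the definitions it exports, so a later tidy-up could hoist it back beside setReportHandler_ and silently reintroduce the missing-export bug this commit fixes. Suggest heading the `if (security.polymer_resin.STANDALONE)` block with `// Keep at end of file: goog.exportSymbol installs the symbol's value at call time, so it must run after install and CONSOLE_LOGGING_REPORT_HANDLER are assigned.` Separately, the regenerated standalone/polymer-resin-debug.js in this same patch flips `security.polymer_resin.STANDALONE = !0;` to `!1`, which makes the relocated `STANDALONE && (goog.exportSymbol(...))` line at its end a no-op; if the debug bundle is expected to expose `security.polymer_resin.install` through exportSymbol, that setting looks worth confirming.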
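Review bot: The new globs `standalone/*.{html,js}` and `standalone/*test.html` expand to their literal text when nothing matches, since neither hunk shows `shopt -s nullglob` (the script prologue is outside the hunks, so this is inferred); in the second loop that would append a bogus `'../standalone/*test.html'` entry to the suite list, and in the first it would hand copy_over a path that does not exist. A one-line guard at the top of each loop body covers both cases: `[ -e "$f" ] || continue`. Because the brace expansion in the first loop yields one pattern per extension, the guard belongs inside the loop rather than on the pattern as a whole.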
@@ -2954,7 +2954,7 @@ security.polymer_resin.classifyElement = function(name, ctor) { } return customElementsRegistry && customElementsRegistry.get(name) || security.polymer_resin.docRegisteredElements_[name] === security.polymer_resin.docRegisteredElements_ ? security.polymer_resin.CustomElementClassification.CUSTOM : ctor === HTMLUnknownElement ? security.polymer_resin.CustomElementClassification.LEGACY : ctor === HTMLElement && security.polymer_resin.VALID_CUSTOM_ELEMENT_NAME_REGEX_.test(name) ? security.polymer_resin.CustomElementClassification.CUSTOMIZABLE : security.polymer_resin.CustomElementClassification.BUILTIN; }; -security.polymer_resin.STANDALONE = !0; +security.polymer_resin.STANDALONE = !1; security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER = function(isViolation, formatString, var_args) { for (var consoleArgs = [formatString], i = 2, n = arguments.length; i < n; ++i) { consoleArgs[i - 1] = arguments[i]; @@ -2970,7 +2970,6 @@ security.polymer_resin.allowIdentifierWithPrefix_ = function(prefix) { security.polymer_resin.setReportHandler_ = function(reportHandler) { security.polymer_resin.reportHandler_ = reportHandler || null; }; -security.polymer_resin.STANDALONE && (goog.exportSymbol("security.polymer_resin.install", security.polymer_resin.install), goog.exportSymbol("security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER", security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER)); security.polymer_resin.allowedIdentifierPattern_ = /^$/; security.polymer_resin.allowUnsafeValues_ = !1; security.polymer_resin.reportHandler_ = void 0; 
@@ -3116,4 +3115,5 @@ security.polymer_resin.VALUE_HANDLERS_[security.html.contracts.AttrType.COMPILE_ security.polymer_resin.VALUE_HANDLERS_[security.html.contracts.AttrType.IDENTIFIER] = {filter:function(e, a, v) { return security.polymer_resin.allowedIdentifierPattern_.test(v) ? v : security.polymer_resin.INNOCUOUS_STRING_; }, safeReplacement:security.polymer_resin.INNOCUOUS_STRING_, typeToUnwrap:goog.string.Const, unwrap:goog.string.Const.unwrap}; +security.polymer_resin.STANDALONE && (goog.exportSymbol("security.polymer_resin.install", security.polymer_resin.install), goog.exportSymbol("security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER", security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER)); diff --git a/standalone/polymer-resin.js b/standalone/polymer-resin.js index 2646555..10539af 100644 --- a/standalone/polymer-resin.js +++ b/standalone/polymer-resin.js 
@@ -1,5 +1,5 @@ (function(){'use strict';var n=this,q=function(a,d){a=a.split(".");var b=n;a[0]in b||!b.execScript||b.execScript("var "+a[0]);for(var c;a.length&&(c=a.shift());)a.length||void 0===d?b[c]&&b[c]!==Object.prototype[c]?b=b[c]:b=b[c]={}:b[c]=d},r=function(a,d,b){return a.call.apply(a.bind,arguments)},t=function(a,d,b){if(!a)throw Error();if(2/g,ca=/"/g,da=/'/g,ea=/\x00/g,fa=/[\x00&<>"']/,ga=function(a){return String(a).replace(/\-([a-z])/g,function(a,b){return b.toUpperCase()})};var x=function(){this.f=w};x.prototype.v=!0;x.prototype.l=function(){return""};x.prototype.toString=function(){return"Const{}"};var y=function(a){return a instanceof x&&a.constructor===x&&a.f===w?"":"type_error:Const"},w={};var A=function(){this.f=z};A.prototype.v=!0;var z={};A.prototype.l=function(){return""};var C=function(){this.f=B};C.prototype.v=!0;var B={};C.prototype.l=function(){return""};var E=function(){this.f=D};E.prototype.v=!0;E.prototype.l=function(){return""};var D={};var G=function(){this.f="";this.A=F};G.prototype.v=!0;G.prototype.l=function(){return this.f};var ha=/^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i,F={},H=function(a){var d=new G;d.f=a;return d};H("about:blank");var J=function(){this.f=I};J.prototype.v=!0;J.prototype.l=function(){return""};var I={};/* +arguments)}},u=function(a,d,b){Function.prototype.bind&&-1!=Function.prototype.bind.toString().indexOf("native code")?u=r:u=t;return u.apply(null,arguments)};var v=/&/g,aa=//g,ca=/"/g,da=/'/g,ea=/\x00/g,fa=/[\x00&<>"']/,ga=function(a){return String(a).replace(/\-([a-z])/g,function(a,b){return b.toUpperCase()})};var x=function(){this.h=w};x.prototype.v=!0;x.prototype.l=function(){return""};x.prototype.toString=function(){return"Const{}"};var y=function(a){return a instanceof x&&a.constructor===x&&a.h===w?"":"type_error:Const"},w={};var A=function(){this.h=z};A.prototype.v=!0;var z={};A.prototype.l=function(){return""};var C=function(){this.h=B};C.prototype.v=!0;var 
B={};C.prototype.l=function(){return""};var E=function(){this.h=D};E.prototype.v=!0;E.prototype.l=function(){return""};var D={};var G=function(){this.h="";this.w=F};G.prototype.v=!0;G.prototype.l=function(){return this.h};var ha=/^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i,F={},H=function(a){var d=new G;d.h=a;return d};H("about:blank");var J=function(){this.h=I};J.prototype.v=!0;J.prototype.l=function(){return""};var I={};/* Copyright (c) 2017 The Polymer Project Authors. All rights reserved. This code may only be used under the BSD style license found at 
@@ -13,18 +13,18 @@ arguments)}},u=function(a,d,b){Function.prototype.bind&&-1!=Function.prototype.b http://polymer.github.io/PATENTS.txt */ var ia={align:1,alt:1,autofocus:1,bgcolor:1,border:1,checked:1,"class":1,color:1,cols:1,colspan:1,dir:8,disabled:1,draggable:1,face:1,"for":10,frameborder:1,height:1,hidden:1,href:4,id:10,ismap:1,label:1,lang:1,loop:1,max:1,maxlength:1,min:1,multiple:1,muted:1,name:10,placeholder:1,preload:1,rel:1,required:1,reversed:1,role:1,rows:1,rowspan:1,selected:1,shape:1,size:1,sizes:1,span:1,spellcheck:1,src:4,start:1,step:1,style:5,summary:1,tabindex:1,target:8,title:1,translate:1,valign:1,value:1,width:1, -wrap:1},K={a:{href:[{c:3}]},area:{href:[{c:3}]},audio:{src:[{c:3}]},blockquote:{cite:[{c:3}]},button:{formaction:[{c:3}],formmethod:[{c:1}],type:[{c:1}]},command:{type:[{c:1}]},del:{cite:[{c:3}]},form:{action:[{c:3}],method:[{c:1}]},img:{src:[{c:3}]},input:{formaction:[{c:3}],formmethod:[{c:1}],max:[{c:1}],min:[{c:1}],src:[{c:3}],step:[{c:1}],type:[{c:1}]},ins:{cite:[{c:3}]},li:{type:[{c:1}]},link:{href:[{c:3,g:"rel",h:"alternate"},{c:3,g:"rel",h:"author"},{c:3,g:"rel",h:"bookmark"},{c:3,g:"rel", -h:"canonical"},{c:3,g:"rel",h:"cite"},{c:3,g:"rel",h:"help"},{c:3,g:"rel",h:"icon"},{c:3,g:"rel",h:"license"},{c:3,g:"rel",h:"next"},{c:3,g:"rel",h:"prefetch"},{c:3,g:"rel",h:"prerender"},{c:3,g:"rel",h:"prev"},{c:3,g:"rel",h:"search"},{c:3,g:"rel",h:"subresource"}],media:[{c:1}],type:[{c:1}]},menuitem:{icon:[{c:3}]},ol:{type:[{c:1}]},q:{cite:[{c:3}]},source:{media:[{c:1}],src:[{c:3}]},style:{media:[{c:1}]},video:{poster:[{c:3}],src:[{c:3}]}},L={a:1,abbr:1,address:1,applet:4,area:5,article:1,aside:1, 
+wrap:1},K={a:{href:[{c:3}]},area:{href:[{c:3}]},audio:{src:[{c:3}]},blockquote:{cite:[{c:3}]},button:{formaction:[{c:3}],formmethod:[{c:1}],type:[{c:1}]},command:{type:[{c:1}]},del:{cite:[{c:3}]},form:{action:[{c:3}],method:[{c:1}]},img:{src:[{c:3}]},input:{formaction:[{c:3}],formmethod:[{c:1}],max:[{c:1}],min:[{c:1}],src:[{c:3}],step:[{c:1}],type:[{c:1}]},ins:{cite:[{c:3}]},li:{type:[{c:1}]},link:{href:[{c:3,f:"rel",g:"alternate"},{c:3,f:"rel",g:"author"},{c:3,f:"rel",g:"bookmark"},{c:3,f:"rel", +g:"canonical"},{c:3,f:"rel",g:"cite"},{c:3,f:"rel",g:"help"},{c:3,f:"rel",g:"icon"},{c:3,f:"rel",g:"license"},{c:3,f:"rel",g:"next"},{c:3,f:"rel",g:"prefetch"},{c:3,f:"rel",g:"prerender"},{c:3,f:"rel",g:"prev"},{c:3,f:"rel",g:"search"},{c:3,f:"rel",g:"subresource"}],media:[{c:1}],type:[{c:1}]},menuitem:{icon:[{c:3}]},ol:{type:[{c:1}]},q:{cite:[{c:3}]},source:{media:[{c:1}],src:[{c:3}]},style:{media:[{c:1}]},video:{poster:[{c:3}],src:[{c:3}]}},L={a:1,abbr:1,address:1,applet:4,area:5,article:1,aside:1, audio:1,b:1,base:4,bdi:1,bdo:1,blockquote:1,body:1,br:5,button:1,canvas:1,caption:1,cite:1,code:1,col:5,colgroup:1,command:1,data:1,datalist:1,dd:1,del:1,details:1,dfn:1,dialog:1,div:1,dl:1,dt:1,em:1,embed:4,fieldset:1,figcaption:1,figure:1,font:1,footer:1,form:1,frame:1,frameset:1,h1:1,h2:1,h3:1,h4:1,h5:1,h6:1,head:1,header:1,hr:5,html:1,i:1,iframe:4,img:5,input:5,ins:1,kbd:1,keygen:5,label:1,legend:1,li:1,link:5,main:1,map:1,mark:1,math:4,menu:1,menuitem:1,meta:4,meter:1,nav:1,noscript:1,object:4, ol:1,optgroup:1,option:1,output:1,p:1,param:5,picture:1,pre:1,progress:1,q:1,rb:1,rp:1,rt:1,rtc:1,ruby:1,s:1,samp:1,script:3,section:1,select:1,slot:1,small:1,source:5,span:1,strong:1,style:2,sub:1,summary:1,sup:1,svg:4,table:1,tbody:1,td:1,template:4,textarea:1,tfoot:1,th:1,thead:1,time:1,title:1,tr:1,track:5,u:1,ul:1,"var":1,video:1,wbr:5},ja=[{auto:!0,ltr:!0,rtl:!0},{_self:!0,_blank:!0}],M={"*":{dir:0,target:1}};var P=function(){if(!N){var a=ka,d={};for(b in 
a)d[b]=a[b];N=d;a=0;for(d=O.length;a',g,g,b,f);return a}if(a){var c=a.allowedIdentifierPrefixes;a=a.reportHandler;if(c)for(var k=0,m=c.length;k")&&(a=a.replace(ba,">")),-1!=a.indexOf('"')&&(a=a.replace(ca,""")),-1!=a.indexOf("'")&&(a=a.replace(da,"'")),-1!=a.indexOf("\x00")&&(a=a.replace(ea,"�")));return a},m:null,j:J,o:function(a){return a instanceof J&&a.constructor===J&&a.f===I?"":"type_error:SafeHtml"}}; -Z[3]={filter:function(a,d,b){a=b;a instanceof G||(a=a.v?a.l():String(a),ha.test(a)||(a="about:invalid#zClosurez"),a=H(a));return a.l()},m:"about:invalid#zClosurez",j:G,o:function(a){return a instanceof G&&a.constructor===G&&a.A===F?a.f:"type_error:SafeUrl"}};Z[4]={filter:function(){return"about:invalid#zClosurez"},m:"about:invalid#zClosurez",j:E,o:function(a){return a instanceof E&&a.constructor===E&&a.f===D?"":"type_error:TrustedResourceUrl"}}; -Z[5]={filter:function(){return"zClosurez"},m:"zClosurez",j:C,o:function(a){return a instanceof C&&a.constructor===C&&a.f===B?"":"type_error:SafeStyle"}};Z[7]={filter:function(){return" /*zClosurez*/ "},m:" /*zClosurez*/ ",j:A,o:function(a){return a instanceof A&&a.constructor===A&&a.f===z?"":"type_error:SafeScript"}}; -Z[8]={filter:function(a,d,b){b=String(b).toLowerCase();a:{var c=null;(a=M[a])&&(c=a[d]);if("number"!=typeof c&&((a=M["*"])&&(c=a[d]),"number"!=typeof c)){d=!1;break a}d=!0===ja[c][String(b).toLowerCase()]}return d?b:"zClosurez"},m:"zClosurez",j:null,o:null};Z[9]={filter:function(){return" /*zClosurez*/ "},m:"zClosurez",j:x,o:y};Z[10]={filter:function(a,d,b){return X.test(b)?b:"zClosurez"},m:"zClosurez",j:x,o:y};}()); +k=c.length,m=T;m")&&(a=a.replace(ba,">")),-1!=a.indexOf('"')&&(a=a.replace(ca,""")),-1!=a.indexOf("'")&&(a=a.replace(da,"'")),-1!=a.indexOf("\x00")&&(a=a.replace(ea,"�")));return a},m:null,j:J,o:function(a){return a instanceof J&&a.constructor===J&&a.h===I?"":"type_error:SafeHtml"}}; +Z[3]={filter:function(a,d,b){a=b;a instanceof 
G||(a=a.v?a.l():String(a),ha.test(a)||(a="about:invalid#zClosurez"),a=H(a));return a.l()},m:"about:invalid#zClosurez",j:G,o:function(a){return a instanceof G&&a.constructor===G&&a.w===F?a.h:"type_error:SafeUrl"}};Z[4]={filter:function(){return"about:invalid#zClosurez"},m:"about:invalid#zClosurez",j:E,o:function(a){return a instanceof E&&a.constructor===E&&a.h===D?"":"type_error:TrustedResourceUrl"}}; +Z[5]={filter:function(){return"zClosurez"},m:"zClosurez",j:C,o:function(a){return a instanceof C&&a.constructor===C&&a.h===B?"":"type_error:SafeStyle"}};Z[7]={filter:function(){return" /*zClosurez*/ "},m:" /*zClosurez*/ ",j:A,o:function(a){return a instanceof A&&a.constructor===A&&a.h===z?"":"type_error:SafeScript"}}; +Z[8]={filter:function(a,d,b){b=String(b).toLowerCase();a:{var c=null;(a=M[a])&&(c=a[d]);if("number"!=typeof c&&((a=M["*"])&&(c=a[d]),"number"!=typeof c)){d=!1;break a}d=!0===ja[c][String(b).toLowerCase()]}return d?b:"zClosurez"},m:"zClosurez",j:null,o:null};Z[9]={filter:function(){return" /*zClosurez*/ "},m:"zClosurez",j:x,o:y};Z[10]={filter:function(a,d,b){return X.test(b)?b:"zClosurez"},m:"zClosurez",j:x,o:y}; +q("security.polymer_resin.install",function(a){function d(a){var b=this.getAttribute(a);return!b||/[\[\{]/.test(a)?null:b}function b(a,b,c,f){if(!f)return f;var g=a.nodeType;if(1!==g){if(3===g){g=a.parentElement;b=!g;if(g&&1===g.nodeType){var e=g.localName;switch(W(e,g.constructor)){case 0:case 1:b=1===(Object.hasOwnProperty.call(L,e)?L[e]:null);break;case 3:case 2:b=!0}}if(b)return f&&f.v?f.l():String(f)}Y&&Y(!0,"Failed to sanitize %s %s%s node to value %O",a.parentElement&&a.parentElement.nodeName, +"#text","",f);return"zClosurez"}var g=a.localName;var l=a.localName;if(a.getAttribute("is")||2!==W(l,a.constructor)){var h=U[l];h||(h=U[l]=document.createElement(l));l=h}else l=ma;switch(c){case "attribute":var h=String(b).toLowerCase(),k=P()[h];if(("string"==typeof k?k:ga(h))in l)break;return f;case "property":if(b in 
l)break;h=b.toLowerCase();h=P()[h];if((h="string"==typeof h?h:null)&&h in l)break;return f;default:throw Error(c+": "+typeof c);}if("attribute"==c)b=b.toLowerCase();else{c=Q;if(!c){c= +P();l={};for(e in c)l[c[e]]=e;c=Q=l}e=c[b];b="string"==typeof e?e:String(b).replace(/([A-Z])/g,"-$1").toLowerCase()}a:{a=u(d,a);if(Object.hasOwnProperty.call(K,g)&&(e=K[g],Object.hasOwnProperty.call(e,b)&&(e=e[b],e instanceof Array))){c=null;l=!1;h=0;for(k=e.length;h',g,g,b,f);return a}if(a){var c=a.allowedIdentifierPrefixes;a=a.reportHandler;if(c)for(var k=0,m=c.length;k + + + + + + + + + + + + Precompiled Test + + + + + + + + + + + + diff --git a/standalone/precompiled-test.js b/standalone/precompiled-test.js new file mode 100644 index 0000000..d7f17bb --- /dev/null +++ b/standalone/precompiled-test.js @@ -0,0 +1,40 @@ +/** + * @license + * Copyright (c) 2017 The Polymer Project Authors. All rights reserved. + * This code may only be used under the BSD style license found at + * http://polymer.github.io/LICENSE.txt + * The complete set of authors may be found at + * http://polymer.github.io/AUTHORS.txt + * The complete set of contributors may be found at + * http://polymer.github.io/CONTRIBUTORS.txt + * Code distributed by Google as part of the polymer project is also + * subject to an additional IP rights grant found at + * http://polymer.github.io/PATENTS.txt + */ + +suite( + 'PrecompiledTest', + + function () { + var myTestFixture; + + setup(function () { + myTestFixture = fixture('precompiled-test-fixture'); + }); + + test('innocuous_string', function() { + var link = myTestFixture.$$('a'); + myTestFixture.x = 'http://example.com/foo'; + + assert.equal('http://example.com/foo', link.href); + }); + + test('evil_payload', function() { + var link = myTestFixture.$$('a'); + myTestFixture.x = 'javascript:evil()'; + + assert.equal( + 'about:invalid#zClosurez', + link.href); + }); + });
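Review bot: Both assertions in standalone/precompiled-test.js pass the expected literal first, but if `assert` is chai's (as web-component-tester supplies), `assert.equal` takes `(actual, expected)`, so a failure message will present the two values the wrong way round. Swap them, e.g. `assert.equal(link.href, 'http://example.com/foo');` and `assert.equal(link.href, 'about:invalid#zClosurez');`. The tests also assume the binding on the fixture has applied by the time `link.href` is read right after assigning `myTestFixture.x`; that appears to hold for Polymer 1.x property bindings, but a one-line comment on the first test stating the assumption would help whoever ports this to a later Polymer.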