From 0bf0636de624996fe202b51eec8a58abd774269e Mon Sep 17 00:00:00 2001 From: Manu Garg Date: Thu, 25 May 2023 08:38:08 -0700 Subject: [PATCH] Fix the reported security bug. (#159) See https://github.com/manugarg/pacparser/security/advisories/GHSA-62q6-v997-f7v9 for more details on the security bug. Fix: - Use the JS_FunctionCall() API to call the FindProxyForURL() function instead of JS_EvaluateScript() API. - This also does away with the need to str_replace function. Making code simpler. - I've verified the fix with the test cases provided in the security bug. --- src/Makefile | 6 +---- src/pac_utils.h | 57 -------------------------------------------- src/pac_utils_test.c | 40 ------------------------------- src/pacparser.c | 30 +++++------------------ tests/proxy.pac | 43 +++++++++++++++------------------ 5 files changed, 26 insertions(+), 150 deletions(-) delete mode 100644 src/pac_utils_test.c diff --git a/src/Makefile b/src/Makefile index 18132c79..af108901 100644 --- a/src/Makefile +++ b/src/Makefile @@ -87,11 +87,7 @@ jsapi_buildstamp: spidermonkey/js/src spidermonkey/libjs.a: spidermonkey/js/src cd spidermonkey && SMCFLAGS="$(SHFLAGS) $(SMCFLAGS)" $(MAKE) jslib -pac_utils_test: pac_utils_test.c pac_utils.h - $(CC) $(MAINT_CFLAGS) $(CFLAGS) $(SHFLAGS) pac_utils_test.c -o pac_utils_test -lm -L. -I. - -pacparser.o: pacparser.c pac_utils.h pacparser.h pac_utils_test jsapi_buildstamp - ./pac_utils_test +pacparser.o: pacparser.c pac_utils.h pacparser.h jsapi_buildstamp $(CC) $(MAINT_CFLAGS) $(CFLAGS) $(SHFLAGS) -c pacparser.c -o pacparser.o touch pymod/pacparser_o_buildstamp diff --git a/src/pac_utils.h b/src/pac_utils.h index d788a392..9c310bf5 100644 --- a/src/pac_utils.h +++ b/src/pac_utils.h @@ -26,9 +26,6 @@ // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, // USA -#include -#include - static const char *pacUtils = "function dnsDomainIs(host, domain) {\n" " return (host.length >= domain.length &&\n" @@ -335,57 +332,3 @@ static const char *pacUtils = " return FindProxyForURL(url, host);\n" " }\n" "}\n"; - - -// You must free the result if result is non-NULL. -char *str_replace(const char *orig, const char *rep, const char *with) { - if (orig == NULL || rep == NULL || with == NULL) { - return NULL; - } - - size_t len_orig = strnlen(orig, 1024); - size_t len_rep = strnlen(rep, 1024); - size_t len_with = strnlen(with, 1024); - - if (len_orig == 0 || len_rep == 0) { - char *result = malloc(len_orig + 1); - strcpy(result, orig); - return result; - } - - // Count replacements needed - int count; // number of replacements - char const *start = orig; - // Cursor moves through the string, looking for rep. - char const *cursor; - for (count = 0;; ++count) { - cursor = strstr(start, rep); - if (cursor == NULL) { - break; - } - start = cursor + len_rep; - } - - char *tmp; - char *result; - tmp = result = malloc(len_orig + (len_with - len_rep) * count + 1); - - // first time through the loop, all the variable are set correctly - // from here on, - // tmp points to the end of the result string - // ins points to the next occurrence of rep in orig - // orig points to the remainder of orig after "end of rep" - while (count--) { - const char *ins = strstr(orig, rep); - int len_front = (int)(ins - orig); // How far have we moved - // Into the tmp, copy everything until we reach the rep. - // and move tmp forward. - tmp = strncpy(tmp, orig, len_front) + len_front; - tmp = strcpy(tmp, with) + len_with; - orig += len_front + len_rep; // move to next "end of rep" - } - - // Copy the remaining string. - strcpy(tmp, orig); - return result; -} diff --git a/src/pac_utils_test.c b/src/pac_utils_test.c deleted file mode 100644 index 14ba2756..00000000 --- a/src/pac_utils_test.c +++ /dev/null @@ -1,40 +0,0 @@ -#include -#include -#include -#include -#include "pac_utils.h" - -#define STREQ(s1, s2) (strcmp((s1), (s2)) == 0) - -// Unit tests -int main() { - // Test case 1: Single replacement - assert(STREQ("Hello, universe!", str_replace("Hello, world!", "world", "universe"))); - - // Test case 2: Multiple replacements - assert(STREQ("one cat, two cat, red cat, blue cat", - str_replace("one fish, two fish, red fish, blue fish", "fish", "cat"))); - // Expected output: "one cat, two cat, red cat, blue cat" - - // Test case 3: No replacements - assert(STREQ("AI is amazing", str_replace("AI is amazing", "robot", "AI"))); - - // Test case 4: Empty original string - assert(STREQ("", str_replace("", "hello", "world"))); - - // Test case 5: Empty replacement string - assert(STREQ("Hello, world!", str_replace("Hello, world!", "", "universe"))); - - // Test case 6: Empty "with" string - assert(STREQ("Hello, !", str_replace("Hello, world!", "world", ""))); - - // Test case 7: Complex replacements - assert(STREQ("abcdeXYZcba", str_replace("abcdeedcba", "ed", "XYZ"))); - - // Test case 8: Null inputs - assert(str_replace(NULL, "hello", "world") == NULL); - assert(str_replace("Hello hello", NULL, "world") == NULL); - assert(str_replace("Hello hello", "hello", NULL) == NULL); - - return 0; -} \ No newline at end of file diff --git a/src/pacparser.c b/src/pacparser.c index aae82aa8..7f2e0a04 100644 --- a/src/pacparser.c +++ b/src/pacparser.c @@ -238,7 +238,7 @@ my_ip(JSContext *cx, JSObject *UNUSED(o), uintN UNUSED(u), jsval *argv, jsval *r // myIpAddressEx in JS context; not available in core JavaScript. // returns 127.0.0.1 if not able to determine local ip. static JSBool // JS_TRUE or JS_FALSE -my_ip_ex(JSContext *cx, JSObject *UNUSED(o), uintN UNUSED(u), jsval *argv, jsval *rval) +my_ip_ex(JSContext *cx, JSObject *UNUSED(o), uintN UNUSED(u), jsval *UNUSED(argv), jsval *rval) { char ipaddr[INET6_ADDRSTRLEN * MAX_IP_RESULTS + MAX_IP_RESULTS]; char* out; @@ -451,32 +451,14 @@ pacparser_find_proxy(const char *url, const char *host) return NULL; } - // URL-encode "'" as we use single quotes to stick the URL into a temporary script. - char *sanitized_url = str_replace(url, "'", "%27"); - // Hostname shouldn't have single quotes in them - if (strchr(host, '\'')) { - print_error("%s %s\n", error_prefix, - "Invalid hostname: hostname can't have single quotes."); - free(sanitized_url); - return NULL; - } - - script = (char*) malloc(32 + strlen(sanitized_url) + strlen(host)); - script[0] = '\0'; - strcat(script, "findProxyForURL('"); - strcat(script, sanitized_url); - strcat(script, "', '"); - strcat(script, host); - strcat(script, "')"); - if (_debug()) print_error("DEBUG: Executing JavaScript: %s\n", script); - if (!JS_EvaluateScript(cx, global, script, strlen(script), NULL, 1, &rval)) { + jsval args[2]; + args[0] = STRING_TO_JSVAL(JS_NewStringCopyZ(cx, url)); + args[1] = STRING_TO_JSVAL(JS_NewStringCopyZ(cx, host)); + + if (!JS_CallFunctionName(cx, global, "findProxyForURL", 2, args, &rval)) { print_error("%s %s\n", error_prefix, "Problem in executing findProxyForURL."); - free(sanitized_url); - free(script); return NULL; } - free(sanitized_url); - free(script); return JS_GetStringBytes(JS_ValueToString(cx, rval)); } diff --git a/tests/proxy.pac b/tests/proxy.pac index 7c8c6e55..749ee6da 100644 --- a/tests/proxy.pac +++ b/tests/proxy.pac @@ -3,41 +3,36 @@ // Go via proxy for all other hosts. function FindProxyForURL(url, host) { - - if ((isPlainHostName(host) || - dnsDomainIs(host, ".manugarg.com")) && - !localHostOrDomainIs(host, "www.manugarg.com")) - return "plainhost/.manugarg.com"; + if ( + (isPlainHostName(host) || dnsDomainIs(host, '.manugarg.com')) && + !localHostOrDomainIs(host, 'www.manugarg.com') + ) + return 'plainhost/.manugarg.com'; // Test single quote handling in URL. - if (/.*%27.*/.test(url)) { - return "URLHasQuotes"; + if (/'/.test(url)) { + return 'URLHasQuotes'; } // Return externaldomain if host matches .*\.externaldomain\.com - if (/.*\.externaldomain\.com/.test(host)) - return "externaldomain"; + if (/.*\.externaldomain\.com/.test(host)) return 'externaldomain'; // Test if DNS resolving is working as intended - if (dnsDomainIs(host, ".google.com") && - isResolvable(host)) - return "isResolvable"; + if (dnsDomainIs(host, '.google.com') && isResolvable(host)) + return 'isResolvable'; // Test if DNS resolving is working as intended - if (dnsDomainIs(host, ".notresolvabledomainXXX.com") && - !isResolvable(host)) - return "isNotResolvable"; + if (dnsDomainIs(host, '.notresolvabledomainXXX.com') && !isResolvable(host)) + return 'isNotResolvable'; - if (/^https:\/\/.*$/.test(url)) - return "secureUrl"; + if (/^https:\/\/.*$/.test(url)) return 'secureUrl'; - if (isInNet(myIpAddress(), '10.10.0.0', '255.255.0.0')) - return '10.10.0.0'; + if (isInNet(myIpAddress(), '10.10.0.0', '255.255.0.0')) return '10.10.0.0'; - if ((typeof(myIpAddressEx) == "function") && - isInNetEx(myIpAddressEx(), '3ffe:8311:ffff/48')) + if ( + typeof myIpAddressEx == 'function' && + isInNetEx(myIpAddressEx(), '3ffe:8311:ffff/48') + ) return '3ffe:8311:ffff'; - - else - return "END-OF-SCRIPT"; + else return 'END-OF-SCRIPT'; }