From 60d46daab127b57b7e151dc6b89fa88d0a3bea0b Mon Sep 17 00:00:00 2001
From: Marco Castelluccio <mcastelluccio@mozilla.com>
Date: Sat, 30 Nov 2019 00:13:36 +0000
Subject: [PATCH] Bug 1596058 [wpt PR 20228] - [Trusted Types] Cover attribute
 node manipulation with Trusted Types checks., a=testonly

Automatic update from web-platform-tests
[Trusted Types] Cover attribute node manipulation with Trusted Types checks.

Element::setAttribute will perform trusted types checks, which (currently)
can be circumvented by obtaining the DOM's attribute node and setting the
value directly. This fixes this bypass, by performing identical checks when
the attribute node values are set, and/or the attribute node is attached to
an element.

Bug: 1008012
Bug: https://github.com/w3c/webappsec-trusted-types/issues/47
Change-Id: I1d8ead85b3fa11821c329e1f4af60c1e85ea8298
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1911215
Commit-Queue: Daniel Vogelheim <vogelheimchromium.org>
Reviewed-by: Mike West <mkwstchromium.org>
Cr-Commit-Position: refs/heads/master{#716193}

--

wpt-commits: 36362f1a77faf18831c8b596e7b5bee081629817
wpt-pr: 20228

UltraBlame original commit: 5765ef6d9f1a1d561d37a365cda5c2084245145f
---
 .../TrustedType-AttributeNodes.tentative.html | 93 +++++++++++++++++++
 1 file changed, 93 insertions(+)
 create mode 100644 testing/web-platform/tests/trusted-types/TrustedType-AttributeNodes.tentative.html

diff --git a/testing/web-platform/tests/trusted-types/TrustedType-AttributeNodes.tentative.html b/testing/web-platform/tests/trusted-types/TrustedType-AttributeNodes.tentative.html
new file mode 100644
index 0000000000000..77eef9cf39e42
--- /dev/null
+++ b/testing/web-platform/tests/trusted-types/TrustedType-AttributeNodes.tentative.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html>
+<head>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="trusted-types *">
+</head>
+<body>
+<script>
+  // This is a set of tests that try to make sure various ways of setting
+  // attributes (directly; via an attribute node; etc.) are all being treated
+  // identically. For background, se::
+  // https://github.com/w3c/webappsec-trusted-types/issues/47
+
+  const elems = ["div", "script", "embed", "iframe"];
+  const attrs = ["src", "srcdoc", "onclick", "bla"];
+
+  const policy_callback = s => ("" + s + " [policy]");
+  const policy = trustedTypes.createPolicy("policy", {
+    "createHTML": policy_callback,
+    "createScript": policy_callback,
+    "createScriptURL": policy_callback,
+  });
+
+  // Returns either the string-ified result value of fn, or an exception type.
+  function try_get(fn) {
+    try {
+      return "" + fn();
+    } catch(e) {
+      return "" + e.name;
+    }
+  }
+
+  // Returns a 'trusted' version of value, if element.attribute requires it.
+  function trusted(element, attribute, value) {
+    switch (trustedTypes.getAttributeType(element, attribute)) {
+      case 'TrustedHTML': value = policy.createHTML(value); break;
+      case 'TrustedScript': value = policy.createScript(value); break;
+      case 'TrustedScriptURL': value = policy.createScriptURL(value); break;
+    }
+    return value;
+  }
+
+  for (elem of elems) {
+    for (attr of attrs) {
+      const reference = try_get(_ => {
+        const e = document.createElement(elem);
+        e.setAttribute(attr, "hello");
+        return e.getAttribute(attr);
+      });
+
+      // Event handlers (like "onclick") apply to all elements, so we don't
+      // really have 'harmless' element we can attach them to. Hence this test
+      // case doesn't apply.
+      if (attr != "onclick") {
+        test(t => {
+          const harmless = document.createElement("div");
+          harmless.setAttribute(attr, "hello");
+          const node = harmless.getAttributeNode(attr);
+          harmless.removeAttributeNode(node);
+
+          const actual = try_get(_ => {
+            const e = document.createElement(elem);
+            e.setAttributeNode(node);
+            return e.getAttribute(attr);
+          });
+          assert_equals(actual, reference);
+        }, `Set attribute via attribute node on ${elem}.${attr}.`);
+      }
+
+      test(t => {
+        const e = document.createElement(elem);
+        e.setAttribute(attr, trusted(elem, attr, "123"));
+        const actual = try_get(_ => {
+          e.getAttributeNode(attr).value = "hello";
+          return e.getAttribute(attr);
+        });
+        assert_equals(actual, reference);
+      }, `Set attribute via attributenode.value on ${elem}.${attr}.`);
+
+      test(t => {
+        const e = document.createElement(elem);
+        const attrnode = document.createAttribute(attr);
+        attrnode.value = "hello";
+        const actual = try_get(_ => {
+          e.attributes.setNamedItem(attrnode);
+          return e.getAttribute(attr);
+        });
+        assert_equals(actual, reference);
+      }, `Set attribute via NamedNodeMap.setNamedItem on ${elem}.${attr}.`);
+    }
+  }
+</script>
+</body>