From dae8a5a926f0eeeb67d2ff8cfe8198c37fc200f7 Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Thu, 9 Nov 2023 15:08:36 -0800 Subject: [PATCH 1/7] Check if sender is legitimate based on ID --- .../tool/build_extension.dart | 11 ++++++++++- dwds/debug_extension_mv3/web/background.dart | 5 +++++ dwds/debug_extension_mv3/web/chrome_api.dart | 1 + dwds/debug_extension_mv3/web/copier.dart | 1 + dwds/debug_extension_mv3/web/messaging.dart | 17 +++++++++++++++++ dwds/debug_extension_mv3/web/panel.dart | 2 ++ 6 files changed, 36 insertions(+), 1 deletion(-) diff --git a/dwds/debug_extension_mv3/tool/build_extension.dart b/dwds/debug_extension_mv3/tool/build_extension.dart index 5226e346e..a42c7fd69 100644 --- a/dwds/debug_extension_mv3/tool/build_extension.dart +++ b/dwds/debug_extension_mv3/tool/build_extension.dart @@ -43,7 +43,16 @@ Future run({required bool isProd, required bool isMV3}) async { _logInfo('Compiling extension with dart2js to /compiled directory'); final compileStep = await Process.start( 'dart', - ['run', 'build_runner', 'build', 'web', '--output', 'build', '--release'], + [ + 'run', + 'build_runner', + 'build', + 'web', + '--output', + 'build', + '--release', + '--delete-conflicting-outputs', + ], ); final compileExitCode = await _handleProcess(compileStep); // Terminate early if compilation failed: diff --git a/dwds/debug_extension_mv3/web/background.dart b/dwds/debug_extension_mv3/web/background.dart index 5b7f659d5..29f6ba109 100644 --- a/dwds/debug_extension_mv3/web/background.dart +++ b/dwds/debug_extension_mv3/web/background.dart @@ -79,6 +79,7 @@ Future _handleRuntimeMessages( expectedType: MessageType.isAuthenticated, expectedSender: Script.detector, expectedRecipient: Script.background, + sender: sender, messageHandler: (String isAuthenticated) async { final dartTab = sender.tab; if (dartTab == null) { 
@@ -99,6 +100,7 @@ Future _handleRuntimeMessages( expectedType: MessageType.debugInfo, expectedSender: Script.detector, expectedRecipient: Script.background, + sender: sender, messageHandler: (DebugInfo debugInfo) async { final dartTab = sender.tab; if (dartTab == null) { @@ -128,6 +130,7 @@ Future _handleRuntimeMessages( expectedType: MessageType.debugStateChange, expectedSender: Script.debuggerPanel, expectedRecipient: Script.background, + sender: sender, messageHandler: (DebugStateChange debugStateChange) { final newState = debugStateChange.newState; final tabId = debugStateChange.tabId; @@ -142,6 +145,7 @@ Future _handleRuntimeMessages( expectedType: MessageType.multipleAppsDetected, expectedSender: Script.detector, expectedRecipient: Script.background, + sender: sender, messageHandler: (String multipleAppsDetected) async { final dartTab = sender.tab; if (dartTab == null) { @@ -163,6 +167,7 @@ Future _handleRuntimeMessages( expectedType: MessageType.appId, expectedSender: Script.copier, expectedRecipient: Script.background, + sender: sender, messageHandler: (String appId) { displayNotification('Copied app ID: $appId'); }, diff --git a/dwds/debug_extension_mv3/web/chrome_api.dart b/dwds/debug_extension_mv3/web/chrome_api.dart index a7e9db0c9..480bb6888 100644 --- a/dwds/debug_extension_mv3/web/chrome_api.dart +++ b/dwds/debug_extension_mv3/web/chrome_api.dart @@ -253,6 +253,7 @@ class MessageSender { external String? get id; external Tab? get tab; external String? get url; + external String? get origin; external factory MessageSender({String? id, String? url, Tab? tab}); } diff --git a/dwds/debug_extension_mv3/web/copier.dart b/dwds/debug_extension_mv3/web/copier.dart index dcd1be86e..87919d443 100644 --- a/dwds/debug_extension_mv3/web/copier.dart +++ b/dwds/debug_extension_mv3/web/copier.dart 
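Review bot: The `origin` getter added to `MessageSender` in chrome_api.dart has no matching parameter on the factory kept as context right after it, so a sender built through `MessageSender(...)` always reports a null origin. With the origin check this series adds in messaging.dart, such a sender parses to an empty host and is rejected. If the factory is used anywhere (tests or fakes, not visible here), extend it: `external factory MessageSender({String? id, String? url, Tab? tab, String? origin});`. The same getter is re-added unchanged in PATCH 4/7.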
@@ -32,6 +32,7 @@ void _handleRuntimeMessages( expectedType: MessageType.appId, expectedSender: Script.background, expectedRecipient: Script.copier, + sender: sender, messageHandler: _copyAppId, ); diff --git a/dwds/debug_extension_mv3/web/messaging.dart b/dwds/debug_extension_mv3/web/messaging.dart index f2993014e..3b2135820 100644 --- a/dwds/debug_extension_mv3/web/messaging.dart +++ b/dwds/debug_extension_mv3/web/messaging.dart @@ -89,9 +89,12 @@ void interceptMessage({ required MessageType expectedType, required Script expectedSender, required Script expectedRecipient, + required MessageSender sender, required void Function(T message) messageHandler, }) { if (message == null) return; + if (!_isLegitimateSender(sender)) return; + try { final decodedMessage = Message.fromJSON(message); if (decodedMessage.type != expectedType || @@ -187,3 +190,17 @@ Future _sendMessage({ } return completer.future; } + +// Verify the message sender is either a content script with the Dart app origin +// or from this extension. +bool _isLegitimateSender(MessageSender sender) { + final senderHost = Uri.parse(sender.origin ?? '').host; + final isDartAppHost = senderHost == 'localhost' || + senderHost == '127.0.0.1' || + senderHost.endsWith('.googlers.com'); + if (isDartAppHost) return true; + + final isExtensionHost = + senderHost == Uri.parse(chrome.runtime.getURL('')).host; + return isExtensionHost; +} diff --git a/dwds/debug_extension_mv3/web/panel.dart b/dwds/debug_extension_mv3/web/panel.dart index 7494030be..43f941664 100644 --- a/dwds/debug_extension_mv3/web/panel.dart +++ b/dwds/debug_extension_mv3/web/panel.dart @@ -89,6 +89,7 @@ void _handleRuntimeMessages( expectedType: MessageType.debugStateChange, expectedSender: Script.background, expectedRecipient: Script.debuggerPanel, + sender: sender, messageHandler: (DebugStateChange debugStateChange) async { if (debugStateChange.tabId != _tabId) { debugWarn( 
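Review bot: In messaging.dart, `_isLegitimateSender` is called in `interceptMessage` before the `try`, and it reads the origin with `Uri.parse`, which throws a `FormatException` on input it cannot parse. An unparseable `sender.origin` would therefore surface as an exception from the listener instead of a rejected message. Fail closed with `final senderHost = Uri.tryParse(sender.origin ?? '')?.host ?? '';`, which yields an empty host that matches none of the allowed values. The revisions of this helper in PATCH 4/7 and 5/7 keep the `Uri.parse` call, so the same applies there. `interceptMessage` continues outside the hunk, so how its `try` handles errors is not visible here.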
@@ -107,6 +108,7 @@ void _handleRuntimeMessages( expectedType: MessageType.connectFailure, expectedSender: Script.background, expectedRecipient: Script.debuggerPanel, + sender: sender, messageHandler: (ConnectFailure connectFailure) async { debugLog( 'Received connect failure for ${connectFailure.tabId} vs $_tabId', From 8f300cdec3853e19becbe97455554813499c1b2f Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Thu, 9 Nov 2023 15:15:50 -0800 Subject: [PATCH 2/7] Use extension ID instead --- dwds/debug_extension_mv3/web/chrome_api.dart | 2 ++ dwds/debug_extension_mv3/web/messaging.dart | 16 +++------------- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/dwds/debug_extension_mv3/web/chrome_api.dart b/dwds/debug_extension_mv3/web/chrome_api.dart index 480bb6888..bb085cf8e 100644 --- a/dwds/debug_extension_mv3/web/chrome_api.dart +++ b/dwds/debug_extension_mv3/web/chrome_api.dart @@ -191,6 +191,8 @@ class Runtime { external String getURL(String path); + external String get id; + // Note: Not checking the lastError when one occurs throws a runtime exception. external ChromeError? get lastError; diff --git a/dwds/debug_extension_mv3/web/messaging.dart b/dwds/debug_extension_mv3/web/messaging.dart index 3b2135820..45158ac73 100644 --- a/dwds/debug_extension_mv3/web/messaging.dart +++ b/dwds/debug_extension_mv3/web/messaging.dart 
@@ -191,16 +191,6 @@ Future _sendMessage({ return completer.future; } -// Verify the message sender is either a content script with the Dart app origin -// or from this extension. -bool _isLegitimateSender(MessageSender sender) { - final senderHost = Uri.parse(sender.origin ?? '').host; - final isDartAppHost = senderHost == 'localhost' || - senderHost == '127.0.0.1' || - senderHost.endsWith('.googlers.com'); - if (isDartAppHost) return true; - - final isExtensionHost = - senderHost == Uri.parse(chrome.runtime.getURL('')).host; - return isExtensionHost; -} +// Verify the message sender is our extension. +bool _isLegitimateSender(MessageSender sender) => + sender.id == chrome.runtime.id; From aa3c4e9c531ee43d925f46ea11441538c9c9e803 Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Thu, 9 Nov 2023 16:01:11 -0800 Subject: [PATCH 3/7] Clean up --- dwds/debug_extension_mv3/tool/build_extension.dart | 11 +---------- dwds/debug_extension_mv3/web/chrome_api.dart | 1 - 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/dwds/debug_extension_mv3/tool/build_extension.dart b/dwds/debug_extension_mv3/tool/build_extension.dart index a42c7fd69..5226e346e 100644 --- a/dwds/debug_extension_mv3/tool/build_extension.dart +++ b/dwds/debug_extension_mv3/tool/build_extension.dart @@ -43,16 +43,7 @@ Future run({required bool isProd, required bool isMV3}) async { _logInfo('Compiling extension with dart2js to /compiled directory'); final compileStep = await Process.start( 'dart', - [ - 'run', - 'build_runner', - 'build', - 'web', - '--output', - 'build', - '--release', - '--delete-conflicting-outputs', - ], + ['run', 'build_runner', 'build', 'web', '--output', 'build', '--release'], ); final compileExitCode = await _handleProcess(compileStep); // Terminate early if compilation failed: diff --git a/dwds/debug_extension_mv3/web/chrome_api.dart b/dwds/debug_extension_mv3/web/chrome_api.dart index bb085cf8e..3cdea7763 100644 
--- a/dwds/debug_extension_mv3/web/chrome_api.dart +++ b/dwds/debug_extension_mv3/web/chrome_api.dart @@ -255,7 +255,6 @@ class MessageSender { external String? get id; external Tab? get tab; external String? get url; - external String? get origin; external factory MessageSender({String? id, String? url, Tab? tab}); } From 07a71560b68eae2f213f3504a8efe5cc21bd0018 Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Fri, 10 Nov 2023 14:07:57 -0800 Subject: [PATCH 4/7] Check sender origin as well --- dwds/debug_extension_mv3/web/chrome_api.dart | 1 + dwds/debug_extension_mv3/web/messaging.dart | 23 ++++++++++++++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/dwds/debug_extension_mv3/web/chrome_api.dart b/dwds/debug_extension_mv3/web/chrome_api.dart index 3cdea7763..bb085cf8e 100644 --- a/dwds/debug_extension_mv3/web/chrome_api.dart +++ b/dwds/debug_extension_mv3/web/chrome_api.dart @@ -255,6 +255,7 @@ class MessageSender { external String? get id; external Tab? get tab; external String? get url; + external String? get origin; external factory MessageSender({String? id, String? url, Tab? tab}); } diff --git a/dwds/debug_extension_mv3/web/messaging.dart b/dwds/debug_extension_mv3/web/messaging.dart index 45158ac73..4ad3840f6 100644 --- a/dwds/debug_extension_mv3/web/messaging.dart +++ b/dwds/debug_extension_mv3/web/messaging.dart @@ -14,6 +14,7 @@ import 'package:js/js.dart'; import 'chrome_api.dart'; import 'data_serializers.dart'; import 'logger.dart'; +import 'utils.dart'; // A default response for the sendResponse callback. // 
@@ -192,5 +193,23 @@ Future _sendMessage({ } // Verify the message sender is our extension. -bool _isLegitimateSender(MessageSender sender) => - sender.id == chrome.runtime.id; +bool _isLegitimateSender(MessageSender sender) { + // Check that the sender ID matches our extension ID: + if (sender.id != chrome.runtime.id) return false; + + final senderHost = Uri.parse(sender.origin ?? '').host; + final isDartAppHost = senderHost == 'localhost' || + senderHost == '127.0.0.1' || + senderHost.endsWith('.googlers.com'); + final isExtensionHost = + senderHost == Uri.parse(chrome.runtime.getURL('')).host; + + if (isDartAppHost || isExtensionHost) return true; + + // If the sender's host is unexpected, display an error. + displayNotification( + 'Unexpected sender $senderHost. Please file a bug at https://github.com/dart-lang/webdev', + isError: true, + ); + return false; +} From 3e99296a3984979876f1587ac2340a8a82a12f5b Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Fri, 10 Nov 2023 16:19:43 -0800 Subject: [PATCH 5/7] Check scheme as well --- dwds/debug_extension_mv3/web/messaging.dart | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/dwds/debug_extension_mv3/web/messaging.dart b/dwds/debug_extension_mv3/web/messaging.dart index 4ad3840f6..82456e455 100644 --- a/dwds/debug_extension_mv3/web/messaging.dart +++ b/dwds/debug_extension_mv3/web/messaging.dart 
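Review bot: The comment kept above `_isLegitimateSender`, `// Verify the message sender is our extension.`, no longer describes the function. It now also decides on the sender's origin and accepts content scripts running on `localhost`, `127.0.0.1` and `*.googlers.com`. Since this is the trust decision for every intercepted message, spell the rule out, e.g. `// Accept a message only when sender.id is this extension's ID and its origin is the extension itself or an allowed Dart app host.` A short comment at the `displayNotification` call should also say that the rejection is shown to the user for each message from an unexpected origin. That could be noisy if a content script runs on other sites, which cannot be told from this patch.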
@@ -197,18 +197,19 @@ bool _isLegitimateSender(MessageSender sender) { // Check that the sender ID matches our extension ID: if (sender.id != chrome.runtime.id) return false; - final senderHost = Uri.parse(sender.origin ?? '').host; + final senderUri = Uri.parse(sender.origin ?? ''); + final senderHost = senderUri.host; final isDartAppHost = senderHost == 'localhost' || senderHost == '127.0.0.1' || senderHost.endsWith('.googlers.com'); - final isExtensionHost = - senderHost == Uri.parse(chrome.runtime.getURL('')).host; + final isExtensionOrigin = + senderHost == chrome.runtime.id && senderUri.scheme == 'chrome-extension'; - if (isDartAppHost || isExtensionHost) return true; + if (isDartAppHost || isExtensionOrigin) return true; // If the sender's host is unexpected, display an error. displayNotification( - 'Unexpected sender $senderHost. Please file a bug at https://github.com/dart-lang/webdev', + 'Unexpected sender ${sender.origin}. Please file a bug at https://github.com/dart-lang/webdev', isError: true, ); return false; From 7cf56fdff9b5c2a74a9a0cd26dac204d8eba02ba Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Tue, 28 Nov 2023 15:34:56 -0800 Subject: [PATCH 6/7] Allow more Google hosts --- dwds/debug_extension_mv3/web/messaging.dart | 9 +++++++-- dwds/debug_extension_mv3/web/panel.dart | 2 +- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/dwds/debug_extension_mv3/web/messaging.dart b/dwds/debug_extension_mv3/web/messaging.dart index 82456e455..ec8003105 100644 --- a/dwds/debug_extension_mv3/web/messaging.dart +++ b/dwds/debug_extension_mv3/web/messaging.dart 
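Review bot: The scheme is checked only on the extension branch; `isDartAppHost` is still decided on the host alone, so an origin with any scheme passes as long as its host is `localhost`, `127.0.0.1` or ends in `.googlers.com`. The `sender.id` check runs first, so this is defence in depth, but the allowlist is clearer and tighter if it names the schemes a Dart app is served over. Add `final isWebScheme = senderUri.scheme == 'http' || senderUri.scheme == 'https';` and return early with `if ((isWebScheme && isDartAppHost) || isExtensionOrigin) return true;`. The function's signature and closing brace lie outside this hunk.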
@@ -201,7 +201,7 @@ bool _isLegitimateSender(MessageSender sender) { final senderHost = senderUri.host; final isDartAppHost = senderHost == 'localhost' || senderHost == '127.0.0.1' || - senderHost.endsWith('.googlers.com'); + _isGoogleHost(senderHost); final isExtensionOrigin = senderHost == chrome.runtime.id && senderUri.scheme == 'chrome-extension'; @@ -209,8 +209,13 @@ bool _isLegitimateSender(MessageSender sender) { // If the sender's host is unexpected, display an error. displayNotification( - 'Unexpected sender ${sender.origin}. Please file a bug at https://github.com/dart-lang/webdev', + 'Unexpected sender ${sender.origin}. Please file a bug at go/dde-bug or https://github.com/dart-lang/webdev', isError: true, ); return false; } + +bool _isGoogleHost(String host) { + const googleSuffices = ['.googlers.com', '.google.com', '.googleprod.com']; + return googleSuffices.any((suffix) => host.endsWith(suffix)); +} diff --git a/dwds/debug_extension_mv3/web/panel.dart b/dwds/debug_extension_mv3/web/panel.dart index 43f941664..1931db650 100644 --- a/dwds/debug_extension_mv3/web/panel.dart +++ b/dwds/debug_extension_mv3/web/panel.dart @@ -187,7 +187,7 @@ Future _maybeUpdateFileABugLink() async { if (bugLink == null) return; bugLink.setAttribute( 'href', - 'http://b/issues/new?component=775375&template=1791321', + 'http://go/dde-bug', ); } } From 968beae2801f2df408de022c6dfa8bab9c06135a Mon Sep 17 00:00:00 2001 From: Elliott Brooks <21270878+elliette@users.noreply.github.com> Date: Tue, 2 Jan 2024 14:32:49 -0800 Subject: [PATCH 7/7] Resolve analysis error --- dwds/debug_extension_mv3/web/background.dart | 1 + 1 file changed, 1 insertion(+) diff --git a/dwds/debug_extension_mv3/web/background.dart b/dwds/debug_extension_mv3/web/background.dart index 87098bb89..5efd5307f 100644 --- a/dwds/debug_extension_mv3/web/background.dart +++ b/dwds/debug_extension_mv3/web/background.dart 
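Review bot: `_isGoogleHost` trusts every host ending in `.google.com`, which is a much wider set than the `.googlers.com` suffix it replaces and takes in any subdomain of that public domain. The `sender.id` check still has to pass first, but this list is the only origin restriction on messages from content scripts. Keep it to the suffixes where Dart apps are actually served, and add a comment above the list saying why each entry is there. Minor: `googleSuffices` reads as a misspelling; `googleSuffixes` is the usual plural.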
@@ -135,6 +135,7 @@ Future _handleRuntimeMessages( expectedType: MessageType.debugStateChange, expectedSender: Script.popup, expectedRecipient: Script.background, + sender: sender, messageHandler: (DebugStateChange debugStateChange) { final newState = debugStateChange.newState; final tabId = debugStateChange.tabId;