[DrJones] redact cross-origin URLs

OrKoN · Devtools-frontend LUCI CQ · commit 160df0eee9be · 2024-10-25T11:52:21.000Z
Fixed: 375546873 Change-Id: I50022cc3e86512a2562624349c9bcc690417b3b2 Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/5965157 Reviewed-by: Mathias Bynens <mathias@chromium.org> Commit-Queue: Alex Rudenko <alexrudenko@chromium.org>
diff --git a/front_end/panels/freestyler/DrJonesNetworkAgent.test.ts b/front_end/panels/freestyler/DrJonesNetworkAgent.test.ts
@@ -15,7 +15,7 @@ import {describeWithMockConnection} from '../../testing/MockConnection.js';
 import {createNetworkPanelForMockConnection} from '../../testing/NetworkHelpers.js';
 import * as Coordinator from '../../ui/components/render_coordinator/render_coordinator.js';
 
-import {allowHeader, DrJonesNetworkAgent, ResponseType} from './freestyler.js';
+import {allowHeader, DrJonesNetworkAgent, formatInitiatorUrl, ResponseType} from './freestyler.js';
 
 const coordinator = Coordinator.RenderCoordinator.RenderCoordinator.instance();
 
@@ -236,7 +236,7 @@ describeWithMockConnection('DrJonesNetworkAgent', () => {
             },
             {
               title: 'Request initiator chain',
-              text: `- URL: https://www.initiator.com
+              text: `- URL: <redacted cross-origin initiator URL>
 \t- URL: https://www.example.com
 \t\t- URL: https://www.example.com/1
 \t\t- URL: https://www.example.com/2`,
@@ -246,7 +246,7 @@ describeWithMockConnection('DrJonesNetworkAgent', () => {
         {
           type: ResponseType.QUERYING,
           query:
-              '# Selected network request \nRequest: https://www.example.com\n\nRequest headers:\ncontent-type: bar1\n\nResponse headers:\ncontent-type: bar2\nx-forwarded-for: bar3\n\nResponse status: 200 \n\nRequest timing:\nQueued at (timestamp): 0 μs\nStarted at (timestamp): 8.3 min\nQueueing (duration): 8.3 min\nConnection start (stalled) (duration): 800.00 ms\nRequest sent (duration): 100.00 ms\nDuration (duration): 8.3 min\n\nRequest initiator chain:\n- URL: https://www.initiator.com\n\t- URL: https://www.example.com\n\t\t- URL: https://www.example.com/1\n\t\t- URL: https://www.example.com/2\n\n# User request\n\ntest',
+              '# Selected network request \nRequest: https://www.example.com\n\nRequest headers:\ncontent-type: bar1\n\nResponse headers:\ncontent-type: bar2\nx-forwarded-for: bar3\n\nResponse status: 200 \n\nRequest timing:\nQueued at (timestamp): 0 μs\nStarted at (timestamp): 8.3 min\nQueueing (duration): 8.3 min\nConnection start (stalled) (duration): 800.00 ms\nRequest sent (duration): 100.00 ms\nDuration (duration): 8.3 min\n\nRequest initiator chain:\n- URL: <redacted cross-origin initiator URL>\n\t- URL: https://www.example.com\n\t\t- URL: https://www.example.com/1\n\t\t- URL: https://www.example.com/2\n\n# User request\n\ntest',
         },
         {
           type: ResponseType.ANSWER,
@@ -277,7 +277,7 @@ Request sent (duration): 100.00 ms
 Duration (duration): 8.3 min
 
 Request initiator chain:
-- URL: https://www.initiator.com
+- URL: <redacted cross-origin initiator URL>
 \t- URL: https://www.example.com
 \t\t- URL: https://www.example.com/1
 \t\t- URL: https://www.example.com/2
@@ -305,4 +305,51 @@ test`,
       assert.isFalse(allowHeader({name: 'authorization', value: 'foo'}));
     });
   });
+
+  describe('formatInitiatorUrl', () => {
+    const tests = [
+      {
+        allowedResource: 'https://example.test',
+        targetResource: 'https://example.test',
+        shouldBeRedacted: false,
+      },
+      {
+        allowedResource: 'https://example.test',
+        targetResource: 'https://another-example.test',
+        shouldBeRedacted: true,
+      },
+      {
+        allowedResource: 'file://test',
+        targetResource: 'https://another-example.test',
+        shouldBeRedacted: true,
+      },
+      {
+        allowedResource: 'https://another-example.test',
+        targetResource: 'file://test',
+        shouldBeRedacted: true,
+      },
+      {
+        allowedResource: 'https://test.example.test',
+        targetResource: 'https://example.test',
+        shouldBeRedacted: true,
+      },
+      {
+        allowedResource: 'https://test.example.test:9900',
+        targetResource: 'https://test.example.test:9901',
+        shouldBeRedacted: true,
+      },
+    ];
+
+    for (const t of tests) {
+      it(`${t.targetResource} test when allowed resource is ${t.allowedResource}`, () => {
+        const formatted = formatInitiatorUrl(new URL(t.targetResource).origin, new URL(t.allowedResource).origin);
+        if (t.shouldBeRedacted) {
+          assert.strictEqual(
+              formatted, '<redacted cross-origin initiator URL>', `${JSON.stringify(t)} was not redacted`);
+        } else {
+          assert.strictEqual(formatted, t.targetResource, `${JSON.stringify(t)} was redacted`);
+        }
+      });
+    }
+  });
 });
diff --git a/front_end/panels/freestyler/DrJonesNetworkAgent.ts b/front_end/panels/freestyler/DrJonesNetworkAgent.ts
@@ -324,38 +324,54 @@ export function formatNetworkRequestTiming(request: SDK.NetworkRequest.NetworkRe
   return labels.filter(label => Boolean(label.value)).map(label => `${label.label}: ${label.value}`).join('\n');
 }
 
+export function formatInitiatorUrl(initiatorUrl: string, allowedOrigin: string): string {
+  const initiatorOrigin = new URL(initiatorUrl).origin;
+  if (initiatorOrigin === allowedOrigin) {
+    return initiatorUrl;
+  }
+  return '<redacted cross-origin initiator URL>';
+}
+
 function formatRequestInitiated(
-    request: SDK.NetworkRequest.NetworkRequest, initiatorChain: string, lineStart: string): string {
+    request: SDK.NetworkRequest.NetworkRequest, initiatorChain: string, lineStart: string,
+    allowedOrigin: string): string {
   const initiated = Logs.NetworkLog.NetworkLog.instance().initiatorGraphForRequest(request).initiated;
   initiated.forEach((v, initiatedRequest) => {
     if (request === v) {
-      initiatorChain = initiatorChain + lineStart + initiatedRequest.url() + '\n';
-      initiatorChain = formatRequestInitiated(initiatedRequest, initiatorChain, '\t' + lineStart);
+      initiatorChain = initiatorChain + lineStart + formatInitiatorUrl(initiatedRequest.url(), allowedOrigin) + '\n';
+      initiatorChain = formatRequestInitiated(initiatedRequest, initiatorChain, '\t' + lineStart, allowedOrigin);
     }
   });
   return initiatorChain;
 }
 
+/**
+ * Note: nothing here should include information from origins other than
+ * the request's origin.
+ */
 function formatRequestInitiatorChain(request: SDK.NetworkRequest.NetworkRequest): string {
+  const allowedOrigin = new URL(request.url()).origin;
   let initiatorChain = '';
   let lineStart = '- URL: ';
   const initiators = Logs.NetworkLog.NetworkLog.instance().initiatorGraphForRequest(request).initiators;
 
   for (const initator of Array.from(initiators).reverse()) {
-    initiatorChain = initiatorChain + lineStart + initator.url() + '\n';
+    initiatorChain = initiatorChain + lineStart + formatInitiatorUrl(initator.url(), allowedOrigin) + '\n';
     lineStart = '\t' + lineStart;
     if (initator === request) {
-      initiatorChain = formatRequestInitiated(initator, initiatorChain, lineStart);
+      initiatorChain = formatRequestInitiated(initator, initiatorChain, lineStart, allowedOrigin);
       break;
     }
   }
 
   return initiatorChain.trim();
 }
 
+/**
+ * Note: nothing here should include information from origins other than
+ * the request's origin.
+ */
 export function formatNetworkRequest(request: SDK.NetworkRequest.NetworkRequest): string {
-  // TODO: anything else that might be relavant?
-  // TODO: handle missing headers
   return `Request: ${request.url()}
 
 ${formatHeaders('Request headers:', request.requestHeaders())}
