[DrJones] Implement an allowlist for headers

Fixed: 375118590
Change-Id: Ic42195f9f4d6aaeffa3dc69206c6258709126afe
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/5965016
Commit-Queue: Alex Rudenko <[email protected]>
Reviewed-by: Mathias Bynens <[email protected]>

Author: OrKoN

front_end/panels/freestyler/DrJonesNetworkAgent.test.ts

@@ -15,7 +15,7 @@ import {describeWithMockConnection} from '../../testing/MockConnection.js';
 import {createNetworkPanelForMockConnection} from '../../testing/NetworkHelpers.js';
 import * as Coordinator from '../../ui/components/render_coordinator/render_coordinator.js';
 
-import {DrJonesNetworkAgent, ResponseType} from './freestyler.js';
+import {allowHeader, DrJonesNetworkAgent, ResponseType} from './freestyler.js';
 
 const coordinator = Coordinator.RenderCoordinator.RenderCoordinator.instance();
 
@@ -146,8 +146,9 @@ describeWithMockConnection('DrJonesNetworkAgent', () => {
           'requestId' as Protocol.Network.RequestId, 'https://www.example.com' as Platform.DevToolsPath.UrlString,
           '' as Platform.DevToolsPath.UrlString, null, null, null);
       selectedNetworkRequest.statusCode = 200;
-      selectedNetworkRequest.setRequestHeaders([{name: 'foo1', value: 'bar1'}]);
-      selectedNetworkRequest.responseHeaders = [{name: 'foo2', value: 'bar2'}, {name: 'foo3', value: 'bar3'}];
+      selectedNetworkRequest.setRequestHeaders([{name: 'content-type', value: 'bar1'}]);
+      selectedNetworkRequest.responseHeaders =
+          [{name: 'content-type', value: 'bar2'}, {name: 'x-forwarded-for', value: 'bar3'}];
       selectedNetworkRequest.timing = timingInfo;
 
       const initiatorNetworkRequest = SDK.NetworkRequest.NetworkRequest.create(
@@ -222,11 +223,11 @@ describeWithMockConnection('DrJonesNetworkAgent', () => {
           details: [
             {
               title: 'Request',
-              text: 'Request URL: https://www.example.com\n\nRequest Headers\nfoo1: bar1',
+              text: 'Request URL: https://www.example.com\n\nRequest Headers\ncontent-type: bar1',
             },
             {
               title: 'Response',
-              text: 'Response Status: 200 \n\nResponse Headers\nfoo2: bar2\nfoo3: bar3',
+              text: 'Response Status: 200 \n\nResponse Headers\ncontent-type: bar2\nx-forwarded-for: bar3',
             },
             {
               title: 'Timing',
@@ -245,7 +246,7 @@ describeWithMockConnection('DrJonesNetworkAgent', () => {
         {
           type: ResponseType.QUERYING,
           query:
-              '# Selected network request \nRequest: https://www.example.com\n\nRequest headers:\nfoo1: bar1\n\nResponse headers:\nfoo2: bar2\nfoo3: bar3\n\nResponse status: 200 \n\nRequest timing:\nQueued at (timestamp): 0 μs\nStarted at (timestamp): 8.3 min\nQueueing (duration): 8.3 min\nConnection start (stalled) (duration): 800.00 ms\nRequest sent (duration): 100.00 ms\nDuration (duration): 8.3 min\n\nRequest initiator chain:\n- URL: https://www.initiator.com\n\t- URL: https://www.example.com\n\t\t- URL: https://www.example.com/1\n\t\t- URL: https://www.example.com/2\n\n# User request\n\ntest',
+              '# Selected network request \nRequest: https://www.example.com\n\nRequest headers:\ncontent-type: bar1\n\nResponse headers:\ncontent-type: bar2\nx-forwarded-for: bar3\n\nResponse status: 200 \n\nRequest timing:\nQueued at (timestamp): 0 μs\nStarted at (timestamp): 8.3 min\nQueueing (duration): 8.3 min\nConnection start (stalled) (duration): 800.00 ms\nRequest sent (duration): 100.00 ms\nDuration (duration): 8.3 min\n\nRequest initiator chain:\n- URL: https://www.initiator.com\n\t- URL: https://www.example.com\n\t\t- URL: https://www.example.com/1\n\t\t- URL: https://www.example.com/2\n\n# User request\n\ntest',
         },
         {
           type: ResponseType.ANSWER,
@@ -260,11 +261,11 @@ describeWithMockConnection('DrJonesNetworkAgent', () => {
           text: `# Selected network request \nRequest: https://www.example.com
 
 Request headers:
-foo1: bar1
+content-type: bar1
 
 Response headers:
-foo2: bar2
-foo3: bar3
+content-type: bar2
+x-forwarded-for: bar3
 
 Response status: 200 \n
 Request timing:
@@ -292,4 +293,16 @@ test`,
       ]);
     });
   });
+
+  describe('allowHeader', () => {
+    it('allows a header from the list', () => {
+      assert.isTrue(allowHeader({name: 'content-type', value: 'foo'}));
+    });
+
+    it('disallows headers not on the list', () => {
+      assert.isFalse(allowHeader({name: 'cookie', value: 'foo'}));
+      assert.isFalse(allowHeader({name: 'set-cookie', value: 'foo'}));
+      assert.isFalse(allowHeader({name: 'authorization', value: 'foo'}));
+    });
+  });
 });

front_end/panels/freestyler/DrJonesNetworkAgent.ts

@@ -159,20 +159,113 @@ function formatLines(title: string, lines: string[], maxLength: number): string
   return result && title ? title + '\n' + result : result;
 }
 
+// Header names that could be included in the prompt, lowercase.
+const allowedHeaders = new Set([
+  'a-im',
+  'accept-ch',
+  'accept-charset',
+  'accept-datetime',
+  'accept-encoding',
+  'accept-language',
+  'accept-patch',
+  'accept-ranges',
+  'accept',
+  'access-control-allow-credentials',
+  'access-control-allow-headers',
+  'access-control-allow-methods',
+  'access-control-allow-origin',
+  'access-control-expose-headers',
+  'access-control-max-age',
+  'access-control-request-headers',
+  'access-control-request-method',
+  'age',
+  'allow',
+  'alt-svc',
+  'cache-control',
+  'connection',
+  'content-disposition',
+  'content-encoding',
+  'content-language',
+  'content-length',
+  'content-location',
+  'content-md5',
+  'content-range',
+  'content-security-policy',
+  'content-type',
+  'correlation-id',
+  'date',
+  'delta-base',
+  'dnt',
+  'etag',
+  'expect-ct',
+  'expect',
+  'expires',
+  'forwarded',
+  'front-end-https',
+  'host',
+  'http2-settings',
+  'if-match',
+  'if-modified-since',
+  'if-none-match',
+  'if-range',
+  'if-unmodified-source',
+  'im',
+  'last-modified',
+  'link',
+  'location',
+  'max-forwards',
+  'nel',
+  'origin',
+  'permissions-policy',
+  'pragma',
+  'preference-applied',
+  'proxy-connection',
+  'public-key-pins',
+  'range',
+  'referer',
+  'refresh',
+  'report-to',
+  'retry-after',
+  'save-data',
+  'sec-gpc',
+  'server',
+  'status',
+  'strict-transport-security',
+  'te',
+  'timing-allow-origin',
+  'tk',
+  'trailer',
+  'transfer-encoding',
+  'upgrade-insecure-requests',
+  'upgrade',
+  'user-agent',
+  'vary',
+  'via',
+  'warning',
+  'www-authenticate',
+  'x-att-deviceid',
+  'x-content-duration',
+  'x-content-security-policy',
+  'x-content-type-options',
+  'x-correlation-id',
+  'x-forwarded-for',
+  'x-forwarded-host',
+  'x-forwarded-proto',
+  'x-frame-options',
+  'x-http-method-override',
+  'x-powered-by',
+  'x-redirected-by',
+  'x-request-id',
+  'x-requested-with',
+  'x-ua-compatible',
+  'x-uidh',
+  'x-wap-profile',
+  'x-webkit-csp',
+  'x-xss-protection',
+]);
+
 export function allowHeader(header: SDK.NetworkRequest.NameValue): boolean {
-  const normalizedName = header.name.toLowerCase().trim();
-  // Skip custom headers.
-  if (normalizedName.startsWith('x-')) {
-    return false;
-  }
-  // Skip cookies as they might contain auth.
-  if (normalizedName === 'cookie' || normalizedName === 'set-cookie') {
-    return false;
-  }
-  if (normalizedName === 'authorization') {
-    return false;
-  }
-  return true;
+  return allowedHeaders.has(header.name.toLowerCase().trim());
 }
 
 export function formatHeaders(title: string, headers: SDK.NetworkRequest.NameValue[]): string {