[extensions] Allow arbitrary protocol in 'sourceURL' magic comments

Currently, the extension API disallows interacting with resources from
certain protocol (e.g. 'chrome://'). The check works by allow-listing
only a narrow set of protocols, such as 'https://' and 'http://'.

The problem is that this check also prevents access to JavaScript
scripts, that are valid to access. E.g. webpack bundles that use
'eval' + 'sourceURL' results in scripts with a 'webpack://' prefix.
Or react server rendering results in scripts with 'reactsr://'.

This CL softens the check slightly by allowing extensions to list
and modify resources that stem from 'sourceURL' magic comments
provided the inspected target is itself allowed to be inspected.

As DevTools unifies UISourceCode's under the hood, this also
means that ALL targets that provide the same script resource
need to be inspectable.

[email protected]

Fixed: 416196401
Change-Id: I68616cde318bcb986b4999fafb8a3b04d90dfd02
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/6822154
Reviewed-by: Philip Pfaffe <[email protected]>
Commit-Queue: Simon Zünd <[email protected]>

Author: szuend

front_end/models/extensions/ExtensionServer.test.ts

@@ -687,15 +687,14 @@ describeWithDevtoolsExtension('Runtime hosts policy', {hostsPolicy}, context =>
   });
 
   async function createUISourceCode(
-      project: Bindings.ContentProviderBasedProject.ContentProviderBasedProject, url: Platform.DevToolsPath.UrlString) {
+      project: Bindings.ContentProviderBasedProject.ContentProviderBasedProject, url: Platform.DevToolsPath.UrlString,
+      contentType = Common.ResourceType.resourceTypes.Document) {
     const mimeType = 'text/html';
     const dataProvider = () =>
         Promise.resolve(new TextUtils.ContentData.ContentData('content', /* isBase64 */ false, mimeType));
     project.addUISourceCodeWithProvider(
-        new Workspace.UISourceCode.UISourceCode(project, url, Common.ResourceType.resourceTypes.Document),
-        new TextUtils.StaticContentProvider.StaticContentProvider(
-            url, Common.ResourceType.resourceTypes.Document, dataProvider),
-        null, mimeType);
+        new Workspace.UISourceCode.UISourceCode(project, url, contentType),
+        new TextUtils.StaticContentProvider.StaticContentProvider(url, contentType, dataProvider), null, mimeType);
     await project.uiSourceCodeForURL(url)?.requestContentData();
   }
 
@@ -726,6 +725,32 @@ describeWithDevtoolsExtension('Runtime hosts policy', {hostsPolicy}, context =>
     ]);
   });
 
+  it('allows arbitrary schemes in sourceURL comments, as long as the inspected target is allowed', async () => {
+    const target = createTarget({id: 'target' as Protocol.Target.TargetID});
+    target.setInspectedURL(allowedUrl);
+
+    const script = sinon.createStubInstance(SDK.Script.Script, {target, contentURL: blockedUrl});
+    script.hasSourceURL = true;
+    const workspaceBinding = sinon.createStubInstance(Bindings.DebuggerWorkspaceBinding.DebuggerWorkspaceBinding);
+    workspaceBinding.scriptsForUISourceCode.callsFake(uiSourceCode => {
+      if (uiSourceCode.contentURL() === blockedUrl) {
+        return [script];
+      }
+      return [];
+    });
+    sinon.stub(Bindings.DebuggerWorkspaceBinding.DebuggerWorkspaceBinding, 'instance').returns(workspaceBinding);
+    const project = new Bindings.ContentProviderBasedProject.ContentProviderBasedProject(
+        Workspace.Workspace.WorkspaceImpl.instance(), target.id(), Workspace.Workspace.projectTypes.Network, '',
+        false /* isServiceProject */);
+    await createUISourceCode(project, blockedUrl, Common.ResourceType.resourceTypes.Script);
+    await createUISourceCode(project, allowedUrl, Common.ResourceType.resourceTypes.Script);
+
+    assert.exists(context.chrome.devtools);
+    const resources =
+        await new Promise<Chrome.DevTools.Resource[]>(r => context.chrome.devtools?.inspectedWindow.getResources(r));
+    assert.deepEqual(resources.map(r => r.url), [blockedUrl, allowedUrl]);
+  });
+
   function createRequest(
       networkManager: SDK.NetworkManager.NetworkManager, frameId: Protocol.Page.FrameId,
       requestId: Protocol.Network.RequestId, url: Platform.DevToolsPath.UrlString): void {

front_end/models/extensions/ExtensionServer.ts

@@ -463,14 +463,11 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
     if (!scriptUrl || !ranges?.length) {
       return this.status.E_BADARG('command', 'expected valid scriptUrl and non-empty NamedFunctionRanges');
     }
-    if (!this.extensionAllowedOnURL(scriptUrl as Platform.DevToolsPath.UrlString, port)) {
-      return this.status.E_FAILED('Permission denied');
-    }
-    const uiSourceCode =
-        Workspace.Workspace.WorkspaceImpl.instance().uiSourceCodeForURL(scriptUrl as Platform.DevToolsPath.UrlString);
-    if (!uiSourceCode) {
-      return this.status.E_NOTFOUND(scriptUrl);
+    const resource = this.lookupAllowedUISourceCode(scriptUrl as Platform.DevToolsPath.UrlString, port);
+    if ('error' in resource) {
+      return resource.error;
     }
+    const {uiSourceCode} = resource;
     if (!uiSourceCode.contentType().isScript() || !uiSourceCode.contentType().isFromSourceMap()) {
       return this.status.E_BADARG('command', `expected a source map script resource for url: ${scriptUrl}`);
     }
@@ -865,17 +862,18 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
   private handleOpenURL(
       port: MessagePort, contentProviderOrUrl: TextUtils.ContentProvider.ContentProvider|string, lineNumber?: number,
       columnNumber?: number): void {
-    let url: Platform.DevToolsPath.UrlString;
     let resource: {url: string, type: string};
+    let isAllowed: boolean;
     if (typeof contentProviderOrUrl !== 'string') {
-      url = contentProviderOrUrl.contentURL();
       resource = this.makeResource(contentProviderOrUrl);
+      isAllowed = this.extensionAllowedOnContentProvider(contentProviderOrUrl, port);
     } else {
-      url = contentProviderOrUrl as Platform.DevToolsPath.UrlString;
+      const url = contentProviderOrUrl as Platform.DevToolsPath.UrlString;
       resource = {url, type: Common.ResourceType.resourceTypes.Other.name()};
+      isAllowed = this.extensionAllowedOnURL(url, port);
     }
 
-    if (this.extensionAllowedOnURL(url, port)) {
+    if (isAllowed) {
       port.postMessage({
         command: 'open-resource',
         resource,
@@ -891,6 +889,58 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
     return Boolean(extension?.isAllowedOnTarget(url));
   }
 
+  /**
+   * Slightly more permissive as {@link extensionAllowedOnURL}: This method also permits
+   * UISourceCodes that originate from a {@link SDK.Script.Script} with a sourceURL magic comment as
+   * long as the corresponding target is permitted.
+   */
+  private extensionAllowedOnContentProvider(
+      contentProvider: TextUtils.ContentProvider.ContentProvider, port: MessagePort): boolean {
+    if (!(contentProvider instanceof Workspace.UISourceCode.UISourceCode)) {
+      return this.extensionAllowedOnURL(contentProvider.contentURL(), port);
+    }
+
+    if (contentProvider.contentType() !== Common.ResourceType.resourceTypes.Script) {
+      // We only check sourceURL magic comments for scripts (excluding ones coming from source maps).
+      return this.extensionAllowedOnURL(contentProvider.contentURL(), port);
+    }
+
+    const scripts =
+        Bindings.DebuggerWorkspaceBinding.DebuggerWorkspaceBinding.instance().scriptsForUISourceCode(contentProvider);
+    if (scripts.length === 0) {
+      return this.extensionAllowedOnURL(contentProvider.contentURL(), port);
+    }
+
+    return scripts.every(script => {
+      if (script.hasSourceURL) {
+        return this.extensionAllowedOnTarget(script.target(), port);
+      }
+      return this.extensionAllowedOnURL(script.contentURL(), port);
+    });
+  }
+
+  /**
+   * This method prefers returning 'Permission denied' errors if restricted resources are not found,
+   * rather then NOTFOUND. This prevents extensions from being able to fish for restricted resources.
+   */
+  private lookupAllowedUISourceCode(url: Platform.DevToolsPath.UrlString, port: MessagePort):
+      {uiSourceCode: Workspace.UISourceCode.UISourceCode}|{
+    error: Record,
+  }
+  {
+    const uiSourceCode = Workspace.Workspace.WorkspaceImpl.instance().uiSourceCodeForURL(url);
+    if (!uiSourceCode && !this.extensionAllowedOnURL(url, port)) {
+      return {error: this.status.E_FAILED('Permission denied')};
+    }
+    if (!uiSourceCode) {
+      return {error: this.status.E_NOTFOUND(url)};
+    }
+    if (!this.extensionAllowedOnContentProvider(uiSourceCode, port)) {
+      return {error: this.status.E_FAILED('Permission denied')};
+    }
+    return {uiSourceCode};
+  }
+
   private extensionAllowedOnTarget(target: SDK.Target.Target, port: MessagePort): boolean {
     return this.extensionAllowedOnURL(target.inspectedURL(), port);
   }
@@ -980,7 +1030,7 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
     function pushResourceData(
         this: ExtensionServer, contentProvider: TextUtils.ContentProvider.ContentProvider): boolean {
       if (!resources.has(contentProvider.contentURL()) &&
-          this.extensionAllowedOnURL(contentProvider.contentURL(), port)) {
+          this.extensionAllowedOnContentProvider(contentProvider, port)) {
         resources.set(contentProvider.contentURL(), this.makeResource(contentProvider));
       }
       return false;
@@ -1003,7 +1053,7 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
   private async getResourceContent(
       contentProvider: TextUtils.ContentProvider.ContentProvider, message: PrivateAPI.ExtensionServerRequestMessage,
       port: MessagePort): Promise<void> {
-    if (!this.extensionAllowedOnURL(contentProvider.contentURL(), port)) {
+    if (!this.extensionAllowedOnContentProvider(contentProvider, port)) {
       this.dispatchCallback(message.requestId, port, this.status.E_FAILED('Permission denied'));
       return undefined;
     }
@@ -1053,20 +1103,16 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
       return this.status.E_FAILED('Expected a source map URL but got null');
     }
 
-    const url = message.contentUrl as Platform.DevToolsPath.UrlString;
-    if (!this.extensionAllowedOnURL(url, port)) {
-      return this.status.E_FAILED('Permission denied');
-    }
-    const contentProvider = Workspace.Workspace.WorkspaceImpl.instance().uiSourceCodeForURL(url);
-    if (!contentProvider) {
-      return this.status.E_NOTFOUND(url);
+    const resource = this.lookupAllowedUISourceCode(message.contentUrl as Platform.DevToolsPath.UrlString, port);
+    if ('error' in resource) {
+      return resource.error;
     }
 
     const debuggerBindingsInstance = Bindings.DebuggerWorkspaceBinding.DebuggerWorkspaceBinding.instance();
-    const scriptFiles = debuggerBindingsInstance.scriptsForUISourceCode(contentProvider);
+    const scriptFiles = debuggerBindingsInstance.scriptsForUISourceCode(resource.uiSourceCode);
     if (scriptFiles.length > 0) {
       for (const script of scriptFiles) {
-        const resourceFile = debuggerBindingsInstance.scriptFile(contentProvider, script.debuggerModel);
+        const resourceFile = debuggerBindingsInstance.scriptFile(resource.uiSourceCode, script.debuggerModel);
         resourceFile?.addSourceMapURL(message.sourceMapURL as Platform.DevToolsPath.UrlString);
       }
     }
@@ -1084,13 +1130,13 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
       const response = error ? this.status.E_FAILED(error) : this.status.OK();
       this.dispatchCallback(requestId, port, response);
     }
-    if (!this.extensionAllowedOnURL(url as Platform.DevToolsPath.UrlString, port)) {
-      return this.status.E_FAILED('Permission denied');
-    }
 
-    const uiSourceCode =
-        Workspace.Workspace.WorkspaceImpl.instance().uiSourceCodeForURL(url as Platform.DevToolsPath.UrlString);
-    if (!uiSourceCode?.contentType().isDocumentOrScriptOrStyleSheet()) {
+    const resource = this.lookupAllowedUISourceCode(url as Platform.DevToolsPath.UrlString, port);
+    if ('error' in resource) {
+      return resource.error;
+    }
+    const {uiSourceCode} = resource;
+    if (!uiSourceCode.contentType().isDocumentOrScriptOrStyleSheet()) {
       const resource = SDK.ResourceTreeModel.ResourceTreeModel.resourceForURL(url as Platform.DevToolsPath.UrlString);
       if (!resource) {
         return this.status.E_NOTFOUND(url);