Do not pass file urls to language plugins

Unless the owning extension has filesystem access enabled.

Bug: none
Change-Id: I3d71f635974cc348d3741fd8335cdf63fbc7fec0
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/5999725
Commit-Queue: Philip Pfaffe <[email protected]>
Reviewed-by: Danil Somsikov <[email protected]>

Author: pfaffe

front_end/models/extensions/BUILD.gn

@@ -64,6 +64,7 @@ ts_library("unittests") {
   sources = [
     "ExtensionServer.test.ts",
     "HostUrlPattern.test.ts",
+    "LanguageExtensionEndpoint.test.ts",
     "RecorderPluginManager.test.ts",
   ]
 

front_end/models/extensions/ExtensionServer.test.ts

@@ -787,6 +787,47 @@ describeWithDevtoolsExtension('Wasm extension API', {}, context => {
   });
 });
 
+class StubLanguageExtension implements Chrome.DevTools.LanguageExtensionPlugin {
+  async addRawModule(): Promise<string[]|{missingSymbolFiles: string[]}> {
+    return [];
+  }
+  async sourceLocationToRawLocation(): Promise<Chrome.DevTools.RawLocationRange[]> {
+    return [];
+  }
+  async rawLocationToSourceLocation(): Promise<Chrome.DevTools.SourceLocation[]> {
+    return [];
+  }
+  async getScopeInfo(): Promise<Chrome.DevTools.ScopeInfo> {
+    throw new Error('Method not implemented.');
+  }
+  async listVariablesInScope(): Promise<Chrome.DevTools.Variable[]> {
+    return [];
+  }
+  async removeRawModule(): Promise<void> {
+  }
+  async getFunctionInfo(): Promise<{frames: Array<Chrome.DevTools.FunctionInfo>, missingSymbolFiles: Array<string>}|
+                                   {missingSymbolFiles: Array<string>}|{frames: Array<Chrome.DevTools.FunctionInfo>}> {
+    return {frames: []};
+  }
+  async getInlinedFunctionRanges(): Promise<Chrome.DevTools.RawLocationRange[]> {
+    return [];
+  }
+  async getInlinedCalleesRanges(): Promise<Chrome.DevTools.RawLocationRange[]> {
+    return [];
+  }
+  async getMappedLines(): Promise<number[]|undefined> {
+    return undefined;
+  }
+  async evaluate(): Promise<Chrome.DevTools.RemoteObject|Chrome.DevTools.ForeignObject|null> {
+    return null;
+  }
+  async getProperties(): Promise<Chrome.DevTools.PropertyDescriptor[]> {
+    return [];
+  }
+  async releaseObject(): Promise<void> {
+  }
+}
+
 describeWithDevtoolsExtension('Language Extension API', {}, context => {
   it('reports loaded resources', async () => {
     const target = createTarget();
@@ -814,3 +855,47 @@ describeWithDevtoolsExtension('Language Extension API', {}, context => {
     assert.deepEqual(resource, expectedResource);
   });
 });
+
+for (const allowFileAccess of [true, false]) {
+  describeWithDevtoolsExtension(
+      `Language Extension API with {allowFileAccess: ${allowFileAccess}}`, {allowFileAccess}, context => {
+        let target: SDK.Target.Target;
+        beforeEach(() => {
+          target = createTarget();
+          const targetManager = target.targetManager();
+          const workspace = Workspace.Workspace.WorkspaceImpl.instance();
+          const resourceMapping = new Bindings.ResourceMapping.ResourceMapping(targetManager, workspace);
+          target.setInspectedURL('http://example.com' as Platform.DevToolsPath.UrlString);
+          const debuggerWorkspaceBinding = Bindings.DebuggerWorkspaceBinding.DebuggerWorkspaceBinding.instance(
+              {forceNew: true, targetManager, resourceMapping});
+          Bindings.IgnoreListManager.IgnoreListManager.instance({forceNew: true, debuggerWorkspaceBinding});
+        });
+
+        it('passes allowFileAccess to the LanguageExtensionEndpoint', async () => {
+          const endpointSpy =
+              sinon.spy(Extensions.LanguageExtensionEndpoint.LanguageExtensionEndpoint.prototype, 'handleScript');
+          const plugin = new StubLanguageExtension();
+          await context.chrome.devtools?.languageServices.registerLanguageExtensionPlugin(plugin, 'plugin', {
+            language: Protocol.Debugger.ScriptLanguage.JavaScript,
+            symbol_types: [Protocol.Debugger.DebugSymbolsType.SourceMap],
+          });
+
+          const debuggerModel = target.model(SDK.DebuggerModel.DebuggerModel);
+          assert.isOk(debuggerModel);
+          debuggerModel.parsedScriptSource(
+              '0' as Protocol.Runtime.ScriptId, 'file:///source/url' as Platform.DevToolsPath.UrlString, 0, 0, 100, 100,
+              0, '', {}, false, 'file:///source/url.map', false, false, 200, true, null, null,
+              Protocol.Debugger.ScriptLanguage.JavaScript, [{
+                type: Protocol.Debugger.DebugSymbolsType.SourceMap,
+                externalURL: 'file:///source/url.map',
+              }],
+              null);
+
+          assert.isTrue(endpointSpy.calledOnce);
+          assert.strictEqual(
+              (endpointSpy.thisValues[0] as Extensions.LanguageExtensionEndpoint.LanguageExtensionEndpoint)
+                  .allowFileAccess,
+              allowFileAccess);
+        });
+      });
+}

front_end/models/extensions/ExtensionServer.ts

@@ -313,8 +313,12 @@ export class ExtensionServer extends Common.ObjectWrapper.ObjectWrapper<EventTyp
     const symbol_types_array =
         (Array.isArray(symbol_types) && symbol_types.every(e => typeof e === 'string') ? symbol_types : []);
     const extensionOrigin = this.getExtensionOrigin(_shared_port);
-    const endpoint =
-        new LanguageExtensionEndpoint(extensionOrigin, pluginName, {language, symbol_types: symbol_types_array}, port);
+    const registration = this.registeredExtensions.get(extensionOrigin);
+    if (!registration) {
+      throw new Error('Received a message from an unregistered extension');
+    }
+    const endpoint = new LanguageExtensionEndpoint(
+        registration.allowFileAccess, extensionOrigin, pluginName, {language, symbol_types: symbol_types_array}, port);
     pluginManager.addPlugin(endpoint);
     return this.status.OK();
   }

front_end/models/extensions/LanguageExtensionEndpoint.test.ts

@@ -0,0 +1,59 @@
+// Copyright 2024 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+import type * as Platform from '../../core/platform/platform.js';
+import * as SDK from '../../core/sdk/sdk.js';
+import * as Protocol from '../../generated/protocol.js';
+
+import * as Extensions from './extensions.js';
+
+for (const allowFileAccess of [true, false]) {
+  describe(`LanguageExtensionEndpoint ${allowFileAccess ? 'with' : 'without'} file access`, () => {
+    let endpoint: Extensions.LanguageExtensionEndpoint.LanguageExtensionEndpoint;
+    beforeEach(() => {
+      const channel = new MessageChannel();
+      endpoint = new Extensions.LanguageExtensionEndpoint.LanguageExtensionEndpoint(
+          allowFileAccess, '', '', {language: 'lang', symbol_types: [Protocol.Debugger.DebugSymbolsType.SourceMap]},
+          channel.port1);
+    });
+
+    it('canAccessURL respects allowFileAccess correctly', () => {
+      assert.isTrue(endpoint.canAccessURL('http://example.com'));
+      assert.strictEqual(endpoint.canAccessURL('file:///file'), allowFileAccess);
+    });
+
+    it('handleScript respects allowFileAccess correctly', () => {
+      const script = sinon.createStubInstance(SDK.Script.Script);
+      script.debugSymbols = {type: Protocol.Debugger.DebugSymbolsType.SourceMap};
+      script.scriptLanguage.returns('lang');
+
+      script.contentURL.returns('file:///file' as Platform.DevToolsPath.UrlString);
+      assert.strictEqual(endpoint.handleScript(script), allowFileAccess);
+      script.contentURL.returns('http://example.com' as Platform.DevToolsPath.UrlString);
+      assert.isTrue(endpoint.handleScript(script));
+
+      script.hasSourceURL = true;
+      script.sourceURL = 'file:///file' as Platform.DevToolsPath.UrlString;
+      assert.strictEqual(endpoint.handleScript(script), allowFileAccess);
+      script.sourceURL = 'http://example.com' as Platform.DevToolsPath.UrlString;
+      assert.isTrue(endpoint.handleScript(script));
+
+      script.debugSymbols.externalURL = 'file:///file';
+      assert.strictEqual(endpoint.handleScript(script), allowFileAccess);
+      script.debugSymbols.externalURL = 'http://example.com';
+      assert.isTrue(endpoint.handleScript(script));
+    });
+
+    it('addRawModule respects allowFileAccess correctly', async () => {
+      const endpointProxyStub = sinon.stub(Extensions.ExtensionEndpoint.ExtensionEndpoint.prototype, 'sendRequest');
+      endpointProxyStub.resolves([]);
+      await endpoint.addRawModule('', 'file:///file', {url: 'http://example.com'});
+      assert.strictEqual(endpointProxyStub.calledOnce, allowFileAccess);
+      await endpoint.addRawModule('', 'http://example.com', {url: 'file:///file'});
+      assert.strictEqual(endpointProxyStub.calledTwice, allowFileAccess);
+      await endpoint.addRawModule('', 'http://example.com', {url: 'http://example.com'});
+      assert.lengthOf(endpointProxyStub.getCalls(), allowFileAccess ? 3 : 1);
+    });
+  });
+}

front_end/models/extensions/LanguageExtensionEndpoint.ts

@@ -31,18 +31,17 @@ class LanguageExtensionEndpointImpl extends ExtensionEndpoint {
 export class LanguageExtensionEndpoint implements Bindings.DebuggerLanguagePlugins.DebuggerLanguagePlugin {
   private readonly supportedScriptTypes: {
     language: string,
-    // TODO(crbug.com/1172300) Ignored during the jsdoc to ts migration
     // eslint-disable-next-line @typescript-eslint/naming-convention
     symbol_types: Array<string>,
   };
-  private endpoint: LanguageExtensionEndpointImpl;
-  private extensionOrigin: string;
-  name: string;
+  private readonly endpoint: LanguageExtensionEndpointImpl;
+  private readonly extensionOrigin: string;
+  readonly allowFileAccess: boolean;
+  readonly name: string;
 
   constructor(
-      extensionOrigin: string, name: string, supportedScriptTypes: {
+      allowFileAccess: boolean, extensionOrigin: string, name: string, supportedScriptTypes: {
         language: string,
-        // TODO(crbug.com/1172300) Ignored during the jsdoc to ts migration
         // eslint-disable-next-line @typescript-eslint/naming-convention
         symbol_types: Array<string>,
       },
@@ -51,9 +50,26 @@ export class LanguageExtensionEndpoint implements Bindings.DebuggerLanguagePlugi
     this.extensionOrigin = extensionOrigin;
     this.supportedScriptTypes = supportedScriptTypes;
     this.endpoint = new LanguageExtensionEndpointImpl(this, port);
+    this.allowFileAccess = allowFileAccess;
+  }
+
+  canAccessURL(url: string): boolean {
+    try {
+      return this.allowFileAccess || new URL(url).protocol !== 'file:';
+    } catch (e) {
+      return false;
+    }
   }
 
   handleScript(script: SDK.Script.Script): boolean {
+    try {
+      if (!this.canAccessURL(script.contentURL()) || (script.hasSourceURL && !this.canAccessURL(script.sourceURL)) ||
+          (script.debugSymbols?.externalURL && !this.canAccessURL(script.debugSymbols.externalURL))) {
+        return false;
+      }
+    } catch (e) {
+      return false;
+    }
     const language = script.scriptLanguage();
     return language !== null && script.debugSymbols !== null && language === this.supportedScriptTypes.language &&
         this.supportedScriptTypes.symbol_types.includes(script.debugSymbols.type);
@@ -71,6 +87,9 @@ export class LanguageExtensionEndpoint implements Bindings.DebuggerLanguagePlugi
   /** Notify the plugin about a new script
    */
   addRawModule(rawModuleId: string, symbolsURL: string, rawModule: Chrome.DevTools.RawModule): Promise<string[]> {
+    if (!this.canAccessURL(symbolsURL) || !this.canAccessURL(rawModule.url)) {
+      return Promise.resolve([]);
+    }
     return this.endpoint.sendRequest(
                PrivateAPI.LanguageExtensionPluginCommands.AddRawModule, {rawModuleId, symbolsURL, rawModule}) as
         Promise<string[]>;

front_end/models/extensions/extensions.ts

@@ -3,19 +3,23 @@
 // found in the LICENSE file.
 
 import * as ExtensionAPI from './ExtensionAPI.js';
+import * as ExtensionEndpoint from './ExtensionEndpoint.js';
 import * as ExtensionPanel from './ExtensionPanel.js';
 import * as ExtensionServer from './ExtensionServer.js';
 import * as ExtensionView from './ExtensionView.js';
 import * as HostUrlPattern from './HostUrlPattern.js';
+import * as LanguageExtensionEndpoint from './LanguageExtensionEndpoint.js';
 import * as RecorderExtensionEndpoint from './RecorderExtensionEndpoint.js';
 import * as RecorderPluginManager from './RecorderPluginManager.js';
 
 export {
   ExtensionAPI,
+  ExtensionEndpoint,
   ExtensionPanel,
   ExtensionServer,
   ExtensionView,
   HostUrlPattern,
+  LanguageExtensionEndpoint,
   RecorderExtensionEndpoint,
   RecorderPluginManager,
 };