hardening update code for #334

Author: gorhill

background.html

@@ -6,6 +6,7 @@
 <body>
 <script src="lib/punycode.min.js"></script>
 <script src="lib/publicsuffixlist.min.js"></script>
+<script src="lib/md5omatic.min.js"></script>
 <script src="js/types.js"></script>
 <script src="js/usersettings.js"></script>
 <script src="js/lists.js"></script>

js/asset-updater.js

@@ -39,13 +39,13 @@ var getUpdateList = function(msg) {
         }
         switch ( request.what ) {
         case 'assetManagerLocalChecksumsLoaded':
-            localChecksumsText = request.error ? 'Error' : request.content;
+            localChecksumsText = validateChecksums(request);
             if ( remoteChecksumsText !== '' ) {
                 compareChecksums();
             }
             break;
         case 'assetManagerRemoteChecksumsLoaded':
-            remoteChecksumsText = request.error ? 'Error' : request.content;
+            remoteChecksumsText = validateChecksums(request);
             if ( localChecksumsText !== '' ) {
                 compareChecksums();
             }
@@ -55,6 +55,16 @@ var getUpdateList = function(msg) {
         }
     };
 
+    var validateChecksums = function(request) {
+        if ( request.error || request.content === '' ) {
+            return 'Error';
+        }
+        if ( /^(?:[0-9a-f]{32}\s+\S+(\s+|$))+/.test(request.content) ) {
+            return request.content;
+        }
+        return 'Error';
+    };
+
     var compareChecksums = function() {
         chrome.runtime.onMessage.removeListener(onMessage);
 
@@ -179,9 +189,7 @@ var updateList = function(list) {
 
     var onAllLocalAssetUpdated = function(details) {
         chrome.runtime.onMessage.removeListener(onMessage);
-        chrome.runtime.sendMessage({
-            'what': 'allLocalAssetsUpdated'
-        });
+        chrome.runtime.sendMessage({ 'what': 'allLocalAssetsUpdated' });
     };
 
     chrome.runtime.onMessage.addListener(onMessage);
@@ -193,13 +201,19 @@ var updateList = function(list) {
         }
         entry = list[path];
         if ( entry.status === 'Added' || entry.status === 'Changed' ) {
-            HTTPSB.assets.update(path, 'assetManagerLocalAssetUpdated');
-        } else {
-            if ( entry.status === 'Unchanged' ) {
-                updatedAssetChecksums.push(entry.localChecksum + ' ' + path);
-            }
-            assetToUpdateCount -= 1;
+            HTTPSB.assets.update(
+                {
+                    path: path,
+                    md5: entry.remoteChecksum
+                },
+                'assetManagerLocalAssetUpdated'
+            );
+            continue;
         }
+        if ( entry.status === 'Unchanged' ) {
+            updatedAssetChecksums.push(entry.localChecksum + ' ' + path);
+        }
+        assetToUpdateCount -= 1;
     }
 };
 

js/assets.js

@@ -61,7 +61,7 @@ File system structure:
 /******************************************************************************/
 
 var fileSystem;
-var fileSystemQuota = 30 * 1024 * 1024;
+var fileSystemQuota = 40 * 1024 * 1024;
 var remoteRoot = HTTPSB.projectServerRoot;
 
 /******************************************************************************/
@@ -359,33 +359,45 @@ var writeLocalFile = function(path, content, msg) {
 
 /******************************************************************************/
 
-var updateFromRemote = function(path, msg) {
+var updateFromRemote = function(details, msg) {
     // 'httpsb=...' is to skip browser cache
-    var remoteURL = remoteRoot + path + '?httpsb=' + Date.now();
+    var remoteURL = remoteRoot + details.path + '?httpsb=' + Date.now();
+
+    var sendErrorMessage = function() {
+        chrome.runtime.sendMessage({
+            'what': msg,
+            'path': details.path,
+            'error': 'Error'
+        });
+    };
 
     var onRemoteFileLoaded = function() {
-        // console.log('HTTP Switchboard> updateFromRemote() / onRemoteFileLoaded()');
-        if ( this.responseText && this.responseText.length ) {
-            writeLocalFile(path, this.responseText, msg);
-        }
         this.onload = this.onerror = null;
+        // console.log('HTTPSB> updateFromRemote("%s") / onRemoteFileLoaded()', remoteURL);
+        if ( typeof this.responseText !== 'string' ) {
+            console.error('HTTPSB> updateFromRemote("%s") / onRemoteFileLoaded(): no response', remoteURL);
+            sendErrorMessage();
+            return;
+        }
+        if ( typeof details.md5 === 'string' && details.md5 !== md5omatic(this.responseText) ) {
+            console.error('HTTPSB> updateFromRemote("%s") / onRemoteFileLoaded(): bad md5 checksum', remoteURL);
+            sendErrorMessage();
+            return;
+        }
+        writeLocalFile(details.path, this.responseText, msg);
     };
 
     var onRemoteFileError = function(ev) {
-        console.error('HTTP Switchboard> updateFromRemote() / onRemoteFileError("%s"):', remoteURL, this.statusText);
-        chrome.runtime.sendMessage({
-            'what': msg,
-            'path': path,
-            'error': 'Error'
-        });
         this.onload = this.onerror = null;
+        console.error('HTTPSB> updateFromRemote() / onRemoteFileError("%s"):', remoteURL, this.statusText);
+        sendErrorMessage();
     };
 
     getTextFileFromURL(
         remoteURL,
         onRemoteFileLoaded,
         onRemoteFileError
-        );
+    );
 };
 
 /******************************************************************************/