[XSS] Fixed false positives and timeouts (thanks riaggren for report).

hackademix · hackademix · commit 1e01979e4190 · 2020-04-19T23:43:28.000+02:00
diff --git a/src/bg/main.js b/src/bg/main.js
@@ -296,7 +296,7 @@
 
     async collectSeen(tabId) {
       try {
-        let seen = Array.from(await Messages.send("collect", {}, {tabId, frameId: 0}));
+        let seen = Array.from(await Messages.send("collect", {uiid: ns.local.uiid}, {tabId, frameId: 0}));
         debug("Collected seen", seen);
         return seen;
       } catch (e) {
diff --git a/src/xss/InjectionCheckWorker.js b/src/xss/InjectionCheckWorker.js
@@ -74,7 +74,7 @@ Entities = {
     if (msg.handler in Handlers) try {
       await Handlers[msg.handler](msg);
     } catch (e) {
-      postMessage({error: e});
+      postMessage({error: e.message});
     }
   }
 
diff --git a/src/xss/InjectionChecker.js b/src/xss/InjectionChecker.js
@@ -327,7 +327,7 @@ XSS.InjectionChecker = (async () => {
     _assignmentRx: /^(?:[^()="'\s]+=(?:[^(='"\[+]+|[?a-zA-Z_0-9;,&=/]+|[\d.|]+))$/,
     _badRightHandRx: /=[\s\S]*(?:_QS_\b|[|.][\s\S]*source\b|<[\s\S]*\/[^>]*>)/,
     _wikiParensRx: /^(?:[\w.|-]+\/)*\(*[\w\s-]+\([\w\s-]+\)[\w\s-]*\)*$/,
-    _neutralDotsRx: /(?:^|[\/;&#])[\w-]+\.[\w-]+[\?;\&#]/g,
+    _neutralDotsOrParensRx: /(?:^|[\/;&#])(?:[\w-]+\.[\w-]+[\?;\&#]|[\s\d]*\()/g,
     _openIdRx: /^scope=(?:\w+\+)\w/, // OpenID authentication scope parameter, see http://forums.informaction.com/viewtopic.php?p=69851#p69851
     _gmxRx: /\$\(clientName\)-\$\(dataCenter\)\.(\w+\.)+\w+/, // GMX webmail, see http://forums.informaction.com/viewtopic.php?p=69700#p69700
 
@@ -354,7 +354,7 @@ XSS.InjectionChecker = (async () => {
         return this._singleAssignmentRx.test(expr) || this._riskyAssignmentRx.test(expr) && this._nameRx.test(expr);
 
       return this._riskyParensRx.test(expr) ||
-        this._maybeJSRx.test(expr.replace(this._neutralDotsRx, '')) &&
+        this._maybeJSRx.test(expr.replace(this._neutralDotsOrParensRx, '')) &&
         !this._wikiParensRx.test(expr);
 
     },
@@ -457,7 +457,7 @@ XSS.InjectionChecker = (async () => {
     checkLastFunction: function() {
       var fn = this.syntax.lastFunction;
       if (!fn) return false;
-      var m = fn.toSource().match(/\{([\s\S]*)\}/);
+      var m = fn.toString().match(/\{([\s\S]*)\}/);
       if (!m) return false;
       var expr = this.stripLiteralsAndComments(m[1]);
       return /=[\s\S]*cookie|\b(?:setter|document|location|(?:inn|out)erHTML|\.\W*src)[\s\S]*=|[\w$\u0080-\uffff\)\]]\s*[\[\(]/.test(expr) ||
@@ -778,7 +778,7 @@ XSS.InjectionChecker = (async () => {
       if (ret) {
         let msg = "JavaScript Injection in " + s;
         if (this.syntax.lastFunction) {
-          msg += "\n" + this.syntax.lastFunction.toSource();
+          msg += `\n${this.syntax.lastFunction}`;
         }
         this.escalate(msg);
       }

Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,7 @@ Entities = {`
`74`	`74`	`if (msg.handler in Handlers) try {`
`75`	`75`	`await Handlers[msg.handler](msg);`
`76`	`76`	`} catch (e) {`
`77`		`- postMessage({error: e});`
	`77`	`+ postMessage({error: e.message});`
`78`	`78`	`}`
`79`	`79`	`}`
`80`	`80`