Fix the reported security bug. (#159)

manugarg · web-flow · commit 0bf0636de624 · 2023-05-25T08:38:08.000-07:00
See GHSA-62q6-v997-f7v9 for more details on the security bug. Fix: - Use the JS_FunctionCall() API to call the FindProxyForURL() function instead of JS_EvaluateScript() API. - This also does away with the need to str_replace function. Making code simpler. - I've verified the fix with the test cases provided in the security bug.
diff --git a/src/Makefile b/src/Makefile
@@ -87,11 +87,7 @@ jsapi_buildstamp: spidermonkey/js/src
 spidermonkey/libjs.a: spidermonkey/js/src
 	cd spidermonkey && SMCFLAGS="$(SHFLAGS) $(SMCFLAGS)" $(MAKE) jslib
 
-pac_utils_test: pac_utils_test.c pac_utils.h
-	$(CC) $(MAINT_CFLAGS) $(CFLAGS) $(SHFLAGS) pac_utils_test.c -o pac_utils_test -lm -L. -I.
-
-pacparser.o: pacparser.c pac_utils.h pacparser.h pac_utils_test jsapi_buildstamp
-	./pac_utils_test
+pacparser.o: pacparser.c pac_utils.h pacparser.h jsapi_buildstamp
 	$(CC) $(MAINT_CFLAGS) $(CFLAGS) $(SHFLAGS) -c pacparser.c -o pacparser.o
 	touch pymod/pacparser_o_buildstamp
 
diff --git a/src/pac_utils.h b/src/pac_utils.h
@@ -26,9 +26,6 @@
 // Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301,
 // USA
 
-#include <string.h>
-#include <stdlib.h>
-
 static const char *pacUtils =
 "function dnsDomainIs(host, domain) {\n"
 "    return (host.length >= domain.length &&\n"
@@ -335,57 +332,3 @@ static const char *pacUtils =
 "        return FindProxyForURL(url, host);\n"
 "    }\n"
 "}\n";
-
-
-// You must free the result if result is non-NULL.
-char *str_replace(const char *orig, const char *rep, const char *with) {
-    if (orig == NULL || rep == NULL || with == NULL) {
-        return NULL;
-    }
-
-    size_t len_orig  = strnlen(orig, 1024);
-    size_t len_rep  = strnlen(rep, 1024);
-    size_t len_with = strnlen(with, 1024);
-
-    if (len_orig == 0 || len_rep == 0) {
-        char *result = malloc(len_orig + 1);
-        strcpy(result, orig);
-        return result;
-    }
-
-    // Count replacements needed
-    int count;           // number of replacements
-    char const *start = orig;
-    // Cursor moves through the string, looking for rep.
-    char const *cursor;
-    for (count = 0;; ++count) {
-        cursor = strstr(start, rep);
-        if (cursor == NULL) {
-            break;
-        }
-        start = cursor + len_rep;
-    }
-
-    char *tmp;
-    char *result;
-    tmp = result = malloc(len_orig + (len_with - len_rep) * count + 1);
-
-    // first time through the loop, all the variable are set correctly
-    // from here on,
-    //    tmp points to the end of the result string
-    //    ins points to the next occurrence of rep in orig
-    //    orig points to the remainder of orig after "end of rep"
-    while (count--) {
-        const char *ins = strstr(orig, rep);
-        int len_front = (int)(ins - orig); // How far have we moved
-        // Into the tmp, copy everything until we reach the rep.
-        // and move tmp forward.
-        tmp = strncpy(tmp, orig, len_front) + len_front;
-        tmp = strcpy(tmp, with) + len_with;
-        orig += len_front + len_rep; // move to next "end of rep"
-    }
-
-    // Copy the remaining string.
-    strcpy(tmp, orig);
-    return result;
-}
diff --git a/src/pac_utils_test.c b/src/pac_utils_test.c
diff --git a/src/pacparser.c b/src/pacparser.c
@@ -238,7 +238,7 @@ my_ip(JSContext *cx, JSObject *UNUSED(o), uintN UNUSED(u), jsval *argv, jsval *r
 // myIpAddressEx in JS context; not available in core JavaScript.
 // returns 127.0.0.1 if not able to determine local ip.
 static JSBool                                  // JS_TRUE or JS_FALSE
-my_ip_ex(JSContext *cx, JSObject *UNUSED(o), uintN UNUSED(u), jsval *argv, jsval *rval)
+my_ip_ex(JSContext *cx, JSObject *UNUSED(o), uintN UNUSED(u), jsval *UNUSED(argv), jsval *rval)
 {
   char ipaddr[INET6_ADDRSTRLEN * MAX_IP_RESULTS + MAX_IP_RESULTS];
   char* out;
@@ -451,32 +451,14 @@ pacparser_find_proxy(const char *url, const char *host)
     return NULL;
   }
 
-  // URL-encode "'" as we use single quotes to stick the URL into a temporary script.
-  char *sanitized_url = str_replace(url, "'", "%27");
-  // Hostname shouldn't have single quotes in them
-  if (strchr(host, '\'')) {
-    print_error("%s %s\n", error_prefix,
-      "Invalid hostname: hostname can't have single quotes.");
-    free(sanitized_url);
-    return NULL;
-  }
-
-  script = (char*) malloc(32 + strlen(sanitized_url) + strlen(host));
-  script[0] = '\0';
-  strcat(script, "findProxyForURL('");
-  strcat(script, sanitized_url);
-  strcat(script, "', '");
-  strcat(script, host);
-  strcat(script, "')");
-  if (_debug()) print_error("DEBUG: Executing JavaScript: %s\n", script);
-  if (!JS_EvaluateScript(cx, global, script, strlen(script), NULL, 1, &rval)) {
+  jsval args[2];
+  args[0] = STRING_TO_JSVAL(JS_NewStringCopyZ(cx, url));
+  args[1] = STRING_TO_JSVAL(JS_NewStringCopyZ(cx, host));
+  
+  if (!JS_CallFunctionName(cx, global, "findProxyForURL", 2, args, &rval)) {
     print_error("%s %s\n", error_prefix, "Problem in executing findProxyForURL.");
-    free(sanitized_url);
-    free(script);
     return NULL;
   }
-  free(sanitized_url);
-  free(script);
   return JS_GetStringBytes(JS_ValueToString(cx, rval));
 }
 
diff --git a/tests/proxy.pac b/tests/proxy.pac
@@ -3,41 +3,36 @@
 // Go via proxy for all other hosts.
 
 function FindProxyForURL(url, host) {
-
-  if ((isPlainHostName(host) ||
-      dnsDomainIs(host, ".manugarg.com")) &&
-      !localHostOrDomainIs(host, "www.manugarg.com"))
-    return "plainhost/.manugarg.com";
+  if (
+    (isPlainHostName(host) || dnsDomainIs(host, '.manugarg.com')) &&
+    !localHostOrDomainIs(host, 'www.manugarg.com')
+  )
+    return 'plainhost/.manugarg.com';
 
   // Test single quote handling in URL.
-  if (/.*%27.*/.test(url)) {
-    return "URLHasQuotes";
+  if (/'/.test(url)) {
+    return 'URLHasQuotes';
   }
 
   // Return externaldomain if host matches .*\.externaldomain\.com
-  if (/.*\.externaldomain\.com/.test(host))
-    return "externaldomain";
+  if (/.*\.externaldomain\.com/.test(host)) return 'externaldomain';
 
   // Test if DNS resolving is working as intended
-  if (dnsDomainIs(host, ".google.com") &&
-      isResolvable(host))
-    return "isResolvable";
+  if (dnsDomainIs(host, '.google.com') && isResolvable(host))
+    return 'isResolvable';
 
   // Test if DNS resolving is working as intended
-  if (dnsDomainIs(host, ".notresolvabledomainXXX.com") &&
-      !isResolvable(host))
-    return "isNotResolvable";
+  if (dnsDomainIs(host, '.notresolvabledomainXXX.com') && !isResolvable(host))
+    return 'isNotResolvable';
 
-  if (/^https:\/\/.*$/.test(url))
-    return "secureUrl";
+  if (/^https:\/\/.*$/.test(url)) return 'secureUrl';
 
-  if (isInNet(myIpAddress(), '10.10.0.0', '255.255.0.0'))
-    return '10.10.0.0';
+  if (isInNet(myIpAddress(), '10.10.0.0', '255.255.0.0')) return '10.10.0.0';
 
-  if ((typeof(myIpAddressEx) == "function") &&
-      isInNetEx(myIpAddressEx(), '3ffe:8311:ffff/48'))
+  if (
+    typeof myIpAddressEx == 'function' &&
+    isInNetEx(myIpAddressEx(), '3ffe:8311:ffff/48')
+  )
     return '3ffe:8311:ffff';
-
-  else
-    return "END-OF-SCRIPT";
+  else return 'END-OF-SCRIPT';
 }
