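/* -*- Mode: C++; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*-
 * vim: set ts=4 sw=4 et tw=99:
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef jswrapper_h___
#define jswrapper_h___

#include "mozilla/Attributes.h"

#include "jsapi.h"
#include "jsproxy.h"

namespace js {

class DummyFrameGuard;

/*
 * A wrapper is a proxy with a target object to which it generally forwards
 * operations, but may restrict access to certain operations or instrument
 * the trap operations in various ways. A wrapper is distinct from a Direct Proxy
 * Handler in the sense that it can be "unwrapped" in C++, exposing the underlying
 * object (Direct Proxy Handlers have an underlying target object, but don't
 * expect to expose this object via any kind of unwrapping operation).
 *
 * Unwrapping is a security-sensitive operation: a wrapper may be the only
 * thing standing between a caller and an object it is not supposed to reach.
 * Callers should be careful to avoid unwrapping security wrappers in the wrong
 * context; see UnwrapObject() versus UnwrapObjectChecked() below.
 */
class JS_FRIEND_API(Wrapper) : public DirectProxyHandler
{
    unsigned mFlags;        // bit set drawn from Wrapper::Flags
    bool mSafeToUnwrap;     // see setSafeToUnwrap()

  public:
    /* The kind of access a caller is attempting; passed to enter(). */
    enum Action {
        GET,
        SET,
        CALL
    };

    enum Flags {
        CROSS_COMPARTMENT = 1 << 0,
        LAST_USED_FLAG = CROSS_COMPARTMENT
    };

    /*
     * Wrappers can explicitly specify that they are unsafe to unwrap from a
     * security perspective (as is the case for SecurityWrappers). If a wrapper
     * is not safe to unwrap, operations requiring full access to the underlying
     * object (via UnwrapObjectChecked) will throw. Otherwise, they will succeed.
     */
    void setSafeToUnwrap(bool safe) { mSafeToUnwrap = safe; }
    bool isSafeToUnwrap() const { return mSafeToUnwrap; }

    /* Create a new wrapper object around |obj| driven by |handler|. */
    static JSObject *New(JSContext *cx, JSObject *obj, JSObject *proto, JSObject *parent,
                         Wrapper *handler);

    /* Re-point |existing| at |obj| using |handler|. */
    static JSObject *Renew(JSContext *cx, JSObject *existing, JSObject *obj, Wrapper *handler);

    /* The handler driving |wrapper|; |wrapper| must satisfy IsWrapper(). */
    static Wrapper *wrapperHandler(RawObject wrapper);

    /*
     * The object behind |wrapper|, with no policy check. UnwrapOneChecked()
     * is the policy-respecting counterpart.
     */
    static JSObject *wrappedObject(RawObject wrapper);

    unsigned flags() const {
        return mFlags;
    }

    /* Policy enforcement traps.
     *
     * enter() allows the policy to specify whether the caller may perform |act|
     * on the underlying object's |id| property. In the case when |act| is CALL,
     * |id| is generally JSID_VOID.
     *
     * The |act| parameter to enter() specifies the action being performed.
     * The decision is reported through |*bp|; the return value is the usual
     * "false on exception" convention.
     */
    virtual bool enter(JSContext *cx, JSObject *wrapper, jsid id, Action act, bool *bp);

    explicit Wrapper(unsigned flags, bool hasPrototype = false);

    virtual ~Wrapper();

    /* ES5 Harmony fundamental wrapper traps. */
    virtual bool getPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                       PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool getOwnPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                          PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool defineProperty(JSContext *cx, JSObject *wrapper, jsid id,
                                PropertyDescriptor *desc) MOZ_OVERRIDE;
    virtual bool getOwnPropertyNames(JSContext *cx, JSObject *wrapper,
                                     AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool delete_(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool enumerate(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;

    /* ES5 Harmony derived wrapper traps. */
    virtual bool has(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool hasOwn(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool get(JSContext *cx, JSObject *wrapper, JSObject *receiver, jsid id,
                     Value *vp) MOZ_OVERRIDE;
    virtual bool set(JSContext *cx, JSObject *wrapper, JSObject *receiver, jsid id, bool strict,
                     Value *vp) MOZ_OVERRIDE;
    virtual bool keys(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool iterate(JSContext *cx, JSObject *wrapper, unsigned flags,
                         Value *vp) MOZ_OVERRIDE;

    /* Spidermonkey extensions. */
    virtual bool call(JSContext *cx, JSObject *wrapper, unsigned argc, Value *vp) MOZ_OVERRIDE;
    virtual bool construct(JSContext *cx, JSObject *wrapper, unsigned argc, Value *argv,
                           Value *rval) MOZ_OVERRIDE;
    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool hasInstance(JSContext *cx, HandleObject wrapper, MutableHandleValue v,
                             bool *bp) MOZ_OVERRIDE;
    virtual JSString *obj_toString(JSContext *cx, JSObject *wrapper) MOZ_OVERRIDE;
    virtual JSString *fun_toString(JSContext *cx, JSObject *wrapper,
                                   unsigned indent) MOZ_OVERRIDE;
    virtual bool defaultValue(JSContext *cx, JSObject *wrapper_, JSType hint,
                              Value *vp) MOZ_OVERRIDE;

    static Wrapper singleton;
    static Wrapper singletonWithPrototype;

    static void *getWrapperFamily();
};

/* Base class for all cross compartment wrapper handlers. */
class JS_FRIEND_API(CrossCompartmentWrapper) : public Wrapper
{
  public:
    CrossCompartmentWrapper(unsigned flags, bool hasPrototype = false);

    virtual ~CrossCompartmentWrapper();

    /* ES5 Harmony fundamental wrapper traps. */
    virtual bool getPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                       PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool getOwnPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                          PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool defineProperty(JSContext *cx, JSObject *wrapper, jsid id,
                                PropertyDescriptor *desc) MOZ_OVERRIDE;
    virtual bool getOwnPropertyNames(JSContext *cx, JSObject *wrapper,
                                     AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool delete_(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool enumerate(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;

    /* ES5 Harmony derived wrapper traps. */
    virtual bool has(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool hasOwn(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool get(JSContext *cx, JSObject *wrapper, JSObject *receiver, jsid id,
                     Value *vp) MOZ_OVERRIDE;
    virtual bool set(JSContext *cx, JSObject *wrapper, JSObject *receiver, jsid id, bool strict,
                     Value *vp) MOZ_OVERRIDE;
    virtual bool keys(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool iterate(JSContext *cx, JSObject *wrapper, unsigned flags,
                         Value *vp) MOZ_OVERRIDE;

    /* Spidermonkey extensions. */
    virtual bool call(JSContext *cx, JSObject *wrapper, unsigned argc, Value *vp) MOZ_OVERRIDE;
    virtual bool construct(JSContext *cx, JSObject *wrapper, unsigned argc, Value *argv,
                           Value *rval) MOZ_OVERRIDE;
    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool hasInstance(JSContext *cx, HandleObject wrapper, MutableHandleValue v,
                             bool *bp) MOZ_OVERRIDE;
    virtual JSString *obj_toString(JSContext *cx, JSObject *wrapper) MOZ_OVERRIDE;
    virtual JSString *fun_toString(JSContext *cx, JSObject *wrapper,
                                   unsigned indent) MOZ_OVERRIDE;
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;
    virtual bool defaultValue(JSContext *cx, JSObject *wrapper, JSType hint,
                              Value *vp) MOZ_OVERRIDE;
    // Not marked MOZ_OVERRIDE in the original declaration; presumably overrides a
    // BaseProxyHandler virtual (DeadObjectProxy declares the same signature).
    virtual bool getPrototypeOf(JSContext *cx, JSObject *proxy, JSObject **protop);

    static CrossCompartmentWrapper singleton;
    static CrossCompartmentWrapper singletonWithPrototype;
};

/*
 * Base class for security wrappers. A security wrapper is potentially hiding
 * all or part of some wrapped object thus SecurityWrapper defaults to denying
 * access to the wrappee. This is the opposite of Wrapper which tries to be
 * completely transparent.
 *
 * NB: Currently, only a few ProxyHandler operations are overridden to deny
 * access, relying on derived SecurityWrapper to block access when necessary.
 * A subclass that forgets to override a trap inherits |Base|'s (transparent)
 * behaviour for it, so every trap not listed here is worth a second look when
 * reviewing a new security wrapper.
 *
 * |Base| is the handler whose behaviour the wrapper otherwise inherits; it is
 * instantiated with Wrapper and CrossCompartmentWrapper below.
 */
template <class Base>
class JS_FRIEND_API(SecurityWrapper) : public Base
{
  public:
    // NOTE(review): single-argument constructor is not explicit, so an
    // |unsigned| converts implicitly to a SecurityWrapper; kept as-is for
    // source compatibility.
    SecurityWrapper(unsigned flags);

    /* Denies by default; see Wrapper::enter() for the contract. */
    virtual bool enter(JSContext *cx, JSObject *wrapper, jsid id, Wrapper::Action act,
                       bool *bp) MOZ_OVERRIDE;

    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool objectClassIs(JSObject *obj, ESClassValue classValue,
                               JSContext *cx) MOZ_OVERRIDE;
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;

    /*
     * Allow our subclasses to select the superclass behavior they want without
     * needing to specify an exact superclass.
     */
    typedef Base Permissive;
    typedef SecurityWrapper<Base> Restrictive;
};

typedef SecurityWrapper<Wrapper> SameCompartmentSecurityWrapper;
typedef SecurityWrapper<CrossCompartmentWrapper> CrossCompartmentSecurityWrapper;

/*
 * Handler for proxies whose target has gone away (see NukeCrossCompartmentWrapper
 * and NewDeadProxyObject). Unlike the handlers above it derives from
 * BaseProxyHandler directly, so it forwards nothing.
 */
class JS_FRIEND_API(DeadObjectProxy) : public BaseProxyHandler
{
  public:
    static int sDeadObjectFamily;

    explicit DeadObjectProxy();

    /* ES5 Harmony fundamental wrapper traps. */
    virtual bool getPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                       PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool getOwnPropertyDescriptor(JSContext *cx, JSObject *wrapper, jsid id,
                                          PropertyDescriptor *desc, unsigned flags) MOZ_OVERRIDE;
    virtual bool defineProperty(JSContext *cx, JSObject *wrapper, jsid id,
                                PropertyDescriptor *desc) MOZ_OVERRIDE;
    virtual bool getOwnPropertyNames(JSContext *cx, JSObject *wrapper,
                                     AutoIdVector &props) MOZ_OVERRIDE;
    virtual bool delete_(JSContext *cx, JSObject *wrapper, jsid id, bool *bp) MOZ_OVERRIDE;
    virtual bool enumerate(JSContext *cx, JSObject *wrapper, AutoIdVector &props) MOZ_OVERRIDE;

    /*
     * Spidermonkey extensions. MOZ_OVERRIDE is applied where a sibling handler
     * in this file already marks the same signature as an override.
     */
    virtual bool call(JSContext *cx, JSObject *proxy, unsigned argc, Value *vp) MOZ_OVERRIDE;
    virtual bool construct(JSContext *cx, JSObject *proxy, unsigned argc, Value *argv,
                           Value *rval) MOZ_OVERRIDE;
    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
                            CallArgs args) MOZ_OVERRIDE;
    virtual bool hasInstance(JSContext *cx, HandleObject proxy, MutableHandleValue v,
                             bool *bp) MOZ_OVERRIDE;
    virtual bool objectClassIs(JSObject *obj, ESClassValue classValue,
                               JSContext *cx) MOZ_OVERRIDE;
    virtual JSString *obj_toString(JSContext *cx, JSObject *proxy) MOZ_OVERRIDE;
    virtual JSString *fun_toString(JSContext *cx, JSObject *proxy, unsigned indent) MOZ_OVERRIDE;
    virtual bool regexp_toShared(JSContext *cx, JSObject *proxy, RegExpGuard *g) MOZ_OVERRIDE;
    virtual bool defaultValue(JSContext *cx, JSObject *obj, JSType hint, Value *vp) MOZ_OVERRIDE;
    virtual bool getElementIfPresent(JSContext *cx, JSObject *obj, JSObject *receiver,
                                     uint32_t index, Value *vp, bool *present);
    virtual bool getPrototypeOf(JSContext *cx, JSObject *proxy, JSObject **protop);

    static DeadObjectProxy singleton;
};

extern JSObject *
TransparentObjectWrapper(JSContext *cx, JSObject *existing, JSObject *obj,
                         JSObject *wrappedProto, JSObject *parent,
                         unsigned flags);

// Proxy family for wrappers. Public so that IsWrapper() can be fully inlined by
// jsfriendapi users.
extern JS_FRIEND_DATA(int) sWrapperFamily;

// True iff |obj| is a proxy whose handler belongs to the wrapper family. This is
// a type test only; it says nothing about whether |obj| may safely be unwrapped.
inline bool
IsWrapper(RawObject obj)
{
    return IsProxy(obj) && GetProxyHandler(obj)->family() == &sWrapperFamily;
}

// Given a JSObject, returns that object stripped of wrappers. If
// stopAtOuter is true, then this returns the outer window if it was
// previously wrapped. Otherwise, this returns the first object for
// which JSObject::isWrapper returns false.
//
// This is the *unchecked* form: no wrapper is given the chance to veto the
// unwrap, so the result may be an object the wrapper was hiding. Code acting on
// behalf of less-privileged script should use UnwrapObjectChecked() instead.
// |flagsp|, when non-NULL, receives the accumulated Wrapper::Flags.
JS_FRIEND_API(JSObject *)
UnwrapObject(JSObject *obj, bool stopAtOuter = true, unsigned *flagsp = NULL);

// Given a JSObject, returns that object stripped of wrappers. At each stage,
// the security wrapper has the opportunity to veto the unwrap. Since checked
// code should never be unwrapping outer window wrappers, we always stop at
// outer windows.
JS_FRIEND_API(JSObject *)
UnwrapObjectChecked(RawObject obj);

// Unwrap only the outermost security wrapper, with the same semantics as
// above. This is the checked version of Wrapper::wrappedObject.
JS_FRIEND_API(JSObject *)
UnwrapOneChecked(RawObject obj);

JS_FRIEND_API(bool)
IsCrossCompartmentWrapper(RawObject obj);

bool
IsDeadProxyObject(RawObject obj);

JSObject *
NewDeadProxyObject(JSContext *cx, JSObject *parent);

// Turn |wrapper| into a dead proxy so that nothing reaches its former target
// through it any more.
void
NukeCrossCompartmentWrapper(JSContext *cx, JSObject *wrapper);

bool
RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget);

JS_FRIEND_API(bool)
RemapAllWrappersForObject(JSContext *cx, JSObject *oldTarget,
                          JSObject *newTarget);

// API to recompute all cross-compartment wrappers whose source and target
// match the given filters.
JS_FRIEND_API(bool)
RecomputeWrappers(JSContext *cx, const CompartmentFilter &sourceFilter,
                  const CompartmentFilter &targetFilter);

/*
 * This auto class should be used around any code, such as brain transplants,
 * that may touch dead compartments. Brain transplants can cause problems
 * because they operate on all compartments, whether live or dead. A brain
 * transplant can cause a formerly dead object to be "reanimated" by causing a
 * read or write barrier to be invoked on it during the transplant. In this way,
 * a compartment becomes a zombie, kept alive by repeatedly consuming
 * (transplanted) brains.
 *
 * To work around this issue, we observe when mark bits are set on objects in
 * dead compartments. If this happens during a brain transplant, we do a full,
 * non-incremental GC at the end of the brain transplant. This will clean up any
 * objects that were improperly marked.
 */
struct JS_FRIEND_API(AutoMaybeTouchDeadCompartments)
{
    // The version that takes an object just uses it for its runtime.
    AutoMaybeTouchDeadCompartments(JSContext *cx);
    AutoMaybeTouchDeadCompartments(JSObject *obj);
    ~AutoMaybeTouchDeadCompartments();

  private:
    JSRuntime *runtime;
    // State captured at construction and compared/restored in the destructor;
    // exact meaning is defined by the implementation, not visible here.
    unsigned markCount;
    bool inIncremental;
    bool manipulatingDeadCompartments;
};

} /* namespace js */

#endif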