summaryrefslogtreecommitdiff
path: root/src/xss/InjectionCheckWorker.js
blob: 47f007dd8746589310a5a834033bae385a856b4f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
let include = src => {
  if (Array.isArray(src)) importScripts(...src);
  else importScripts(src);
}

let XSS = {};
include("/lib/log.js");

for (let logType of ["log", "debug", "error"]) {
  this[logType] = (...log) => {
    postMessage({log, logType});
  }
}

include("InjectionChecker.js");
Entities = {
  convertAll(s) { return s },
};

{
  let timingsMap = new Map();

  let Handlers = {
    async check({xssReq, skip}) {
      let {destUrl, unparsedRequest: request, debugging} = xssReq;
      let {
        skipParams,
        skipRx
      } = skip;
      let ic = new (await XSS.InjectionChecker)();

      if (debugging) {
        ic.logEnabled = true;
        debug("[XSS] InjectionCheckWorker started in %s ms (%s).",
          Date.now() - xssReq.timestamp, destUrl);
      } else {
        debug = () => {};
      }

      let {timing} = ic;
      timingsMap.set(request.requestId, timing);
      timing.fatalTimeout = true;

      let postInjection = xssReq.isPost &&
          request.requestBody && request.requestBody.formData &&
          await ic.checkPost(request.requestBody.formData, skipParams);

      let protectName = ic.nameAssignment;
      let urlInjection = await ic.checkUrl(destUrl, skipRx);
      protectName = protectName || ic.nameAssignment;
      if (timing.tooLong) {
        log("[XSS] Long check (%s ms) - %s", timing.elapsed, JSON.stringify(xssReq));
      } else if (debugging) {
        debug("[XSS] InjectionCheckWorker done in %s ms (%s).",
          Date.now() - xssReq.timestamp, destUrl);
      }

      postMessage(!(protectName || postInjection || urlInjection) ? null
        : { protectName, postInjection, urlInjection }
      );
    },

    requestDone({requestId}) {
      let timing = timingsMap.get(requestId);
      if (timing) {
        timing.interrupted = true;
        timingsMap.delete(requestId);
      }
    }
  }

  onmessage = async e => {
    let msg = e.data;
    if (msg.handler in Handlers) try {
      await Handlers[msg.handler](msg);
    } catch (e) {
      postMessage({error: e});
    }
  }

}