1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
let include = src => {
if (Array.isArray(src)) importScripts(...src);
else importScripts(src);
}
let XSS = {};
include("/lib/log.js");
for (let logType of ["log", "debug", "error"]) {
this[logType] = (...log) => {
postMessage({log, logType});
}
}
include("InjectionChecker.js");
Entities = {
convertAll(s) { return s },
};
{
let timingsMap = new Map();
let Handlers = {
async check({xssReq, skip}) {
let {destUrl, unparsedRequest: request, debugging} = xssReq;
let {
skipParams,
skipRx
} = skip;
let ic = new (await XSS.InjectionChecker)();
if (debugging) {
ic.logEnabled = true;
debug("[XSS] InjectionCheckWorker started in %s ms (%s).",
Date.now() - xssReq.timestamp, destUrl);
} else {
debug = () => {};
}
let {timing} = ic;
timingsMap.set(request.requestId, timing);
timing.fatalTimeout = true;
let postInjection = xssReq.isPost &&
request.requestBody && request.requestBody.formData &&
await ic.checkPost(request.requestBody.formData, skipParams);
let protectName = ic.nameAssignment;
let urlInjection = await ic.checkUrl(destUrl, skipRx);
protectName = protectName || ic.nameAssignment;
if (timing.tooLong) {
log("[XSS] Long check (%s ms) - %s", timing.elapsed, JSON.stringify(xssReq));
} else if (debugging) {
debug("[XSS] InjectionCheckWorker done in %s ms (%s).",
Date.now() - xssReq.timestamp, destUrl);
}
postMessage(!(protectName || postInjection || urlInjection) ? null
: { protectName, postInjection, urlInjection }
);
},
requestDone({requestId}) {
let timing = timingsMap.get(requestId);
if (timing) {
timing.interrupted = true;
timingsMap.delete(requestId);
}
}
}
onmessage = async e => {
let msg = e.data;
if (msg.handler in Handlers) try {
await Handlers[msg.handler](msg);
} catch (e) {
postMessage({error: e});
}
}
}
|