Bug 1790542 - [devtools] Do not allow redirects on the 'sourceMappingUrl'...

Bug 1790542 - [devtools] Do not allow redirects on the 'sourceMappingUrl' r=jdescottes,devtools-reviewers - Block redirects on sourceMappingUrl - Add debugger test Differential Revision: https://phabricator.services.mozilla.com/D168648

Bug 1790542 - [devtools] Do not allow redirects on the 'sourceMappingUrl'...
c1590a8a · Hubert Boma Manilla · Pier Angelo Vendrame · 547a86b4 · c1590a8a · c1590a8a
Commit c1590a8a authored 2 years ago by Hubert Boma Manilla Committed by Pier Angelo Vendrame 1 year ago
--- a/devtools/client/debugger/packages/devtools-source-map/src/source-map.js
+++ b/devtools/client/debugger/packages/devtools-source-map/src/source-map.js
@@ -312,6 +312,7 @@ async function getOriginalSourceText(originalSourceId) {
      const response = await networkRequest(url, {
        sourceMapBaseURL: map.sourceMapBaseURL,
        loadFromCache: false,
+        allowsRedirects: false,
      });
      text = response.content;
    } catch (err) {

--- a/devtools/client/debugger/packages/devtools-source-map/src/utils/fetchSourceMap.js
+++ b/devtools/client/debugger/packages/devtools-source-map/src/utils/fetchSourceMap.js
@@ -59,6 +59,9 @@ async function _resolveAndFetch(generatedSource) {

  let fetched = await networkRequest(sourceMapURL, {
    loadFromCache: false,
+    // Blocking redirects on the sourceMappingUrl as its not easy to verify if the
+    // redirect protocol matches the supported ones.
+    allowRedirects: false,
    sourceMapBaseURL: generatedSource.sourceMapBaseURL,
  });


--- a/devtools/client/debugger/packages/devtools-source-map/src/utils/privileged-network-request.js
+++ b/devtools/client/debugger/packages/devtools-source-map/src/utils/privileged-network-request.js
@@ -20,6 +20,7 @@ function networkRequest(url, opts) {

  return fetch(url, {
    cache: opts.loadFromCache ? "default" : "no-cache",
+    redirect: opts.allowRedirects ? "follow" : "error",
  }).then(res => {
    if (res.status >= 200 && res.status < 300) {
      if (res.headers.get("Content-Type") === "application/wasm") {

--- a/devtools/client/debugger/test/mochitest/browser.ini
+++ b/devtools/client/debugger/test/mochitest/browser.ini
@@ -206,6 +206,7 @@ skip-if =
 [browser_dbg-sourcemaps-disabled.js]
 [browser_dbg-sourcemaps-indexed.js]
 skip-if = os == "win" || (verify) # Bug 1434792
+[browser_dbg-sourcemaps-redirect.js]
 [browser_dbg-sourcemaps-reloading.js]
 [browser_dbg-sourcemaps-reloading-quickly.js]
 [browser_dbg-sourcemaps2.js]

--- a/devtools/client/debugger/test/mochitest/browser_dbg-sourcemaps-redirect.js
+++ b/devtools/client/debugger/test/mochitest/browser_dbg-sourcemaps-redirect.js
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at <http://mozilla.org/MPL/2.0/>. */
+
+// Test the redirects on the sourceMappingURL are blocked and not followed.
+
+"use strict";
+
+const httpServer = createTestHTTPServer();
+const BASE_URL = `http://localhost:${httpServer.identity.primaryPort}`;
+
+httpServer.registerContentType("html", "text/html");
+httpServer.registerContentType("js", "application/javascript");
+
+httpServer.registerPathHandler("/index.html", (request, response) => {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.write(`<!doctype html>
+    <html>
+      <head>
+        <script>
+          const foo = 2;
+          console.log(foo);
+          //# sourceMappingURL=${BASE_URL}/redirect
+        </script>
+      </head>
+    </html>
+  `);
+});
+
+httpServer.registerPathHandler("/redirect", (request, response) => {
+  response.setStatusLine(request.httpVersion, 301, "Moved Permanently");
+  response.setHeader("Location", `${BASE_URL}/evil`);
+});
+
+httpServer.registerPathHandler("/evil", (request, response) => {
+  response.setStatusLine(request.httpVersion, 200, "OK");
+  response.write(
+    `{"version":3,"sources":["evil.original.js"],"names":[], "mappings": ""}`
+  );
+});
+
+add_task(async function() {
+  const dbg = await initDebuggerWithAbsoluteURL(`${BASE_URL}/index.html`);
+
+  await getDebuggerSplitConsole(dbg);
+  await hasConsoleMessage(dbg, "Source map error");
+  const { value } = await findConsoleMessage(dbg, "Source map error");
+
+  is(
+    value,
+    `Source map error: Error: NetworkError when attempting to fetch resource.\nResource URL: ${BASE_URL}/index.html\nSource Map URL: ${BASE_URL}/redirect[Learn More]`,
+    "A source map error message is logged indicating the redirect failed"
+  );
+});
--- a/devtools/client/debugger/test/mochitest/shared-head.js
+++ b/devtools/client/debugger/test/mochitest/shared-head.js
@@ -2192,7 +2192,8 @@ async function checkEvaluateInTopFrame(dbg, text, expected) {
 async function findConsoleMessage({ toolbox }, query) {
  const [message] = await findConsoleMessages(toolbox, query);
  const value = message.querySelector(".message-body").innerText;
-  const link = message.querySelector(".frame-link-source").innerText;
+  // There are console messages which might not have a link e.g Error messages
+  const link = message.querySelector(".frame-link-source")?.innerText;
  return { value, link };
 }