0.1.13-stack.19 with Issue #266 Block access to hook.utils.createHash/HTMLParser via automation

Author: t2ym

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "thin-hook",
-  "version": "0.1.13-stack.18",
+  "version": "0.1.13-stack.19",
   "description": "Thin Hook Preprocessor",
   "main": "hook.min.js",
   "authors": [

demo/cache-bundle.js

@@ -196,6 +196,7 @@ if (enableCacheBundle) {
     cacheBundle();
   }
   else if (self.constructor.name === 'Window' && top === self) {
+    const createHash = hook.utils.createHash;
     const CACHE_STATUS_PSEUDO_URL = 'https://thin-hook.localhost.localdomain/cache-status.json';
     const AUTOMATION_PSEUDO_URL = 'https://thin-hook.localhost.localdomain/automation.json';
     const PSEUDO_URL_PREFIX = 'https://thin-hook.localhost.localdomain/';
@@ -219,7 +220,7 @@ if (enableCacheBundle) {
       */
       const scriptURL = new URL(currentScript.src, href);
       const authorization = scriptURL.searchParams.get('authorization');
-      let hash = hook.utils.createHash('sha256');
+      let hash = createHash('sha256');
       hash.update(status.serverSecret + status.script);
       let digest = hash.digest('hex');
       if (digest === authorization) {

demo/cache-bundle.json

@@ -127,303 +127,4 @@ default:
   console.log(cacheBundlePath, 'version = ', cacheBundle.version,' length = ', cacheBundleJSON.length, ' bytes with ', keys.length, ' files = \n', JSON.stringify(keys, null, 2));
 
   browser.close();
-
-  await new Promise(resolve => setTimeout(resolve, 4000));
-  console.log('wait 4000');
-
-  browser = await puppeteer.launch({ headless: true, args: [ '--disable-gpu' ], executablePath: chromePath });
-  page = await browser.newPage();
-  await page.setViewport({ width: 1200, height: 800 });
-
-  // tests
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getNavigatorViaHook() {
-    try {
-      return __hook__('.', this, ['navigator'], 'context').constructor.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getNavigatorViaHook:', result);
-  chai.assert.equal(result, '__hook__: invalid context', 'cannot access navigator via __hook__');
-  result = await page.evaluate(function getNavigatorViaHook2() {
-    try {
-      return __hook__('.', this, ['navigator'], Symbol.for('context')).constructor.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getNavigatorViaHook2:', result);
-  chai.assert.equal(result, 'Cannot read property \'for\' of undefined', 'cannot access navigator via __hook__');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getGoogleCharts() {
-    try {
-      return typeof google.charts + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getGoogleCharts:', result);
-  chai.assert.equal(result, 'Cannot read property \'charts\' of undefined', 'cannot access caches');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getCaches() {
-    try {
-      return caches.constructor.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getCaches:', result);
-  chai.assert.equal(result, 'Cannot read property \'constructor\' of undefined', 'cannot access caches');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getObjectIndirect() {
-    try {
-      let result = this.__proto__.__proto__.__proto__.__proto__.constructor.name;
-      return result + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getObjectIndirect:', result);
-  chai.assert.equal(result, 'Cannot read property \'__proto__\' of undefined', 'cannot access Object via prototype chain');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getPolymer() {
-    try {
-      return Polymer.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getPolymer:', result);
-  chai.assert.equal(result, 'Cannot read property \'name\' of undefined', 'cannot access non-native global property Polymer');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getLookupGetter() {
-    try {
-      return __lookupGetter__.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getLookupGetter:', result);
-  chai.assert.equal(result, 'Cannot read property \'name\' of undefined', 'cannot access __lookupGetter__');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(function getAddEventListener() {
-    try {
-      return addEventListener.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getAddEventListener:', result);
-  chai.assert.equal(result, 'Cannot read property \'name\' of undefined', 'cannot access addEventListener from EventTarget.prototype');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(async function getPrototypeLookupGetter() {
-    try {
-      return this.__proto__.__proto__.__proto__.__proto__.__lookupGetter__.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getPrototypeLookupGetter:', result);
-  chai.assert.equal(result, 'Cannot read property \'__proto__\' of undefined', 'cannot access __lookupGetter__ via __proto__');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(async function getMathLookupGetter() {
-    try {
-      return Math.__lookupGetter__.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getMathLookupGetter:', result);
-  chai.assert.equal(result, 'Cannot read property \'name\' of undefined', 'cannot access __lookupGetter__ via Math');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(async function getMathAbsLookupGetter() {
-    try {
-      return Math.abs.__lookupGetter__.name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getMathAbsLookupGetter:', result);
-  chai.assert.equal(result, 'Cannot read property \'name\' of undefined', 'cannot access __lookupGetter__ via Math.abs');
-  await page.waitFor(1000);
-  result = await page.evaluate(function checkLocation() {
-    try {
-      return location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: checkLocation:', result);
-  chai.assert.equal(result, 'about:blank', 'location is about:blank');
-
-  await page.goto(targetURL);
-  console.log('goto', targetURL);
-  await page.waitFor(15000);
-  console.log('waitFor(15000)');
-  result = await page.evaluate(async function getEvalObject() {
-    try {
-      return hook.eval('__hook__')('Object').name + ' at ' + location.href;
-    }
-    catch (error) {
-      return error.message;
-    }
-  });
-  console.log('test: getEvalObject:', result);
-  chai.assert.equal(result, 'unknown error', 'cannot access Object via hook.eval');
-
-  // end of tests
-
-  browser.close();
-
 })();

demo/cacheBundleGeneration.js

@@ -6,7 +6,7 @@
 <html>
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&no-hook-authorization=e0caf52b9fdf38d3fc4e2d0a42772b663c2cdfa1e4760f2f4e8e91df27eeb01e,log-no-hook-authorization"></script>
+  <script src="../../thin-hook/hook.min.js?no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&no-hook-authorization=081933c56ca58fd683f5d64b7ebc949777a16481c564f6760497aae63e658360,log-no-hook-authorization"></script>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
   <script context-generator src="bootstrap.js?no-hook=true"></script>

demo/empty-document.html

@@ -35,6 +35,8 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
   const Symbol = self.Symbol;
   const JSON = self.JSON;
   const URL = self.URL;
+  const createHash = hook.utils.createHash;
+  const HTMLParser = hook.utils.HTMLParser;
   let wrapGlobalProperty; // = function (object, property, objectName); assigned at the bottom of this script
   class Stack {
     constructor(stack) {
@@ -1743,7 +1745,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
             if (result) {
               if (opType === 'w') {
                 //console.log('set innerHTML: context = ' + hookArgs[3]);
-                let stream = new hook.utils.HTMLParser.WritableStream({
+                let stream = new HTMLParser.WritableStream({
                   onopentag(name, attributes) {
                     //console.log('set innerHTML: tagName = ' + name);
                     // TODO: Apply ACL for attributes as well with normalization of attributes to properties (mostly identical)
@@ -7898,6 +7900,7 @@ Copyright (c) 2017, 2018, Tetsuya Mori <[email protected]>. All rights reserv
                              'removeEventListener',
                              'dispatchEvent',
                            ],             'window',          _window ],
+      [ hook.utils, '*', 'hook.utils' ],
     ].forEach(wrapGlobalProperty);
   }
 }

demo/hook-callback.js

@@ -15,7 +15,7 @@
 <html lang="en">
 <head>
   <meta charset="utf-8">
-  <script src="../../thin-hook/hook.min.js?version=496&no-hook-authorization=e0caf52b9fdf38d3fc4e2d0a42772b663c2cdfa1e4760f2f4e8e91df27eeb01e,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=false"></script></head></html>
+  <script src="../../thin-hook/hook.min.js?version=496&no-hook-authorization=081933c56ca58fd683f5d64b7ebc949777a16481c564f6760497aae63e658360,a578e741369d927f693fedc88c75b1a90f1a79465e2bb9774a3f68ffc6e011e6,log-no-hook-authorization&sw-root=/&no-hook=true&hook-name=__hook__&context-generator-name=method&discard-hook-errors=false&fallback-page=index-fb.html&hook-property=true&hook-global=true&hook-prefix=_uNpREdiC4aB1e_&compact=true&service-worker-ready=false"></script></head></html>
   <script context-generator src="no-hook-authorization.js?no-hook=true"></script>
   <script context-generator src="disable-devtools.js?no-hook=true"></script>
   <script context-generator src="context-generator.js?no-hook=true"></script>
@@ -48,7 +48,7 @@
     };
   }
   </script>
-  <script context-generator src="cache-bundle.js?no-hook=true&authorization=3d0b8b8f73016346c8485cd76c2ad0a32194a7cf32fe355618f6787763c468de"></script>
+  <script context-generator src="cache-bundle.js?no-hook=true&authorization=37a313e0afc31af75a8acf38436218aa77e4567a894ceb1c307235b215f17e56"></script>
   <script src="hook-callback.js?no-hook=true"></script><!--<C!-- end of mandatory no-hook scripts --C>
   <script src="../../webcomponentsjs/webcomponents-lite.js"></script>
   <C!-- <script no-hook>