Block URL request if masterkey is present in parameters

This commit is contained in:
Grégory Soutadé 2017-07-08 08:43:26 +02:00
parent 7a7d2fd724
commit e341963675
6 changed files with 176 additions and 13 deletions


@ -1,3 +1,58 @@
/*
Copyright (C) 2013-2017 Grégory Soutadé
This file is part of gPass.
gPass is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
gPass is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with gPass. If not, see <http://www.gnu.org/licenses/>.
*/
function url_block_callback(details)
{
// console.log(JSON.stringify(details));
if (details.requestBody)
{
if (details.requestBody.formData)
{
for (var key in details.requestBody.formData)
{
for(var idx in details.requestBody.formData[key])
{
value = details.requestBody.formData[key][idx];
if (value.startsWith("@@") ||
value.startsWith("@_"))
return {cancel: true};
}
}
}
/*
// Analyse POST parameters
if (details.method == "POST" && details.requestBody.raw)
{
alert(details.requestBody.raw);
var postedString = decodeURIComponent(String.fromCharCode.apply(null,
new Uint8Array(details.requestBody.raw[0].bytes)));
if (postedString.indexOf("=@@") != -1 ||
postedString.indexOf("=@_") != -1)
return {cancel: true};
}
*/
}
return {cancel: false};
}
chrome.runtime.onMessage.addListener( chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse) { function(request, sender, sendResponse) {
@ -14,4 +69,27 @@ chrome.runtime.onMessage.addListener(
window.setTimeout(function() {chrome.notifications.clear("gPass", function(){})}, 2000); window.setTimeout(function() {chrome.notifications.clear("gPass", function(){})}, 2000);
} }
else if (request.type == "block_url")
{
chrome.tabs.getCurrent(function cb(tab) {
if (tab)
{
chrome.webRequest.onBeforeRequest.addListener(
url_block_callback,
{urls:[request.options.url],
"types":["main_frame"],
"tabId":tab.id,
"windowId":tab.windowId
},
["blocking", "requestBody"]);
}
else
{
chrome.webRequest.onBeforeRequest.addListener(
url_block_callback,
{urls:[request.options.url], "types":["main_frame"]},
["blocking", "requestBody"]);
}
});
}
}); });
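Review bot: The listener registered in the `block_url` branch is never actually scoped to the tab that sent the message: `chrome.tabs.getCurrent` runs in the background page, which is not a tab, so as far as I know it yields `undefined` and the `else` branch always wins, leaving an unscoped blocking listener per message. The message handler already receives `sender` as its second parameter, so the filter can become `{urls:[request.options.url], "types":["main_frame","sub_frame"], "tabId": sender.tab.id}` and the `getCurrent` call goes away. `"sub_frame"` is worth adding because the content script is injected with `all_frames: true` in this same commit, and a login form inside an iframe navigates that frame rather than the main frame, so the masterkey check is skipped for it as written. In `url_block_callback`, `value` is assigned without `var` and becomes an implicit global; declare it `var value = details.requestBody.formData[key][idx];`. Nothing ever removes these listeners, so they accumulate with every page that shows a password field.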


@ -416,6 +416,8 @@ function on_sumbit(e)
function document_loaded(doc) function document_loaded(doc)
{ {
var has_login_form = false;
// If there is a password in the form, add a "submit" listener // If there is a password in the form, add a "submit" listener
for(var i=0; i<doc.forms.length; i++) for(var i=0; i<doc.forms.length; i++)
{ {
@ -426,11 +428,22 @@ function document_loaded(doc)
var field = fields[a]; var field = fields[a];
if (field.getAttribute("type") == "password") if (field.getAttribute("type") == "password")
{ {
block_url(form.action);
old_cb = form.onsubmit;
if (old_cb)
form.removeEventListener("submit", old_cb);
form.addEventListener("submit", on_sumbit); form.addEventListener("submit", on_sumbit);
if (old_cb)
form.addEventListener("submit", old_cb);
has_login_form = true;
break; break;
} }
} }
} }
/* Request can be sent to another URL... */
if (has_login_form)
block_url("<all_urls>");
} }
document_loaded(document); document_loaded(document);
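Review bot: The `old_cb` reordering does not achieve what it appears to: `form.onsubmit` is an event-handler property, and `removeEventListener("submit", old_cb)` only detaches listeners that were registered with `addEventListener`, so the page's handler stays attached and the following `addEventListener("submit", old_cb)` makes it run a second time on submit. To put `on_sumbit` ahead of the page's handler, clear the property instead — replace the `removeEventListener` line with `if (old_cb) form.onsubmit = null;` — and declare `var old_cb` so it is not an implicit global. The per-form `block_url(form.action)` is also redundant with the `block_url("<all_urls>")` sent at the end whenever `has_login_form` is set, and each call registers another background listener, so one of the two should go. If the per-form call is kept, note that `form.action` can be an `<input name="action">` element rather than a URL string on some pages and would need a `typeof` guard.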


@ -29,6 +29,12 @@ function notify(text, data)
browser.runtime.sendMessage({type: "notification", options:{"message":text}}); browser.runtime.sendMessage({type: "notification", options:{"message":text}});
} }
function block_url(url)
{
debug("Block URL " + url);
browser.runtime.sendMessage({type: "block_url", options:{"url":url}});
}
// https://stackoverflow.com/questions/6965107/converting-between-strings-and-arraybuffers // https://stackoverflow.com/questions/6965107/converting-between-strings-and-arraybuffers
function ab2str(buf) { function ab2str(buf) {
return String.fromCharCode.apply(null, new Uint8Array(buf)); return String.fromCharCode.apply(null, new Uint8Array(buf));
@ -119,9 +125,6 @@ function _encrypt(mkey, iv, data)
while ((data.length % 16)) while ((data.length % 16))
data += "\0"; data += "\0";
debug("Encrypt " + data);
debug("Encrypt " + iv.length);
data = str2ab(data); data = str2ab(data);
promise = mkey.then(function(mkey){ promise = mkey.then(function(mkey){
@ -148,8 +151,6 @@ async function _decrypt(mkey, iv, data)
pkcs7_padding = new Uint8Array([16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16]); pkcs7_padding = new Uint8Array([16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16]);
pkcs7_padding = await _encrypt(mkey, nulliv, ab2str(pkcs7_padding)); pkcs7_padding = await _encrypt(mkey, nulliv, ab2str(pkcs7_padding));
debug("Decrypt " + data);
data = str2ab(data + pkcs7_padding); data = str2ab(data + pkcs7_padding);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]); nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
@ -173,6 +174,8 @@ async function encrypt_ecb(mkey, data)
{ {
var result = ""; var result = "";
console.log("Encrypt ECB " + data);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]); nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
while (data.length > 16) while (data.length > 16)
@ -192,6 +195,8 @@ async function decrypt_ecb(mkey, data)
{ {
var result = ""; var result = "";
console.log("Decrypt ECB " + data);
nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]); nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
while (data.length > 16) while (data.length > 16)
@ -209,6 +214,8 @@ async function decrypt_ecb(mkey, data)
async function encrypt_cbc(mkey, iv, data) async function encrypt_cbc(mkey, iv, data)
{ {
console.log("Encrypt CBC " + data);
var result = await _encrypt(mkey, str2ab(iv), data); var result = await _encrypt(mkey, str2ab(iv), data);
// Remove PKCS7 padding // Remove PKCS7 padding
@ -217,6 +224,8 @@ async function encrypt_cbc(mkey, iv, data)
async function decrypt_cbc(mkey, iv, data) async function decrypt_cbc(mkey, iv, data)
{ {
console.log("Decrypt CBC " + data);
var result = await _decrypt(mkey, str2ab(iv), data); var result = await _decrypt(mkey, str2ab(iv), data);
// Remove PKCS7 padding // Remove PKCS7 padding
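Review bot: The four `console.log("Encrypt/Decrypt … " + data)` lines added to `encrypt_ecb`, `decrypt_ecb`, `encrypt_cbc` and `decrypt_cbc` print the plaintext passing through the cipher — in a password manager, exactly the material the extension exists to protect — to the devtools console, where it is visible to anyone who opens the profile and can be picked up by console-capturing tooling. The same hunks remove the `debug("Encrypt " + data)` and `debug("Decrypt " + data)` calls that at least went through the `debug()` helper, so this reads as a debugging leftover rather than a deliberate change. Drop the four lines, or if a trace is genuinely needed route it through `debug()` and log only a length, e.g. `debug("Encrypt CBC " + data.length + " bytes");`. All four functions continue past the hunks shown here.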


@ -11,7 +11,7 @@
"content_scripts": [ "content_scripts": [
{ {
"matches": ["https://*/*", "http://*/*"], "matches": ["<all_urls>"],
"js": ["lib/parseuri.js", "lib/misc.js", "compat.js", "lib/main.js"], "js": ["lib/parseuri.js", "lib/misc.js", "compat.js", "lib/main.js"],
"run_at" : "document_idle", "run_at" : "document_idle",
"all_frames" : true "all_frames" : true
@ -19,16 +19,18 @@
], ],
"background": { "background": {
"persistent": false, "persistent": true,
"scripts": ["background.js"] "scripts": ["background.js"]
}, },
"options_page": "options.html", "options_page": "options.html",
"permissions": [ "permissions": [
"https://*/", "<all_urls>",
"http://*/",
"notifications", "notifications",
"webRequest",
"webRequestBlocking",
"tabs",
"storage" "storage"
] ]
} }
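Review bot: The new `"tabs"` permission is not exercised by anything in this commit: the Chrome background script only calls `chrome.tabs.getCurrent` and filters `webRequest` by `tabId`, and to my knowledge neither needs it, while granting it exposes the URL and title of every open tab and adds a warning at install time. Unless a follow-up needs `tabs.query`-style access, drop that line and keep the list at `"<all_urls>"`, `"notifications"`, `"webRequest"`, `"webRequestBlocking"`, `"storage"`. Moving the content-script match and the host permission to `<all_urls>` also injects the script on `file://` and other non-HTTP pages, which may be intended to pair with the `block_url("<all_urls>")` listener but deserves a sentence in the commit description.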


@ -1,3 +1,38 @@
function url_block_callback(details)
{
if (details.requestBody)
{
if (details.requestBody.formData)
{
for (var key in details.requestBody.formData)
{
for(var idx in details.requestBody.formData[key])
{
value = details.requestBody.formData[key][idx];
if (value.startsWith("@@") ||
value.startsWith("@_"))
return {cancel: true};
}
}
}
/*
// Analyse POST parameters
if (details.method == "POST" && details.requestBody.raw)
{
alert(details.requestBody.raw);
var postedString = decodeURIComponent(String.fromCharCode.apply(null,
new Uint8Array(details.requestBody.raw[0].bytes)));
if (postedString.indexOf("=@@") != -1 ||
postedString.indexOf("=@_") != -1)
return {cancel: true};
}
*/
}
return {cancel: false};
}
browser.runtime.onMessage.addListener( browser.runtime.onMessage.addListener(
function(request) { function(request) {
@ -14,4 +49,28 @@ browser.runtime.onMessage.addListener(
window.setTimeout(function() {browser.notifications.clear("gPass")}, 2000); window.setTimeout(function() {browser.notifications.clear("gPass")}, 2000);
} }
else if (request.type == "block_url")
{
browser.tabs.getCurrent().then(
function onGot(tab) {
if (tab)
{
browser.webRequest.onBeforeRequest.addListener(
url_block_callback,
{urls:[request.options.url],
"types":["main_frame"],
"tabId":tab.id,
"windowId":tab.windowId
},
["blocking", "requestBody"]);
}
else
{
browser.webRequest.onBeforeRequest.addListener(
url_block_callback,
{urls:[request.options.url], types:["main_frame"]},
["blocking", "requestBody"]);
}
});
}
}); });
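Review bot: Each `block_url` message appends another `onBeforeRequest` listener and nothing ever calls `removeListener`, so with `main.js` sending `<all_urls>` from every frame of every page that shows a password field, the callback runs once per registration on every main-frame request for the rest of the session. Register the `<all_urls>` blocking listener once at startup, or at least guard with `browser.webRequest.onBeforeRequest.hasListener(url_block_callback)` before adding, and remove tab-scoped listeners when the tab closes. The `browser.tabs.getCurrent().then(...)` chain has no rejection handler, and the message listener is declared `function(request)` without `sender`, so `sender.tab.id` is not available for a tab-scoped filter; adding that parameter would let the filter carry `"tabId": sender.tab.id`. The commented-out raw-body block still contains `alert(details.requestBody.raw)` and should be deleted or replaced with `// TODO: inspect raw (non-form-encoded) POST bodies` so it is not re-enabled as is. `value` in `url_block_callback` is assigned without `var` and leaks as a global.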


@ -11,7 +11,7 @@
"content_scripts": [ "content_scripts": [
{ {
"matches": ["https://*/*", "http://*/*"], "matches": ["<all_urls>"],
"js": ["lib/parseuri.js", "lib/misc.js", "compat.js", "lib/main.js"], "js": ["lib/parseuri.js", "lib/misc.js", "compat.js", "lib/main.js"],
"run_at" : "document_idle", "run_at" : "document_idle",
"all_frames" : true "all_frames" : true
@ -26,9 +26,11 @@
"options_ui": { "page":"options.html" }, "options_ui": { "page":"options.html" },
"permissions": [ "permissions": [
"https://*/", "<all_urls>",
"http://*/",
"notifications", "notifications",
"webRequest",
"webRequestBlocking",
"tabs",
"storage", "storage",
"activeTab" "activeTab"
] ]
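Review bot: `"activeTab"` is kept alongside the new `"<all_urls>"` host permission, which already grants, persistently, everything `activeTab` grants on demand, and `"tabs"` is not used by the Firefox background script either — `browser.tabs.getCurrent` and the `tabId` request filter work without it, as far as I know. Trimming both keeps the permission prompt to what the blocking `webRequest` listener actually needs. The Chrome manifest in this commit carries the same unused `"tabs"` entry, so the two should be adjusted together.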