From e341963675f8f79513921007349e83e505da5342 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gr=C3=A9gory=20Soutad=C3=A9?=
Date: Sat, 8 Jul 2017 08:43:26 +0200
Subject: [PATCH] Block URL request if masterkey is present in parameters

---
 chrome_addon/background.js | 78 ++++++++++++++++++++++++++++++
 chrome_addon/lib/main.js | 13 +++++
 chrome_addon/lib/misc.js | 21 +++++---
 chrome_addon/manifest.json | 10 ++--
 firefox_webextension/background.js | 59 ++++++++++++++++++++++
 firefox_webextension/manifest.json | 8 +--
 6 files changed, 176 insertions(+), 13 deletions(-)

diff --git a/chrome_addon/background.js b/chrome_addon/background.js
index b8dc7a9..6689fdd 100644
--- a/chrome_addon/background.js
+++ b/chrome_addon/background.js
@@ -1,3 +1,58 @@
+/*
+ Copyright (C) 2013-2017 Grégory Soutadé
+
+ This file is part of gPass.
+
+ gPass is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ gPass is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with gPass. If not, see .
+*/
+
+function url_block_callback(details)
+{
+ // console.log(JSON.stringify(details));
+ if (details.requestBody)
+ {
+ if (details.requestBody.formData)
+ {
+ for (var key in details.requestBody.formData)
+ {
+ for(var idx in details.requestBody.formData[key])
+ {
+ value = details.requestBody.formData[key][idx];
+ if (value.startsWith("@@") ||
+ value.startsWith("@_"))
+ return {cancel: true};
+ }
+ }
+ }
+
+ /*
+ // Analyse POST parameters
+ if (details.method == "POST" && details.requestBody.raw)
+ {
+ alert(details.requestBody.raw);
+ var postedString = decodeURIComponent(String.fromCharCode.apply(null,
+ new Uint8Array(details.requestBody.raw[0].bytes)));
+ if (postedString.indexOf("=@@") != -1 ||
+ postedString.indexOf("=@_") != -1)
+ return {cancel: true};
+ }
+*/
+ }
+
+ return {cancel: false};
+}
+
 chrome.runtime.onMessage.addListener(
 function(request, sender, sendResponse) {
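Review bot: `value` is assigned without a declaration inside the inner loop, so it becomes an implicit global shared by every request this callback handles and a ReferenceError if the file is ever run in strict mode; make it `var value = details.requestBody.formData[key][idx];`. Only `requestBody.formData` is inspected and the `raw` branch is left commented out, so a body that is not form-encoded (a JSON login, for instance) passes through unexamined; that limit is worth a comment at the top of the function, e.g. `// Only form-encoded bodies are checked; raw/JSON bodies are not inspected.` Iterating an array with `for...in` also walks any enumerable properties added to Array.prototype, so a plain index loop or `forEach` would be the safer shape. Both points apply equally to the copy of url_block_callback added in firefox_webextension/background.js.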
@@ -14,4 +69,27 @@ chrome.runtime.onMessage.addListener(
 window.setTimeout(function() {chrome.notifications.clear("gPass", function(){})}, 2000);
 }
+ else if (request.type == "block_url")
+ {
+ chrome.tabs.getCurrent(function cb(tab) {
+ if (tab)
+ {
+ chrome.webRequest.onBeforeRequest.addListener(
+ url_block_callback,
+ {urls:[request.options.url],
+ "types":["main_frame"],
+ "tabId":tab.id,
+ "windowId":tab.windowId
+ },
+ ["blocking", "requestBody"]);
+ }
+ else
+ {
+ chrome.webRequest.onBeforeRequest.addListener(
+ url_block_callback,
+ {urls:[request.options.url], "types":["main_frame"]},
+ ["blocking", "requestBody"]);
+ }
+ });
+ }
 });
diff --git a/chrome_addon/lib/main.js b/chrome_addon/lib/main.js
index 8e6363a..c4ef613 100644
--- a/chrome_addon/lib/main.js
+++ b/chrome_addon/lib/main.js
@@ -416,6 +416,8 @@ function on_sumbit(e)
 function document_loaded(doc)
 {
+ var has_login_form = false;
+
 // If there is a password in the form, add a "submit" listener
 for(var i=0; i"); } document_loaded(document);
diff --git a/chrome_addon/lib/misc.js b/chrome_addon/lib/misc.js
index 14ea1f3..73f9ac8 100644
--- a/chrome_addon/lib/misc.js
+++ b/chrome_addon/lib/misc.js
@@ -29,6 +29,12 @@ function notify(text, data)
 browser.runtime.sendMessage({type: "notification", options:{"message":text}});
 }
+function block_url(url)
+{
+ debug("Block URL " + url);
+ browser.runtime.sendMessage({type: "block_url", options:{"url":url}});
+}
+
 // https://stackoverflow.com/questions/6965107/converting-between-strings-and-arraybuffers
 function ab2str(buf) {
 return String.fromCharCode.apply(null, new Uint8Array(buf));
@@ -119,9 +125,6 @@ function _encrypt(mkey, iv, data)
 while ((data.length % 16))
 data += "\0";
- debug("Encrypt " + data);
- debug("Encrypt " + iv.length);
-
 data = str2ab(data);
 promise = mkey.then(function(mkey){
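Review bot: `chrome.tabs.getCurrent` is invoked from the background page, which is not itself hosted in a tab, so `tab` comes back undefined and the branch that scopes the listener with `tabId`/`windowId` is never taken; each `block_url` message therefore installs an unscoped listener that cancels that URL in every tab. The sending tab is already in hand as the `sender` argument of this callback, so `var tab = sender.tab;` in place of the getCurrent call gives the intended scope (the Firefox handler would also need `sender` added to its listener signature). Nothing ever calls `chrome.webRequest.onBeforeRequest.removeListener(url_block_callback)`, so with the background page now persistent the registrations accumulate across page loads, and `request.options.url` is used verbatim as a match pattern, which makes addListener throw for a value that is not a valid pattern. The same handler is added in the firefox_webextension/background.js hunk.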
@@ -148,8 +151,6 @@ async function _decrypt(mkey, iv, data)
 pkcs7_padding = new Uint8Array([16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16, 16]);
 pkcs7_padding = await _encrypt(mkey, nulliv, ab2str(pkcs7_padding));
- debug("Decrypt " + data);
-
 data = str2ab(data + pkcs7_padding);
 nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
@@ -173,6 +174,8 @@ async function encrypt_ecb(mkey, data)
 {
 var result = "";
+ console.log("Encrypt ECB " + data);
+
 nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
 while (data.length > 16)
@@ -191,6 +194,8 @@ async function encrypt_ecb(mkey, data)
 async function decrypt_ecb(mkey, data)
 {
 var result = "";
+
+ console.log("Decrypt ECB " + data);
 nulliv = new Uint8Array([0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]);
@@ -208,7 +213,9 @@ async function decrypt_ecb(mkey, data)
 }
 async function encrypt_cbc(mkey, iv, data)
-{
+{
+ console.log("Encrypt CBC " + data);
+
 var result = await _encrypt(mkey, str2ab(iv), data);
 // Remove PKCS7 padding
@@ -217,6 +224,8 @@ async function encrypt_cbc(mkey, iv, data)
 async function decrypt_cbc(mkey, iv, data)
 {
+ console.log("Decrypt CBC " + data);
+
 var result = await _decrypt(mkey, str2ab(iv), data);
 // Remove PKCS7 padding
diff --git a/chrome_addon/manifest.json b/chrome_addon/manifest.json
index ed3bfae..45f76bc 100644
--- a/chrome_addon/manifest.json
+++ b/chrome_addon/manifest.json
@@ -11,7 +11,7 @@
 "content_scripts": [
 {
- "matches": ["https://*/*", "http://*/*"],
+ "matches": [""],
 "js": ["lib/parseuri.js", "lib/misc.js", "compat.js", "lib/main.js"],
 "run_at" : "document_idle",
 "all_frames" : true
@@ -19,16 +19,18 @@
 ],
 "background": {
- "persistent": false,
+ "persistent": true,
 "scripts": ["background.js"]
 },
 "options_page": "options.html",
 "permissions": [
- "https://*/",
- "http://*/",
+ "",
 "notifications",
+ "webRequest",
+ "webRequestBlocking",
+ "tabs",
 "storage"
 ]
 }
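Review bot: The `console.log("Encrypt ECB " + data)` added to encrypt_ecb, and its three counterparts in the decrypt_ecb, encrypt_cbc and decrypt_cbc hunks that follow, write the entire plaintext or ciphertext buffer to the console unconditionally, whereas the lines removed from `_encrypt`/`_decrypt` in this commit went through the file's `debug()` helper. These functions sit on the master-key path (`mkey` is their first argument), so the logged value is presumably password material, and console output from an extension page stays in the browser's log. Drop the payload from the message, e.g. `debug("Encrypt ECB");`, or remove the four lines.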
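Review bot: The content-script match and host permission move from http/https patterns to a value that renders here as `""` — presumably `<all_urls>` lost in rendering, but please confirm, since a literal empty string matches nothing — and `tabs`, `webRequest` and `webRequestBlocking` are added together with `"persistent": true`. `<all_urls>` also covers file: and other non-web schemes the password filler does not act on, and `tabs` reveals the URL and title of every open tab; the blocking listener only needs host permission on the pages it filters, so the previous `https://*/*` and `http://*/*` patterns appear sufficient. A sentence in the commit message or README explaining that the persistent background page exists to hold the dynamically registered webRequest listeners would help the next maintainer. The same widening is made in the firefox_webextension/manifest.json hunks.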
diff --git a/firefox_webextension/background.js b/firefox_webextension/background.js
index f818f62..03068dc 100644
--- a/firefox_webextension/background.js
+++ b/firefox_webextension/background.js
@@ -1,3 +1,38 @@
+function url_block_callback(details)
+{
+ if (details.requestBody)
+ {
+ if (details.requestBody.formData)
+ {
+ for (var key in details.requestBody.formData)
+ {
+ for(var idx in details.requestBody.formData[key])
+ {
+ value = details.requestBody.formData[key][idx];
+ if (value.startsWith("@@") ||
+ value.startsWith("@_"))
+ return {cancel: true};
+ }
+ }
+ }
+
+ /*
+ // Analyse POST parameters
+ if (details.method == "POST" && details.requestBody.raw)
+ {
+ alert(details.requestBody.raw);
+ var postedString = decodeURIComponent(String.fromCharCode.apply(null,
+ new Uint8Array(details.requestBody.raw[0].bytes)));
+ if (postedString.indexOf("=@@") != -1 ||
+ postedString.indexOf("=@_") != -1)
+ return {cancel: true};
+ }
+*/
+ }
+
+ return {cancel: false};
+}
+
 browser.runtime.onMessage.addListener(
 function(request) {
@@ -14,4 +49,28 @@ browser.runtime.onMessage.addListener(
 window.setTimeout(function() {browser.notifications.clear("gPass")}, 2000);
 }
+ else if (request.type == "block_url")
+ {
+ browser.tabs.getCurrent().then(
+ function onGot(tab) {
+ if (tab)
+ {
+ browser.webRequest.onBeforeRequest.addListener(
+ url_block_callback,
+ {urls:[request.options.url],
+ "types":["main_frame"],
+ "tabId":tab.id,
+ "windowId":tab.windowId
+ },
+ ["blocking", "requestBody"]);
+ }
+ else
+ {
+ browser.webRequest.onBeforeRequest.addListener(
+ url_block_callback,
+ {urls:[request.options.url], types:["main_frame"]},
+ ["blocking", "requestBody"]);
+ }
+ });
+ }
 });
diff --git a/firefox_webextension/manifest.json b/firefox_webextension/manifest.json
index d494b7a..1c38a8b 100644
--- a/firefox_webextension/manifest.json
+++ b/firefox_webextension/manifest.json
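Review bot: The `browser.tabs.getCurrent().then(function onGot(tab) {...})` chain in the block_url branch has no rejection handler, so a failed getCurrent or an exception thrown by addListener inside onGot (for example an invalid match pattern in `request.options.url`) only surfaces as an unhandled-rejection warning. Append `.catch(function(err) { console.error("block_url: " + err); });` after the then so the failure is at least logged. The enclosing message listener starts outside this hunk.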
@@ -11,7 +11,7 @@
 "content_scripts": [
 {
- "matches": ["https://*/*", "http://*/*"],
+ "matches": [""],
 "js": ["lib/parseuri.js", "lib/misc.js", "compat.js", "lib/main.js"],
 "run_at" : "document_idle",
 "all_frames" : true
@@ -26,9 +26,11 @@
 "options_ui": { "page":"options.html" },
 "permissions": [
- "https://*/",
- "http://*/",
+ "",
 "notifications",
+ "webRequest",
+ "webRequestBlocking",
+ "tabs",
 "storage",
 "activeTab"
 ]