Script security fixes and cleanups

ksuprynowicz 2024-04-14 20:22:22 +02:00
parent e57874a2bd
commit 1887a82b4b
6 changed files with 49 additions and 55 deletions


@ -29,44 +29,24 @@ Rectangle {
function getWhitelistAsText() {
var whitelist = Settings.getValue("private/scriptPermissionGetAvatarURLSafeURLs");
var arrayWhitelist = whitelist.split(",").join("\n");
var arrayWhitelist = whitelist.replace(",", "\n");
return arrayWhitelist;
}
function setWhitelistAsText(whitelistText) {
Settings.setValue("private/scriptPermissionGetAvatarURLSafeURLs", whitelistText.text);
var originalSetString = whitelistText.text;
var originalSet = originalSetString.split(' ').join('');
var check = Settings.getValue("private/scriptPermissionGetAvatarURLSafeURLs");
var arrayCheck = check.split(",").join("\n");
setWhitelistSuccess(arrayCheck === originalSet);
notificationText.text = "Whitelist saved.";
}
function setWhitelistSuccess(success) {
if (success) {
notificationText.text = "Successfully saved settings.";
} else {
notificationText.text = "Error! Settings not saved.";
}
}
function toggleWhitelist(enabled) {
function setAvatarProtection(enabled) {
Settings.setValue("private/scriptPermissionGetAvatarURLEnable", enabled);
console.info("Toggling Protect Avatar URLs to:", enabled);
console.info("Setting Protect Avatar URLs to:", enabled);
}
function initCheckbox() {
var check = Settings.getValue("private/scriptPermissionGetAvatarURLEnable", true);
if (check) {
whitelistEnabled.toggle();
}
whitelistEnabled.checked = Settings.getValue("private/scriptPermissionGetAvatarURLEnable", true);
}
anchors.fill: parent
width: parent.width;
height: 120;
@ -99,7 +79,7 @@ Rectangle {
anchors.top: parent.top;
anchors.topMargin: 10;
onToggled: {
toggleWhitelist(whitelistEnabled.checked)
setAvatarProtection(whitelistEnabled.checked)
}
Label {
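Review bot: In getWhitelistAsText(), `whitelist.replace(",", "\n")` with a string pattern replaces only the first comma, so a whitelist with three or more entries would be shown with the later entries still comma-joined on one line. This assumes the `replace` line is the new side, which the old-then-new order of the other changed pairs (`toggleWhitelist` then `setAvatarProtection`) suggests. The earlier `whitelist.split(",").join("\n")` handled every separator; keep it, or use `whitelist.replace(/,/g, "\n")`. Separately, setWhitelistAsText() now shows "Whitelist saved." without reading the value back, so a failed write is no longer visible to the user; a one-line comment saying this is intentional would help. The Rectangle body continues outside the hunk.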


@ -281,7 +281,6 @@ void CrashRecoveryHandler::handleCrash(CrashRecoveryHandler::Action action) {
// Display name and avatar
settings.beginGroup(AVATAR_GROUP);
settings.setValue(DISPLAY_NAME_KEY, displayName);
settings.setValue(FULL_AVATAR_URL_KEY, fullAvatarURL);
settings.setValue(FULL_AVATAR_MODEL_NAME_KEY, fullAvatarModelName);
settings.endGroup();
@ -291,4 +290,3 @@ void CrashRecoveryHandler::handleCrash(CrashRecoveryHandler::Action action) {
settings.setValue(TUTORIAL_COMPLETE_FLAG_KEY, tutorialComplete);
}
}


@ -21,24 +21,24 @@ SettingsScriptingInterface* SettingsScriptingInterface::getInstance() {
}
QVariant SettingsScriptingInterface::getValue(const QString& setting) {
if (_restrictPrivateValues && setting.startsWith(SETTINGS_FULL_PRIVATE_GROUP_NAME + "/")) {
return {""};
}
QVariant value = Setting::Handle<QVariant>(setting).get();
if (!value.isValid()) {
value = "";
}
if (_restrictPrivateValues && setting.startsWith(SETTINGS_FULL_PRIVATE_GROUP_NAME + "/")) {
value = "";
}
return value;
}
QVariant SettingsScriptingInterface::getValue(const QString& setting, const QVariant& defaultValue) {
if (_restrictPrivateValues && setting.startsWith(SETTINGS_FULL_PRIVATE_GROUP_NAME + "/")) {
return {""};
}
QVariant value = Setting::Handle<QVariant>(setting, defaultValue).get();
if (!value.isValid()) {
value = "";
}
if (_restrictPrivateValues && setting.startsWith(SETTINGS_FULL_PRIVATE_GROUP_NAME + "/")) {
value = "";
}
return value;
}
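Review bot: The private-group guard in both getValue() overloads is a raw `startsWith` on the caller-supplied key, so it only holds if Setting::Handle resolves exactly that string. If keys are normalised further down (not visible in this hunk), the comparison should run on the normalised form. The same three-line check is duplicated in both overloads; a small private helper such as `bool isRestrictedKey(const QString& setting) const` would keep them from drifting apart. A comment on the early return, e.g. `// Restricted callers never read private settings; an empty string is returned instead of the stored value or defaultValue`, would document that the two-argument overload ignores defaultValue in this case.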


@ -610,6 +610,8 @@ public:
AvatarData();
virtual ~AvatarData();
virtual bool isMyAvatarURLProtected() const { return false; } // This needs to be here because both MyAvatar and AvatarData inherit from MyAvatar
static const QUrl& defaultFullAvatarModelUrl();
const QUuid getSessionUUID() const { return getID(); }
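Review bot: The comment on the added `isMyAvatarURLProtected()` says "both MyAvatar and AvatarData inherit from MyAvatar", which cannot be right and appears to have been carried over unchanged from the declaration this commit removes from another header. It should state what the virtual is for, for example `// Base implementation: no URL protection. Overridden by avatar classes that hide their URL from scripts.`, adjusted to the actual hierarchy, which is not visible in this hunk. The base default is `false`, so any subclass that does not override it is treated as unprotected; that is worth stating in the comment too.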


@ -60,24 +60,32 @@ bool ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission per
}
std::vector<QString> urlsToCheck;
QString scriptURL = manager->getAbsoluteFilename();
if (scriptURL.startsWith("about:Entities")) {
// This is entity script manager, we need to find the file name of the current script instead
scriptURL = Scriptable::context()->currentFileName();
// If this is an entity script manager, we need to find the file name of the current script instead
if (!scriptURL.startsWith("about:Entities")) {
urlsToCheck.push_back(scriptURL);
if (PERMISSIONS_DEBUG_ENABLED) {
qDebug() << "ScriptPermissions::isCurrentScriptAllowed: filename: " << scriptURL;
}
auto parentContext = Scriptable::context()->parentContext();
while (parentContext) {
}
auto currentURL = Scriptable::context()->currentFileName();
if (!currentURL.isEmpty() && currentURL != scriptURL) {
urlsToCheck.push_back(currentURL);
}
if (PERMISSIONS_DEBUG_ENABLED) {
qDebug() << "ScriptPermissions::isCurrentScriptAllowed: filename: " << scriptURL;
}
auto parentContext = Scriptable::context()->parentContext();
while (parentContext) {
QString parentFilename = parentContext->currentFileName();
if (!parentFilename.isEmpty()) {
urlsToCheck.push_back(parentContext->currentFileName());
if (PERMISSIONS_DEBUG_ENABLED) {
qDebug() << "ScriptPermissions::isCurrentScriptAllowed: parent filename: " << parentContext->currentFileName();
}
parentContext = parentContext->parentContext();
}
} else {
urlsToCheck.push_back(scriptURL);
parentContext = parentContext->parentContext();
}
// Check if the script is allowed:
QList<QString> safeURLPrefixes = { "file:///", "qrc:/", NetworkingConstants::OVERTE_COMMUNITY_APPLICATIONS,
NetworkingConstants::OVERTE_TUTORIAL_SCRIPTS, "about:console"};
@ -88,19 +96,26 @@ bool ScriptPermissions::isCurrentScriptAllowed(ScriptPermissions::Permission per
safeURLPrefixes.push_back(entry);
}
for (const auto& str : safeURLPrefixes) {
if (!str.isEmpty() && scriptURL.startsWith(str)) {
for (auto urlToCheck : urlsToCheck) {
bool urlIsAllowed = false;
for (const auto& str : safeURLPrefixes) {
if (!str.isEmpty() && urlToCheck.startsWith(str)) {
urlIsAllowed = true;
if (PERMISSIONS_DEBUG_ENABLED) {
qDebug() << "ScriptPermissions::isCurrentScriptAllowed: " << scriptPermissionNames[permissionIndex]
<< " for script " << urlToCheck << " accepted with rule: " << str;
}
}
}
if (!urlIsAllowed) {
if (PERMISSIONS_DEBUG_ENABLED) {
qDebug() << "ScriptPermissions::isCurrentScriptAllowed: " << scriptPermissionNames[permissionIndex]
<< " for script " << scriptURL << " accepted with rule: " << str;
<< " for script " << urlToCheck << " rejected.";
}
return true;
return false;
}
}
if (PERMISSIONS_DEBUG_ENABLED) {
qDebug() << "ScriptPermissions::isCurrentScriptAllowed: " << scriptPermissionNames[permissionIndex] << " for script "
<< scriptURL << " rejected.";
}
return false;
return true;
}
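Review bot: With the new per-URL loop, an empty `urlsToCheck` falls straight through to the final `return true`, so the permission is granted when no script URL could be determined. That would be the case when the manager filename starts with `about:Entities` and neither the current context nor any parent context reports a file name; whether this can happen is not visible here. Failing closed is safer: add `if (urlsToCheck.empty()) { return false; }` before the loop. The loop variable also copies each QString; `for (const auto& urlToCheck : urlsToCheck)` avoids that, and a `break` after `urlIsAllowed = true` would stop scanning once a rule matches. The function body starts outside the first hunk.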


@ -47,7 +47,6 @@ public:
virtual void setParentID(const QUuid& parentID);
virtual bool isMyAvatar() const { return false; }
virtual bool isMyAvatarURLProtected() const { return false; } // This needs to be here because both MyAvatar and AvatarData inherit from MyAvatar
virtual quint16 getParentJointIndex() const { return _parentJointIndex; }
virtual void setParentJointIndex(quint16 parentJointIndex);