core: Use proper sandbox type per SWF #17756
this sounds good, how does this help?
I am really quite curious about how this is going to work in practice. e.g. can SWFs with localWithNetwork load SWFs with localWithFile? I am mostly thinking about the boundary between different SWFs with different sandbox levels.
@@ -92,30 +104,38 @@ impl SwfMovie { | |||
/// `LoaderInfo.bytesTotal` is set to the actual value, but no data is available, | |||
/// and `LoaderInfo.parameters` is empty. | |||
pub fn fake_with_compressed_len(swf_version: u8, compressed_len: usize) -> Self { | |||
let url = "file:///".to_string(); |
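Review bot: the hard-coded `file:///` URL at the top of `fake_with_compressed_len` decides the sandbox category of every fake movie, because this PR derives the sandbox type from the URL scheme and treats `file` as local. A fake movie created for content that did not come from the local filesystem would therefore never get `remote`. Consider taking the URL (or the sandbox type) from the caller, or at least stating this in the doc comment next to the notes on `LoaderInfo.bytesTotal` and `LoaderInfo.parameters`.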
Pretty sure this is going to be a problem in the future. We need something like #17717.
That's right, added TODOs for now, but this will need a lot more tests for sure
e2d83c2 to ef9dc21
From my testing (if I remember correctly):
I'll be adding some tests (known failures) related to these behaviors along with the thrown exceptions so hopefully I'll cover these cases and even some more. In AVM1 IIRC no exceptions are thrown, actions are canceled/prevented and security sandbox messages are traced.
It's the first step of implementing the security sandbox and its filesystem/network separation policy. Before that Ruffle assigned `localTrusted` sandbox type for all movies except web, where `remote` was used. The sandbox type also was assigned to the player, and not SWFs as it should. This patch does not introduce any sandbox policies based on the sandbox type, just the proper sandbox type detection. It is also not possible to specify trusted movies, and AIR applications don't use the `application` type yet.
Verifies the sandbox type of a local SWF with network disabled.
Verifies the sandbox type of a local SWF with network enabled.
Verifies the sandbox type of SWFs loaded through network.
Verifies the sandbox type of a local SWF with network disabled.
Verifies the sandbox type of a local SWF with network enabled.
Verifies the sandbox type of SWFs loaded through network.
ef9dc21 to ec84f19
It's the first step of implementing the security sandbox and its filesystem/network separation policy. Before that Ruffle assigned `localTrusted` sandbox type for all movies except web, where `remote` was used. The sandbox type also was assigned to the player, and not SWFs as it should. This PR does not introduce any sandbox policies based on the sandbox type, just the proper sandbox type detection. It is also not possible to specify trusted movies, and AIR applications don't use the `application` type yet.

The logic goes as follows. It is detected whether a SWF is local or remote based on its URL (URLs with scheme `file` are treated as local). Every remote SWF receives the `remote` sandbox type. For local SWFs, their FileAttributes are checked for `useNetwork`, which if true will assign `localWithNetwork` and if false will assign `localWithFile` sandbox type.

This behavior is covered by the following set of tests:

- `avm*/sandbox_type_local_network` – `localWithNetwork` type in AVM1/AVM2,
- `avm*/sandbox_type_local_file` – `localWithFile` type in AVM1/AVM2,
- `avm*/sandbox_type_remote` – `remote` type in AVM1/AVM2, a `localWithNetwork` SWF loads another one from the network.

The cases from the tests above were the only cases I found where implementing sandbox policies was not needed for the test to pass.
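
The detection logic described above, as an added Rust example that is not Ruffle's own code: `SandboxType`, `is_local_url` and `sandbox_type_for` are hypothetical names, and the `0x01` mask is the `UseNetwork` bit of the first FileAttributes flag byte in the SWF file format. Treating a URL without a scheme as not local, and a local SWF without a FileAttributes tag as `useNetwork = false`, are assumptions made for this example.

```rust
// Added illustration, not Ruffle's code; all names here are hypothetical.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum SandboxType {
    Remote,
    LocalWithFile,
    LocalWithNetwork,
}

/// `UseNetwork` is the lowest bit of the first FileAttributes flag byte.
const USE_NETWORK: u8 = 0x01;

/// True when the URL scheme is `file` (schemes compare ASCII case-insensitively).
/// Assumption: a string without any scheme is not treated as local.
pub fn is_local_url(url: &str) -> bool {
    match url.split_once(':') {
        Some((scheme, _)) => scheme.eq_ignore_ascii_case("file"),
        None => false,
    }
}

/// `file_attributes` is the first flag byte of the FileAttributes tag, if present.
pub fn sandbox_type_for(url: &str, file_attributes: Option<u8>) -> SandboxType {
    if !is_local_url(url) {
        // The SWF's own flags never matter for a remote movie.
        return SandboxType::Remote;
    }
    // Assumption: a local SWF with no FileAttributes tag counts as useNetwork = false.
    match file_attributes {
        Some(flags) if flags & USE_NETWORK != 0 => SandboxType::LocalWithNetwork,
        _ => SandboxType::LocalWithFile,
    }
}

fn main() {
    // Constructed sample inputs: (URL, first FileAttributes flag byte).
    let samples: [(&str, Option<u8>); 5] = [
        ("file:///home/user/game.swf", Some(0x09)), // AS3 + UseNetwork
        ("file:///home/user/game.swf", Some(0x08)), // AS3 only
        ("FILE:///C:/game.swf", None),              // no FileAttributes tag
        ("https://example.com/game.swf", Some(0x09)), // flag ignored: remote
        ("file:///", None),                         // bare file URL, empty path
    ];
    for (url, flags) in samples.iter() {
        println!("{:?} {:?} -> {:?}", url, flags, sandbox_type_for(url, *flags));
    }
}
```

The fourth sample shows that a SWF cannot influence its own classification once it is loaded from a non-`file` URL: the `useNetwork` bit is only consulted for local movies.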