[PM-1397] Display a warning when a user attempts to auto-fill an iframe (#4994)

* add settingsService.getEquivalentDomains * check that an iframe URL matches cipher.login.uris before autofilling * disable autofill on page load if it doesn't match * show a warning to the user on regular autofill if it doesn't match --------- Co-authored-by: Todd Martin <106564991+trmartin4@users.noreply.github.com> Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com>
2023-03-15 11:19:16 +10:00 · 2023-03-15 11:19:16 +10:00 · 0d85bdc931
parent 6cbfdcf90a
commit 0d85bdc931
13 changed files with 188 additions and 17 deletions
--- a/apps/browser/src/autofill/background/service_factories/autofill-service.factory.ts
+++ b/apps/browser/src/autofill/background/service_factories/autofill-service.factory.ts
@ -15,6 +15,10 @@ import {
  logServiceFactory,
  LogServiceInitOptions,
 } from "../../../background/service_factories/log-service.factory";
+import {
+  settingsServiceFactory,
+  SettingsServiceInitOptions,
+} from "../../../background/service_factories/settings-service.factory";
 import {
  stateServiceFactory,
  StateServiceInitOptions,
@ -33,7 +37,8 @@ export type AutoFillServiceInitOptions = AutoFillServiceOptions &
  StateServiceInitOptions &
  TotpServiceInitOptions &
  EventCollectionServiceInitOptions &
-  LogServiceInitOptions;
+  LogServiceInitOptions &
+  SettingsServiceInitOptions;

 export function autofillServiceFactory(
  cache: { autofillService?: AbstractAutoFillService } & CachedServices,
@ -49,7 +54,8 @@ export function autofillServiceFactory(
        await stateServiceFactory(cache, opts),
        await totpServiceFactory(cache, opts),
        await eventCollectionServiceFactory(cache, opts),
-        await logServiceFactory(cache, opts)
+        await logServiceFactory(cache, opts),
+        await settingsServiceFactory(cache, opts)
      )
  );
 }
--- a/apps/browser/src/autofill/content/autofill.js
+++ b/apps/browser/src/autofill/content/autofill.js
@ -524,7 +524,6 @@
              title: theDoc.title,
              url: theView.location.href,
              documentUrl: theDoc.location.href,
-              tabUrl: theView.location.href,
              forms: function (forms) {
                  var formObj = {};
                  forms.forEach(function (f) {
@ -912,6 +911,19 @@
              return;
          }

+          if (fillScript.untrustedIframe) {
+            // confirm() is blocked by sandboxed iframes, but we don't want to fill sandboxed iframes anyway.
+            // If this occurs, confirm() returns false without displaying the dialog box, and autofill will be aborted.
+            // The browser may print a message to the console, but this is not a standard error that we can handle.
+            var acceptedIframeWarning = confirm("The form is hosted by a different domain than the URI " +
+                "of your saved login. Choose OK to auto-fill anyway, or Cancel to stop. " +
+                "To prevent this warning in the future, save this URI, " +
+                window.location.hostname + ", to your login.");
+            if (!acceptedIframeWarning) {
+              return;
+            }
+          }
+
          doOperation = function (ops, theOperation) {
              var op = ops[0];
              if (void 0 === op) {
--- a/apps/browser/src/autofill/models/autofill-page-details.ts
+++ b/apps/browser/src/autofill/models/autofill-page-details.ts
@ -12,7 +12,6 @@ export default class AutofillPageDetails {
  title: string;
  url: string;
  documentUrl: string;
-  tabUrl: string;
  /**
   * A collection of all of the forms in the page DOM, keyed by their `opid`
   */
--- a/apps/browser/src/autofill/models/autofill-script.ts
+++ b/apps/browser/src/autofill/models/autofill-script.ts
@ -6,6 +6,7 @@ export default class AutofillScript {
  metadata: any = {};
  autosubmit: any = null;
  savedUrls: string[];
+  untrustedIframe: boolean;

  constructor(documentUUID: string) {
    this.documentUUID = documentUUID;
--- a/apps/browser/src/autofill/services/abstractions/autofill.service.ts
+++ b/apps/browser/src/autofill/services/abstractions/autofill.service.ts
@ -1,3 +1,4 @@
+import { UriMatchType } from "@bitwarden/common/enums/uriMatchType";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";

 import AutofillField from "../../models/autofill-field";
@ -20,6 +21,7 @@ export interface AutoFillOptions {
  onlyVisibleFields?: boolean;
  fillNewPassword?: boolean;
  skipLastUsed?: boolean;
+  allowUntrustedIframe?: boolean;
 }

 export interface FormData {
@ -38,4 +40,9 @@ export abstract class AutofillService {
    fromCommand: boolean
  ) => Promise<string>;
  doAutoFillActiveTab: (pageDetails: PageDetail[], fromCommand: boolean) => Promise<string>;
+  iframeUrlMatches: (
+    pageUrl: string,
+    loginItem: CipherView,
+    defaultUriMatch: UriMatchType
+  ) => boolean;
 }
--- a/apps/browser/src/autofill/services/autofill.service.ts
+++ b/apps/browser/src/autofill/services/autofill.service.ts
@ -1,14 +1,17 @@
 import { EventCollectionService } from "@bitwarden/common/abstractions/event/event-collection.service";
 import { LogService } from "@bitwarden/common/abstractions/log.service";
+import { SettingsService } from "@bitwarden/common/abstractions/settings.service";
 import { TotpService } from "@bitwarden/common/abstractions/totp.service";
 import { EventType } from "@bitwarden/common/enums/eventType";
 import { FieldType } from "@bitwarden/common/enums/fieldType";
 import { UriMatchType } from "@bitwarden/common/enums/uriMatchType";
+import { Utils } from "@bitwarden/common/misc/utils";
 import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
 import { CipherRepromptType } from "@bitwarden/common/vault/enums/cipher-reprompt-type";
 import { CipherType } from "@bitwarden/common/vault/enums/cipher-type";
 import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
 import { FieldView } from "@bitwarden/common/vault/models/view/field.view";
+import { LoginUriView } from "@bitwarden/common/vault/models/view/login-uri.view";

 import { BrowserApi } from "../../browser/browserApi";
 import { BrowserStateService } from "../../services/abstractions/browser-state.service";
@ -34,6 +37,8 @@ export interface GenerateFillScriptOptions {
  onlyVisibleFields: boolean;
  fillNewPassword: boolean;
  cipher: CipherView;
+  tabUrl: string;
+  defaultUriMatch: UriMatchType;
 }

 export default class AutofillService implements AutofillServiceInterface {
@ -42,7 +47,8 @@ export default class AutofillService implements AutofillServiceInterface {
    private stateService: BrowserStateService,
    private totpService: TotpService,
    private eventCollectionService: EventCollectionService,
-    private logService: LogService
+    private logService: LogService,
+    private settingsService: SettingsService
  ) {}

  getFormsWithPasswordFields(pageDetails: AutofillPageDetails): FormData[] {
@ -84,7 +90,12 @@ export default class AutofillService implements AutofillServiceInterface {
    return formData;
  }

-  async doAutoFill(options: AutoFillOptions) {
+  /**
+   * Autofills a given tab with a given login item
+   * @param options Instructions about the autofill operation, including tab and login item
+   * @returns The TOTP code of the successfully autofilled login, if any
+   */
+  async doAutoFill(options: AutoFillOptions): Promise<string> {
    const tab = options.tab;
    if (!tab || !options.cipher || !options.pageDetails || !options.pageDetails.length) {
      throw new Error("Nothing to auto-fill.");
@ -93,6 +104,8 @@ export default class AutofillService implements AutofillServiceInterface {
    let totpPromise: Promise<string> = null;

    const canAccessPremium = await this.stateService.getCanAccessPremium();
+    const defaultUriMatch = (await this.stateService.getDefaultUriMatch()) ?? UriMatchType.Domain;
+
    let didAutofill = false;
    options.pageDetails.forEach((pd) => {
      // make sure we're still on correct tab
@ -106,12 +119,23 @@ export default class AutofillService implements AutofillServiceInterface {
        onlyVisibleFields: options.onlyVisibleFields || false,
        fillNewPassword: options.fillNewPassword || false,
        cipher: options.cipher,
+        tabUrl: tab.url,
+        defaultUriMatch: defaultUriMatch,
      });

      if (!fillScript || !fillScript.script || !fillScript.script.length) {
        return;
      }

+      if (
+        fillScript.untrustedIframe &&
+        options.allowUntrustedIframe != undefined &&
+        !options.allowUntrustedIframe
+      ) {
+        this.logService.info("Auto-fill on page load was blocked due to an untrusted iframe.");
+        return;
+      }
+
      // Add a small delay between operations
      fillScript.properties.delay_between_operations = 20;

@ -159,7 +183,18 @@ export default class AutofillService implements AutofillServiceInterface {
    }
  }

-  async doAutoFillOnTab(pageDetails: PageDetail[], tab: chrome.tabs.Tab, fromCommand: boolean) {
+  /**
+   * Autofills the specified tab with the next login item from the cache
+   * @param pageDetails The data scraped from the page
+   * @param tab The tab to be autofilled
+   * @param fromCommand Whether the autofill is triggered by a keyboard shortcut (`true`) or autofill on page load (`false`)
+   * @returns The TOTP code of the successfully autofilled login, if any
+   */
+  async doAutoFillOnTab(
+    pageDetails: PageDetail[],
+    tab: chrome.tabs.Tab,
+    fromCommand: boolean
+  ): Promise<string> {
    let cipher: CipherView;
    if (fromCommand) {
      cipher = await this.cipherService.getNextCipherForUrl(tab.url);
@ -188,6 +223,7 @@ export default class AutofillService implements AutofillServiceInterface {
      onlyEmptyFields: !fromCommand,
      onlyVisibleFields: !fromCommand,
      fillNewPassword: fromCommand,
+      allowUntrustedIframe: fromCommand,
    });

    // Update last used index as autofill has succeed
@ -198,7 +234,13 @@ export default class AutofillService implements AutofillServiceInterface {
    return totpCode;
  }

-  async doAutoFillActiveTab(pageDetails: PageDetail[], fromCommand: boolean) {
+  /**
+   * Autofills the active tab with the next login item from the cache
+   * @param pageDetails The data scraped from the page
+   * @param fromCommand Whether the autofill is triggered by a keyboard shortcut (`true`) or autofill on page load (`false`)
+   * @returns The TOTP code of the successfully autofilled login, if any
+   */
+  async doAutoFillActiveTab(pageDetails: PageDetail[], fromCommand: boolean): Promise<string> {
    const tab = await this.getActiveTab();
    if (!tab || !tab.url) {
      return;
@ -309,6 +351,10 @@ export default class AutofillService implements AutofillServiceInterface {
    fillScript.savedUrls =
      login?.uris?.filter((u) => u.match != UriMatchType.Never).map((u) => u.uri) ?? [];

+    const inIframe = pageDetails.url !== options.tabUrl;
+    fillScript.untrustedIframe =
+      inIframe && !this.iframeUrlMatches(pageDetails.url, options.cipher, options.defaultUriMatch);
+
    if (!login.password || login.password === "") {
      // No password for this login. Maybe they just wanted to auto-fill some custom fields?
      fillScript = AutofillService.setFillScriptForFocus(filledFields, fillScript);
@ -742,6 +788,84 @@ export default class AutofillService implements AutofillServiceInterface {
    return fillScript;
  }

+  /**
+   * Determines whether to warn the user about filling an iframe
+   * @param pageUrl The url of the page/iframe, usually from AutofillPageDetails
+   * @param tabUrl The url of the tab, usually from the message sender (should not come from a content script because
+   *  that is likely to be incorrect in the case of iframes)
+   * @param loginItem The cipher to be filled
+   * @returns `true` if the iframe is untrusted and the warning should be shown, `false` otherwise
+   */
+  iframeUrlMatches(pageUrl: string, loginItem: CipherView, defaultUriMatch: UriMatchType): boolean {
+    // Check the pageUrl against cipher URIs using the configured match detection.
+    // If we are in this function at all, it is assumed that the tabUrl already matches a URL for `loginItem`,
+    // need to verify the pageUrl also matches one of the saved URIs using the match detection selected.
+    const uriMatched = loginItem.login.uris?.some((uri) =>
+      this.uriMatches(uri, pageUrl, defaultUriMatch)
+    );
+
+    return uriMatched;
+  }
+
+  // TODO should this be put in a common place (Utils maybe?) to be used both here and by CipherService?
+  private uriMatches(uri: LoginUriView, url: string, defaultUriMatch: UriMatchType): boolean {
+    const matchType = uri.match ?? defaultUriMatch;
+
+    const matchDomains = [Utils.getDomain(url)];
+    const equivalentDomains = this.settingsService.getEquivalentDomains(url);
+    if (equivalentDomains != null) {
+      matchDomains.push(...equivalentDomains);
+    }
+
+    switch (matchType) {
+      case UriMatchType.Domain:
+        if (url != null && uri.domain != null && matchDomains.includes(uri.domain)) {
+          if (Utils.DomainMatchBlacklist.has(uri.domain)) {
+            const domainUrlHost = Utils.getHost(url);
+            if (!Utils.DomainMatchBlacklist.get(uri.domain).has(domainUrlHost)) {
+              return true;
+            }
+          } else {
+            return true;
+          }
+        }
+        break;
+      case UriMatchType.Host: {
+        const urlHost = Utils.getHost(url);
+        if (urlHost != null && urlHost === Utils.getHost(uri.uri)) {
+          return true;
+        }
+        break;
+      }
+      case UriMatchType.Exact:
+        if (url === uri.uri) {
+          return true;
+        }
+        break;
+      case UriMatchType.StartsWith:
+        if (url.startsWith(uri.uri)) {
+          return true;
+        }
+        break;
+      case UriMatchType.RegularExpression:
+        try {
+          const regex = new RegExp(uri.uri, "i");
+          if (regex.test(url)) {
+            return true;
+          }
+        } catch (e) {
+          this.logService.error(e);
+          return false;
+        }
+        break;
+      case UriMatchType.Never:
+      default:
+        break;
+    }
+
+    return false;
+  }
+
  private fieldAttrsContain(field: AutofillField, containsVal: string) {
    if (!field) {
      return false;
--- a/apps/browser/src/background/main.background.ts
+++ b/apps/browser/src/background/main.background.ts
@ -443,7 +443,8 @@ export default class MainBackground {
      this.stateService,
      this.totpService,
      this.eventCollectionService,
-      this.logService
+      this.logService,
+      this.settingsService
    );
    this.containerService = new ContainerService(this.cryptoService, this.encryptService);
    this.auditService = new AuditService(this.cryptoFunctionService, this.apiService);
--- a/libs/common/src/abstractions/settings.service.ts
+++ b/libs/common/src/abstractions/settings.service.ts
@ -6,5 +6,6 @@ export abstract class SettingsService {
  settings$: Observable<AccountSettingsSettings>;

  setEquivalentDomains: (equivalentDomains: string[][]) => Promise<any>;
+  getEquivalentDomains: (url: string) => string[];
  clear: (userId?: string) => Promise<void>;
 }
--- a/libs/common/src/abstractions/state.service.ts
+++ b/libs/common/src/abstractions/state.service.ts
@ -245,7 +245,7 @@ export abstract class StateService<T extends Account = Account> {
  setEntityType: (value: string, options?: StorageOptions) => Promise<void>;
  getEnvironmentUrls: (options?: StorageOptions) => Promise<EnvironmentUrls>;
  setEnvironmentUrls: (value: EnvironmentUrls, options?: StorageOptions) => Promise<void>;
-  getEquivalentDomains: (options?: StorageOptions) => Promise<any>;
+  getEquivalentDomains: (options?: StorageOptions) => Promise<string[][]>;
  setEquivalentDomains: (value: string, options?: StorageOptions) => Promise<void>;
  getEventCollection: (options?: StorageOptions) => Promise<EventData[]>;
  setEventCollection: (value: EventData[], options?: StorageOptions) => Promise<void>;
--- a/libs/common/src/misc/utils.ts
+++ b/libs/common/src/misc/utils.ts
@ -32,6 +32,9 @@ export class Utils {
    /(?:[\u231A\u231B\u23E9-\u23EC\u23F0\u23F3\u25FD\u25FE\u2614\u2615\u2648-\u2653\u267F\u2693\u26A1\u26AA\u26AB\u26BD\u26BE\u26C4\u26C5\u26CE\u26D4\u26EA\u26F2\u26F3\u26F5\u26FA\u26FD\u2705\u270A\u270B\u2728\u274C\u274E\u2753-\u2755\u2757\u2795-\u2797\u27B0\u27BF\u2B1B\u2B1C\u2B50\u2B55]|\uD83C[\uDC04\uDCCF\uDD8E\uDD91-\uDD9A\uDDE6-\uDDFF\uDE01\uDE1A\uDE2F\uDE32-\uDE36\uDE38-\uDE3A\uDE50\uDE51\uDF00-\uDF20\uDF2D-\uDF35\uDF37-\uDF7C\uDF7E-\uDF93\uDFA0-\uDFCA\uDFCF-\uDFD3\uDFE0-\uDFF0\uDFF4\uDFF8-\uDFFF]|\uD83D[\uDC00-\uDC3E\uDC40\uDC42-\uDCFC\uDCFF-\uDD3D\uDD4B-\uDD4E\uDD50-\uDD67\uDD7A\uDD95\uDD96\uDDA4\uDDFB-\uDE4F\uDE80-\uDEC5\uDECC\uDED0-\uDED2\uDED5-\uDED7\uDEEB\uDEEC\uDEF4-\uDEFC\uDFE0-\uDFEB]|\uD83E[\uDD0C-\uDD3A\uDD3C-\uDD45\uDD47-\uDD78\uDD7A-\uDDCB\uDDCD-\uDDFF\uDE70-\uDE74\uDE78-\uDE7A\uDE80-\uDE86\uDE90-\uDEA8\uDEB0-\uDEB6\uDEC0-\uDEC2\uDED0-\uDED6])/g;
  static readonly validHosts: string[] = ["localhost"];
  static readonly minimumPasswordLength = 12;
+  static readonly DomainMatchBlacklist = new Map<string, Set<string>>([
+    ["google.com", new Set(["script.google.com"])],
+  ]);

  static init() {
    if (Utils.inited) {
--- a/libs/common/src/services/settings.service.ts
+++ b/libs/common/src/services/settings.service.ts
@ -40,6 +40,27 @@ export class SettingsService implements SettingsServiceAbstraction {
    await this.stateService.setSettings(settings);
  }

+  getEquivalentDomains(url: string): string[] {
+    const domain = Utils.getDomain(url);
+    if (domain == null) {
+      return null;
+    }
+
+    const settings = this._settings.getValue();
+
+    let result: string[] = [];
+
+    if (settings?.equivalentDomains != null) {
+      settings.equivalentDomains
+        .filter((ed) => ed.length > 0 && ed.includes(domain))
+        .forEach((ed) => {
+          result = result.concat(ed);
+        });
+    }
+
+    return result;
+  }
+
  async clear(userId?: string): Promise<void> {
    if (userId == null || userId == (await this.stateService.getUserId())) {
      this._settings.next({});
--- a/libs/common/src/services/state.service.ts
+++ b/libs/common/src/services/state.service.ts
@ -1585,7 +1585,7 @@ export class StateService<
    );
  }

-  async getEquivalentDomains(options?: StorageOptions): Promise<any> {
+  async getEquivalentDomains(options?: StorageOptions): Promise<string[][]> {
    return (
      await this.getAccount(this.reconcileOptions(options, await this.defaultOnDiskOptions()))
    )?.settings?.equivalentDomains;
--- a/libs/common/src/vault/services/cipher.service.ts
+++ b/libs/common/src/vault/services/cipher.service.ts
@ -49,10 +49,6 @@ import { CipherView } from "../models/view/cipher.view";
 import { FieldView } from "../models/view/field.view";
 import { PasswordHistoryView } from "../models/view/password-history.view";

-const DomainMatchBlacklist = new Map<string, Set<string>>([
-  ["google.com", new Set(["script.google.com"])],
-]);
-
 export class CipherService implements CipherServiceAbstraction {
  private sortedCiphersCache: SortedCiphersCache = new SortedCiphersCache(
    this.sortCiphersByLastUsed
@ -456,9 +452,9 @@ export class CipherService implements CipherServiceAbstraction {
          switch (match) {
            case UriMatchType.Domain:
              if (domain != null && u.domain != null && matchingDomains.indexOf(u.domain) > -1) {
-                if (DomainMatchBlacklist.has(u.domain)) {
+                if (Utils.DomainMatchBlacklist.has(u.domain)) {
                  const domainUrlHost = Utils.getHost(url);
-                  if (!DomainMatchBlacklist.get(u.domain).has(domainUrlHost)) {
+                  if (!Utils.DomainMatchBlacklist.get(u.domain).has(domainUrlHost)) {
                    return true;
                  }
                } else {