zulip/zerver/lib/unminify.py

import os
import re
from typing import Dict, List, Optional

import sourcemap

from zerver.lib.pysa import mark_sanitized


class SourceMap:
    """Map (line, column) pairs from generated to source file."""

    def __init__(self, sourcemap_dirs: List[str]) -> None:
        self._dirs = sourcemap_dirs
        self._indices: Dict[str, sourcemap.SourceMapDecoder] = {}

    def _index_for(self, minified_src: str) -> Optional[sourcemap.SourceMapDecoder]:
        """Return the source map index for minified_src, loading it if not
        already loaded."""

        # Prevent path traversal
        assert ".." not in minified_src and "/" not in minified_src

        if minified_src not in self._indices:
            for source_dir in self._dirs:
                filename = os.path.join(source_dir, minified_src + ".map")
                if os.path.isfile(filename):
                    # Use 'mark_sanitized' to force Pysa to ignore the fact that
                    # 'filename' is user controlled. While putting user
                    # controlled data into a filesystem operation is bad, in
                    # this case it's benign because 'filename' can't traverse
                    # directories outside of the pre-configured 'sourcemap_dirs'
                    # (due to the above assertions) and will always end in
                    # '.map'. Additionally, the result of this function is used
                    # for error logging and not returned to the user, so
                    # controlling the loaded file would not be useful to an
                    # attacker.
                    with open(mark_sanitized(filename)) as fp:
                        self._indices[minified_src] = sourcemap.load(fp)
                        break

        return self._indices.get(minified_src)

    def annotate_stacktrace(self, stacktrace: str) -> str:
        out: str = ""
        for ln in stacktrace.splitlines():
            out += ln + "\n"
            match = re.search(r"/static/webpack-bundles/([^:]+):(\d+):(\d+)", ln)
            if match:
                # Get the appropriate source map for the minified file.
                minified_src = match.groups()[0]
                index = self._index_for(minified_src)
                if index is None:
                    out += "       [Unable to look up in source map]\n"
                    continue

                gen_line, gen_col = list(map(int, match.groups()[1:3]))
                # The sourcemap lib is 0-based, so subtract 1 from line and col.
                try:
                    result = index.lookup(line=gen_line - 1, column=gen_col - 1)
                    display_src = result.src
                    if display_src is not None:
                        webpack_prefix = "webpack:///"
                        if display_src.startswith(webpack_prefix):
                            display_src = display_src[len(webpack_prefix) :]
                        out += f"       = {display_src} line {result.src_line+1} column {result.src_col+1}\n"
                except IndexError:
                    out += "       [Unable to look up in source map]\n"

            if ln.startswith("    at"):
                out += "\n"
        return out
linter: Add lint rule banning 'import os.path' 2017-09-22 18:30:18 +02:00			`import os`
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`import re`
unminify: Fix lookup if source map does not exist in disk. If the client has an old version of the code which is not present on the server, don't throw a 500; instead, default to the same `unable to look up in source map` message is used when the line numbers don't line up. 2021-03-15 20:30:58 +01:00			`from typing import Dict, List, Optional`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
python: Sort imports with isort. Fixes #2665. Regenerated by tabbott with `lint --fix` after a rebase and change in parameters. Note from tabbott: In a few cases, this converts technical debt in the form of unsorted imports into different technical debt in the form of our largest files having very long, ugly import sequences at the start. I expect this change will increase pressure for us to split those files, which isn't a bad thing. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2020-06-11 00:54:34 +02:00			`import sourcemap`

pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00			`from zerver.lib.pysa import mark_sanitized`

Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
zerver/lib: Remove inheritance from object. 2017-11-05 11:37:41 +01:00			`class SourceMap:`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`"""Map (line, column) pairs from generated to source file."""`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
zerver/lib: Change use of typing.Text to str. 2018-05-10 19:13:36 +02:00			`def __init__(self, sourcemap_dirs: List[str]) -> None:`
Fix browser error reporting to find webpack source map files. When we switched to using webpack, source map files weren't being logged in the expected place. 2017-07-28 20:32:57 +02:00			`self._dirs = sourcemap_dirs`
python: Convert assignment type annotations to Python 3.6 style. This commit was split by tabbott; this piece covers the vast majority of files in Zulip, but excludes scripts/, tools/, and puppet/ to help ensure we at least show the right error messages for Xenial systems. We can likely further refine the remaining pieces with some testing. Generated by com2ann, with whitespace fixes and various manual fixes for runtime issues: - invoiced_through: Optional[LicenseLedger] = models.ForeignKey( + invoiced_through: Optional["LicenseLedger"] = models.ForeignKey( -_apns_client: Optional[APNsClient] = None +_apns_client: Optional["APNsClient"] = None - notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - signup_notifications_stream: Optional[Stream] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) + signup_notifications_stream: Optional["Stream"] = models.ForeignKey('Stream', related_name='+', null=True, blank=True, on_delete=CASCADE) - author: Optional[UserProfile] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) + author: Optional["UserProfile"] = models.ForeignKey('UserProfile', blank=True, null=True, on_delete=CASCADE) - bot_owner: Optional[UserProfile] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) + bot_owner: Optional["UserProfile"] = models.ForeignKey('self', null=True, on_delete=models.SET_NULL) - default_sending_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) - default_events_register_stream: Optional[Stream] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_sending_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) + default_events_register_stream: Optional["Stream"] = models.ForeignKey('zerver.Stream', null=True, related_name='+', on_delete=CASCADE) -descriptors_by_handler_id: Dict[int, ClientDescriptor] = {} +descriptors_by_handler_id: Dict[int, "ClientDescriptor"] = {} -worker_classes: Dict[str, Type[QueueProcessingWorker]] = {} -queues: Dict[str, Dict[str, Type[QueueProcessingWorker]]] = {} +worker_classes: Dict[str, Type["QueueProcessingWorker"]] = {} +queues: Dict[str, Dict[str, Type["QueueProcessingWorker"]]] = {} -AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional[LDAPSearch] = None +AUTH_LDAP_REVERSE_EMAIL_SEARCH: Optional["LDAPSearch"] = None Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2020-04-22 01:09:50 +02:00			`self._indices: Dict[str, sourcemap.SourceMapDecoder] = {}`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
unminify: Fix lookup if source map does not exist in disk. If the client has an old version of the code which is not present on the server, don't throw a 500; instead, default to the same `unable to look up in source map` message is used when the line numbers don't line up. 2021-03-15 20:30:58 +01:00			`def _index_for(self, minified_src: str) -> Optional[sourcemap.SourceMapDecoder]:`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`"""Return the source map index for minified_src, loading it if not`
			`already loaded."""`
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00
			`# Prevent path traversal`
			`assert ".." not in minified_src and "/" not in minified_src`

Make stack trace annotation work The code now unminifies all calls in the stack, including those outside of app.js. This requires the Python package sourcemap, recently added as a dependency. (imported from commit 550c73ad5bfe78a2c7169c11da0c95cbaac238d7) 2013-07-12 22:01:31 +02:00			`if minified_src not in self._indices:`
Fix browser error reporting to find webpack source map files. When we switched to using webpack, source map files weren't being logged in the expected place. 2017-07-28 20:32:57 +02:00			`for source_dir in self._dirs:`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`filename = os.path.join(source_dir, minified_src + ".map")`
Fix browser error reporting to find webpack source map files. When we switched to using webpack, source map files weren't being logged in the expected place. 2017-07-28 20:32:57 +02:00			`if os.path.isfile(filename):`
pysa: Introduce sanitizers, models, and inline marking safe. This commit adds three `.pysa` model files: `false_positives.pysa` for ruling out false positive flows with `Sanitize` annotations, `req_lib.pysa` for educating pysa about Zulip's `REQ()` pattern for extracting user input, and `redirects.pysa` for capturing the risk of open redirects within Zulip code. Additionally, this commit introduces `mark_sanitized`, an identity function which can be used to selectively clear taint in cases where `Sanitize` models will not work. This commit also puts `mark_sanitized` to work removing known false postive flows. 2019-12-20 00:00:45 +01:00			`# Use 'mark_sanitized' to force Pysa to ignore the fact that`
			`# 'filename' is user controlled. While putting user`
			`# controlled data into a filesystem operation is bad, in`
			`# this case it's benign because 'filename' can't traverse`
			`# directories outside of the pre-configured 'sourcemap_dirs'`
			`# (due to the above assertions) and will always end in`
			`# '.map'. Additionally, the result of this function is used`
			`# for error logging and not returned to the user, so`
			`# controlling the loaded file would not be useful to an`
			`# attacker.`
			`with open(mark_sanitized(filename)) as fp:`
Fix browser error reporting to find webpack source map files. When we switched to using webpack, source map files weren't being logged in the expected place. 2017-07-28 20:32:57 +02:00			`self._indices[minified_src] = sourcemap.load(fp)`
			`break`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
unminify: Fix lookup if source map does not exist in disk. If the client has an old version of the code which is not present on the server, don't throw a 500; instead, default to the same `unable to look up in source map` message is used when the line numbers don't line up. 2021-03-15 20:30:58 +01:00			`return self._indices.get(minified_src)`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
zerver/lib: Change use of typing.Text to str. 2018-05-10 19:13:36 +02:00			`def annotate_stacktrace(self, stacktrace: str) -> str:`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`out: str = ""`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00			`for ln in stacktrace.splitlines():`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`out += ln + "\n"`
			`match = re.search(r"/static/webpack-bundles/([^:]+):(\d+):(\d+)", ln)`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00			`if match:`
Make stack trace annotation work The code now unminifies all calls in the stack, including those outside of app.js. This requires the Python package sourcemap, recently added as a dependency. (imported from commit 550c73ad5bfe78a2c7169c11da0c95cbaac238d7) 2013-07-12 22:01:31 +02:00			`# Get the appropriate source map for the minified file.`
unminify: Update for webpack chunk splitting. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2019-11-02 01:19:39 +01:00			`minified_src = match.groups()[0]`
Make stack trace annotation work The code now unminifies all calls in the stack, including those outside of app.js. This requires the Python package sourcemap, recently added as a dependency. (imported from commit 550c73ad5bfe78a2c7169c11da0c95cbaac238d7) 2013-07-12 22:01:31 +02:00			`index = self._index_for(minified_src)`
unminify: Fix lookup if source map does not exist in disk. If the client has an old version of the code which is not present on the server, don't throw a 500; instead, default to the same `unable to look up in source map` message is used when the line numbers don't line up. 2021-03-15 20:30:58 +01:00			`if index is None:`
			`out += " [Unable to look up in source map]\n"`
			`continue`
Make stack trace annotation work The code now unminifies all calls in the stack, including those outside of app.js. This requires the Python package sourcemap, recently added as a dependency. (imported from commit 550c73ad5bfe78a2c7169c11da0c95cbaac238d7) 2013-07-12 22:01:31 +02:00
unminify: Update for webpack chunk splitting. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2019-11-02 01:19:39 +01:00			`gen_line, gen_col = list(map(int, match.groups()[1:3]))`
Make stack trace annotation work The code now unminifies all calls in the stack, including those outside of app.js. This requires the Python package sourcemap, recently added as a dependency. (imported from commit 550c73ad5bfe78a2c7169c11da0c95cbaac238d7) 2013-07-12 22:01:31 +02:00			`# The sourcemap lib is 0-based, so subtract 1 from line and col.`
			`try:`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`result = index.lookup(line=gen_line - 1, column=gen_col - 1)`
unminify: Clean up unnecessary repetition of webpack:/// URLs. This takes stacktrace lines that used to look like this: n@https://chat.zulip.org/static/webpack-bundles/app.2385793af60f0b082ee9.js:1:12680 = webpack:///./static/js/blueslip.js line 241 column 1 dispatch@https://chat.zulip.org/static/webpack-bundles/app.2385793af60f0b082ee9.js:52:37878 = webpack:////srv/zulip-npm-cache/8ea4cd291dd23441aec0f298b77b6ddc0d0a7a56/node_modules/jquery/dist/jquery.js line 5182 column 1 to have the even-numbered lines look like this: = ./static/js/blueslip.js line 241 column 1 dispatch@https://chat.zulip.org/static/webpack-bundles/app.2385793af60f0b082ee9.js:52:37878 = /srv/zulip-npm-cache/8ea4cd291dd23441aec0f298b77b6ddc0d0a7a56/node_modules/jquery/dist/jquery.js line 5182 column 1 2018-07-31 07:12:08 +02:00			`display_src = result.src`
unminify: Update for webpack chunk splitting. Signed-off-by: Anders Kaseorg <anders@zulipchat.com> 2019-11-02 01:19:39 +01:00			`if display_src is not None:`
			`webpack_prefix = "webpack:///"`
			`if display_src.startswith(webpack_prefix):`
python: Reformat with Black, except quotes. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:19:30 +01:00			`display_src = display_src[len(webpack_prefix) :]`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`out += f" = {display_src} line {result.src_line+1} column {result.src_col+1}\n"`
Make stack trace annotation work The code now unminifies all calls in the stack, including those outside of app.js. This requires the Python package sourcemap, recently added as a dependency. (imported from commit 550c73ad5bfe78a2c7169c11da0c95cbaac238d7) 2013-07-12 22:01:31 +02:00			`except IndexError:`
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`out += " [Unable to look up in source map]\n"`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00
python: Normalize quotes with Black. Signed-off-by: Anders Kaseorg <anders@zulip.com> 2021-02-12 08:20:45 +01:00			`if ln.startswith(" at"):`
			`out += "\n"`
Split out source map processing into a library (imported from commit 345efcc703dc1049e31fd38a6a062bf39a589eb6) 2013-03-28 18:48:37 +01:00			`return out`