Improve trivialize-rules to detect compex rules

RReverser · Hainish · commit e66896fab97e · 2017-08-31T17:47:07.000-07:00
Explode regular expressions and see if it results in a small list of static URLs
that can be trivialized.

Note: rulesets with &lt;securecookie /&gt; are skipped for now because trivializing
those can lead to certain hosts being removed from targets even though cookies
should still be secured there. In future, we can analyze securecookie as well
to detect static matches and trivialize more rulesets.
diff --git a/utils/trivialize-rules/explode-regexp.js b/utils/trivialize-rules/explode-regexp.js
@@ -0,0 +1,87 @@
+/* eslint-env es6, node */
+
+const { parse } = require('regulex');
+
+class UnsupportedRegExp extends Error {}
+
+function explodeRegExp(re, callback) {
+  (function buildUrls(str, items) {
+    if (items.length === 0) {
+      callback(str + '*');
+      return;
+    }
+
+    let [first, ...rest] = items;
+
+    if (first.repeat) {
+      let repeat = first.repeat;
+      if (repeat.max !== 1) throw new UnsupportedRegExp(first.raw);
+      delete first.repeat;
+      if (repeat.min === 0) {
+        buildUrls(str, rest);
+      }
+      return buildUrls(str, items);
+    }
+
+    switch (first.type) {
+      case 'group': {
+        return buildUrls(str, first.sub.concat(rest));
+      }
+
+      case 'assert': {
+        if (first.assertionType === 'AssertBegin') {
+          if (str !== '*') return; // can't match begin not at the beginning
+          return buildUrls('', rest);
+        }
+        if (first.assertionType === 'AssertEnd') {
+          callback(str);
+          return;
+        }
+        if (first.assertionType === 'AssertLookahead' && rest.length === 0) {
+          return buildUrls(str, first.sub.concat(rest));
+        }
+        break;
+      }
+
+      case 'choice': {
+        for (let branch of first.branches) {
+          buildUrls(str, branch.concat(rest));
+        }
+        return;
+      }
+
+      case 'exact': {
+        return buildUrls(str + first.chars, rest);
+      }
+
+      case 'charset': {
+        if (first.ranges.length === 1) {
+          let range = first.ranges[0];
+          let from = range.charCodeAt(0);
+          let to = range.charCodeAt(1);
+          if (to - from < 10) {
+            // small range, probably won't explode
+            for (; from <= to; from++) {
+              buildUrls(str + String.fromCharCode(from), rest);
+            }
+            first.ranges.length = 0;
+          }
+        }
+        if (!first.classes.length && !first.exclude && !first.ranges.length) {
+          for (let c of first.chars) {
+            buildUrls(str + c, rest);
+          }
+          return;
+        }
+        break;
+      }
+    }
+
+    throw new UnsupportedRegExp(first.raw);
+  })('*', parse(re).tree);
+};
+
+module.exports = {
+  UnsupportedRegExp,
+  explodeRegExp
+};
diff --git a/utils/trivialize-rules/package.json b/utils/trivialize-rules/package.json
@@ -3,9 +3,9 @@
   "version": "1.0.0",
   "main": "trivialize-rules.js",
   "dependencies": {
+    "chalk": "^2.1.0",
     "highland": "^2.7.1",
-    "progress": "^1.1.8",
-    "verbal-expressions": "^0.2.1",
+    "regulex": "0.0.2",
     "xml2js": "^0.4.16"
   },
   "devDependencies": {},
diff --git a/utils/trivialize-rules/trivialize-rules.js b/utils/trivialize-rules/trivialize-rules.js
@@ -1,39 +1,18 @@
-"use strict";
+/* eslint-env es6, node */
+
+'use strict';
+
 const _ = require('highland');
 const fs = require('fs');
 const readDir = _.wrapCallback(fs.readdir);
 const readFile = _.wrapCallback(fs.readFile);
 const writeFile = _.wrapCallback(fs.writeFile);
 const parseXML = _.wrapCallback(require('xml2js').parseString);
-const ProgressBar = require('progress');
-const VerEx = require('verbal-expressions');
-let bar;
+const { explodeRegExp, UnsupportedRegExp } = require('./explode-regexp');
+const chalk = require('chalk');
 
 const rulesDir = `${__dirname}/../../src/chrome/content/rules`;
 
-const hostPartRe = VerEx().anyOf(/\w\-/).oneOrMore();
-const hostPartWithDotRe = VerEx().find(hostPartRe).then('\\.');
-
-const staticRegExp = VerEx()
-  .startOfLine()
-  .then('^http://(')
-  .beginCapture()
-  .multiple(VerEx().find(hostPartWithDotRe).then('|'))
-  .then(hostPartWithDotRe)
-  .endCapture()
-  .then(')')
-  .beginCapture()
-  .maybe('?')
-  .endCapture()
-  .beginCapture()
-  .multiple(hostPartWithDotRe)
-  .then(hostPartRe)
-  .endCapture()
-  .then('/')
-  .endOfLine()
-  .stopAtFirst()
-  .searchOneLine();
-
 const tagsRegExps = new Map();
 
 function createTagsRegexp(tag) {
@@ -47,25 +26,30 @@ function createTagsRegexp(tag) {
 }
 
 function replaceXML(source, tag, newXML) {
-  let pos;
+  let pos, indent;
   let re = createTagsRegexp(tag);
+
   source = source.replace(re, (match, index) => {
+    if (source.lastIndexOf('<!--', index) > source.lastIndexOf('-->', index)) {
+      // inside a comment
+      return match;
+    }
     if (pos === undefined) {
       pos = index;
+      indent = source.slice(source.lastIndexOf('\n', index) + 1, index);
     }
     return '';
   });
+
   if (pos === undefined) {
     throw new Error(`${re}: <${tag} /> was not found in ${source}`);
   }
-  return source.slice(0, pos) + newXML + source.slice(pos);
+
+  return source.slice(0, pos) + newXML.join('\n' + indent) + source.slice(pos);
 }
 
 const files =
         readDir(rulesDir)
-          .tap(rules => {
-            bar = new ProgressBar(':bar', { total: rules.length, stream: process.stdout });
-          })
           .sequence()
           .filter(name => name.endsWith('.xml'));
 
@@ -95,73 +79,112 @@ function isTrivial(rule) {
 }
 
 files.fork().zipAll([ sources.fork(), rules ]).map(([name, source, ruleset]) => {
-  bar.tick();
+  function createTag(tagName, colour, print) {
+    return (strings, ...values) => {
+      let result = `[${tagName}] ${chalk.bold(name)}: ${strings[0]}`;
+      for (let i = 1; i < strings.length; i++) {
+        let value = values[i - 1];
+        value = Array.isArray(value) ? value.join(', ') : value.toString();
+        result += chalk.blue(value) + strings[i];
+      }
+      print(colour(result));
+    };
+  }
+
+  const warn = createTag('WARN', chalk.yellow, console.warn);
+  const info = createTag('INFO', chalk.green, console.info);
+  const fail = createTag('FAIL', chalk.red, console.error);
+
+  if (ruleset.securecookie) {
+    return;
+  }
 
-  let target = ruleset.target.map(target => target.$.host);
-  let rule = ruleset.rule.map(rule => rule.$);
+  let targets = ruleset.target.map(target => target.$.host);
+  let rules = ruleset.rule.map(rule => rule.$);
 
-  if (rule.length === 1 && isTrivial(rule[0])) {
+  if (rules.length === 1 && isTrivial(rules[0])) {
     return;
   }
 
-  let targetRe = new RegExp(`^${target.map(target => `(${target.replace(/\./g, '\\.').replace(/\*/g, '.*')})`).join('|')}$`);
+  let targetRe = new RegExp(`^(?:${targets.map(target => target.replace(/\./g, '\\.').replace(/\*/g, '.*')).join('|')})$`);
   let domains = [];
 
   function isStatic(rule) {
     if (isTrivial(rule)) {
-      domains = domains.concat(target);
+      domains = domains.concat(targets);
       return true;
     }
 
     const { from, to } = rule;
-                
-    const match = from.match(staticRegExp);
-
-    if (!match) {
-      // console.error(from);
+    const fromRe = new RegExp(from);
+    let localDomains = [];
+    let unknownDomains = [];
+    let nonTrivialUrls = [];
+    let suspiciousStrings = [];
+
+    try {
+      explodeRegExp(from, url => {
+        let parsed = url.match(/^http(s?):\/\/(.+?)(?::(\d+))?\/(.*)$/);
+        if (!parsed) {
+          suspiciousStrings.push(url);
+          return;
+        }
+        let [, secure, host, port = '80', path] = parsed;
+        if (!targetRe.test(host)) {
+          unknownDomains.push(host);
+        } else if (!secure && port === '80' && path === '*' && url.replace(fromRe, to) === url.replace(/^http:/, 'https:')) {
+          localDomains.push(host);
+        } else {
+          nonTrivialUrls.push(url);
+        }
+      });
+    } catch (e) {
+      if (!(e instanceof UnsupportedRegExp)) {
+        throw e;
+      }
+      if (e.message === '/*' || e.message === '/+') {
+        fail`Suspicious ${e.message} while traversing ${from} => ${to}`;
+      } else {
+        warn`Unsupported regexp part ${e.message} while traversing ${from} => ${to}`;
+      }
       return false;
     }
 
-    const subDomains = match[1].split('|').map(item => item.slice(0, -2));
-    const baseDomain = match[3].replace(/\\(.)/g, '$1');
-    const localDomains = subDomains.map(sub => `${sub}.${baseDomain}`);
-                
-    if (to !== `https://$1${baseDomain}/`) {
-      console.error(from, to);
-      return false;
+    if (suspiciousStrings.length > 0) {
+      fail`${from} matches ${suspiciousStrings} which don't look like URLs`;
     }
-                
-    let mismatch = false;
-                
-    for (const domain of localDomains) {
-      if (!targetRe.test(domain)) {
-        console.error(target, domain, from);
-        mismatch = true;
-      }
+
+    if (unknownDomains.length > 0) {
+      fail`${from} matches ${unknownDomains} which are not in targets ${targets}`;
     }
 
-    if (mismatch) {
+    if (suspiciousStrings.length > 0 || unknownDomains.length > 0) {
       return false;
     }
 
-    if (match[2] || targetRe.test(baseDomain)) {
-      localDomains.unshift(baseDomain);
+    if (nonTrivialUrls.length > 0) {
+      if (localDomains.length > 0) {
+        warn`${from} => ${to} can trivialize ${localDomains} but not urls like ${nonTrivialUrls}`;
+      }
+      return false;
     }
-                
+
     domains = domains.concat(localDomains);
-                
+
     return true;
   }
 
-  if (!rule.every(isStatic)) return;
-        
+  if (!rules.every(isStatic)) return;
+
+  info`trivialized`;
+
   domains = Array.from(new Set(domains));
 
-  if (domains.slice().sort().join('\n') !== target.sort().join('\n')) {
-    source = replaceXML(source, 'target', domains.map(domain => `<target host="${domain}" />`).join('\n\t'));
+  if (domains.slice().sort().join('\n') !== targets.sort().join('\n')) {
+    source = replaceXML(source, 'target', domains.map(domain => `<target host="${domain}" />`));
   }
 
-  source = replaceXML(source, 'rule', '<rule from="^http:" to="https:" />');
+  source = replaceXML(source, 'rule', ['<rule from="^http:" to="https:" />']);
 
   return writeFile(`${rulesDir}/${name}`, source);
 
