From b5e6da4d543eeed7b8c66d3ca741dbb68ac4f2fa Mon Sep 17 00:00:00 2001
From: Martin Probst <martin@probst.io>
Date: Thu, 20 Oct 2016 19:56:48 -0700
Subject: [PATCH] fix(security): do not auto-bootstrap when loaded from an
 extension.

Extension URIs (`resource://...`) bypass Content-Security-Policy in Chrome and
Firefox and can always be loaded. Now if a site already has a XSS bug, and uses
CSP to protect itself, but the user has an extension installed that uses
Angular, an attacked can load Angular from the extension, and Angular's
auto-bootstrapping can be used to bypass the victim site's CSP protection.

Notes:
- `isAutoBootstrapAllowed` must be initialized on load, so that `currentScript`
  is set correctly.
- The tests are a bit indirect as reproducing the actual scenario is too
  complicated to reproduce (requires signing an extension etc). I have confirmed
  this to be working manually.
---
 src/Angular.js      | 25 +++++++++++++++++++++++++
 test/AngularSpec.js | 21 +++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/src/Angular.js b/src/Angular.js
index dced06cc28b2..885456eedebb 100644
--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1444,6 +1444,26 @@ function getNgAttribute(element, ngAttr) {
   return null;
 }
 
+function allowAutoBootstrap(document) {
+  if (!document.currentScript) {
+    return true;
+  }
+  var src = document.currentScript.getAttribute('src');
+  var link = document.createElement('a');
+  link.href = src;
+  var scriptProtocol = link.protocol;
+  var docLoadProtocol = document.location.protocol;
+  if ((scriptProtocol === 'resource:' ||
+       scriptProtocol === 'chrome-extension:') &&
+      docLoadProtocol !== scriptProtocol) {
+    return false;
+  }
+  return true;
+}
+
+// Cached as it has to run during loading so that document.currentScript is available.
+var isAutoBootstrapAllowed = allowAutoBootstrap(window.document);
+
 /**
  * @ngdoc directive
  * @name ngApp
@@ -1602,6 +1622,11 @@ function angularInit(element, bootstrap) {
     }
   });
   if (appElement) {
+    if (!isAutoBootstrapAllowed) {
+      console.error('Angular: disabling automatic bootstrap. <script> protocol indicates an ' +
+          'extension, document.href does not match.');
+      return;
+    }
     config.strictDi = getNgAttribute(appElement, 'strict-di') !== null;
     bootstrap(appElement, module ? [module] : [], config);
   }
diff --git a/test/AngularSpec.js b/test/AngularSpec.js
index 4e16d15550a6..71b29c4949c2 100644
--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1682,6 +1682,27 @@ describe('angular', function() {
 
       dealoc(appElement);
     });
+
+    it('should not bootstrap from an extension into a non-extension document', function() {
+      var src = 'resource://something';
+      // Fake a minimal document object (the actual document.currentScript is readonly).
+      var fakeDoc = {
+        currentScript: { getAttribute: function() { return src; } },
+        location: {protocol: 'http:'},
+        createElement: document.createElement.bind(document),
+      };
+      expect(allowAutoBootstrap(fakeDoc)).toBe(false);
+
+      src = 'file://whatever';
+      expect(allowAutoBootstrap(fakeDoc)).toBe(true);
+    });
+
+    it('should not bootstrap if bootstrapping is disabled', function() {
+      isAutoBootstrapAllowed = false;
+      angularInit(jqLite('<div ng-app></div>')[0], bootstrapSpy);
+      expect(bootstrapSpy).not.toHaveBeenCalled();
+      isAutoBootstrapAllowed = true;
+    });
   });