LibWeb: Ensure numbers provided to WebDriver are "safe"

Numbers are limited to JS's Number.MAX_SAFE_INTEGER.
Author: https://github.com/trflynn89 Commit: https://github.com/LadybirdBrowser/ladybird/commit/434663b1c60 Pull-request: https://github.com/LadybirdBrowser/ladybird/pull/1566
2024-09-26 16:46:15 -04:00 · 2024-09-26 16:46:15 -04:00 · 434663b1c6 · 2024-10-01 09:03:47 +00:00
commit 434663b1c6
parent 71c1a1d8f4
1 changed files with 17 additions and 2 deletions
--- a/Userland/Libraries/LibWeb/WebDriver/Properties.h
+++ b/Userland/Libraries/LibWeb/WebDriver/Properties.h
@ -10,6 +10,7 @@
 #include <AK/JsonArray.h>
 #include <AK/JsonObject.h>
 #include <AK/JsonValue.h>
+#include <LibJS/Runtime/Value.h>
 #include <LibWeb/WebDriver/Error.h>

 namespace Web::WebDriver {
@ -22,6 +23,20 @@ static ErrorOr<PropertyType, WebDriver::Error> get_property(JsonObject const& pa
    if (!property.has_value())
        return WebDriver::Error::from_code(ErrorCode::InvalidArgument, ByteString::formatted("No property called '{}' present", key));

+    auto is_safe_number = []<typename T>(T value) {
+        if constexpr (sizeof(T) >= 8) {
+            if (value > static_cast<T>(JS::MAX_ARRAY_LIKE_INDEX))
+                return false;
+
+            if constexpr (IsSigned<T>) {
+                if (value < -static_cast<T>(JS::MAX_ARRAY_LIKE_INDEX))
+                    return false;
+            }
+        }
+
+        return true;
+    };
+
    if constexpr (IsSame<PropertyType, ByteString>) {
        if (!property->is_string())
            return WebDriver::Error::from_code(ErrorCode::InvalidArgument, ByteString::formatted("Property '{}' is not a String", key));
@ -31,11 +46,11 @@ static ErrorOr<PropertyType, WebDriver::Error> get_property(JsonObject const& pa
            return WebDriver::Error::from_code(ErrorCode::InvalidArgument, ByteString::formatted("Property '{}' is not a Boolean", key));
        return property->as_bool();
    } else if constexpr (IsIntegral<PropertyType>) {
-        if (auto maybe_number = property->get_integer<PropertyType>(); maybe_number.has_value())
+        if (auto maybe_number = property->get_integer<PropertyType>(); maybe_number.has_value() && is_safe_number(*maybe_number))
            return *maybe_number;
        return WebDriver::Error::from_code(ErrorCode::InvalidArgument, ByteString::formatted("Property '{}' is not an Integer", key));
    } else if constexpr (IsSame<PropertyType, double>) {
-        if (auto maybe_number = property->get_double_with_precision_loss(); maybe_number.has_value())
+        if (auto maybe_number = property->get_double_with_precision_loss(); maybe_number.has_value() && is_safe_number(*maybe_number))
            return *maybe_number;
        return WebDriver::Error::from_code(ErrorCode::InvalidArgument, ByteString::formatted("Property '{}' is not a Number", key));
    } else if constexpr (IsSame<PropertyType, JsonArray const*>) {