Detect static securecookies to trivialize more rules

This PR aims to trivialize rulesets that would have been modified if securecookies are ignored. It is assumed that if all securecookies are static, they can be safely ignored. A securecookie is called to be static either it is a trivial securecookie or ALL of the following conditions are satisfied: 1. securecookie.host match cookie.host from the beginning ^ to the end $. Otherwise, it might match subdomains/ partial patterns, thus a non-trivial securecookie. 2. securecookie.host will not throw an error when passed to explodeRegExp(). Otherwise, it might match patterns too complicated for our interests. 3. Each exploded securecookie.host should be included in ruleset.target/ exploded target. Otherwise, this ruleset is likely problematic itself. It is dangerous for a rewrite.
EFForg · Jul 11, 2018 · 77f08cf · 77f08cf
1 parent 8cfabe5
commit 77f08cf
Showing 1 changed file with 37 additions and 1 deletion.
diff --git a/utils/trivialize-rules/trivialize-rules.js b/utils/trivialize-rules/trivialize-rules.js
@@ -99,6 +99,7 @@ files.fork().zipAll([ sources.fork(), rules ]).map(([name, source, ruleset]) =>
   const fail = createTag('FAIL', chalk.red, console.error);
 
   let targets = ruleset.target.map(target => target.$.host);
+  let securecookies = ruleset.securecookie ? ruleset.securecookie.map(sc => sc.$) : new Array();
   let rules = ruleset.rule.map(rule => rule.$);
 
   if (rules.length === 1 && isTrivial(rules[0])) {
@@ -181,8 +182,43 @@ files.fork().zipAll([ sources.fork(), rules ]).map(([name, source, ruleset]) =>
 
   domains = Array.from(domains);
 
+  function isStaticCookie(securecookie) {
+    if (securecookie.host === '.+' && securecookie.name === '.+') {
+      return true;
+    }
+
+    if (!securecookie.host.startsWith('^') || !securecookie.host.endsWith('$')) {
+      return false;
+    }
+
+    let localDomains = new Set();
+
+    try {
+      explodeRegExp(securecookie.host, domain => {
+        if (domain.startsWith('.')) {
+          domain = domain.slice(1);
+        }
+        localDomains.add(domain);
+      });
+    } catch (e) {
+      if (!(e instanceof UnsupportedRegExp)) {
+        throw e;
+      }
+      warn`Unsupported regexp part ${e.message} while traversing securecookie : ${JSON.stringify(securecookie)}`;
+      return false;
+    }
+
+    for (const domain of localDomains) {
+      if (domains.indexOf(domain) === -1) {
+        warn`Ruleset does not cover target ${domain} for securecookie : ${JSON.stringify(securecookie)}`;
+        return false;
+      }
+    }
+    return true;
+  }
+
   if (domains.slice().sort().join('\n') !== targets.sort().join('\n')) {
-    if (ruleset.securecookie) {
+    if (securecookies.length > 0 && !securecookies.every(isStaticCookie)) {
       return;
     }