Synopsis :
python addonParser.py extension.xpi
Description :
A simple python script that lexically analysis Firefox extensions, trying to find any problems. Outputs any problems to the terminal.
Requires :
Python Image Library
Notes :
Writes any .jar files into the $PWD/temp/ directory.
Breakdown of output :
examing chrome/ (13)
examing chrome/content/ (13)
examing chrome/content/botOFF.png (13)
examing chrome/content/botON.png (13)
examing chrome/content/dowint.css (13)
examing chrome/content/dowint.js (13)
examing chrome/content/dowint.xul (13)
WARNING: http://dowint.net/inc/js.php does not start with chrome:// and not a local file for file chrome/content/dowint.xul (5)
examing chrome/content/logo.gif (13)
WARNING: Image chrome/content/logo.gif does not match it's extension. Expected GIF, got PNG (2)
examing chrome.manifest (13)
examing install.rdf (13)
Numbers in parentheses at the end of line are just for debugging use only.
Text in square parentheses is often the source of the problem (used when evaluating javascript files)
Types :
Warning – something is wrong or possibly needs some examining
Error – I don’t know how to evaluate this (eg. files that I wasn’t expecting, or files that I don’t know how to properly evaluate)
Quirks (some people call this bugs) :
- Sometimes it gives you information, but not enough context:
WARNING: found XMLHttpRequest [var req = new XMLHttpRequest();] in file content/hrtoolbar.js (9) - Sometimes the output is extremely long because the js file was minified:
WARNING: found XMLHttpRequest [var CC=Components.classes;var CI=Components.interfaces;var … ] - False positives can be quite common :
WARNING: found reference to outside source [@namespace url(”http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul”);] in file skin/webwean.css. (8)
(This is common false positive in CSS files. Though it has found a problem once)
Undecided Issues :
- What to do about .dtd and .properties (should anything be done for these files?)
- Should XHR throw up a warning? It’s fairly common, and we’re really just worried about eval.
Checks and Errors :
| Error | Problem |
|---|---|
| 1 | Image file is not an image file |
| 2 | Image file extension does not match its type |
| 3 | XUL file is invalid XML |
| 4 | Inline JS |
| 5 | The src for a script tag was not a chrome:// url nor a local file |
| 6 | Invalid keyboard shortcuts (Macs require alt + another modifier) |
| 7 | iframe content type is not content |
| 8 | CSS file has an outside reference |
| 9 | XHR found |
| 10 | Javascript eval keyword found :p |
| 11 | Javascript loadSubscript found |
| 12 | Javascript new Function() |
| 13 | Log message |
| 14 | RCS directory found. Could be sensitive to the author. |
| 15 | A binary component has been found |
File :
Currently available here. Will upload repository later.
Please be advised that this tool is extremely stupid, and not a substitute for careful reviews :)