[AF] Prevent Logging Password Values to Console

Before sending over to be logged by DevTools, filter out DOM nodes that have a type attribute equal to "password", and that are not empty. Bug: 934609 Change-Id: I147ad0c2bad13cc50394f4b5ff2f4bfb7293114b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1506498 Commit-Queue: Sebastien Lalancette <seblalancette@chromium.org> Reviewed-by: Vadym Doroshenko <dvadym@chromium.org> Reviewed-by: Mathieu Perreault <mathp@chromium.org> Cr-Commit-Position: refs/heads/master@{#638615}

[AF] Prevent Logging Password Values to Console
Before sending over to be logged by DevTools, filter out DOM nodes that have a type attribute equal to "password", and that are not empty. Bug: 934609 Change-Id: I147ad0c2bad13cc50394f4b5ff2f4bfb7293114b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1506498 Commit-Queue: Sebastien Lalancette <seblalancette@chromium.org> Reviewed-by: Vadym Doroshenko <dvadym@chromium.org> Reviewed-by: Mathieu Perreault <mathp@chromium.org> Cr-Commit-Position: refs/heads/master@{#638615}
89f296b3 · Sebastien Lalancette · Commit Bot · 70bf8062 · 89f296b3
Commit 89f296b3 authored Mar 07, 2019 by Sebastien Lalancette Committed by Commit Bot Mar 07, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 3 deletions

components/autofill/content/renderer/page_form_analyser_logger.cc ...ts/autofill/content/renderer/page_form_analyser_logger.cc +27 -3

No files found.
--- a/components/autofill/content/renderer/page_form_analyser_logger.cc
+++ b/components/autofill/content/renderer/page_form_analyser_logger.cc
@@ -6,7 +6,11 @@
 #include <utility>
+#include "base/strings/string_util.h"
 #include "third_party/blink/public/platform/web_string.h"
+#include "third_party/blink/public/web/web_element.h"
+#include "third_party/blink/public/web/web_input_element.h"
+#include "third_party/blink/public/web/web_node.h"
 namespace autofill {
@@ -38,11 +42,31 @@ void PageFormAnalyserLogger::Flush() {
      text.clear();
      text += "[DOM] ";
      text += entry.message;
-      for (unsigned i = 0; i < entry.nodes.size(); ++i)
-        text += " %o";
+      std::vector<blink::WebNode> nodesToLog;
+      for (unsigned i = 0; i < entry.nodes.size(); ++i) {
+        if (entry.nodes[i].IsElementNode()) {
+          const blink::WebElement element =
+              entry.nodes[i].ToConst<blink::WebElement>();
+          const blink::WebInputElement* webInputElement =
+              blink::ToWebInputElement(&element);
+          // Filter out password inputs with values from being logged, as their
+          // values are also logged.
+          const bool shouldObfuscate =
+              webInputElement &&
+              webInputElement->IsPasswordFieldForAutofill() &&
+              !webInputElement->Value().IsEmpty();
+          if (!shouldObfuscate) {
+            text += " %o";
+            nodesToLog.push_back(element);
+          }
+        }
+      }
      blink::WebConsoleMessage message(level, blink::WebString::FromUTF8(text));
-      message.nodes = std::move(entry.nodes);  // avoids copying node vectors.
+      message.nodes = std::move(nodesToLog);  // avoids copying node vectors.
      frame_->AddMessageToConsole(message);
    }
  }