Open fmarier opened 3 years ago
We end up running the CSS blurb through CSSStyleSheet.insertRule() and it will throw a SyntaxError if more than one rule is present.
Therefore, while it's possible to insert arbitrary text into brave://adblock by changing the JS context to "Brave" in the devtools and running something like:
chrome.runtime.sendMessage({type:"cosmeticFilterCreate", host:"fmarier.org", selector:"#body { background-color: red; } #hidden-avatar"})
I don't see a way to inject arbitrary CSS that will actually get run.
I think it would still be worthwhile to validate that the CSS selector is a real one here, from a defense-in-depth point of view, but unless the rest of our code changes, it's not a security vulnerability.
The "Block element" feature of the Brave contextual menu relies on the cosmeticFilterCreate API call in the Shields extension.
This function should validate that its input is a valid CSS selector in order to prevent a compromised renderer from injecting arbitrary CSS declarations.
Originally reported as part of https://hackerone.com/reports/1254125.
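The kind of selector validation this issue asks for, as an added example that is not part of the issue and not Brave's Shields code. It assumes the handler receives the selector as a plain string and does two things: a structural pass that works anywhere (rejecting braces and semicolons outside quoted strings, control characters, and unbalanced brackets or quotes, so a string such as the one above cannot smuggle a declaration block in front of the real selector), and, when a DOM is available, a parser pass that lets the browser's own CSS parser decide by calling querySelector on an empty fragment inside try/catch, which throws a SyntaxError for anything insertRule() would also reject. The MAX_SELECTOR_LENGTH limit is an assumed value, not one from the issue.

```javascript
// Added example (not Brave's code): validate that the "selector" argument of a
// cosmeticFilterCreate-style message is a single CSS selector, not a string
// carrying a declaration block or a second rule.

const MAX_SELECTOR_LENGTH = 1024; // assumed limit, not from the issue

function fail(reason) {
  return { ok: false, reason };
}

// Layer 1: structural check, runs anywhere (Node or browser).
function structuralCheck(selector) {
  if (typeof selector !== "string") return fail("not a string");
  const s = selector.trim();
  if (s.length === 0) return fail("empty selector");
  if (s.length > MAX_SELECTOR_LENGTH) return fail("selector too long");

  const stack = [];   // open '(' and '[' waiting for their partner
  let quote = null;   // the quote character we are inside, if any
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    if (ch === "\\") {
      // CSS escape: the next character is literal, whatever it is
      if (i === s.length - 1) return fail("trailing backslash");
      i += 1;
      continue;
    }
    if (quote !== null) {
      if (ch === quote) quote = null;
      continue; // anything inside a string is allowed
    }
    if (ch === '"' || ch === "'") { quote = ch; continue; }
    // Braces and semicolons never appear in a bare selector; they are what
    // turns "#a" into "#a { color: red; } #b".
    if (ch === "{" || ch === "}" || ch === ";") {
      return fail(`'${ch}' outside a string: looks like a declaration block or extra rule`);
    }
    // Whitespace is a legitimate combinator; other control characters are not.
    if ((ch.charCodeAt(0) < 0x20 && !/\s/.test(ch)) || ch === "\u007f") {
      return fail("control character in selector");
    }
    if (ch === "(" || ch === "[") { stack.push(ch); continue; }
    if (ch === ")" && stack.pop() !== "(") return fail("unbalanced ')'");
    if (ch === "]" && stack.pop() !== "[") return fail("unbalanced ']'");
  }
  if (quote !== null) return fail("unterminated string");
  if (stack.length !== 0) return fail("unclosed bracket");
  return { ok: true, selector: s };
}

// Layer 2: ask the browser's CSS parser, if there is one. An empty fragment
// keeps querySelector cheap; an unparseable selector throws a SyntaxError.
function parserCheck(selector) {
  if (typeof document === "undefined") return { ok: true, checked: false };
  try {
    document.createDocumentFragment().querySelector(selector);
    return { ok: true, checked: true };
  } catch (e) {
    return { ok: false, checked: true, reason: `parser rejected selector: ${e.message}` };
  }
}

// Entry point a message handler would call before storing the selector.
function validateSelector(selector) {
  const structural = structuralCheck(selector);
  if (!structural.ok) return structural;
  const parsed = parserCheck(structural.selector);
  if (!parsed.ok) return parsed;
  return { ok: true, selector: structural.selector, parserChecked: parsed.checked };
}

// Constructed inputs: the string from the issue and a legitimate selector.
const SMUGGLED = "#body { background-color: red; } #hidden-avatar";
const LEGIT = "#hidden-avatar";
console.log(SMUGGLED, "->", validateSelector(SMUGGLED));
console.log(LEGIT, "->", validateSelector(LEGIT));
```

In the extension the structural pass is the cheap first line, and the parser pass is what actually matches the behaviour of insertRule(); keeping both means a selector that would only fail at insertion time is rejected when the message arrives, before it is written to the filter list.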