[false-positive] input-manage permission rule

[pwnetrationguru]

So I can't tell for sure if this is a false-positive or not, maybe there is some magic behind this that causes this, but I frequently get errors reported for input-manage permission. Running ScanJS, I appear to get the follow false positives relating to input-manage permission:

var $panels = $this.find('dd').hide();

$li.find('.error').hide();

$('.isotope-filters').hide();

Based on those, it appears to be related to jQuery, but working in the experiment tab, it appears these cause the input-manage permission to error:

this.hide()
body.innerHTML.hide()

While a.hide() doesn't flag, a.mgmt.hide() does flag, which based on the rule definition seems to make sense. The rule is defined as $_any.mgmt.hide(). Maybe there is some chaining going on that automagically includes mgmt in calls like this.hide()

P.S. Hope you guys are doing awesome!! :panda_face:

[pauljt]

Hmm interesting, thanks Rob!

Actually I'm not even sure how thes rule even works - I don't remember adding support for xxx.yyy.zzz Interesting that a.hide() doesnt get flagged but a.hide does.

Another reason for abandoning the rule parser, and going back to explicit rules imho. (though the fix for this specific case should be simple)

[mozfreddyb]

Thanks for filing, Rob! :) This is probably bad for other users of jQuery. Would you be willing to take a stab at it? The rule parsing code is likely to be changed completely in the future by #168.

[pwnetrationguru]

@mozfreddyb, I can definitely take a look, although the parsing engine has always been a bit of a black box for me. :)

Any idea on priority of getting #168 done?

[mozfreddyb]

If this here is important for you, I'd recommend you take a look before we get at #168.

[pwnetrationguru]

Cool, sounds good. I'll take a look this week! I'll probably follow-up with questions as I go.