Sanitize data before providing it to the CDM

media/blink/webcontentdecryptionmodulesession_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webcontentdecryptionmodulesession_impl.h"
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/logging.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "media/base/cdm_key_information.h"
 #include "media/base/cdm_promise.h"
 #include "media/base/key_systems.h"
 #include "media/base/limits.h"
 #include "media/base/media_keys.h"
 #include "media/blink/cdm_result_promise.h"
 #include "media/blink/cdm_session_adapter.h"
 #include "media/blink/new_session_cdm_result_promise.h"
 #include "media/blink/webmediaplayer_util.h"
 #include "media/cdm/cenc_utils.h"
 #include "media/cdm/json_web_key.h"
+#include "media/cdm/key_system_names.h"
 #include "third_party/WebKit/public/platform/WebData.h"
 #include "third_party/WebKit/public/platform/WebEncryptedMediaKeyInformation.h"
 #include "third_party/WebKit/public/platform/WebString.h"
 #include "third_party/WebKit/public/platform/WebURL.h"
 #include "third_party/WebKit/public/platform/WebVector.h"
 
 namespace media {
 
 const char kCloseSessionUMAName[] = "CloseSession";
 const char kGenerateRequestUMAName[] = "GenerateRequest";
@@ skipping 106 matching lines @@
 
     case EmeInitDataType::UNKNOWN:
       break;
   }
 
   NOTREACHED();
   error_message->assign("Initialization data type is not supported.");
   return false;
 }
 
+static bool SanitizeSessionId(const blink::WebString& session_id,
+                              std::string* sanitized_session_id) {
+  // The user agent should thoroughly validate the sessionId value before
+  // passing it to the CDM. At a minimum, this should include checking that
+  // the length and value (e.g. alphanumeric) are reasonable.
+  if (!base::IsStringASCII(session_id))
+    return false;
+
+  sanitized_session_id->assign(base::UTF16ToASCII(session_id));
+  if (sanitized_session_id->length() > limits::kMaxSessionIdLength)
+    return false;
+
+  for (const char c : *sanitized_session_id) {
+    if (!IsAsciiAlpha(c) && !IsAsciiDigit(c))
+      return false;
+  }
+
+  return true;
+}
+
+static bool SanitizeResponse(const std::string& key_system,
+                             const uint8* response,
+                             size_t response_length,
+                             std::vector<uint8>* sanitized_response) {
+  // The user agent should thoroughly validate the response before passing it
+  // to the CDM. This may include verifying values are within reasonable limits,
+  // stripping irrelevant data or fields, pre-parsing it, sanitizing it,
+  // and/or generating a fully sanitized version. The user agent should check
+  // that the length and values of fields are reasonable. Unknown fields should
+  // be rejected or removed.
+  if (response_length > limits::kMaxSessionResponseLength)
+    return false;
+
+  if (IsClearKey(key_system) || IsExternalClearKey(key_system)) {
+    std::string key_string(response, response + response_length);
+    KeyIdAndKeyPairs keys;
+    MediaKeys::SessionType session_type = MediaKeys::TEMPORARY_SESSION;
+    if (!ExtractKeysFromJWKSet(key_string, &keys, &session_type))
+      return false;
+
+    // Must contain at least one key.
+    if (keys.empty())
+      return false;
+
+    for (const auto key_pair : keys) {
+      if (key_pair.first.size() < limits::kMinKeyIdLength ||
+          key_pair.first.size() > limits::kMaxKeyIdLength) {
+        return false;
+      }
+    }
+
+    std::string sanitized_data = GenerateJWKSet(keys, session_type);
+    sanitized_response->assign(sanitized_data.begin(), sanitized_data.end());
+    return true;
+  }
+
+  // TODO(jrummell): Verify responses for Widevine.
+  sanitized_response->assign(response, response + response_length);
+  return true;
+}
+
 WebContentDecryptionModuleSessionImpl::WebContentDecryptionModuleSessionImpl(
     const scoped_refptr<CdmSessionAdapter>& adapter)
     : adapter_(adapter), is_closed_(false), weak_ptr_factory_(this) {
 }
 
 WebContentDecryptionModuleSessionImpl::
     ~WebContentDecryptionModuleSessionImpl() {
   if (!session_id_.empty())
     adapter_->UnregisterSession(session_id_);
 }
@@ skipping 72 matching lines @@
               &WebContentDecryptionModuleSessionImpl::OnSessionInitialized,
               base::Unretained(this)))));
 }
 
 void WebContentDecryptionModuleSessionImpl::load(
     const blink::WebString& session_id,
     blink::WebContentDecryptionModuleResult result) {
   DCHECK(!session_id.isEmpty());
   DCHECK(session_id_.empty());
 
+  std::string sanitized_session_id;
+  if (!SanitizeSessionId(session_id, &sanitized_session_id)) {
+    result.completeWithError(
+        blink::WebContentDecryptionModuleExceptionInvalidAccessError, 0,
+        "Invalid session ID.");
+    return;
+  }
+
   // TODO(jrummell): Now that there are 2 types of persistent sessions, the
   // session type should be passed from blink. Type should also be passed in the
   // constructor (and removed from initializeNewSession()).
   adapter_->LoadSession(
-      MediaKeys::PERSISTENT_LICENSE_SESSION, base::UTF16ToASCII(session_id),
+      MediaKeys::PERSISTENT_LICENSE_SESSION, sanitized_session_id,
       scoped_ptr<NewSessionCdmPromise>(new NewSessionCdmResultPromise(
           result, adapter_->GetKeySystemUMAPrefix() + kLoadSessionUMAName,
           base::Bind(
               &WebContentDecryptionModuleSessionImpl::OnSessionInitialized,
               base::Unretained(this)))));
 }
 
 void WebContentDecryptionModuleSessionImpl::update(
     const uint8* response,
     size_t response_length,
     blink::WebContentDecryptionModuleResult result) {
   DCHECK(response);
   DCHECK(!session_id_.empty());
+
+  std::vector<uint8> sanitized_response;
+  if (!SanitizeResponse(adapter_->GetKeySystem(), response, response_length,
+                        &sanitized_response)) {
+    result.completeWithError(
+        blink::WebContentDecryptionModuleExceptionInvalidAccessError, 0,
+        "Invalid response.");
+    return;
+  }
+
   adapter_->UpdateSession(
-      session_id_, std::vector<uint8>(response, response + response_length),
+      session_id_, sanitized_response,
       scoped_ptr<SimpleCdmPromise>(new CdmResultPromise<>(
           result, adapter_->GetKeySystemUMAPrefix() + kUpdateSessionUMAName)));
 }
 
 void WebContentDecryptionModuleSessionImpl::close(
     blink::WebContentDecryptionModuleResult result) {
   DCHECK(!session_id_.empty());
   adapter_->CloseSession(
       session_id_,
       scoped_ptr<SimpleCdmPromise>(new CdmResultPromise<>(
@@ skipping 55 matching lines @@
     return blink::WebContentDecryptionModuleResult::SessionNotFound;
 
   DCHECK(session_id_.empty()) << "Session ID may not be changed once set.";
   session_id_ = session_id;
   return adapter_->RegisterSession(session_id_, weak_ptr_factory_.GetWeakPtr())
              ? blink::WebContentDecryptionModuleResult::NewSession
              : blink::WebContentDecryptionModuleResult::SessionAlreadyExists;
 }
 
 }  // namespace media