Validate the Origin HTTP header in the browser process.

content/browser/security_exploit_browsertest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/containers/hash_tables.h"
 #include "base/strings/utf_string_conversions.h"
 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
 #include "content/browser/frame_host/navigator.h"
+#include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/browser/renderer_host/render_view_host_factory.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/common/frame_messages.h"
+#include "content/common/resource_messages.h"
 #include "content/common/view_messages.h"
 #include "content/public/browser/browser_context.h"
+#include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/interstitial_page.h"
 #include "content/public/browser/interstitial_page_delegate.h"
 #include "content/public/browser/storage_partition.h"
+#include "content/public/common/appcache_info.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/file_chooser_params.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
 #include "content/public/test/test_utils.h"
 #include "content/shell/browser/shell.h"
+#include "content/test/test_content_browser_client.h"
 #include "ipc/ipc_security_test_util.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 
 using IPC::IpcSecurityTestUtil;
 
 namespace content {
 
 namespace {
 
@@ skipping 47 matching lines @@
     next_rfh = wc->GetRenderManagerForTesting()->pending_frame_host();
   }
 
   EXPECT_TRUE(next_rfh);
   EXPECT_NE(shell->web_contents()->GetRenderProcessHost()->GetID(),
             next_rfh->GetProcess()->GetID());
 
   return next_rfh->render_view_host();
 }
 
+ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
+  ResourceHostMsg_Request request;
+  request.method = "GET";
+  request.url = GURL("http://bar.com/simple_page.html");
+  request.first_party_for_cookies = GURL(origin);
+  request.referrer_policy = blink::WebReferrerPolicyDefault;
+  request.headers = base::StringPrintf("Origin: %s\r\n", origin);
+  request.load_flags = 0;
+  request.origin_pid = 0;
+  request.resource_type = RESOURCE_TYPE_XHR;
+  request.request_context = 0;
+  request.appcache_host_id = kAppCacheNoHostId;
+  request.download_to_file = false;
+  request.should_reset_appcache = false;
+  request.is_main_frame = true;
+  request.parent_is_main_frame = false;
+  request.parent_render_frame_id = -1;

[nasko, 2015/08/14 22:14:43]

MSG_ROUTING_NONE?

[Charlie Reis, 2015/08/14 23:23:32]

The docs say to use -1:
https://code.google.com/p/chromium/codesearch#chromium/src/content/common/res...
(I got this from resource_dispatcher_host_unittest.cc.)

[nasko, 2015/08/14 23:36:41]

Acknowledged.

+  request.transition_type = ui::PAGE_TRANSITION_LINK;
+  request.allow_download = true;
+  return request;
+}
+
 }  // namespace
 
 
 // The goal of these tests will be to "simulate" exploited renderer processes,
 // which can send arbitrary IPC messages and confuse browser process internal
 // state, leading to security bugs. We are trying to verify that the browser
 // doesn't perform any dangerous operations in such cases.
 class SecurityExploitBrowserTest : public ContentBrowserTest {
  public:
   SecurityExploitBrowserTest() {}
@@ skipping 17 matching lines @@
   // cause renderer to be killed.
   void TestFileChooserWithPath(const base::FilePath& path);
 };
 
 void SecurityExploitBrowserTest::TestFileChooserWithPath(
     const base::FilePath& path) {
   GURL foo("http://foo.com/simple_page.html");
   NavigateToURL(shell(), foo);
   EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
 
-  content::RenderViewHost* compromised_renderer =
+  RenderViewHost* compromised_renderer =
       shell()->web_contents()->GetRenderViewHost();
-  content::RenderProcessHostWatcher terminated(
+  RenderProcessHostWatcher terminated(
       shell()->web_contents(),
-      content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+      RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
 
   FileChooserParams params;
   params.default_file_name = path;
 
   ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
 
   IpcSecurityTestUtil::PwnMessageReceived(
       compromised_renderer->GetProcess()->GetChannel(), evil);
   terminated.Wait();
 }
 
 // Ensure that we kill the renderer process if we try to give it WebUI
 // properties and it doesn't have enabled WebUI bindings.
 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
   GURL foo("http://foo.com/simple_page.html");
 
   NavigateToURL(shell(), foo);
   EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
   EXPECT_EQ(0,
       shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
 
-  content::RenderProcessHostWatcher terminated(
+  RenderProcessHostWatcher terminated(
       shell()->web_contents(),
-      content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+      RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
   shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
       "toolkit", "views");
   terminated.Wait();
 }
 
 // This is a test for crbug.com/312016 attempting to create duplicate
 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
 // it in a state with pending RenderViewHost. Before the commit of the new
 // pending RenderViewHost, this test case creates a new window through the new
 // process.
@@ skipping 104 matching lines @@
   NavigateToURL(shell(), foo);
   EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
 
   DOMMessageQueue message_queue;
 
   // Install and show an interstitial page.
   SecurityExploitTestInterstitialPage* interstitial =
       new SecurityExploitTestInterstitialPage(shell()->web_contents());
 
   ASSERT_EQ("", interstitial->last_command());
-  content::WaitForInterstitialAttach(shell()->web_contents());
+  WaitForInterstitialAttach(shell()->web_contents());
 
   InterstitialPage* interstitial_page =
       shell()->web_contents()->GetInterstitialPage();
   ASSERT_TRUE(interstitial_page != NULL);
   ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
   ASSERT_TRUE(interstitial_page->GetDelegateForTesting() == interstitial);
 
   // The interstitial page ought to be able to send a message.
   std::string message;
   ASSERT_TRUE(message_queue.WaitForMessage(&message));
   ASSERT_EQ("\"okay\"", message);
   ASSERT_EQ("\"okay\"", interstitial->last_command());
 
   // Send an automation message from the underlying content and wait for it to
   // be dispatched on this thread. This message should not be received by the
   // interstitial.
-  content::RenderFrameHost* compromised_renderer =
+  RenderFrameHost* compromised_renderer =
       shell()->web_contents()->GetMainFrame();
   FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(),
                                          "evil", MSG_ROUTING_NONE);
   IpcSecurityTestUtil::PwnMessageReceived(
       compromised_renderer->GetProcess()->GetChannel(), evil);
 
   ASSERT_TRUE(message_queue.WaitForMessage(&message));
   ASSERT_EQ("evil", message)
       << "Automation message should be received by WebContents.";
   ASSERT_EQ("\"okay\"", interstitial->last_command())
       << "Interstitial should not be affected.";
 
   // Send a second message from the interstitial page, and make sure that the
   // "evil" message doesn't arrive in the intervening period.
-  ASSERT_TRUE(content::ExecuteScript(
-      interstitial_page->GetMainFrame(),
-      "window.domAutomationController.send(\"okay2\");"));
+  ASSERT_TRUE(ExecuteScript(interstitial_page->GetMainFrame(),
+                            "window.domAutomationController.send(\"okay2\");"));
   ASSERT_TRUE(message_queue.WaitForMessage(&message));
   ASSERT_EQ("\"okay2\"", message);
   ASSERT_EQ("\"okay2\"", interstitial->last_command());
 }
 
+class IsolatedAppContentBrowserClient : public TestContentBrowserClient {
+ public:
+  bool IsIllegalOrigin(content::ResourceContext* resource_context,

[Charlie Reis, 2015/08/14 20:25:59]

I wanted to test this in chrome/ with an actual app, but we aren't able to
create a ResourceHostMsg_Request IPC message outside content/.  Instead, I'm
simulating the embedder having an app system here.

+                       int child_process_id,
+                       const GURL& origin) override {
+    // Simulate a case where an app origin is not in an app process.
+    return true;
+  }
+};
+
+// Renderer processes should not be able to spoof Origin HTTP headers.
+IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
+  // Create a set of IPC messages with various Origin headers.
+  ResourceHostMsg_Request chrome_origin_msg(
+      CreateXHRRequestWithOrigin("chrome://settings"));
+  ResourceHostMsg_Request embedder_isolated_origin_msg(
+      CreateXHRRequestWithOrigin("https://isolated.bar.com"));
+  ResourceHostMsg_Request invalid_origin_msg(
+      CreateXHRRequestWithOrigin("invalidurl"));
+  ResourceHostMsg_Request invalid_scheme_origin_msg(
+      CreateXHRRequestWithOrigin("fake-scheme://foo"));
+

[nasko, 2015/08/14 22:14:43]

Shouldn't a test case exist for chrome-extension:// Origin header?

[Charlie Reis, 2015/08/14 23:23:32]

Sadly I can't, since chrome-extension:// doesn't exist in content/ and this IPC
message can't be created outside content.  :(  See my CL comment above about
simulating it with the embedder_isolated_origin_msg.

[nasko, 2015/08/14 23:36:41]

Might be useful to put that/similar comment in the test itself, so it is clear
why it isn't tested.

I also wonder if it is possible to just manufacture an IPC message that is
identical to ResourceHostMsg_RequestResource in the
chrome_security_exploit_browsertest.cc, but that will probably be more complex
and need to keep things in sync, so probably not worth doing. 

[Charlie Reis, 2015/08/17 18:32:21]

Done.
Yeah, Nick and I had a long chat about this.  You could imagine exposing a
public test utility to manufacture certain IPCs outside content/, but that
wouldn't scale very well if we end up needing it for lots of IPCs.

+  GURL web_url("http://foo.com/simple_page.html");
+  NavigateToURL(shell(), web_url);
+  RenderFrameHost* web_rfh = shell()->web_contents()->GetMainFrame();
+
+  // Web processes cannot make XHRs with chrome:// Origin headers.
+  {
+    RenderProcessHostWatcher web_process_killed(
+        web_rfh->GetProcess(),
+        RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+    IPC::IpcSecurityTestUtil::PwnMessageReceived(
+        web_rfh->GetProcess()->GetChannel(),
+        ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+                                        chrome_origin_msg));
+    web_process_killed.Wait();
+  }
+
+  // Web processes cannot make XHRs with URLs that the content embedder expects
+  // to have process isolation.
+  NavigateToURL(shell(), web_url);
+  {
+    // Set up a ContentBrowserClient that simulates an app URL in a non-app
+    // process.
+    IsolatedAppContentBrowserClient app_client;
+    ContentBrowserClient* old_client = SetBrowserClientForTesting(&app_client);
+    RenderProcessHostWatcher web_process_killed(
+        web_rfh->GetProcess(),
+        RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+    IPC::IpcSecurityTestUtil::PwnMessageReceived(
+        web_rfh->GetProcess()->GetChannel(),
+        ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+                                        embedder_isolated_origin_msg));
+    web_process_killed.Wait();
+    SetBrowserClientForTesting(old_client);
+  }
+
+  // Web processes cannot make XHRs with invalid Origin headers.
+  NavigateToURL(shell(), web_url);
+  {
+    RenderProcessHostWatcher web_process_killed(
+        web_rfh->GetProcess(),
+        RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+    IPC::IpcSecurityTestUtil::PwnMessageReceived(
+        web_rfh->GetProcess()->GetChannel(),
+        ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+                                        invalid_origin_msg));
+    web_process_killed.Wait();
+  }
+
+  // Web processes cannot make XHRs with invalid scheme Origin headers.
+  NavigateToURL(shell(), web_url);
+  {
+    RenderProcessHostWatcher web_process_killed(
+        web_rfh->GetProcess(),
+        RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+    IPC::IpcSecurityTestUtil::PwnMessageReceived(
+        web_rfh->GetProcess()->GetChannel(),
+        ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
+                                        invalid_scheme_origin_msg));
+    web_process_killed.Wait();
+  }
+}
+
 }  // namespace content