[SafeBrowsing] Block dangerous unchecked downloads based on a Finch trial.

chrome/browser/file_select_helper.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/file_select_helper.h"
 
 #include <string>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 14 matching lines @@
 #include "content/public/browser/notification_details.h"
 #include "content/public/browser/notification_source.h"
 #include "content/public/browser/notification_types.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/render_widget_host.h"
 #include "content/public/browser/render_widget_host_view.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/file_chooser_file_info.h"
 #include "content/public/common/file_chooser_params.h"
+#include "net/base/filename_util.h"
 #include "net/base/mime_util.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/shell_dialogs/selected_file_info.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/file_manager/fileapi_util.h"
 #include "content/public/browser/site_instance.h"
 #endif
 
+#if defined(FULL_SAFE_BROWSING)
+#include "chrome/browser/safe_browsing/unverified_download_policy.h"
+#endif
+
 using content::BrowserThread;
 using content::FileChooserParams;
 using content::RenderViewHost;
 using content::RenderWidgetHost;
 using content::WebContents;
 
 namespace {
 
 // There is only one file-selection happening at any given time,
 // so we allocate an enumeration ID for that purpose.  All IDs from
@@ skipping 373 matching lines @@
   select_file_types_ = GetFileTypesFromAcceptType(params.accept_types);
   select_file_types_->support_drive = !params.need_local_path;
 
   BrowserThread::PostTask(
       BrowserThread::UI, FROM_HERE,
       base::Bind(&FileSelectHelper::RunFileChooserOnUIThread, this, params));
 }
 
 void FileSelectHelper::RunFileChooserOnUIThread(
     const FileChooserParams& params) {
+  DCHECK_IMPLIES(!params.default_file_name.empty(),

[sky, 2015/10/21 22:46:19]

Please don't use DCHECK_IMPLIES. Yes, it is in base/logging, but it hurts
readability. I hadn't a clue what it means, which likely goes for most of the
team. Worse yet, looking at the definition I have to map it to:

DCHECK_IMPLIES(!!params.default_file_name.empty()

If you had instead used:

DCHECK(params.default_file_name.empty() || ...)

I would immediately understand what you're checking.

[asanka, 2015/10/22 21:55:12]

Done :), and point taken.

+                 params.mode == FileChooserParams::Save)
+      << "The default_file_name parameter should only be specified for Save "
+         "file choosers";
+  DCHECK(params.default_file_name == params.default_file_name.BaseName())
+      << "The default_file_name parameter should not contain path separators";
+
   if (!render_view_host_ || !web_contents_ || !IsValidProfile(profile_)) {
     // If the renderer was destroyed before we started, just cancel the
     // operation.
     RunFileChooserEnd();
     return;
   }
 
+  // The parameters contain potentially unsafe filenames provided by the

[sky, 2015/10/21 22:46:20]

I think you should move this to a standalone function that is easy to test
without having to go through a browser test.

[asanka, 2015/10/22 21:55:12]

Done and added a test to FileSelectHelpTest unit test to verify the aspects of
sanitization that's relevant to this class. However, I left one browser_test in
place that has an invalid filename because I wanted something to verify that the
sanitization method is called appropriately.

+  // renderer. They should be sanitized before being used in a file selection
+  // dialog. Also, the subsequent file type blocking checks rely on the file
+  // extension being valid and significant (e.g. no trailing periods on OS_WIN
+  // which disappear once the file is written).
+  base::FilePath default_file_name = net::GenerateFileName(
+      GURL(), std::string(), std::string(),
+      params.default_file_name.AsUTF8Unsafe(), std::string(), std::string());
+  base::FilePath default_file_path =
+      profile_->last_selected_directory().Append(default_file_name);
+
+#if defined(FULL_SAFE_BROWSING)
+  if (params.mode == FileChooserParams::Save &&
+      !safe_browsing::IsUnverifiedDownloadAllowed(
+          default_file_path)) {
+    NotifyRenderViewHostAndEnd(std::vector<ui::SelectedFileInfo>());
+    return;
+  }
+#endif
+
   select_file_dialog_ = ui::SelectFileDialog::Create(
       this, new ChromeSelectFilePolicy(web_contents_));
   if (!select_file_dialog_.get())
     return;
 
   dialog_mode_ = params.mode;
   switch (params.mode) {
     case FileChooserParams::Open:
       dialog_type_ = ui::SelectFileDialog::SELECT_OPEN_FILE;
       break;
     case FileChooserParams::OpenMultiple:
       dialog_type_ = ui::SelectFileDialog::SELECT_OPEN_MULTI_FILE;
       break;
     case FileChooserParams::UploadFolder:
       dialog_type_ = ui::SelectFileDialog::SELECT_UPLOAD_FOLDER;
       break;
     case FileChooserParams::Save:
       dialog_type_ = ui::SelectFileDialog::SELECT_SAVEAS_FILE;
       break;
     default:
       // Prevent warning.
       dialog_type_ = ui::SelectFileDialog::SELECT_OPEN_FILE;
       NOTREACHED();
   }
 
-  base::FilePath default_file_name = params.default_file_name.IsAbsolute() ?
-      params.default_file_name :
-      profile_->last_selected_directory().Append(params.default_file_name);
-
   gfx::NativeWindow owning_window = platform_util::GetTopLevel(
       render_view_host_->GetWidget()->GetView()->GetNativeView());
 
 #if defined(OS_ANDROID)
   // Android needs the original MIME types and an additional capture value.
   std::pair<std::vector<base::string16>, bool> accept_types =
       std::make_pair(params.accept_types, params.capture);
 #endif
 
   select_file_dialog_->SelectFile(
-      dialog_type_,
-      params.title,
-      default_file_name,
-      select_file_types_.get(),
+      dialog_type_, params.title, default_file_path, select_file_types_.get(),
       select_file_types_.get() && !select_file_types_->extensions.empty()
           ? 1
           : 0,  // 1-based index of default extension to show.
       base::FilePath::StringType(),
       owning_window,
 #if defined(OS_ANDROID)
       &accept_types);
 #else
       NULL);
 #endif
@@ skipping 68 matching lines @@
   // of an extension or a "/" in the case of a MIME type).
   std::string unused;
   if (accept_type.length() <= 1 ||
       base::ToLowerASCII(accept_type) != accept_type ||
       base::TrimWhitespaceASCII(accept_type, base::TRIM_ALL, &unused) !=
           base::TRIM_NONE) {
     return false;
   }
   return true;
 }