Correctly test for canonicalized path in the CreateNamedPipe policy engine.

sandbox/win/src/named_pipe_dispatcher.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "sandbox/win/src/named_pipe_dispatcher.h"
 
 #include "base/basictypes.h"
+#include "base/strings/string_split.h"
 
 #include "sandbox/win/src/crosscall_client.h"
 #include "sandbox/win/src/interception.h"
 #include "sandbox/win/src/interceptors.h"
 #include "sandbox/win/src/ipc_tags.h"
 #include "sandbox/win/src/named_pipe_interception.h"
 #include "sandbox/win/src/named_pipe_policy.h"
 #include "sandbox/win/src/policy_broker.h"
 #include "sandbox/win/src/policy_params.h"
 #include "sandbox/win/src/sandbox.h"
@@ skipping 18 matching lines @@
     return INTERCEPT_EAT(manager, kKerneldllName, CreateNamedPipeW,
                          CREATE_NAMED_PIPE_ID, 36);
 
   return false;
 }
 
 bool NamedPipeDispatcher::CreateNamedPipe(
     IPCInfo* ipc, base::string16* name, DWORD open_mode, DWORD pipe_mode,
     DWORD max_instances, DWORD out_buffer_size, DWORD in_buffer_size,
     DWORD default_timeout) {
+  ipc->return_info.win32_result = ERROR_ACCESS_DENIED;
+  ipc->return_info.handle = INVALID_HANDLE_VALUE;

[jschuh, 2014/01/27 20:29:47]

Never put INVALID_HANDLE_VALUE in anything that may be passed cross-process (due
to the own-process pseudo-handle being the same as INVALID_HANDLE_VALUE).

[Will Harris, 2014/01/27 23:47:18]

Done.

+
+  std::vector<base::string16> paths;
+  base::SplitString(*name, '\\', &paths);
+
+  for (std::vector<base::string16>::const_iterator iter = paths.begin();
+       iter != paths.end(); ++iter) {
+    if (*iter == L"..")
+      return true;
+  }
+
+  // Windows happily accepts / as well as \ once into the pipe namespace, so we
+  // check for this as well.
+  base::SplitString(*name, '/', &paths);
+
+  for (std::vector<base::string16>::const_iterator iter = paths.begin();

[jschuh, 2014/01/27 20:29:47]

Don't you want to nest this inside the above loop, and split the substrings to
catch cases like "\../"?

[Will Harris, 2014/01/27 23:47:18]

Done.

+       iter != paths.end(); ++iter) {
+    if (*iter == L"..")
+      return true;
+  }
+
   const wchar_t* pipe_name = name->c_str();
   CountedParameterSet<NameBased> params;
   params[NameBased::NAME] = ParamPickerMake(pipe_name);
 
   EvalResult eval = policy_base_->EvalPolicy(IPC_CREATENAMEDPIPEW_TAG,
                                              params.GetBase());
 
+  // "For file I/O, the "\\?\" prefix to a path string tells the Windows APIs to
+  // disable all string parsing and to send the string that follows it straight
+  // to the file system."
+  // http://msdn.microsoft.com/en-us/library/aa365247(VS.85).aspx
+  // This ensures even if there is a path traversal in the pipe name, and it is
+  // able to get past the checks above, it will still not be allowed to escape
+  // our whitelisted namespace.
+  if (name->compare(0, 4, L"\\\\.\\") == 0)
+    name->replace(0, 4, L"\\\\\?\\");
+
   HANDLE pipe;
   DWORD ret = NamedPipePolicy::CreateNamedPipeAction(eval, *ipc->client_info,
                                                      *name, open_mode,
                                                      pipe_mode, max_instances,
                                                      out_buffer_size,
                                                      in_buffer_size,
                                                      default_timeout, &pipe);
 
   ipc->return_info.win32_result = ret;
   ipc->return_info.handle = pipe;
   return true;
 }
 
 }  // namespace sandbox