bluetooth: Add Web Bluetooth blacklist checks to requestDevice.

content/browser/bluetooth/bluetooth_dispatcher_host.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // ID Not In Map Note:
 // A service, characteristic, or descriptor ID not in the corresponding
 // BluetoothDispatcherHost map [service_to_device_, characteristic_to_service_,
 // descriptor_to_characteristic_] implies a hostile renderer because a renderer
 // obtains the corresponding ID from this class and it will be added to the map
 // at that time.
 
 #include "content/browser/bluetooth/bluetooth_dispatcher_host.h"
 
 #include <stddef.h>
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/thread_task_runner_handle.h"
 #include "content/browser/bad_message.h"
+#include "content/browser/bluetooth/bluetooth_blacklist.h"
 #include "content/browser/bluetooth/bluetooth_metrics.h"
 #include "content/browser/bluetooth/first_device_bluetooth_chooser.h"
 #include "content/browser/frame_host/render_frame_host_impl.h"
 #include "content/common/bluetooth/bluetooth_messages.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_delegate.h"
 #include "device/bluetooth/bluetooth_adapter.h"
 #include "device/bluetooth/bluetooth_adapter_factory.h"
 #include "device/bluetooth/bluetooth_device.h"
 #include "device/bluetooth/bluetooth_discovery_session.h"
@@ skipping 952 matching lines @@
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
   set_adapter(adapter);
   continuation.Run();
 }
 
 void BluetoothDispatcherHost::OnRequestDeviceImpl(
     int thread_id,
     int request_id,
     int frame_routing_id,
     const std::vector<BluetoothScanFilter>& filters,
+    // Use local optional_services_blacklist_filtered in this method.

[ortuno, 2016/02/12 16:41:47]

Unsure what this comment means or why it's in the middle of the method's
parameters. I think you forgot to delete it?

[scheib, 2016/02/12 18:25:32]

See if this new approach is clearer.

     const std::vector<BluetoothUUID>& optional_services) {
   DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
   RecordWebBluetoothFunctionCall(UMAWebBluetoothFunction::REQUEST_DEVICE);
   RecordRequestDeviceArguments(filters, optional_services);
 
   VLOG(1) << "requestDevice called with the following filters: ";
   for (const BluetoothScanFilter& filter : filters) {
     VLOG(1) << "Name: " << filter.name;
     VLOG(1) << "Name Prefix: " << filter.namePrefix;
     VLOG(1) << "Services:";
     VLOG(1) << "\t[";
     for (const BluetoothUUID& service : filter.services)
       VLOG(1) << "\t\t" << service.value();
     VLOG(1) << "\t]";
   }
 
   VLOG(1) << "requestDevice called with the following optional services: ";
   for (const BluetoothUUID& service : optional_services)
     VLOG(1) << "\t" << service.value();
 
+  // Check blacklist to reject invalid filters and adjust optional_services.
+  if (BluetoothBlacklist::Get().IsExcluded(filters)) {
+    Send(new BluetoothMsg_RequestDeviceError(

[ortuno, 2016/02/12 16:41:47]

You need to record the outcome with RecordRequestDeviceOutcome.

[scheib, 2016/02/12 18:25:32]

Done.

+        thread_id, request_id,
+        WebBluetoothError::RequestDeviceWithBlacklistedUUID));
+    return;
+  }
+  std::vector<BluetoothUUID> optional_services_blacklist_filtered(
+      optional_services);
+  BluetoothBlacklist::Get().RemoveExcludedUuids(

[ortuno, 2016/02/12 16:41:47]

Didn't know LazyInstance::Get() returned a reference; I thought we usually
returned pointers.

[scheib, 2016/02/12 18:25:32]

One benefit of lazyinstance is that it reserves storage space at link time,
instead of allocating on the heap. By creating the object, not just a pointer to
one that is allocated later, we save a one more heap fragmenting permanent
allocation.

+      &optional_services_blacklist_filtered);
+
   RenderFrameHostImpl* render_frame_host =
       RenderFrameHostImpl::FromID(render_process_id_, frame_routing_id);
 
   if (!render_frame_host) {
     DLOG(WARNING)
         << "Got a requestDevice IPC without a matching RenderFrameHost: "
         << render_process_id_ << ", " << frame_routing_id;
     RecordRequestDeviceOutcome(UMARequestDeviceOutcome::NO_RENDER_FRAME);
     Send(new BluetoothMsg_RequestDeviceError(
         thread_id, request_id, WebBluetoothError::RequestDeviceWithoutFrame));
@@ skipping 23 matching lines @@
   if (HasEmptyOrInvalidFilter(filters)) {
     bad_message::ReceivedBadMessage(this,
                                     bad_message::BDH_EMPTY_OR_INVALID_FILTERS);
     return;
   }
 
   // Create storage for the information that backs the chooser, and show the
   // chooser.
   RequestDeviceSession* const session = new RequestDeviceSession(
       thread_id, request_id, render_frame_host->GetLastCommittedOrigin(),
-      filters, optional_services);
+      filters, optional_services_blacklist_filtered);
   int chooser_id = request_device_sessions_.Add(session);
 
   BluetoothChooser::EventHandler chooser_event_handler =
       base::Bind(&BluetoothDispatcherHost::OnBluetoothChooserEvent,
                  weak_ptr_on_ui_thread_, chooser_id);
   if (WebContents* web_contents =
           WebContents::FromRenderFrameHost(render_frame_host)) {
     if (WebContentsDelegate* delegate = web_contents->GetDelegate()) {
       session->chooser = delegate->RunBluetoothChooser(
           web_contents, chooser_event_handler,
@@ skipping 436 matching lines @@
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   NOTIMPLEMENTED();
 }
 
 void BluetoothDispatcherHost::ShowNeedLocationLink() {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   NOTIMPLEMENTED();
 }
 
 }  // namespace content