Support new Safe Browsing list "goog-badresource-shavar" in SafeBrowsingDatabase.

chrome/browser/safe_browsing/local_database_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/safe_browsing/local_database_manager.h"
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 77 matching lines @@
           // |full_hashes| should never contain INVALID as a |list_id|.
           NOTREACHED();
           break;
         case MALWARE:                  // Falls through.
         case PHISH:                    // Falls through.
         case BINURL:                   // Falls through.
         case CSDWHITELIST:             // Falls through.
         case DOWNLOADWHITELIST:        // Falls through.
         case INCLUSIONWHITELIST:       // Falls through.
         case EXTENSIONBLACKLIST:       // Falls through.
         case IPBLACKLIST:

[Nathan Parker, 2016/02/16 21:42:00]

Now that there are three levels, how about turning this into generalized ranking
code? The switch could set "cur_rank_level" to 1, 2,or 3.  Then if
cur_rank_level > highest_rank_level, save the index and threat.

[veranika, 2016/02/17 15:37:53]

Done, but in my code smaller numbers correspond to more severe threats. I did
that to be able to return immediately once the severest list is encountered.

           if (index)
             *index = i;
           return threat;
         case UNWANTEDURL:
           // UNWANTEDURL is considered less severe than other threats, keep
           // looking.
           pending_threat = threat;
           if (index)
             *index = i;
           break;
+        case RESOURCEBLACKLIST:
+          // RESOURCEBLACKLIST is even less severe than UNWANTEDURL.
+          if (pending_threat == INVALID) {
+            pending_threat = threat;
+            if (index)
+              *index = i;
+          }
+          break;
       }
     }
   }
   return pending_threat;
 }
 
 // Given a URL, compare all the possible host + path full hashes to the set of
 // provided full hashes.  Returns the list id of the severest matching result
 // from |full_hashes|, or INVALID if none match.
 ListType GetUrlSeverestThreatListType(
@@ skipping 15 matching lines @@
         // Ignore patterns with no matching threat.
         break;
       case MALWARE:                  // Falls through.
       case PHISH:                    // Falls through.
       case BINURL:                   // Falls through.
       case CSDWHITELIST:             // Falls through.
       case DOWNLOADWHITELIST:        // Falls through.
       case INCLUSIONWHITELIST:       // Falls through.
       case EXTENSIONBLACKLIST:       // Falls through.
       case IPBLACKLIST:
         return threat;

[Nathan Parker, 2016/02/16 21:42:00]

Same comment as above.

[veranika, 2016/02/17 15:37:53]

Done.

       case UNWANTEDURL:
         // UNWANTEDURL is considered less severe than other threats, keep
         // looking.
         pending_threat = threat;
         break;
+      case RESOURCEBLACKLIST:
+        // RESOURCEBLACKLIST is even less severe than UNWANTEDURL.
+        if (pending_threat == INVALID) {
+          pending_threat = threat;
+        }
+        break;
     }
   }
   return pending_threat;
 }
 
 SBThreatType GetThreatTypeFromListType(ListType list_type) {
   switch (list_type) {
     case PHISH:
       return SB_THREAT_TYPE_URL_PHISHING;
     case MALWARE:
       return SB_THREAT_TYPE_URL_MALWARE;
     case UNWANTEDURL:
       return SB_THREAT_TYPE_URL_UNWANTED;
     case BINURL:
       return SB_THREAT_TYPE_BINARY_MALWARE_URL;
     case EXTENSIONBLACKLIST:
       return SB_THREAT_TYPE_EXTENSION;
+    case RESOURCEBLACKLIST:
+      return SB_THREAT_TYPE_BLACKLISTED_RESOURCE;
     default:
       DVLOG(1) << "Unknown safe browsing list id " << list_type;
       return SB_THREAT_TYPE_SAFE;
   }
 }
 
 }  // namespace
 
 // static
 SBThreatType LocalSafeBrowsingDatabaseManager::GetHashSeverestThreatType(
@@ skipping 14 matching lines @@
 
 LocalSafeBrowsingDatabaseManager::SafeBrowsingCheck::SafeBrowsingCheck(
     const std::vector<GURL>& urls,
     const std::vector<SBFullHash>& full_hashes,
     Client* client,
     ListType check_type,
     const std::vector<SBThreatType>& expected_threats)
     : urls(urls),
       url_results(urls.size(), SB_THREAT_TYPE_SAFE),
       url_metadata(urls.size()),
+      url_hit_hash(urls.size()),
       full_hashes(full_hashes),
       full_hash_results(full_hashes.size(), SB_THREAT_TYPE_SAFE),
       client(client),
       need_get_hash(false),
       check_type(check_type),
       expected_threats(expected_threats) {
   DCHECK_EQ(urls.empty(), !full_hashes.empty())
       << "Exactly one of urls and full_hashes must be set";
 }
 
@@ skipping 15 matching lines @@
       case UNWANTEDURL:
         DCHECK_EQ(1u, urls.size());
         client->OnCheckBrowseUrlResult(urls[0], url_results[0],
                                        url_metadata[0]);
         break;
       case BINURL:
         DCHECK_EQ(urls.size(), url_results.size());
         client->OnCheckDownloadUrlResult(
             urls, *std::max_element(url_results.begin(), url_results.end()));
         break;
+      case RESOURCEBLACKLIST:
+        DCHECK_EQ(1u, urls.size());
+        client->OnCheckResourceUrlResult(urls[0], url_results[0],
+                                         url_hit_hash[0]);
+        break;
       default:
         NOTREACHED();
     }
   } else if (!full_hashes.empty()) {
     switch (check_type) {
       case EXTENSIONBLACKLIST: {
         std::set<std::string> unsafe_extension_ids;
         for (size_t i = 0; i < full_hashes.size(); ++i) {
           std::string extension_id =
               SBFullHashToString(full_hashes[i]);
@@ skipping 15 matching lines @@
     const scoped_refptr<SafeBrowsingService>& service)
     : sb_service_(service),
       database_(NULL),
       enabled_(false),
       enable_download_protection_(false),
       enable_csd_whitelist_(false),
       enable_download_whitelist_(false),
       enable_extension_blacklist_(false),
       enable_ip_blacklist_(false),
       enable_unwanted_software_blacklist_(true),
+      enable_resource_blacklist_(true),
       update_in_progress_(false),
       database_update_in_progress_(false),
       closing_database_(false),
       check_timeout_(base::TimeDelta::FromMilliseconds(kCheckTimeoutMs)) {
   DCHECK_CURRENTLY_ON(BrowserThread::UI);
   DCHECK(sb_service_.get() != NULL);
 
   base::CommandLine* cmdline = base::CommandLine::ForCurrentProcess();
   enable_download_protection_ =
       !cmdline->HasSwitch(switches::kSbDisableDownloadProtection);
@@ skipping 98 matching lines @@
       client,
       EXTENSIONBLACKLIST,
       std::vector<SBThreatType>(1, SB_THREAT_TYPE_EXTENSION));
   StartSafeBrowsingCheck(
       check,
       base::Bind(&LocalSafeBrowsingDatabaseManager::CheckExtensionIDsOnSBThread,
                  this, prefixes));
   return false;
 }
 
+bool LocalSafeBrowsingDatabaseManager::CheckResourceUrl(
+    const GURL& url, Client* client) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  if (!enabled_ || !enable_resource_blacklist_ || !CanCheckUrl(url))
+    return true;

[Nathan Parker, 2016/02/16 21:42:00]

Do you need to check that the DB is available, like is done in CheckBrowseUrl?  

[veranika, 2016/02/17 15:37:54]

Done.

+
+  SafeBrowsingCheck* check =
+      new SafeBrowsingCheck({url}, std::vector<SBFullHash>(), client,
+                            RESOURCEBLACKLIST,
+                            {SB_THREAT_TYPE_BLACKLISTED_RESOURCE});
+  std::vector<SBPrefix> prefixes;
+  SafeBrowsingDatabase::GetDownloadUrlPrefixes(check->urls, &prefixes);
+  StartSafeBrowsingCheck(
+      check,
+      base::Bind(&LocalSafeBrowsingDatabaseManager::CheckResourceUrlOnSBThread,
+                 this, prefixes));
+  return false;
+}
+
 bool LocalSafeBrowsingDatabaseManager::MatchMalwareIP(
     const std::string& ip_address) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   if (!enabled_ || !enable_ip_blacklist_ || !MakeDatabaseAvailable()) {
     return false;  // Fail open.
   }
   return database_->ContainsMalwareIP(ip_address);
 }
 
 bool LocalSafeBrowsingDatabaseManager::MatchCsdWhitelistUrl(const GURL& url) {
@@ skipping 374 matching lines @@
   DCHECK(safe_browsing_task_runner_->RunsTasksOnCurrentThread());
 
   if (database_)
     return database_;
 
   const base::TimeTicks before = base::TimeTicks::Now();
   SafeBrowsingDatabase* database = SafeBrowsingDatabase::Create(
       safe_browsing_task_runner_, enable_download_protection_,
       enable_csd_whitelist_, enable_download_whitelist_,
       enable_extension_blacklist_, enable_ip_blacklist_,
-      enable_unwanted_software_blacklist_);
+      enable_unwanted_software_blacklist_,
+      enable_resource_blacklist_);
 
   database->Init(SafeBrowsingService::GetBaseFilename());
   {
     // Acquiring the lock here guarantees correct ordering between the writes to
     // the new database object above, and the setting of |database_| below.
     base::AutoLock lock(database_lock_);
     database_ = database;
   }
 
   BrowserThread::PostTask(
@@ skipping 297 matching lines @@
   }
 
   for (size_t i = 0; i < check->urls.size(); ++i) {
     size_t threat_index;
     SBThreatType threat = GetUrlSeverestThreatType(check->urls[i],
                                                    expected_full_hashes,
                                                    &threat_index);
     if (threat != SB_THREAT_TYPE_SAFE) {
       check->url_results[i] = threat;
       check->url_metadata[i] = expected_full_hashes[threat_index].metadata;
+      const SBFullHash& hash = expected_full_hashes[threat_index].hash;
+      check->url_hit_hash[i] = std::string(hash.full_hash,
+                                           arraysize(hash.full_hash));
       is_threat = true;
     }
   }
 
   for (size_t i = 0; i < check->full_hashes.size(); ++i) {
     SBThreatType threat =
         GetHashSeverestThreatType(check->full_hashes[i], expected_full_hashes);
     if (threat != SB_THREAT_TYPE_SAFE) {
       check->full_hash_results[i] = threat;
       is_threat = true;
@@ skipping 37 matching lines @@
     const std::vector<SBPrefix>& prefixes) {
   DCHECK(safe_browsing_task_runner_->RunsTasksOnCurrentThread());
 
   std::vector<SBPrefix> prefix_hits;
   const bool result =
       database_->ContainsExtensionPrefixes(prefixes, &prefix_hits);
   DCHECK_EQ(result, !prefix_hits.empty());
   return prefix_hits;
 }
 
+std::vector<SBPrefix>
+LocalSafeBrowsingDatabaseManager::CheckResourceUrlOnSBThread(
+    const std::vector<SBPrefix>& prefixes) {
+  DCHECK(safe_browsing_task_runner_->RunsTasksOnCurrentThread());
+
+  std::vector<SBPrefix> prefix_hits;
+  const bool result =
+      database_->ContainsResourceUrlPrefixes(prefixes, &prefix_hits);
+  DCHECK_EQ(result, !prefix_hits.empty());
+  return prefix_hits;
+}
+
 void LocalSafeBrowsingDatabaseManager::TimeoutCallback(
     SafeBrowsingCheck* check) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
   DCHECK(check);
 
   if (!enabled_)
     return;
 
   DCHECK(checks_.find(check) != checks_.end());
   if (check->client) {
@@ skipping 34 matching lines @@
       FROM_HERE, base::Bind(&LocalSafeBrowsingDatabaseManager::TimeoutCallback,
                             check->weak_ptr_factory_->GetWeakPtr(), check),
       check_timeout_);
 }
 
 bool LocalSafeBrowsingDatabaseManager::download_protection_enabled() const {
   return enable_download_protection_;
 }
 
 }  // namespace safe_browsing