Disallow redirects in SDCH dictionary fetches.

net/url_request/sdch_dictionary_fetcher_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/url_request/sdch_dictionary_fetcher.h"
 
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/macros.h"
 #include "base/run_loop.h"
 #include "base/strings/stringprintf.h"
 #include "base/thread_task_runner_handle.h"
 #include "net/base/load_flags.h"
 #include "net/base/sdch_manager.h"
 #include "net/http/http_response_headers.h"
 #include "net/url_request/url_request_data_job.h"
 #include "net/url_request/url_request_filter.h"
 #include "net/url_request/url_request_interceptor.h"
+#include "net/url_request/url_request_redirect_job.h"
 #include "net/url_request/url_request_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
 const char kSampleBufferContext[] = "This is a sample buffer.";
-const char kTestDomain[] = "top.domain.test";
+const char kTestDomain1[] = "top.domain.test";
+const char kTestDomain2[] = "top2.domain.test";
 
 class URLRequestSpecifiedResponseJob : public URLRequestSimpleJob {
  public:
   // Called on destruction with load flags used for this request.
   typedef base::Callback<void(int)> DestructionCallback;
 
   URLRequestSpecifiedResponseJob(
       URLRequest* request,
       NetworkDelegate* network_delegate,
       const HttpResponseInfo& response_info_to_return,
@@ skipping 32 matching lines @@
     return OK;
   }
 
   const HttpResponseInfo response_info_to_return_;
   int last_load_flags_seen_;
   const DestructionCallback destruction_callback_;
 
   DISALLOW_COPY_AND_ASSIGN(URLRequestSpecifiedResponseJob);
 };
 
-class SpecifiedResponseJobInterceptor : public URLRequestInterceptor {
+// Wrap URLRequestRedirectJob in a destruction callback.
+class TestURLRequestRedirectJob : public URLRequestRedirectJob {
  public:
-  // A callback to be called whenever a URLRequestSpecifiedResponseJob is
-  // created or destroyed.  The first argument will be the change in number of
-  // jobs (i.e. +1 for created, -1 for destroyed).
-  // The second argument will be undefined if the job is being created,
-  // and will contain the load flags passed to the request the
-  // job was created for if the job is being destroyed.
+  TestURLRequestRedirectJob(URLRequest* request,
+                            NetworkDelegate* network_delegate,
+                            const GURL& redirect_destination,
+                            ResponseCode response_code,
+                            const std::string& redirect_reason,
+                            base::Closure destruction_callback)
+      : URLRequestRedirectJob(request,
+                              network_delegate,
+                              redirect_destination,
+                              response_code,
+                              redirect_reason),
+        destruction_callback_(destruction_callback) {}
+  ~TestURLRequestRedirectJob() override { destruction_callback_.Run(); }
+
+ private:
+  const base::Closure destruction_callback_;
+};
+
+static const char* redirect_signal = "/redirect/";
+class SDCHTestRequestInterceptor : public URLRequestInterceptor {
+ public:
+  // A callback to be called whenever a URLRequestJob child of this
+  // interceptor is created or destroyed.  The first argument will be the
+  // change in number of jobs (i.e. +1 for created, -1 for destroyed).
+  // The second argument will be undefined if the job is being created
+  // or a redirect job is being destroyed, and (for non-redirect job
+  // destruction) will contain the load flags passed to the request the
+  // job was created for.
   typedef base::Callback<void(int outstanding_job_delta,
                               int destruction_load_flags)> LifecycleCallback;
 
   // |*info| will be returned from all child URLRequestSpecifiedResponseJobs.
   // Note that: a) this pointer is shared with the caller, and the caller must
-  // guarantee that |*info| outlives the SpecifiedResponseJobInterceptor, and
+  // guarantee that |*info| outlives the SDCHTestRequestInterceptor, and
   // b) |*info| is mutable, and changes to should propagate to
   // URLRequestSpecifiedResponseJobs created after any change.
-  SpecifiedResponseJobInterceptor(HttpResponseInfo* http_response_info,
-                                  const LifecycleCallback& lifecycle_callback)
+  SDCHTestRequestInterceptor(HttpResponseInfo* http_response_info,
+                             const LifecycleCallback& lifecycle_callback)
       : http_response_info_(http_response_info),
         lifecycle_callback_(lifecycle_callback) {
     DCHECK(!lifecycle_callback_.is_null());
   }
-  ~SpecifiedResponseJobInterceptor() override {}
+  ~SDCHTestRequestInterceptor() override {}
 
   URLRequestJob* MaybeInterceptRequest(
       URLRequest* request,
       NetworkDelegate* network_delegate) const override {
     lifecycle_callback_.Run(1, 0);
 
+    std::string path = request->url().path();
+    if (path.substr(0, strlen(redirect_signal)) == redirect_signal) {
+      return new TestURLRequestRedirectJob(
+          request, network_delegate, GURL(path.substr(strlen(redirect_signal))),
+          URLRequestRedirectJob::REDIRECT_307_TEMPORARY_REDIRECT, "testing",
+          base::Bind(lifecycle_callback_, -1, 0));
+    }
+
     return new URLRequestSpecifiedResponseJob(
         request, network_delegate, *http_response_info_,
         base::Bind(lifecycle_callback_, -1));
   }
 
   // The caller must ensure that both |*http_response_info| and the
   // callback remain valid for the lifetime of the
-  // SpecifiedResponseJobInterceptor (i.e. until Unregister() is called).
+  // SDCHTestRequestInterceptor (i.e. until Unregister() is called).
   static void RegisterWithFilter(HttpResponseInfo* http_response_info,
                                  const LifecycleCallback& lifecycle_callback) {
-    scoped_ptr<SpecifiedResponseJobInterceptor> interceptor(
-        new SpecifiedResponseJobInterceptor(http_response_info,
-                                            lifecycle_callback));
+    URLRequestFilter::GetInstance()->AddHostnameInterceptor(
+        "http", kTestDomain1,
+        scoped_ptr<URLRequestInterceptor>(new SDCHTestRequestInterceptor(
+            http_response_info, lifecycle_callback)));
 
     URLRequestFilter::GetInstance()->AddHostnameInterceptor(
-        "http", kTestDomain, std::move(interceptor));
+        "https", kTestDomain1,
+        scoped_ptr<URLRequestInterceptor>(new SDCHTestRequestInterceptor(
+            http_response_info, lifecycle_callback)));
+
+    URLRequestFilter::GetInstance()->AddHostnameInterceptor(
+        "http", kTestDomain2,
+        scoped_ptr<URLRequestInterceptor>(new SDCHTestRequestInterceptor(
+            http_response_info, lifecycle_callback)));
+
+    URLRequestFilter::GetInstance()->AddHostnameInterceptor(
+        "https", kTestDomain2,
+        scoped_ptr<URLRequestInterceptor>(new SDCHTestRequestInterceptor(
+            http_response_info, lifecycle_callback)));
   }
 
   static void Unregister() {
-    URLRequestFilter::GetInstance()->RemoveHostnameHandler("http", kTestDomain);
+    URLRequestFilter::GetInstance()->RemoveHostnameHandler("http",
+                                                           kTestDomain1);
+    URLRequestFilter::GetInstance()->RemoveHostnameHandler("https",
+                                                           kTestDomain1);
+    URLRequestFilter::GetInstance()->RemoveHostnameHandler("http",
+                                                           kTestDomain2);
+    URLRequestFilter::GetInstance()->RemoveHostnameHandler("https",
+                                                           kTestDomain2);
   }
 
  private:
   HttpResponseInfo* http_response_info_;
   LifecycleCallback lifecycle_callback_;
-  DISALLOW_COPY_AND_ASSIGN(SpecifiedResponseJobInterceptor);
+  DISALLOW_COPY_AND_ASSIGN(SDCHTestRequestInterceptor);
 };
 
 // Local test infrastructure
 // * URLRequestSpecifiedResponseJob: A URLRequestJob that returns
 //   a different but derivable response for each URL (used for all
 //   url requests in this file).  This class is initialized with
 //   the HttpResponseInfo to return (if any), as well as a callback
 //   that is called when the class is destroyed.  That callback
 //   takes as arguemnt the load flags used for the request the
 //   job was created for.
-// * SpecifiedResponseJobInterceptor: This class is a
-//   URLRequestInterceptor that generates the class above.  It is constructed
+// * SDCHTestRequestInterceptor: This class is a
+//   URLRequestInterceptor that generates either the class above or an
+//   instance of URLRequestRedirectJob (if the first component of the path
+//   is "redirect").  It is constructed
 //   with a pointer to the (mutable) resposne info that should be
-//   returned from the URLRequestSpecifiedResponseJob children, as well as
+//   returned from constructed URLRequestSpecifiedResponseJobs, as well as
 //   a callback that is run when URLRequestSpecifiedResponseJobs are
 //   created or destroyed.
 // * SdchDictionaryFetcherTest: This class registers the above interceptor,
 //   tracks the number of jobs requested and the subset of those
 //   that are still outstanding.  It exports an interface to wait until there
 //   are no jobs outstanding.  It shares an HttpResponseInfo structure
-//   with the SpecifiedResponseJobInterceptor to control the response
+//   with the SDCHTestRequestInterceptor to control the response
 //   information returned by the jbos.
 // The standard pattern for tests is to schedule a dictionary fetch, wait
 // for no jobs outstanding, then test that the fetch results are as expected.
 
 class SdchDictionaryFetcherTest : public ::testing::Test {
  public:
   struct DictionaryAdditions {
     DictionaryAdditions(const std::string& dictionary_text,
                         const GURL& dictionary_url)
         : dictionary_text(dictionary_text), dictionary_url(dictionary_url) {}
 
     std::string dictionary_text;
     GURL dictionary_url;
   };
 
   SdchDictionaryFetcherTest()
       : jobs_requested_(0),
         jobs_outstanding_(0),
         last_load_flags_seen_(LOAD_NORMAL),
         context_(new TestURLRequestContext),
         fetcher_(new SdchDictionaryFetcher(context_.get())),
         factory_(this) {
     response_info_to_return_.request_time = base::Time::Now();
     response_info_to_return_.response_time = base::Time::Now();
-    SpecifiedResponseJobInterceptor::RegisterWithFilter(
+    SDCHTestRequestInterceptor::RegisterWithFilter(
         &response_info_to_return_,
         base::Bind(&SdchDictionaryFetcherTest::OnNumberJobsChanged,
                    factory_.GetWeakPtr()));
   }
 
   ~SdchDictionaryFetcherTest() override {
-    SpecifiedResponseJobInterceptor::Unregister();
+    SDCHTestRequestInterceptor::Unregister();
   }
 
   void OnDictionaryFetched(const std::string& dictionary_text,
                            const GURL& dictionary_url,
                            const BoundNetLog& net_log,
                            bool was_from_cache) {
     dictionary_additions_.push_back(
         DictionaryAdditions(dictionary_text, dictionary_url));
   }
 
   // Return (in |*out|) all dictionary additions since the last time
   // this function was called.
   void GetDictionaryAdditions(std::vector<DictionaryAdditions>* out) {
     out->swap(dictionary_additions_);
     dictionary_additions_.clear();
   }
 
   SdchDictionaryFetcher* fetcher() { return fetcher_.get(); }
 
   // May not be called outside the SetUp()/TearDown() interval.
   int jobs_requested() const { return jobs_requested_; }
 
   GURL PathToGurl(const char* path) const {
     std::string gurl_string("http://");
-    gurl_string += kTestDomain;
+    gurl_string += kTestDomain1;
     gurl_string += "/";
     gurl_string += path;
     return GURL(gurl_string);
   }
 
   // Block until there are no outstanding URLRequestSpecifiedResponseJobs.
   void WaitForNoJobs() {
     // A job may be started after the previous one was destroyed, with a brief
     // period of 0 jobs in between, so may have to start the run loop multiple
     // times.
@@ skipping 199 matching lines @@
   EXPECT_EQ(1, jobs_requested());
 
   fetcher()->Cancel();
   WaitForNoJobs();
   EXPECT_TRUE(fetcher()->Schedule(dictionary_url, GetDefaultCallback()));
 
   WaitForNoJobs();
   EXPECT_EQ(2, jobs_requested());
 }
 
+TEST_F(SdchDictionaryFetcherTest, InOriginRedirect) {
+  GURL dictionary_url(PathToGurl("dictionary"));
+  GURL local_redirect_url(dictionary_url.GetWithEmptyPath().spec() +
+                          "redirect/" + dictionary_url.spec());
+  EXPECT_TRUE(fetcher()->Schedule(local_redirect_url, GetDefaultCallback()));
+  WaitForNoJobs();
+
+  // Both the redirect job and the job retrieving the actual dictionary
+  // should have been executed.
+  EXPECT_EQ(2, jobs_requested());
+  std::vector<DictionaryAdditions> additions;
+  GetDictionaryAdditions(&additions);
+  EXPECT_EQ(1u, additions.size());
+}
+
+TEST_F(SdchDictionaryFetcherTest, CrossSecurityRedirect) {
+  std::string dictionary_url_spec("https://" + std::string(kTestDomain1) +
+                                  "/dictionary");
+  GURL local_redirect_url("http://" + std::string(kTestDomain1) + "/redirect/" +
+                          dictionary_url_spec);
+
+  EXPECT_TRUE(fetcher()->Schedule(local_redirect_url, GetDefaultCallback()));
+  WaitForNoJobs();
+
+  // The fetcher should have refused the redirect job.
+  EXPECT_EQ(1, jobs_requested());
+  std::vector<DictionaryAdditions> additions;
+  GetDictionaryAdditions(&additions);
+  // And there should be no dictionaries added.
+  EXPECT_EQ(0u, additions.size());
+}
+
+TEST_F(SdchDictionaryFetcherTest, CrossSiteRedirect) {
+  std::string dictionary_url_spec("https://" + std::string(kTestDomain1) +
+                                  "/dictionary");
+  GURL local_redirect_url("https://" + std::string(kTestDomain2) +
+                          "/redirect/" + dictionary_url_spec);
+
+  EXPECT_TRUE(fetcher()->Schedule(local_redirect_url, GetDefaultCallback()));
+  WaitForNoJobs();
+
+  // The fetcher should have refused the redirect job.
+  EXPECT_EQ(1, jobs_requested());
+  std::vector<DictionaryAdditions> additions;
+  GetDictionaryAdditions(&additions);
+  // And there should be no dictionaries added.
+  EXPECT_EQ(0u, additions.size());
+}
+
+TEST_F(SdchDictionaryFetcherTest, CrossSiteSecurityRedirect) {
+  std::string dictionary_url_spec("https://" + std::string(kTestDomain1) +
+                                  "/dictionary");
+  GURL local_redirect_url("http://" + std::string(kTestDomain2) + "/redirect/" +
+                          dictionary_url_spec);
+
+  EXPECT_TRUE(fetcher()->Schedule(local_redirect_url, GetDefaultCallback()));
+  WaitForNoJobs();
+
+  // The fetcher should have refused the redirect job.
+  EXPECT_EQ(1, jobs_requested());
+  std::vector<DictionaryAdditions> additions;
+  GetDictionaryAdditions(&additions);
+  // And there should be no dictionaries added.
+  EXPECT_EQ(0u, additions.size());
+}
+
 }  // namespace
 
 }  // namespace net