Sanitize https:// URLs before sending them to PAC scripts.

net/proxy/proxy_service.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_PROXY_PROXY_SERVICE_H_
 #define NET_PROXY_PROXY_SERVICE_H_
 
 #include <stddef.h>
 
 #include <memory>
 #include <set>
 #include <string>
 #include <vector>
 
 #include "base/gtest_prod_util.h"
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/synchronization/waitable_event.h"
 #include "base/threading/non_thread_safe.h"
 #include "net/base/completion_callback.h"
 #include "net/base/load_states.h"
 #include "net/base/net_export.h"
 #include "net/base/network_change_notifier.h"
 #include "net/log/net_log.h"
 #include "net/proxy/proxy_config_service.h"
 #include "net/proxy/proxy_info.h"
 #include "net/proxy/proxy_server.h"
+#include "url/gurl.h"
 
 class GURL;
 
 namespace base {
 class SingleThreadTaskRunner;
 class TimeDelta;
 }  // namespace base
 
 namespace net {
 
 class DhcpProxyScriptFetcher;
 class HostResolver;
 class ProxyDelegate;
 class ProxyResolver;
 class ProxyResolverFactory;
 class ProxyResolverScriptData;
 class ProxyScriptDecider;
 class ProxyScriptFetcher;
 
 // This class can be used to resolve the proxy server to use when loading a
 // HTTP(S) URL.  It uses the given ProxyResolver to handle the actual proxy
 // resolution.  See ProxyResolverV8 for example.
 class NET_EXPORT ProxyService : public NetworkChangeNotifier::IPAddressObserver,
                                 public NetworkChangeNotifier::DNSObserver,
                                 public ProxyConfigService::Observer,
                                 NON_EXPORTED_BASE(public base::NonThreadSafe) {
  public:
+  // Enumerates the policy to use when sanitizing URLs for proxy resolution
+  // (before passing them off to PAC scripts).
+  enum class SanitizeUrlPolicy {
+    // Do a basic level of sanitization for URLs:
+    //   - strip embedded identities (ex: "username:password@")
+    //   - strip the fragment (ex: "#blah")
+    //
+    // This is considered "unsafe" because it does not do any additional
+    // stripping for https:// URLs.
+    UNSAFE,
+
+    // SAFE does the same sanitization as UNSAFE, but additionally strips
+    // everything but the (scheme,host,port) from cryptographic URL schemes
+    // (https:// and wss://).
+    //
+    // In other words, it strips the path and query portion of https:// URLs.
+    SAFE,
+  };
+
   static const size_t kDefaultNumPacThreads = 4;
 
   // This interface defines the set of policies for when to poll the PAC
   // script for changes.
   //
   // The polling policy decides what the next poll delay should be in
   // milliseconds. It also decides how to wait for this delay -- either
   // by starting a timer to do the poll at exactly |next_delay_ms|
   // (MODE_USE_TIMER) or by waiting for the first network request issued after
   // |next_delay_ms| (MODE_START_AFTER_ACTIVITY).
@@ skipping 224 matching lines @@
       const PacPollPolicy* policy);
 
   // This method should only be used by unit tests. Creates an instance
   // of the default internal PacPollPolicy used by ProxyService.
   static std::unique_ptr<PacPollPolicy> CreateDefaultPacPollPolicy();
 
   void set_quick_check_enabled(bool value) {
     quick_check_enabled_ = value;
   }
 
+  void set_sanitize_url_policy(SanitizeUrlPolicy policy) {
+    sanitize_url_policy_ = policy;
+  }
+
+  // Returns a sanitized copy of |url| which is safe to pass on to a PAC script.
+  // The method for sanitizing is determined by |policy|. See the comments for
+  // that enum for details.
+  NET_EXPORT static GURL SanitizeUrl(const GURL& url, SanitizeUrlPolicy policy);

[mmenke, 2016/05/20 17:40:23]

Should this be NET_EXPORT_PRIVATE?  Not really concerned about external use,
just not sure we really expect it.

[eroman, 2016/05/20 21:23:53]

No longer applicable, as I moved the function to be internal-only.

That said, I am not a fan of NET_EXPORT_PRIVATE for the reasons given in
https://bugs.chromium.org/p/chromium/issues/detail?id=552248

(My pessimistic view is that its value erodes with time as consumers invariably
depend on it, making it little more than a confusing out-of-date comment).

+
  private:
   FRIEND_TEST_ALL_PREFIXES(ProxyServiceTest, UpdateConfigAfterFailedAutodetect);
   FRIEND_TEST_ALL_PREFIXES(ProxyServiceTest, UpdateConfigFromPACToDirect);
   friend class PacRequest;
   class InitProxyResolver;
   class ProxyScriptDeciderPoller;
 
   typedef std::set<scoped_refptr<PacRequest>> PendingRequests;
 
   enum State {
@@ skipping 144 matching lines @@
   // The earliest time at which we should run any proxy auto-config. (Used to
   // stall re-configuration following an IP address change).
   base::TimeTicks stall_proxy_autoconfig_until_;
 
   // The amount of time to stall requests following IP address changes.
   base::TimeDelta stall_proxy_auto_config_delay_;
 
   // Whether child ProxyScriptDeciders should use QuickCheck
   bool quick_check_enabled_;
 
+  // The method to use for sanitizing URLs seen by the proxy resolver.
+  SanitizeUrlPolicy sanitize_url_policy_;
+
   DISALLOW_COPY_AND_ASSIGN(ProxyService);
 };
 
 }  // namespace net
 
 #endif  // NET_PROXY_PROXY_SERVICE_H_