Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(258)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: content/browser/child_process_security_policy_unittest.cc

Issue 2111343002: Move implementation of ChildProcessSecurityPolicyImpl to c/b/shared, and wrap in c/b (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@mffr-win
Patch Set: . Created 4 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « content/browser/child_process_security_policy_impl.cc ('k') | content/browser/loader/DEPS » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <set>
6 #include <string>
7
8 #include "base/files/file_path.h"
9 #include "content/browser/child_process_security_policy_impl.h"
10 #include "content/public/common/url_constants.h"
11 #include "content/test/test_content_browser_client.h"
12 #include "storage/browser/fileapi/file_permission_policy.h"
13 #include "storage/browser/fileapi/file_system_url.h"
14 #include "storage/browser/fileapi/isolated_context.h"
15 #include "storage/common/fileapi/file_system_types.h"
16 #include "testing/gtest/include/gtest/gtest.h"
17 #include "url/gurl.h"
18 #include "url/origin.h"
19
20 namespace content {
21 namespace {
22
23 const int kRendererID = 42;
24 const int kWorkerRendererID = kRendererID + 1;
25
26 #if defined(FILE_PATH_USES_DRIVE_LETTERS)
27 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x)
28 #else
29 #define TEST_PATH(x) FILE_PATH_LITERAL(x)
30 #endif
31
32 class ChildProcessSecurityPolicyTestBrowserClient
33 : public TestContentBrowserClient {
34 public:
35 ChildProcessSecurityPolicyTestBrowserClient() {}
36
37 bool IsHandledURL(const GURL& url) override {
38 return schemes_.find(url.scheme()) != schemes_.end();
39 }
40
41 void ClearSchemes() {
42 schemes_.clear();
43 }
44
45 void AddScheme(const std::string& scheme) {
46 schemes_.insert(scheme);
47 }
48
49 private:
50 std::set<std::string> schemes_;
51 };
52
53 } // namespace
54
55 class ChildProcessSecurityPolicyTest : public testing::Test {
56 public:
57 ChildProcessSecurityPolicyTest() : old_browser_client_(NULL) {
58 }
59
60 void SetUp() override {
61 old_browser_client_ = SetBrowserClientForTesting(&test_browser_client_);
62
63 // Claim to always handle chrome:// URLs because the CPSP's notion of
64 // allowing WebUI bindings is hard-wired to this particular scheme.
65 test_browser_client_.AddScheme(kChromeUIScheme);
66
67 // Claim to always handle file:// URLs like the browser would.
68 // net::URLRequest::IsHandledURL() no longer claims support for default
69 // protocols as this is the responsibility of the browser (which is
70 // responsible for adding the appropriate ProtocolHandler).
71 test_browser_client_.AddScheme(url::kFileScheme);
72 }
73
74 void TearDown() override {
75 test_browser_client_.ClearSchemes();
76 SetBrowserClientForTesting(old_browser_client_);
77 }
78
79 protected:
80 void RegisterTestScheme(const std::string& scheme) {
81 test_browser_client_.AddScheme(scheme);
82 }
83
84 void GrantPermissionsForFile(ChildProcessSecurityPolicyImpl* p,
85 int child_id,
86 const base::FilePath& file,
87 int permissions) {
88 p->GrantPermissionsForFile(child_id, file, permissions);
89 }
90
91 void CheckHasNoFileSystemPermission(ChildProcessSecurityPolicyImpl* p,
92 const std::string& child_id) {
93 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, child_id));
94 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, child_id));
95 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, child_id));
96 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, child_id));
97 }
98
99 void CheckHasNoFileSystemFilePermission(ChildProcessSecurityPolicyImpl* p,
100 const base::FilePath& file,
101 const storage::FileSystemURL& url) {
102 EXPECT_FALSE(p->CanReadFile(kRendererID, file));
103 EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file));
104 EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
105 EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
106 EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
107 EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
108 EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url));
109 EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url));
110 }
111
112 private:
113 ChildProcessSecurityPolicyTestBrowserClient test_browser_client_;
114 ContentBrowserClient* old_browser_client_;
115 };
116
117
118 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
119 ChildProcessSecurityPolicyImpl* p =
120 ChildProcessSecurityPolicyImpl::GetInstance();
121
122 EXPECT_TRUE(p->IsWebSafeScheme(url::kHttpScheme));
123 EXPECT_TRUE(p->IsWebSafeScheme(url::kHttpsScheme));
124 EXPECT_TRUE(p->IsWebSafeScheme(url::kFtpScheme));
125 EXPECT_TRUE(p->IsWebSafeScheme(url::kDataScheme));
126 EXPECT_TRUE(p->IsWebSafeScheme("feed"));
127 EXPECT_TRUE(p->IsWebSafeScheme(url::kBlobScheme));
128 EXPECT_TRUE(p->IsWebSafeScheme(url::kFileSystemScheme));
129
130 EXPECT_FALSE(p->IsWebSafeScheme("registered-web-safe-scheme"));
131 p->RegisterWebSafeScheme("registered-web-safe-scheme");
132 EXPECT_TRUE(p->IsWebSafeScheme("registered-web-safe-scheme"));
133
134 EXPECT_FALSE(p->IsWebSafeScheme(kChromeUIScheme));
135 }
136
137 TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
138 ChildProcessSecurityPolicyImpl* p =
139 ChildProcessSecurityPolicyImpl::GetInstance();
140
141 EXPECT_TRUE(p->IsPseudoScheme(url::kAboutScheme));
142 EXPECT_TRUE(p->IsPseudoScheme(url::kJavaScriptScheme));
143 EXPECT_TRUE(p->IsPseudoScheme(kViewSourceScheme));
144
145 EXPECT_FALSE(p->IsPseudoScheme("registered-pseudo-scheme"));
146 p->RegisterPseudoScheme("registered-pseudo-scheme");
147 EXPECT_TRUE(p->IsPseudoScheme("registered-pseudo-scheme"));
148
149 EXPECT_FALSE(p->IsPseudoScheme(kChromeUIScheme));
150 }
151
152 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
153 ChildProcessSecurityPolicyImpl* p =
154 ChildProcessSecurityPolicyImpl::GetInstance();
155
156 p->Add(kRendererID);
157
158 // Safe to request or commit.
159 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/")));
160 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/")));
161 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
162 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
163 EXPECT_TRUE(p->CanRequestURL(
164 kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
165 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("http://www.google.com/")));
166 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("https://www.paypal.com/")));
167 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
168 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
169 EXPECT_TRUE(p->CanCommitURL(
170 kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
171
172 // Dangerous to request or commit.
173 EXPECT_FALSE(p->CanRequestURL(kRendererID,
174 GURL("file:///etc/passwd")));
175 EXPECT_FALSE(p->CanRequestURL(kRendererID,
176 GURL("chrome://foo/bar")));
177 EXPECT_FALSE(p->CanRequestURL(kRendererID,
178 GURL("view-source:http://www.google.com/")));
179 EXPECT_FALSE(p->CanCommitURL(kRendererID,
180 GURL("file:///etc/passwd")));
181 EXPECT_FALSE(p->CanCommitURL(kRendererID,
182 GURL("chrome://foo/bar")));
183 EXPECT_FALSE(
184 p->CanCommitURL(kRendererID, GURL("view-source:http://www.google.com/")));
185
186 p->Remove(kRendererID);
187 }
188
189 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
190 ChildProcessSecurityPolicyImpl* p =
191 ChildProcessSecurityPolicyImpl::GetInstance();
192
193 p->Add(kRendererID);
194
195 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank")));
196 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK")));
197 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK")));
198 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank")));
199 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:blank")));
200 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:BlAnK")));
201 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:BlAnK")));
202 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:blank")));
203
204 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
205 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
206 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang")));
207 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:version")));
208 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
209 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:cache")));
210 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:hang")));
211 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:version")));
212
213 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:version")));
214 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
215 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe")));
216 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version")));
217 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:CrASh")));
218 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("abOuT:cAChe")));
219 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version")));
220
221 // Requests for about: pages should be denied.
222 p->GrantRequestURL(kRendererID, GURL("about:crash"));
223 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
224 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash")));
225
226 // These requests for chrome:// pages should be granted.
227 GURL chrome_url("chrome://foo");
228 p->GrantRequestURL(kRendererID, chrome_url);
229 EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
230 EXPECT_TRUE(p->CanCommitURL(kRendererID, chrome_url));
231
232 p->Remove(kRendererID);
233 }
234
235 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
236 ChildProcessSecurityPolicyImpl* p =
237 ChildProcessSecurityPolicyImpl::GetInstance();
238
239 p->Add(kRendererID);
240
241 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
242 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
243 p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
244 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
245 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')")));
246
247 p->Remove(kRendererID);
248 }
249
250 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
251 ChildProcessSecurityPolicyImpl* p =
252 ChildProcessSecurityPolicyImpl::GetInstance();
253
254 p->Add(kRendererID);
255
256 // Currently, "asdf" is destined for ShellExecute, so it is allowed to be
257 // requested but not committed.
258 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
259 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
260
261 // Once we register "asdf", we default to deny.
262 RegisterTestScheme("asdf");
263 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
264 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
265
266 // We can allow new schemes by adding them to the whitelist.
267 p->RegisterWebSafeScheme("asdf");
268 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
269 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("asdf:rockers")));
270
271 // Cleanup.
272 p->Remove(kRendererID);
273 }
274
275 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
276 ChildProcessSecurityPolicyImpl* p =
277 ChildProcessSecurityPolicyImpl::GetInstance();
278
279 p->Add(kRendererID);
280
281 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
282 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
283 p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
284 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
285 EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
286
287 // We should forget our state if we repeat a renderer id.
288 p->Remove(kRendererID);
289 p->Add(kRendererID);
290 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
291 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
292 p->Remove(kRendererID);
293 }
294
295 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
296 ChildProcessSecurityPolicyImpl* p =
297 ChildProcessSecurityPolicyImpl::GetInstance();
298
299 p->Add(kRendererID);
300
301 // Child processes cannot request view source URLs.
302 EXPECT_FALSE(p->CanRequestURL(kRendererID,
303 GURL("view-source:http://www.google.com/")));
304 EXPECT_FALSE(p->CanRequestURL(kRendererID,
305 GURL("view-source:file:///etc/passwd")));
306 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
307 EXPECT_FALSE(p->CanRequestURL(
308 kRendererID, GURL("view-source:view-source:http://www.google.com/")));
309
310 // View source URLs don't actually commit; the renderer is put into view
311 // source mode, and the inner URL commits.
312 EXPECT_FALSE(p->CanCommitURL(kRendererID,
313 GURL("view-source:http://www.google.com/")));
314 EXPECT_FALSE(p->CanCommitURL(kRendererID,
315 GURL("view-source:file:///etc/passwd")));
316 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
317 EXPECT_FALSE(p->CanCommitURL(
318 kRendererID, GURL("view-source:view-source:http://www.google.com/")));
319
320 p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
321 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
322 EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd")));
323 EXPECT_FALSE(
324 p->CanRequestURL(kRendererID, GURL("view-source:file:///etc/passwd")));
325 EXPECT_FALSE(p->CanCommitURL(kRendererID,
326 GURL("view-source:file:///etc/passwd")));
327 p->Remove(kRendererID);
328 }
329
330 TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
331 ChildProcessSecurityPolicyImpl* p =
332 ChildProcessSecurityPolicyImpl::GetInstance();
333
334 p->Add(kRendererID);
335
336 GURL icon_url("file:///tmp/foo.png");
337 GURL sensitive_url("file:///etc/passwd");
338 EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url));
339 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
340 EXPECT_FALSE(p->CanCommitURL(kRendererID, icon_url));
341 EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
342
343 p->GrantRequestSpecificFileURL(kRendererID, icon_url);
344 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
345 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
346 EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
347 EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url));
348
349 p->GrantRequestURL(kRendererID, icon_url);
350 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
351 EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
352 EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url));
353 EXPECT_TRUE(p->CanCommitURL(kRendererID, sensitive_url));
354
355 p->Remove(kRendererID);
356 }
357
358 TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) {
359 ChildProcessSecurityPolicyImpl* p =
360 ChildProcessSecurityPolicyImpl::GetInstance();
361
362 p->Add(kRendererID);
363 std::string read_id =
364 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
365 storage::kFileSystemTypeTest, "read_filesystem", base::FilePath());
366 std::string read_write_id =
367 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
368 storage::kFileSystemTypeTest,
369 "read_write_filesystem",
370 base::FilePath());
371 std::string copy_into_id =
372 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
373 storage::kFileSystemTypeTest,
374 "copy_into_filesystem",
375 base::FilePath());
376 std::string delete_from_id =
377 storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath(
378 storage::kFileSystemTypeTest,
379 "delete_from_filesystem",
380 base::FilePath());
381
382 // Test initially having no permissions.
383 CheckHasNoFileSystemPermission(p, read_id);
384 CheckHasNoFileSystemPermission(p, read_write_id);
385 CheckHasNoFileSystemPermission(p, copy_into_id);
386 CheckHasNoFileSystemPermission(p, delete_from_id);
387
388 // Testing varying combinations of grants and checks.
389 p->GrantReadFileSystem(kRendererID, read_id);
390 EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_id));
391 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, read_id));
392 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_id));
393 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_id));
394
395 p->GrantReadFileSystem(kRendererID, read_write_id);
396 p->GrantWriteFileSystem(kRendererID, read_write_id);
397 EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_write_id));
398 EXPECT_TRUE(p->CanReadWriteFileSystem(kRendererID, read_write_id));
399 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_write_id));
400 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_write_id));
401
402 p->GrantCopyIntoFileSystem(kRendererID, copy_into_id);
403 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, copy_into_id));
404 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, copy_into_id));
405 EXPECT_TRUE(p->CanCopyIntoFileSystem(kRendererID, copy_into_id));
406 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, copy_into_id));
407
408 p->GrantDeleteFromFileSystem(kRendererID, delete_from_id);
409 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, delete_from_id));
410 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, delete_from_id));
411 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, delete_from_id));
412 EXPECT_TRUE(p->CanDeleteFromFileSystem(kRendererID, delete_from_id));
413
414 // Test revoke permissions on renderer ID removal.
415 p->Remove(kRendererID);
416 CheckHasNoFileSystemPermission(p, read_id);
417 CheckHasNoFileSystemPermission(p, read_write_id);
418 CheckHasNoFileSystemPermission(p, copy_into_id);
419 CheckHasNoFileSystemPermission(p, delete_from_id);
420
421 // Test having no permissions upon re-adding same renderer ID.
422 p->Add(kRendererID);
423 CheckHasNoFileSystemPermission(p, read_id);
424 CheckHasNoFileSystemPermission(p, read_write_id);
425 CheckHasNoFileSystemPermission(p, copy_into_id);
426 CheckHasNoFileSystemPermission(p, delete_from_id);
427
428 // Cleanup.
429 p->Remove(kRendererID);
430 storage::IsolatedContext::GetInstance()->RevokeFileSystem(read_id);
431 storage::IsolatedContext::GetInstance()->RevokeFileSystem(read_write_id);
432 storage::IsolatedContext::GetInstance()->RevokeFileSystem(copy_into_id);
433 storage::IsolatedContext::GetInstance()->RevokeFileSystem(delete_from_id);
434 }
435
436 TEST_F(ChildProcessSecurityPolicyTest, FilePermissionGrantingAndRevoking) {
437 ChildProcessSecurityPolicyImpl* p =
438 ChildProcessSecurityPolicyImpl::GetInstance();
439
440 p->RegisterFileSystemPermissionPolicy(
441 storage::kFileSystemTypeTest,
442 storage::FILE_PERMISSION_USE_FILE_PERMISSION);
443
444 p->Add(kRendererID);
445 base::FilePath file(TEST_PATH("/dir/testfile"));
446 file = file.NormalizePathSeparators();
447 storage::FileSystemURL url = storage::FileSystemURL::CreateForTest(
448 GURL("http://foo/"), storage::kFileSystemTypeTest, file);
449
450 // Test initially having no permissions.
451 CheckHasNoFileSystemFilePermission(p, file, url);
452
453 // Testing every combination of permissions granting and revoking.
454 p->GrantReadFile(kRendererID, file);
455 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
456 EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file));
457 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
458 EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
459 EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
460 EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
461 EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url));
462 EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url));
463 p->RevokeAllPermissionsForFile(kRendererID, file);
464 CheckHasNoFileSystemFilePermission(p, file, url);
465
466 p->GrantCreateReadWriteFile(kRendererID, file);
467 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
468 EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file));
469 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
470 EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
471 EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
472 EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
473 EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url));
474 EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url));
475 p->RevokeAllPermissionsForFile(kRendererID, file);
476 CheckHasNoFileSystemFilePermission(p, file, url);
477
478 // Test revoke permissions on renderer ID removal.
479 p->GrantCreateReadWriteFile(kRendererID, file);
480 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
481 EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file));
482 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
483 EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
484 EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
485 EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
486 EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url));
487 EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url));
488 p->Remove(kRendererID);
489 CheckHasNoFileSystemFilePermission(p, file, url);
490
491 // Test having no permissions upon re-adding same renderer ID.
492 p->Add(kRendererID);
493 CheckHasNoFileSystemFilePermission(p, file, url);
494
495 // Cleanup.
496 p->Remove(kRendererID);
497 }
498
499 TEST_F(ChildProcessSecurityPolicyTest, FilePermissions) {
500 base::FilePath granted_file = base::FilePath(TEST_PATH("/home/joe"));
501 base::FilePath sibling_file = base::FilePath(TEST_PATH("/home/bob"));
502 base::FilePath child_file = base::FilePath(TEST_PATH("/home/joe/file"));
503 base::FilePath parent_file = base::FilePath(TEST_PATH("/home"));
504 base::FilePath parent_slash_file = base::FilePath(TEST_PATH("/home/"));
505 base::FilePath child_traversal1 =
506 base::FilePath(TEST_PATH("/home/joe/././file"));
507 base::FilePath child_traversal2 = base::FilePath(
508 TEST_PATH("/home/joe/file/../otherfile"));
509 base::FilePath evil_traversal1 =
510 base::FilePath(TEST_PATH("/home/joe/../../etc/passwd"));
511 base::FilePath evil_traversal2 = base::FilePath(
512 TEST_PATH("/home/joe/./.././../etc/passwd"));
513 base::FilePath self_traversal =
514 base::FilePath(TEST_PATH("/home/joe/../joe/file"));
515 base::FilePath relative_file = base::FilePath(FILE_PATH_LITERAL("home/joe"));
516
517 ChildProcessSecurityPolicyImpl* p =
518 ChildProcessSecurityPolicyImpl::GetInstance();
519
520 // Grant permissions for a file.
521 p->Add(kRendererID);
522 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
523 base::File::FLAG_OPEN));
524
525 GrantPermissionsForFile(p, kRendererID, granted_file,
526 base::File::FLAG_OPEN |
527 base::File::FLAG_OPEN_TRUNCATED |
528 base::File::FLAG_READ |
529 base::File::FLAG_WRITE);
530 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
531 base::File::FLAG_OPEN |
532 base::File::FLAG_OPEN_TRUNCATED |
533 base::File::FLAG_READ |
534 base::File::FLAG_WRITE));
535 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
536 base::File::FLAG_OPEN |
537 base::File::FLAG_READ));
538 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
539 base::File::FLAG_CREATE));
540 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, 0));
541 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
542 base::File::FLAG_CREATE |
543 base::File::FLAG_OPEN_TRUNCATED |
544 base::File::FLAG_READ |
545 base::File::FLAG_WRITE));
546 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, sibling_file,
547 base::File::FLAG_OPEN |
548 base::File::FLAG_READ));
549 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, parent_file,
550 base::File::FLAG_OPEN |
551 base::File::FLAG_READ));
552 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_file,
553 base::File::FLAG_OPEN |
554 base::File::FLAG_READ));
555 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal1,
556 base::File::FLAG_OPEN |
557 base::File::FLAG_READ));
558 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal2,
559 base::File::FLAG_OPEN |
560 base::File::FLAG_READ));
561 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal1,
562 base::File::FLAG_OPEN |
563 base::File::FLAG_READ));
564 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal2,
565 base::File::FLAG_OPEN |
566 base::File::FLAG_READ));
567 // CPSP doesn't allow this case for the sake of simplicity.
568 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, self_traversal,
569 base::File::FLAG_OPEN |
570 base::File::FLAG_READ));
571 p->Remove(kRendererID);
572
573 // Grant permissions for the directory the file is in.
574 p->Add(kRendererID);
575 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
576 base::File::FLAG_OPEN));
577 GrantPermissionsForFile(p, kRendererID, parent_file,
578 base::File::FLAG_OPEN |
579 base::File::FLAG_READ);
580 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
581 base::File::FLAG_OPEN));
582 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
583 base::File::FLAG_READ |
584 base::File::FLAG_WRITE));
585 p->Remove(kRendererID);
586
587 // Grant permissions for the directory the file is in (with trailing '/').
588 p->Add(kRendererID);
589 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
590 base::File::FLAG_OPEN));
591 GrantPermissionsForFile(p, kRendererID, parent_slash_file,
592 base::File::FLAG_OPEN |
593 base::File::FLAG_READ);
594 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
595 base::File::FLAG_OPEN));
596 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
597 base::File::FLAG_READ |
598 base::File::FLAG_WRITE));
599
600 // Grant permissions for the file (should overwrite the permissions granted
601 // for the directory).
602 GrantPermissionsForFile(p, kRendererID, granted_file,
603 base::File::FLAG_TEMPORARY);
604 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
605 base::File::FLAG_OPEN));
606 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
607 base::File::FLAG_TEMPORARY));
608
609 // Revoke all permissions for the file (it should inherit its permissions
610 // from the directory again).
611 p->RevokeAllPermissionsForFile(kRendererID, granted_file);
612 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
613 base::File::FLAG_OPEN |
614 base::File::FLAG_READ));
615 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
616 base::File::FLAG_TEMPORARY));
617 p->Remove(kRendererID);
618
619 // Grant file permissions for the file to main thread renderer process,
620 // make sure its worker thread renderer process inherits those.
621 p->Add(kRendererID);
622 GrantPermissionsForFile(p, kRendererID, granted_file,
623 base::File::FLAG_OPEN |
624 base::File::FLAG_READ);
625 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
626 base::File::FLAG_OPEN |
627 base::File::FLAG_READ));
628 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
629 base::File::FLAG_WRITE));
630 p->AddWorker(kWorkerRendererID, kRendererID);
631 EXPECT_TRUE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
632 base::File::FLAG_OPEN |
633 base::File::FLAG_READ));
634 EXPECT_FALSE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
635 base::File::FLAG_WRITE));
636 p->Remove(kRendererID);
637 EXPECT_FALSE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
638 base::File::FLAG_OPEN |
639 base::File::FLAG_READ));
640 p->Remove(kWorkerRendererID);
641
642 p->Add(kRendererID);
643 GrantPermissionsForFile(p, kRendererID, relative_file,
644 base::File::FLAG_OPEN);
645 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, relative_file,
646 base::File::FLAG_OPEN));
647 p->Remove(kRendererID);
648 }
649
650 TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) {
651 ChildProcessSecurityPolicyImpl* p =
652 ChildProcessSecurityPolicyImpl::GetInstance();
653
654 GURL url("chrome://thumb/http://www.google.com/");
655
656 p->Add(kRendererID);
657
658 EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
659 EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
660 p->GrantWebUIBindings(kRendererID);
661 EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
662 EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
663
664 p->Remove(kRendererID);
665 }
666
667 TEST_F(ChildProcessSecurityPolicyTest, RemoveRace) {
668 ChildProcessSecurityPolicyImpl* p =
669 ChildProcessSecurityPolicyImpl::GetInstance();
670
671 GURL url("file:///etc/passwd");
672 base::FilePath file(TEST_PATH("/etc/passwd"));
673
674 p->Add(kRendererID);
675
676 p->GrantRequestURL(kRendererID, url);
677 p->GrantReadFile(kRendererID, file);
678 p->GrantWebUIBindings(kRendererID);
679
680 EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
681 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
682 EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
683
684 p->Remove(kRendererID);
685
686 // Renderers are added and removed on the UI thread, but the policy can be
687 // queried on the IO thread. The ChildProcessSecurityPolicy needs to be
688 // prepared to answer policy questions about renderers who no longer exist.
689
690 // In this case, we default to secure behavior.
691 EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
692 EXPECT_FALSE(p->CanReadFile(kRendererID, file));
693 EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
694 }
695
696 // Test the granting of origin permissions, and their interactions with
697 // granting scheme permissions.
698 TEST_F(ChildProcessSecurityPolicyTest, OriginGranting) {
699 ChildProcessSecurityPolicyImpl* p =
700 ChildProcessSecurityPolicyImpl::GetInstance();
701
702 p->Add(kRendererID);
703
704 GURL url_foo1("chrome://foo/resource1");
705 GURL url_foo2("chrome://foo/resource2");
706 GURL url_bar("chrome://bar/resource3");
707
708 EXPECT_FALSE(p->CanRequestURL(kRendererID, url_foo1));
709 EXPECT_FALSE(p->CanRequestURL(kRendererID, url_foo2));
710 EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar));
711 EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo1));
712 EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo2));
713 EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar));
714
715 p->GrantOrigin(kRendererID, url::Origin(url_foo1));
716
717 EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1));
718 EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2));
719 EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar));
720 EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1));
721 EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2));
722 EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar));
723
724 p->GrantScheme(kRendererID, kChromeUIScheme);
725
726 EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1));
727 EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2));
728 EXPECT_TRUE(p->CanRequestURL(kRendererID, url_bar));
729 EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1));
730 EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2));
731 EXPECT_TRUE(p->CanCommitURL(kRendererID, url_bar));
732
733 p->Remove(kRendererID);
734 }
735
736 } // namespace content
OLDNEW
« no previous file with comments | « content/browser/child_process_security_policy_impl.cc ('k') | content/browser/loader/DEPS » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698