[PPAPI] Quarantine files that are writeable by a Pepper plugin.

content/browser/download/quarantine_mac.mm

-// Copyright 2016 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "content/browser/download/quarantine.h"
-
-#import <ApplicationServices/ApplicationServices.h>
-#import <Foundation/Foundation.h>
-
-#include "base/files/file_path.h"
-#include "base/logging.h"
-#include "base/mac/foundation_util.h"
-#include "base/mac/mac_logging.h"
-#include "base/mac/mac_util.h"
-#include "base/mac/scoped_cftyperef.h"
-#include "base/mac/scoped_nsobject.h"
-#include "base/strings/sys_string_conversions.h"
-#include "base/threading/thread_restrictions.h"
-#include "url/gurl.h"
-
-namespace {
-
-// Once Chrome no longer supports macOS 10.9, this code will no longer be
-// necessary. Note that LSCopyItemAttribute was deprecated in macOS 10.8, but
-// the replacement to kLSItemQuarantineProperties did not exist until macOS
-// 10.10.
-#if !defined(MAC_OS_X_VERSION_10_10) || \
-    MAC_OS_X_VERSION_MIN_REQUIRED < MAC_OS_X_VERSION_10_10
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
-bool GetQuarantinePropertiesDeprecated(
-    const base::FilePath& file,
-    base::scoped_nsobject<NSMutableDictionary>* properties) {
-  const UInt8* path = reinterpret_cast<const UInt8*>(file.value().c_str());
-  FSRef file_ref;
-  if (FSPathMakeRef(path, &file_ref, nullptr) != noErr)
-    return false;
-
-  base::ScopedCFTypeRef<CFTypeRef> quarantine_properties;
-  OSStatus status = LSCopyItemAttribute(&file_ref, kLSRolesAll,
-      kLSItemQuarantineProperties, quarantine_properties.InitializeInto());
-  if (status != noErr)
-    return true;
-
-  CFDictionaryRef quarantine_properties_dict =
-      base::mac::CFCast<CFDictionaryRef>(quarantine_properties.get());
-  if (!quarantine_properties_dict) {
-    LOG(WARNING) << "kLSItemQuarantineProperties is not a dictionary on file "
-                 << file.value();
-    return false;
-  }
-
-  properties->reset(
-      [base::mac::CFToNSCast(quarantine_properties_dict) mutableCopy]);
-  return true;
-}
-
-bool SetQuarantinePropertiesDeprecated(const base::FilePath& file,
-                                       NSDictionary* properties) {
-  const UInt8* path = reinterpret_cast<const UInt8*>(file.value().c_str());
-  FSRef file_ref;
-  if (FSPathMakeRef(path, &file_ref, nullptr) != noErr)
-    return false;
-  OSStatus os_error = LSSetItemAttribute(
-      &file_ref, kLSRolesAll, kLSItemQuarantineProperties, properties);
-  if (os_error != noErr) {
-    OSSTATUS_LOG(WARNING, os_error)
-        << "Unable to set quarantine attributes on file " << file.value();
-    return false;
-  }
-  return true;
-}
-#pragma clang diagnostic pop
-#endif
-
-bool GetQuarantineProperties(
-    const base::FilePath& file,
-    base::scoped_nsobject<NSMutableDictionary>* properties) {
-  base::scoped_nsobject<NSURL> file_url([[NSURL alloc]
-      initFileURLWithPath:base::SysUTF8ToNSString(file.value())]);
-  if (!file_url)
-    return false;
-
-// NSURLQuarantinePropertiesKey is only available on macOS 10.10+.
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wunguarded-availability"
-  NSError* error = nil;
-  id quarantine_properties = nil;
-  BOOL success = [file_url getResourceValue:&quarantine_properties
-                                     forKey:NSURLQuarantinePropertiesKey
-                                      error:&error];
-#pragma clang diagnostic pop
-  if (!success) {
-    std::string error_message(error ? error.description.UTF8String : "");
-    LOG(WARNING) << "Unable to get quarantine attributes for file "
-                 << file.value() << ". Error: " << error_message;
-    return false;
-  }
-
-  if (!quarantine_properties)
-    return true;
-
-  NSDictionary* quarantine_properties_dict =
-      base::mac::ObjCCast<NSDictionary>(quarantine_properties);
-  if (!quarantine_properties_dict) {
-    LOG(WARNING) << "Quarantine properties have wrong class: "
-                 << [[[quarantine_properties class] description] UTF8String];
-    return false;
-  }
-
-  properties->reset([quarantine_properties_dict mutableCopy]);
-  return true;
-}
-
-bool SetQuarantineProperties(const base::FilePath& file,
-                             NSDictionary* properties) {
-  base::scoped_nsobject<NSURL> file_url([[NSURL alloc]
-      initFileURLWithPath:base::SysUTF8ToNSString(file.value())]);
-  if (!file_url)
-    return false;
-
-// NSURLQuarantinePropertiesKey is only available on macOS 10.10+.
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wunguarded-availability"
-  NSError* error = nil;
-  bool success = [file_url setResourceValue:properties
-                                     forKey:NSURLQuarantinePropertiesKey
-                                      error:&error];
-#pragma clang diagnostic pop
-  if (!success) {
-    std::string error_message(error ? error.description.UTF8String : "");
-    LOG(WARNING) << "Unable to set quarantine attributes on file "
-                 << file.value() << ". Error: " << error_message;
-    return false;
-  }
-  return true;
-}
-
-}  // namespace
-
-namespace content {
-
-namespace {
-
-// As of Mac OS X 10.4 ("Tiger"), files can be tagged with metadata describing
-// various attributes.  Metadata is integrated with the system's Spotlight
-// feature and is searchable.  Ordinarily, metadata can only be set by
-// Spotlight importers, which requires that the importer own the target file.
-// However, there's an attribute intended to describe the origin of a
-// file, that can store the source URL and referrer of a downloaded file.
-// It's stored as a "com.apple.metadata:kMDItemWhereFroms" extended attribute,
-// structured as a binary1-format plist containing a list of sources.  This
-// attribute can only be populated by the downloader, not a Spotlight importer.
-// Safari on 10.4 and later populates this attribute.
-//
-// With this metadata set, you can locate downloads by performing a Spotlight
-// search for their source or referrer URLs, either from within the Spotlight
-// UI or from the command line:
-//     mdfind 'kMDItemWhereFroms == "http://releases.mozilla.org/*"'
-//
-// There is no documented API to set metadata on a file directly as of the
-// 10.5 SDK.  The MDSetItemAttribute function does exist to perform this task,
-// but it's undocumented.
-bool AddOriginMetadataToFile(const base::FilePath& file,
-                             const GURL& source,
-                             const GURL& referrer) {
-  base::ThreadRestrictions::AssertIOAllowed();
-  // There's no declaration for MDItemSetAttribute in any known public SDK.
-  // It exists in the 10.4 and 10.5 runtimes.  To play it safe, do the lookup
-  // at runtime instead of declaring it ourselves and linking against what's
-  // provided.  This has two benefits:
-  //  - If Apple relents and declares the function in a future SDK (it's
-  //    happened before), our build won't break.
-  //  - If Apple removes or renames the function in a future runtime, the
-  //    loader won't refuse to let the application launch.  Instead, we'll
-  //    silently fail to set any metadata.
-  typedef OSStatus (*MDItemSetAttribute_type)(MDItemRef, CFStringRef,
-                                              CFTypeRef);
-  static MDItemSetAttribute_type md_item_set_attribute_func = NULL;
-
-  static bool did_symbol_lookup = false;
-  if (!did_symbol_lookup) {
-    did_symbol_lookup = true;
-    CFBundleRef metadata_bundle =
-        CFBundleGetBundleWithIdentifier(CFSTR("com.apple.Metadata"));
-    if (!metadata_bundle)
-      return false;
-
-    md_item_set_attribute_func =
-        (MDItemSetAttribute_type)CFBundleGetFunctionPointerForName(
-            metadata_bundle, CFSTR("MDItemSetAttribute"));
-  }
-  if (!md_item_set_attribute_func)
-    return false;
-
-  NSString* file_path = [NSString stringWithUTF8String:file.value().c_str()];
-  if (!file_path)
-    return false;
-
-  base::ScopedCFTypeRef<MDItemRef> md_item(
-      MDItemCreate(NULL, base::mac::NSToCFCast(file_path)));
-  if (!md_item)
-    return false;
-
-  // We won't put any more than 2 items into the attribute.
-  NSMutableArray* list = [NSMutableArray arrayWithCapacity:2];
-
-  // Follow Safari's lead: the first item in the list is the source URL of
-  // the downloaded file. If the referrer is known, store that, too.
-  NSString* origin_url = [NSString stringWithUTF8String:source.spec().c_str()];
-  if (origin_url)
-    [list addObject:origin_url];
-  NSString* referrer_url =
-      [NSString stringWithUTF8String:referrer.spec().c_str()];
-  if (referrer_url)
-    [list addObject:referrer_url];
-
-  md_item_set_attribute_func(md_item, kMDItemWhereFroms,
-                             base::mac::NSToCFCast(list));
-  return true;
-}
-
-// Adds quarantine metadata to the file, assuming it has already been
-// quarantined by the OS.
-// |source| should be the source URL for the download, and |referrer| should be
-// the URL the user initiated the download from.
-
-// The OS will automatically quarantine files due to the
-// LSFileQuarantineEnabled entry in our Info.plist, but it knows relatively
-// little about the files. We add more information about the download to
-// improve the UI shown by the OS when the users tries to open the file.
-bool AddQuarantineMetadataToFile(const base::FilePath& file,
-                                 const GURL& source,
-                                 const GURL& referrer) {
-  base::ThreadRestrictions::AssertIOAllowed();
-  base::scoped_nsobject<NSMutableDictionary> properties;
-  bool success = false;
-  if (base::mac::IsAtLeastOS10_10()) {
-    success = GetQuarantineProperties(file, &properties);
-  } else {
-    success = GetQuarantinePropertiesDeprecated(file, &properties);
-  }
-
-  if (!success)
-    return false;
-
-  if (!properties) {
-    // If there are no quarantine properties, then the file isn't quarantined
-    // (e.g., because the user has set up exclusions for certain file types).
-    // We don't want to add any metadata, because that will cause the file to
-    // be quarantined against the user's wishes.
-    return true;
-  }
-
-  // kLSQuarantineAgentNameKey, kLSQuarantineAgentBundleIdentifierKey, and
-  // kLSQuarantineTimeStampKey are set for us (see LSQuarantine.h), so we only
-  // need to set the values that the OS can't infer.
-
-  if (![properties valueForKey:(NSString*)kLSQuarantineTypeKey]) {
-    CFStringRef type = source.SchemeIsHTTPOrHTTPS()
-                       ? kLSQuarantineTypeWebDownload
-                       : kLSQuarantineTypeOtherDownload;
-    [properties setValue:(NSString*)type
-                  forKey:(NSString*)kLSQuarantineTypeKey];
-  }
-
-  if (![properties valueForKey:(NSString*)kLSQuarantineOriginURLKey] &&
-      referrer.is_valid()) {
-    NSString* referrer_url =
-        [NSString stringWithUTF8String:referrer.spec().c_str()];
-    [properties setValue:referrer_url
-                  forKey:(NSString*)kLSQuarantineOriginURLKey];
-  }
-
-  if (![properties valueForKey:(NSString*)kLSQuarantineDataURLKey] &&
-      source.is_valid()) {
-    NSString* origin_url =
-        [NSString stringWithUTF8String:source.spec().c_str()];
-    [properties setValue:origin_url forKey:(NSString*)kLSQuarantineDataURLKey];
-  }
-
-  if (base::mac::IsAtLeastOS10_10()) {
-    return SetQuarantineProperties(file, properties);
-  } else {
-    return SetQuarantinePropertiesDeprecated(file, properties);
-  }
-}
-
-}  // namespace
-
-QuarantineFileResult QuarantineFile(const base::FilePath& file,
-                                    const GURL& source_url,
-                                    const GURL& referrer_url,
-                                    const std::string& client_guid) {
-  bool quarantine_succeeded =
-      AddQuarantineMetadataToFile(file, source_url, referrer_url);
-  bool origin_succeeded =
-      AddOriginMetadataToFile(file, source_url, referrer_url);
-  return quarantine_succeeded && origin_succeeded
-             ? QuarantineFileResult::OK
-             : QuarantineFileResult::ANNOTATION_FAILED;
-}
-
-}  // namespace content