Password manager internals page: Improve security

components/autofill/core/common/save_password_progress_logger.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/core/common/save_password_progress_logger.h"
 
+#include <algorithm>
+
 #include "base/json/json_writer.h"
 #include "base/logging.h"
+#include "base/memory/scoped_ptr.h"

[Ilya Sherman, 2014/04/19 07:51:22]

nit: Not needed?

[vabr (Chromium), 2014/04/19 19:35:02]

Done.

 #include "base/numerics/safe_conversions.h"
+#include "base/strings/string16.h"
+#include "base/strings/string_util.h"
+#include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "components/autofill/core/common/password_form.h"
 
 using base::checked_cast;
 using base::Value;
 using base::DictionaryValue;
 using base::FundamentalValue;
 using base::StringValue;
 
 namespace autofill {
 
 namespace {
 
+// Note 1: Caching the ID->string map in an array would be probably faster, but
+// the switch statement is (a) robust against re-ordering, and (b) checks in
+// compile-time, that all IDs get a string assigned. The expected frequency of
+// calls is low enough (in particular, zero if password manager internals page
+// is not open), that optimizing for code robustness is preferred against speed.
+// Note 2: The messages can be used as dictionary keys. Do not use '.' in them.
+std::string GetStringFromID(SavePasswordProgressLogger::StringID id) {
+  switch (id) {
+    case SavePasswordProgressLogger::STRING_DECISION_ASK:
+      return "Decision: ASK the user";
+    case SavePasswordProgressLogger::STRING_DECISION_DROP:
+      return "Decision: DROP the password";
+    case SavePasswordProgressLogger::STRING_DECISION_SAVE:
+      return "Decision: SAVE the password";
+    case SavePasswordProgressLogger::STRING_METHOD:
+      return "Form method";
+    case SavePasswordProgressLogger::STRING_METHOD_GET:
+      return "GET";
+    case SavePasswordProgressLogger::STRING_METHOD_POST:
+      return "POST";
+    case SavePasswordProgressLogger::STRING_METHOD_EMPTY:
+      return "(empty)";
+    case SavePasswordProgressLogger::STRING_OTHER:
+      return "(other)";
+    case SavePasswordProgressLogger::STRING_SCHEME_HTML:
+      return "HTML";
+    case SavePasswordProgressLogger::STRING_SCHEME_BASIC:
+      return "Basic";
+    case SavePasswordProgressLogger::STRING_SCHEME_DIGEST:
+      return "Digest";
+    case SavePasswordProgressLogger::STRING_SCHEME_MESSAGE:
+      return "Scheme";
+    case SavePasswordProgressLogger::STRING_SIGNON_REALM:
+      return "Signon realm";
+    case SavePasswordProgressLogger::STRING_ORIGINAL_SIGNON_REALM:
+      return "Original signon realm";
+    case SavePasswordProgressLogger::STRING_ORIGIN:
+      return "Origin";
+    case SavePasswordProgressLogger::STRING_ACTION:
+      return "Action";
+    case SavePasswordProgressLogger::STRING_USERNAME_ELEMENT:
+      return "Username element";
+    case SavePasswordProgressLogger::STRING_PASSWORD_ELEMENT:
+      return "Password element";
+    case SavePasswordProgressLogger::STRING_PASSWORD_AUTOCOMPLETE_SET:
+      return "Password autocomplete set";
+    case SavePasswordProgressLogger::STRING_OLD_PASSWORD_ELEMENT:
+      return "Old password element";
+    case SavePasswordProgressLogger::STRING_SSL_VALID:
+      return "SSL valid";
+    case SavePasswordProgressLogger::STRING_PASSWORD_GENERATED:
+      return "Password generated";
+    case SavePasswordProgressLogger::STRING_TIMES_USED:
+      return "Times used";
+    case SavePasswordProgressLogger::STRING_USE_ADDITIONAL_AUTHENTICATION:
+      return "Use additional authentication";
+    case SavePasswordProgressLogger::STRING_PSL_MATCH:
+      return "PSL match";
+    case SavePasswordProgressLogger::STRING_NAME_OR_ID:
+      return "Form name or ID";
+    case SavePasswordProgressLogger::STRING_MESSAGE:
+      return "Message";
+    case SavePasswordProgressLogger::STRING_INVALID:
+      return "INVALID";
+      // Intentionally no default: clause here -- all IDs need to get covered.
+  }
+  NOTREACHED();  // Win compilers don't believe this is unreachable.
+  return std::string();
+};
+
 // Removes privacy sensitive parts of |url| (currently all but host and scheme).
 std::string ScrubURL(const GURL& url) {
   if (url.is_valid())
     return url.GetWithEmptyPath().spec();
   return std::string();
 }
 
+// Returns true for all characters which we don't want to see in the logged IDs
+// or names of HTML elements.
+bool IsUnwantedInElementID(char c) {
+  return !(c == '_' || c == '-' || IsAsciiAlpha(c) || IsAsciiDigit(c));
+}
+
+// Replaces all characters satisfying IsUnwantedInElementID by a ' ', and turns
+// all characters to lowercase. This damages some valid HTML element IDs or
+// names, but it is likely that it will be still possible to match the scrubbed
+// string to the original ID or name in the HTML doc. That's good enough for the
+// logging purposes, and provides some security benefits.
+std::string ScrubElementID(std::string element_id) {
+  std::replace_if(
+      element_id.begin(), element_id.end(), IsUnwantedInElementID, ' ');
+  return StringToLowerASCII(element_id);
+}
+
+std::string ScrubElementID(base::string16 element_id) {

[Ilya Sherman, 2014/04/19 07:51:22]

nit: Pass by const-reference.

[vabr (Chromium), 2014/04/19 19:35:02]

Thanks! This was a silly copy-paste from the 8-bit string version, where I pass
by value on purpose (the argument is used as a local variable transformed by the
replace_if algorithm).
Done.

+  return ScrubElementID(base::UTF16ToUTF8(element_id));
+}
+
 std::string FormSchemeToString(PasswordForm::Scheme scheme) {
+  SavePasswordProgressLogger::StringID result_id =
+      SavePasswordProgressLogger::STRING_INVALID;
   switch (scheme) {
     case PasswordForm::SCHEME_HTML:
-      return "HTML";
+      result_id = SavePasswordProgressLogger::STRING_SCHEME_HTML;
+      break;
     case PasswordForm::SCHEME_BASIC:
-      return "BASIC";
+      result_id = SavePasswordProgressLogger::STRING_SCHEME_BASIC;
+      break;
     case PasswordForm::SCHEME_DIGEST:
-      return "DIGEST";
+      result_id = SavePasswordProgressLogger::STRING_SCHEME_DIGEST;
+      break;
     case PasswordForm::SCHEME_OTHER:
-      return "OTHER";
+      result_id = SavePasswordProgressLogger::STRING_OTHER;
+      break;
   }
-  NOTREACHED();  // Win compilers don't believe this is unreachable.
-  return std::string();
+  return GetStringFromID(result_id);
 }
 
-StringValue DecisionToStringValue(
-    SavePasswordProgressLogger::Decision decision) {
-  switch (decision) {
-    case SavePasswordProgressLogger::DECISION_SAVE:
-      return StringValue("SAVE the password");
-    case SavePasswordProgressLogger::DECISION_ASK:
-      return StringValue("ASK the user whether to save the password");
-    case SavePasswordProgressLogger::DECISION_DROP:
-      return StringValue("DROP the password");
-  }
-  NOTREACHED();  // Win compilers don't believe this is unreachable.
-  return StringValue(std::string());
+std::string FormMethodToString(const std::string& method) {
+  std::string method_processed;
+  base::TrimWhitespaceASCII(
+      StringToLowerASCII(method), base::TRIM_ALL, &method_processed);
+  SavePasswordProgressLogger::StringID result_id =
+      SavePasswordProgressLogger::STRING_OTHER;
+  if (method_processed.empty())
+    result_id = SavePasswordProgressLogger::STRING_METHOD_EMPTY;
+  else if (method_processed == "get")
+    result_id = SavePasswordProgressLogger::STRING_METHOD_GET;
+  else if (method_processed == "post")
+    result_id = SavePasswordProgressLogger::STRING_METHOD_POST;
+  return GetStringFromID(result_id);
 }
 
 }  // namespace
 
-SavePasswordProgressLogger::SavePasswordProgressLogger() {}
-
-SavePasswordProgressLogger::~SavePasswordProgressLogger() {}
-
-void SavePasswordProgressLogger::LogPasswordForm(const std::string& message,
-                                                 const PasswordForm& form) {
-  DictionaryValue log;
-  // Do not use the "<<" operator for PasswordForms, because it also prints
-  // passwords. Also, that operator is only for testing.
-  log.SetString("scheme", FormSchemeToString(form.scheme));
-  log.SetString("signon realm", ScrubURL(GURL(form.signon_realm)));
-  log.SetString("original signon realm",
-                ScrubURL(GURL(form.original_signon_realm)));
-  log.SetString("origin", ScrubURL(form.origin));
-  log.SetString("action", ScrubURL(form.action));
-  log.SetString("username element", form.username_element);
-  log.SetString("password element", form.password_element);
-  log.SetBoolean("password autocomplete set", form.password_autocomplete_set);
-  log.SetString("old password element", form.old_password_element);
-  log.SetBoolean("ssl valid", form.ssl_valid);
-  log.SetBoolean("password generated",
-                 form.type == PasswordForm::TYPE_GENERATED);
-  log.SetInteger("times used", form.times_used);
-  log.SetBoolean("use additional authentication",
-                 form.use_additional_authentication);
-  log.SetBoolean("is PSL match", form.IsPublicSuffixMatch());
-  LogValue(message, log);
+SavePasswordProgressLogger::SavePasswordProgressLogger() {
 }
 
-void SavePasswordProgressLogger::LogHTMLForm(const std::string& message,
-                                             const std::string& name_or_id,
-                                             const std::string& method,
-                                             const GURL& action) {
-  DictionaryValue log;
-  log.SetString("name_or_id", name_or_id);
-  log.SetString("method", method);
-  log.SetString("action", ScrubURL(action));
-  LogValue(message, log);
+SavePasswordProgressLogger::~SavePasswordProgressLogger() {
 }
 
-void SavePasswordProgressLogger::LogURL(const std::string& message,
-                                        const GURL& url) {
-  LogValue(message, StringValue(ScrubURL(url)));
+void SavePasswordProgressLogger::LogPasswordForm(
+    SavePasswordProgressLogger::StringID label,
+    const PasswordForm& form) {
+  DictionaryValue log;
+  log.SetString(GetStringFromID(STRING_SCHEME_MESSAGE),
+                FormSchemeToString(form.scheme));
+  log.SetString(GetStringFromID(STRING_SCHEME_MESSAGE),
+                FormSchemeToString(form.scheme));
+  log.SetString(GetStringFromID(STRING_SIGNON_REALM),
+                ScrubURL(GURL(form.signon_realm)));
+  log.SetString(GetStringFromID(STRING_ORIGINAL_SIGNON_REALM),
+                ScrubURL(GURL(form.original_signon_realm)));
+  log.SetString(GetStringFromID(STRING_ORIGIN), ScrubURL(form.origin));
+  log.SetString(GetStringFromID(STRING_ACTION), ScrubURL(form.action));
+  log.SetString(GetStringFromID(STRING_USERNAME_ELEMENT),
+                ScrubElementID(form.username_element));
+  log.SetString(GetStringFromID(STRING_PASSWORD_ELEMENT),
+                ScrubElementID(form.password_element));
+  log.SetBoolean(GetStringFromID(STRING_PASSWORD_AUTOCOMPLETE_SET),
+                 form.password_autocomplete_set);
+  log.SetString(GetStringFromID(STRING_OLD_PASSWORD_ELEMENT),
+                ScrubElementID(form.old_password_element));
+  log.SetBoolean(GetStringFromID(STRING_SSL_VALID), form.ssl_valid);
+  log.SetBoolean(GetStringFromID(STRING_PASSWORD_GENERATED),
+                 form.type == PasswordForm::TYPE_GENERATED);
+  log.SetInteger(GetStringFromID(STRING_TIMES_USED), form.times_used);
+  log.SetBoolean(GetStringFromID(STRING_USE_ADDITIONAL_AUTHENTICATION),
+                 form.use_additional_authentication);
+  log.SetBoolean(GetStringFromID(STRING_PSL_MATCH), form.IsPublicSuffixMatch());
+  LogValue(label, log);
 }
 
-void SavePasswordProgressLogger::LogBoolean(const std::string& message,
-                                            bool value) {
-  LogValue(message, FundamentalValue(value));
+void SavePasswordProgressLogger::LogHTMLForm(
+    SavePasswordProgressLogger::StringID label,
+    const std::string& name_or_id,
+    const std::string& method,
+    const GURL& action) {
+  DictionaryValue log;
+  log.SetString(GetStringFromID(STRING_NAME_OR_ID), ScrubElementID(name_or_id));
+  log.SetString(GetStringFromID(STRING_METHOD), FormMethodToString(method));
+  log.SetString(GetStringFromID(STRING_ACTION), ScrubURL(action));
+  LogValue(label, log);
 }
 
-void SavePasswordProgressLogger::LogNumber(const std::string& message,
-                                           int value) {
-  LogValue(message, FundamentalValue(value));
+void SavePasswordProgressLogger::LogURL(
+    SavePasswordProgressLogger::StringID label,
+    const GURL& url) {
+  LogValue(label, StringValue(ScrubURL(url)));
 }
 
-void SavePasswordProgressLogger::LogNumber(const std::string& message,
-                                           size_t value) {
-  LogValue(message, FundamentalValue(checked_cast<int, size_t>(value)));
+void SavePasswordProgressLogger::LogBoolean(
+    SavePasswordProgressLogger::StringID label,
+    bool truth_value) {
+  LogValue(label, FundamentalValue(truth_value));
 }
 
-void SavePasswordProgressLogger::LogFinalDecision(Decision decision) {
-  LogValue("Final decision taken", DecisionToStringValue(decision));
+void SavePasswordProgressLogger::LogNumber(
+    SavePasswordProgressLogger::StringID label,
+    int signed_number) {
+  LogValue(label, FundamentalValue(signed_number));
 }
 
-void SavePasswordProgressLogger::LogMessage(const std::string& message) {
-  LogValue("Message", StringValue(message));
+void SavePasswordProgressLogger::LogNumber(
+    SavePasswordProgressLogger::StringID label,
+    size_t unsigned_number) {
+  int signed_number = checked_cast<int, size_t>(unsigned_number);
+  LogNumber(label, signed_number);
 }
 
-void SavePasswordProgressLogger::LogValue(const std::string& name,
-                                          const Value& log) {
+void SavePasswordProgressLogger::LogMessage(
+    SavePasswordProgressLogger::StringID message) {
+  LogValue(STRING_MESSAGE, StringValue(GetStringFromID(message)));
+}
+
+void SavePasswordProgressLogger::LogValue(StringID label, const Value& log) {
   std::string log_string;
   bool conversion_to_string_successful = base::JSONWriter::WriteWithOptions(
       &log, base::JSONWriter::OPTIONS_PRETTY_PRINT, &log_string);
   DCHECK(conversion_to_string_successful);
-  SendLog(name + ": " + log_string);
+  SendLog(GetStringFromID(label) + ": " + log_string);
 }
 
 }  // namespace autofill