
Side by Side Diff: components/autofill/core/common/save_password_progress_logger.h

Issue 235623002: Password manager internals page: Improve security (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: innerHTML -> innerText Created 6 years, 8 months ago
1 // Copyright 2014 The Chromium Authors. All rights reserved. 1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef COMPONENTS_AUTOFILL_CORE_COMMON_SAVE_PASSWORD_PROGRESS_LOGGER_H_ 5 #ifndef COMPONENTS_AUTOFILL_CORE_COMMON_SAVE_PASSWORD_PROGRESS_LOGGER_H_
6 #define COMPONENTS_AUTOFILL_CORE_COMMON_SAVE_PASSWORD_PROGRESS_LOGGER_H_ 6 #define COMPONENTS_AUTOFILL_CORE_COMMON_SAVE_PASSWORD_PROGRESS_LOGGER_H_
7 7
8 #include <string> 8 #include <string>
9 #include <vector>
9 10
11 #include "base/strings/string16.h"
10 #include "url/gurl.h" 12 #include "url/gurl.h"
11 13
12 namespace base { 14 namespace base {
13 class Value; 15 class Value;
14 } 16 }
15 17
16 namespace autofill { 18 namespace autofill {
17 19
18 struct PasswordForm; 20 struct PasswordForm;
19 21
20 // When logging decisions made by password management code about whether to 22 // When logging decisions made by password management code about whether to
21 // offer user-entered credentials for saving or not, do use this class. It 23 // offer user-entered credentials for saving or not, do use this class. It
22 // offers a suite of convenience methods to format and scrub logs. The methods 24 // offers a suite of convenience methods to format and scrub logs. The methods
23 // have built-in privacy protections (never include a password, scrub URLs), so 25 // have built-in privacy protections (never include a password, scrub URLs), so
24 // that the result is appropriate for display on the internals page. 26 // that the result is appropriate for display on the internals page.
25 // 27 //
26 // To use this class, the method SendLog needs to be overriden to send the logs 28 // To use this class, the method SendLog needs to be overriden to send the logs
27 // for display as appropriate. 29 // for display as appropriate.
28 // 30 //
29 // TODO(vabr): Logically, this class belongs to the password_manager component. 31 // TODO(vabr): Logically, this class belongs to the password_manager component.
30 // But the PasswordAutofillAgent needs to use it, so until that agent is in a 32 // But the PasswordAutofillAgent needs to use it, so until that agent is in a
31 // third component, shared by autofill and password_manager, this helper needs 33 // third component, shared by autofill and password_manager, this helper needs
32 // to stay in autofill as well. 34 // to stay in autofill as well.
33 class SavePasswordProgressLogger { 35 class SavePasswordProgressLogger {
34 public: 36 public:
35 // All three possible decisions about saving a password. Call LogFinalDecision 37 // IDs of strings allowed in the logs: for security reasons, we only pass the
36 // as soon as one is taken by the password management code. 38 // IDs from the renderer, and map them to strings in the browser.
37 enum Decision { DECISION_SAVE, DECISION_ASK, DECISION_DROP }; 39 // Make sure to keep this in the same order as |kIDsToMessages| in the .cc
40 // file.
Ilya Sherman 2014/04/12 00:00:51 Rather than requiring the order to match, please j
vabr (Chromium) 2014/04/13 20:12:30 Done.
41 // The code relies on them being automatically numbered, starting with 0 and
42 // increasing by 1 (guaranteed by the C++ standard, see ISO/IEC 14882:2003
43 // 7.2.1).
44 enum StringID {
45 STRING_DECISION_ASK,
46 STRING_DECISION_DROP,
47 STRING_DECISION_SAVE,
48 STRING_METHOD,
49 STRING_METHOD_GET,
50 STRING_METHOD_POST,
51 STRING_METHOD_EMPTY,
52 STRING_OTHER,
53 STRING_SCHEME_HTML,
54 STRING_SCHEME_BASIC,
55 STRING_SCHEME_DIGEST,
56 STRING_SCHEME_MESSAGE,
57 STRING_SIGNON_REALM,
58 STRING_ORIGINAL_SIGNON_REALM,
59 STRING_ORIGIN,
60 STRING_ACTION,
61 STRING_USERNAME_ELEMENT,
62 STRING_PASSWORD_ELEMENT,
63 STRING_PASSWORD_AUTOCOMPLETE_SET,
64 STRING_OLD_PASSWORD_ELEMENT,
65 STRING_SSL_VALID,
66 STRING_PASSWORD_GENERATED,
67 STRING_TIMES_USED,
68 STRING_USE_ADDITIONAL_AUTHENTICATION,
69 STRING_PSL_MATCH,
70 STRING_NAME_OR_ID,
71 STRING_MESSAGE,
72 STRING_INVALID, // Represents a string returned in a case of an error.
73 STRING_MAX = STRING_INVALID
74 };
75
76 // A "structured" log, as opposed to just a log string, is passed from the
77 // place of log creation (which might be in a renderer code) to browser for
78 // display. We need to keep it structured to allow browser-side sanitization
79 // for security reasons.
80 struct StructuredLog {
81 // Each log has one of these types. Depending on the type, the valid data
82 // members are shown in comments (in addition to |log_type| itself).
83 enum LogType {
84 LOG_TYPE_LABEL, // |label|
85 LOG_TYPE_GURL, // |label|, |url|
86 LOG_TYPE_MESSAGE, // |label|, |message|
87 LOG_TYPE_NUMBER, // |label|, |number|
88 LOG_TYPE_BOOL, // |label|, |truth_value|
89 LOG_TYPE_ELEMENT_ID, // |label|, |element_id|
90 LOG_TYPE_MAX = LOG_TYPE_ELEMENT_ID
91 };
92
93 LogType log_type;
94 StringID label;
95 // The members below would ideally form a union, but cannot, because of
96 // non-POD members. The size overhead does not seem worse than having
97 // multiple IPC methods specialized for each possible log type.
98 GURL url;
99 StringID message;
100 int number;
101 bool truth_value;
102 // Only use |element_id| to store an HTML element name or id; for security
103 // reasons all characters other than alphanumeric ones will be replaced by
104 // spaces.
105 std::string element_id;
106
107 StructuredLog();
108 explicit StructuredLog(StringID label);
109 StructuredLog(StringID label, GURL url);
110 StructuredLog(StringID label, StringID message);
111 StructuredLog(StringID label, int number);
112 StructuredLog(StringID label, bool truth_value);
113 StructuredLog(StringID label, const std::string& element_id);
114 StructuredLog(StringID label, const base::string16& element_id);
115 ~StructuredLog();
116
117 // Equality operators for testing.
118 bool operator==(const StructuredLog& form) const;
119 bool operator!=(const StructuredLog& form) const;
120 };
Ilya Sherman 2014/04/12 00:00:51 I'm not convinced that passing a struct rather tha
vabr (Chromium) 2014/04/12 09:11:38 My understanding is that LogFoo don't actually pre
Ilya Sherman 2014/04/12 22:25:31 I would keep the previous IPC design, i.e. just se
vabr (Chromium) 2014/04/16 20:55:36 Done.
38 121
39 SavePasswordProgressLogger(); 122 SavePasswordProgressLogger();
40 virtual ~SavePasswordProgressLogger(); 123 virtual ~SavePasswordProgressLogger();
41 124
42 // Logging: specialized methods (for logging forms, URLs, etc.) take care of 125 // Call SanitizeStructuredLogs only in the browser, to get a safe-for-display
43 // proper removing of sensitive data where appropriate. 126 // string representation of |logs|. The vector |logs| needs to be organised in
44 void LogPasswordForm(const std::string& message, 127 // one of the two following ways:
128 // 1) there is only one log in the vector, of type different than
129 // LOG_TYPE_LABEL, or
130 // 2) there are more logs, and exactly the first one has type LOG_TYPE_LABEL,
131 // providing a label for the whole group.
132 static std::string SanitizeStructuredLogs(
133 const std::vector<StructuredLog>& logs);
Ilya Sherman 2014/04/12 00:00:51 How about only making this function available in t
vabr (Chromium) 2014/04/16 20:55:36 That function is gone.
134
135 // Logging: these methods create and send a StructuredLog for sanitization and
136 // display.
137 void LogPasswordForm(StringID label,
45 const autofill::PasswordForm& form); 138 const autofill::PasswordForm& form);
46 void LogHTMLForm(const std::string& message, 139 void LogHTMLForm(StringID label,
47 const std::string& name_or_id, 140 const std::string& name_or_id,
48 const std::string& method, 141 const std::string& method,
49 const GURL& action); 142 const GURL& action);
50 void LogURL(const std::string& message, const GURL& url); 143 void LogURL(StringID label, const GURL& url);
51 void LogBoolean(const std::string& message, bool value); 144 void LogBoolean(StringID label, bool value);
52 void LogNumber(const std::string& message, int value); 145 void LogNumber(StringID label, int value);
53 void LogNumber(const std::string& message, size_t value); 146 void LogNumber(StringID label, size_t value);
54 void LogFinalDecision(Decision decision); 147 void LogMessage(StringID message);
55 // Do not use LogMessage when there is an appropriate specialized method
56 // above. LogMessage performs no scrubbing of sensitive data.
57 void LogMessage(const std::string& message);
58 148
59 protected: 149 protected:
60 // Sends |log| immediately for display. 150 // Sends |logs| immediately for display.
61 virtual void SendLog(const std::string& log) = 0; 151 virtual void SendLog(const std::vector<StructuredLog>& logs) = 0;
62 152
63 private: 153 private:
64 // Takes a structured |log|, converts it to a string suitable for plain text
65 // output, adds the |name| as a caption, and sends out via SendLog.
66 void LogValue(const std::string& name, const base::Value& log);
67
68 DISALLOW_COPY_AND_ASSIGN(SavePasswordProgressLogger); 154 DISALLOW_COPY_AND_ASSIGN(SavePasswordProgressLogger);
69 }; 155 };
70 156
71 } // namespace autofill 157 } // namespace autofill
72 158
73 #endif // COMPONENTS_AUTOFILL_CORE_COMMON_SAVE_PASSWORD_PROGRESS_LOGGER_H_ 159 #endif // COMPONENTS_AUTOFILL_CORE_COMMON_SAVE_PASSWORD_PROGRESS_LOGGER_H_
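Review bot: The comment above SanitizeStructuredLogs states the shape of |logs| as a requirement on the caller, but the StructuredLog comment says logs may be created in renderer code, so the browser-side consumer cannot assume the vector is non-empty, that LOG_TYPE_LABEL appears only in first position, or that |log_type|, |label| and |message| lie within LOG_TYPE_MAX / STRING_MAX. Because the StringID comment says the code relies on the automatic numbering to map IDs to strings, an out-of-range ID presumably has to be rejected before any lookup; the .cc file is not visible here, so this may already be handled. I would state the failure behaviour in the header, for example `// Malformed |logs| (empty, misplaced LOG_TYPE_LABEL, out-of-range enum values) are treated as untrusted input and rendered as STRING_INVALID.` Separately, `LogNumber(StringID label, size_t value)` feeds a struct whose `number` member is `int` and which has no size_t constructor, so the narrowing of large values should be made explicit or the member widened.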