OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
6 #include "base/macros.h" | 6 #include "base/macros.h" |
7 #include "base/strings/stringprintf.h" | 7 #include "base/strings/stringprintf.h" |
8 #include "base/strings/utf_string_conversions.h" | 8 #include "base/strings/utf_string_conversions.h" |
9 #include "chrome/browser/ui/browser.h" | 9 #include "chrome/browser/ui/browser.h" |
10 #include "chrome/browser/ui/browser_commands.h" | 10 #include "chrome/browser/ui/browser_commands.h" |
11 #include "chrome/browser/ui/singleton_tabs.h" | 11 #include "chrome/browser/ui/singleton_tabs.h" |
12 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 12 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
13 #include "chrome/test/base/in_process_browser_test.h" | 13 #include "chrome/test/base/in_process_browser_test.h" |
14 #include "chrome/test/base/ui_test_utils.h" | 14 #include "chrome/test/base/ui_test_utils.h" |
| 15 #include "content/common/fileapi/webblob_messages.h" |
15 #include "content/public/browser/notification_observer.h" | 16 #include "content/public/browser/notification_observer.h" |
16 #include "content/public/browser/notification_service.h" | 17 #include "content/public/browser/notification_service.h" |
17 #include "content/public/browser/notification_types.h" | 18 #include "content/public/browser/notification_types.h" |
| 19 #include "content/public/browser/render_frame_host.h" |
| 20 #include "content/public/browser/render_process_host.h" |
18 #include "content/public/browser/resource_request_details.h" | 21 #include "content/public/browser/resource_request_details.h" |
19 #include "content/public/browser/web_contents_observer.h" | 22 #include "content/public/browser/web_contents_observer.h" |
20 #include "content/public/common/content_switches.h" | 23 #include "content/public/common/content_switches.h" |
21 #include "content/public/test/browser_test_utils.h" | 24 #include "content/public/test/browser_test_utils.h" |
| 25 #include "ipc/ipc_security_test_util.h" |
| 26 #include "net/dns/mock_host_resolver.h" |
22 #include "net/test/embedded_test_server/embedded_test_server.h" | 27 #include "net/test/embedded_test_server/embedded_test_server.h" |
23 | 28 |
24 // The goal of these tests is to "simulate" exploited renderer processes, which | 29 // The goal of these tests is to "simulate" exploited renderer processes, which |
25 // can send arbitrary IPC messages and confuse browser process internal state, | 30 // can send arbitrary IPC messages and confuse browser process internal state, |
26 // leading to security bugs. We are trying to verify that the browser doesn't | 31 // leading to security bugs. We are trying to verify that the browser doesn't |
27 // perform any dangerous operations in such cases. | 32 // perform any dangerous operations in such cases. |
28 // This is similar to the security_exploit_browsertest.cc tests, but also | 33 // This is similar to the security_exploit_browsertest.cc tests, but also |
29 // includes chrome/ layer concepts such as extensions. | 34 // includes chrome/ layer concepts such as extensions. |
30 class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest { | 35 class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest { |
31 public: | 36 public: |
32 ChromeSecurityExploitBrowserTest() {} | 37 ChromeSecurityExploitBrowserTest() {} |
33 ~ChromeSecurityExploitBrowserTest() override {} | 38 ~ChromeSecurityExploitBrowserTest() override {} |
34 | 39 |
| 40 void SetUpOnMainThread() override { |
| 41 ASSERT_TRUE(embedded_test_server()->Start()); |
| 42 host_resolver()->AddRule("*", "127.0.0.1"); |
| 43 } |
| 44 |
35 void SetUpCommandLine(base::CommandLine* command_line) override { | 45 void SetUpCommandLine(base::CommandLine* command_line) override { |
36 ASSERT_TRUE(embedded_test_server()->Start()); | |
37 | |
38 // Add a host resolver rule to map all outgoing requests to the test server. | |
39 // This allows us to use "real" hostnames in URLs, which we can use to | |
40 // create arbitrary SiteInstances. | |
41 command_line->AppendSwitchASCII( | |
42 switches::kHostResolverRules, | |
43 "MAP * " + embedded_test_server()->host_port_pair().ToString() + | |
44 ",EXCLUDE localhost"); | |
45 | |
46 // Since we assume exploited renderer process, it can bypass the same origin | 46 // Since we assume exploited renderer process, it can bypass the same origin |
47 // policy at will. Simulate that by passing the disable-web-security flag. | 47 // policy at will. Simulate that by passing the disable-web-security flag. |
48 command_line->AppendSwitch(switches::kDisableWebSecurity); | 48 command_line->AppendSwitch(switches::kDisableWebSecurity); |
49 } | 49 } |
50 | 50 |
51 private: | 51 private: |
52 DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest); | 52 DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest); |
53 }; | 53 }; |
54 | 54 |
55 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, | 55 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, |
56 ChromeExtensionResources) { | 56 ChromeExtensionResources) { |
57 // Load a page that requests a chrome-extension:// image through XHR. We | 57 // Load a page that requests a chrome-extension:// image through XHR. We |
58 // expect this load to fail, as it is an illegal request. | 58 // expect this load to fail, as it is an illegal request. |
59 GURL foo("http://foo.com/chrome_extension_resource.html"); | 59 GURL foo = embedded_test_server()->GetURL("foo.com", |
| 60 "/chrome_extension_resource.html"); |
60 | 61 |
61 content::DOMMessageQueue msg_queue; | 62 content::DOMMessageQueue msg_queue; |
62 | 63 |
63 ui_test_utils::NavigateToURL(browser(), foo); | 64 ui_test_utils::NavigateToURL(browser(), foo); |
64 | 65 |
65 std::string status; | 66 std::string status; |
66 std::string expected_status("0"); | 67 std::string expected_status("0"); |
67 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); | 68 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); |
68 EXPECT_STREQ(status.c_str(), expected_status.c_str()); | 69 EXPECT_STREQ(status.c_str(), expected_status.c_str()); |
69 } | 70 } |
| 71 |
| 72 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, |
| 73 CreateBlobInExtensionOrigin) { |
| 74 ui_test_utils::NavigateToURL( |
| 75 browser(), |
| 76 embedded_test_server()->GetURL("a.root-servers.net", "/title1.html")); |
| 77 |
| 78 content::RenderFrameHost* rfh = |
| 79 browser()->tab_strip_model()->GetActiveWebContents()->GetMainFrame(); |
| 80 |
| 81 // All these are attacker controlled values. The UUID is arbitrary. |
| 82 std::string blob_id = "2ce53a26-0409-45a3-86e5-f8fb9f5566d8"; |
| 83 std::string blob_type = "text/html"; |
| 84 std::string blob_contents = "<script>chrome.extensions</script>"; |
| 85 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; |
| 86 |
| 87 // Target the bookmark manager extension. |
| 88 std::string target_origin = |
| 89 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; |
| 90 |
| 91 std::vector<storage::DataElement> data_elements(1); |
| 92 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); |
| 93 |
| 94 // Set up a blob ID and populate it with attacker-controlled value. These two |
| 95 // messages are allowed, because this data is not in any origin. |
| 96 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| 97 rfh->GetProcess()->GetChannel(), |
| 98 BlobStorageMsg_RegisterBlobUUID(blob_id, blob_type, "", |
| 99 std::set<std::string>())); |
| 100 |
| 101 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| 102 rfh->GetProcess()->GetChannel(), |
| 103 BlobStorageMsg_StartBuildingBlob(blob_id, data_elements)); |
| 104 |
| 105 // This IPC should result in a kill because |target_origin| is not commitable |
| 106 // in |rfh->GetProcess()|. |
| 107 content::RenderProcessHostWatcher crash_observer( |
| 108 rfh->GetProcess(), |
| 109 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| 110 IPC::IpcSecurityTestUtil::PwnMessageReceived( |
| 111 rfh->GetProcess()->GetChannel(), |
| 112 BlobHostMsg_RegisterPublicURL( |
| 113 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); |
| 114 crash_observer.Wait(); // If the process is killed, this test passes. |
| 115 } |
OLD | NEW |