OLD | NEW |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "base/command_line.h" | 5 #include "base/command_line.h" |
6 #include "base/macros.h" | 6 #include "base/macros.h" |
7 #include "base/strings/stringprintf.h" | 7 #include "base/strings/stringprintf.h" |
8 #include "base/strings/utf_string_conversions.h" | 8 #include "base/strings/utf_string_conversions.h" |
9 #include "chrome/browser/ui/browser.h" | 9 #include "chrome/browser/ui/browser.h" |
10 #include "chrome/browser/ui/browser_commands.h" | 10 #include "chrome/browser/ui/browser_commands.h" |
11 #include "chrome/browser/ui/singleton_tabs.h" | 11 #include "chrome/browser/ui/singleton_tabs.h" |
12 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 12 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
13 #include "chrome/test/base/in_process_browser_test.h" | 13 #include "chrome/test/base/in_process_browser_test.h" |
14 #include "chrome/test/base/ui_test_utils.h" | 14 #include "chrome/test/base/ui_test_utils.h" |
15 #include "content/common/fileapi/webblob_messages.h" | |
16 #include "content/public/browser/notification_observer.h" | 15 #include "content/public/browser/notification_observer.h" |
17 #include "content/public/browser/notification_service.h" | 16 #include "content/public/browser/notification_service.h" |
18 #include "content/public/browser/notification_types.h" | 17 #include "content/public/browser/notification_types.h" |
19 #include "content/public/browser/render_frame_host.h" | |
20 #include "content/public/browser/render_process_host.h" | |
21 #include "content/public/browser/resource_request_details.h" | 18 #include "content/public/browser/resource_request_details.h" |
22 #include "content/public/browser/web_contents_observer.h" | 19 #include "content/public/browser/web_contents_observer.h" |
23 #include "content/public/common/content_switches.h" | 20 #include "content/public/common/content_switches.h" |
24 #include "content/public/test/browser_test_utils.h" | 21 #include "content/public/test/browser_test_utils.h" |
25 #include "ipc/ipc_security_test_util.h" | |
26 #include "net/dns/mock_host_resolver.h" | |
27 #include "net/test/embedded_test_server/embedded_test_server.h" | 22 #include "net/test/embedded_test_server/embedded_test_server.h" |
28 | 23 |
29 // The goal of these tests is to "simulate" exploited renderer processes, which | 24 // The goal of these tests is to "simulate" exploited renderer processes, which |
30 // can send arbitrary IPC messages and confuse browser process internal state, | 25 // can send arbitrary IPC messages and confuse browser process internal state, |
31 // leading to security bugs. We are trying to verify that the browser doesn't | 26 // leading to security bugs. We are trying to verify that the browser doesn't |
32 // perform any dangerous operations in such cases. | 27 // perform any dangerous operations in such cases. |
33 // This is similar to the security_exploit_browsertest.cc tests, but also | 28 // This is similar to the security_exploit_browsertest.cc tests, but also |
34 // includes chrome/ layer concepts such as extensions. | 29 // includes chrome/ layer concepts such as extensions. |
35 class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest { | 30 class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest { |
36 public: | 31 public: |
37 ChromeSecurityExploitBrowserTest() {} | 32 ChromeSecurityExploitBrowserTest() {} |
38 ~ChromeSecurityExploitBrowserTest() override {} | 33 ~ChromeSecurityExploitBrowserTest() override {} |
39 | 34 |
40 void SetUpOnMainThread() override { | 35 void SetUpCommandLine(base::CommandLine* command_line) override { |
41 ASSERT_TRUE(embedded_test_server()->Start()); | 36 ASSERT_TRUE(embedded_test_server()->Start()); |
42 host_resolver()->AddRule("*", "127.0.0.1"); | |
43 } | |
44 | 37 |
45 void SetUpCommandLine(base::CommandLine* command_line) override { | 38 // Add a host resolver rule to map all outgoing requests to the test server. |
| 39 // This allows us to use "real" hostnames in URLs, which we can use to |
| 40 // create arbitrary SiteInstances. |
| 41 command_line->AppendSwitchASCII( |
| 42 switches::kHostResolverRules, |
| 43 "MAP * " + embedded_test_server()->host_port_pair().ToString() + |
| 44 ",EXCLUDE localhost"); |
| 45 |
46 // Since we assume exploited renderer process, it can bypass the same origin | 46 // Since we assume exploited renderer process, it can bypass the same origin |
47 // policy at will. Simulate that by passing the disable-web-security flag. | 47 // policy at will. Simulate that by passing the disable-web-security flag. |
48 command_line->AppendSwitch(switches::kDisableWebSecurity); | 48 command_line->AppendSwitch(switches::kDisableWebSecurity); |
49 } | 49 } |
50 | 50 |
51 private: | 51 private: |
52 DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest); | 52 DISALLOW_COPY_AND_ASSIGN(ChromeSecurityExploitBrowserTest); |
53 }; | 53 }; |
54 | 54 |
55 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, | 55 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, |
56 ChromeExtensionResources) { | 56 ChromeExtensionResources) { |
57 // Load a page that requests a chrome-extension:// image through XHR. We | 57 // Load a page that requests a chrome-extension:// image through XHR. We |
58 // expect this load to fail, as it is an illegal request. | 58 // expect this load to fail, as it is an illegal request. |
59 GURL foo = embedded_test_server()->GetURL("foo.com", | 59 GURL foo("http://foo.com/chrome_extension_resource.html"); |
60 "/chrome_extension_resource.html"); | |
61 | 60 |
62 content::DOMMessageQueue msg_queue; | 61 content::DOMMessageQueue msg_queue; |
63 | 62 |
64 ui_test_utils::NavigateToURL(browser(), foo); | 63 ui_test_utils::NavigateToURL(browser(), foo); |
65 | 64 |
66 std::string status; | 65 std::string status; |
67 std::string expected_status("0"); | 66 std::string expected_status("0"); |
68 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); | 67 EXPECT_TRUE(msg_queue.WaitForMessage(&status)); |
69 EXPECT_STREQ(status.c_str(), expected_status.c_str()); | 68 EXPECT_STREQ(status.c_str(), expected_status.c_str()); |
70 } | 69 } |
71 | |
72 IN_PROC_BROWSER_TEST_F(ChromeSecurityExploitBrowserTest, | |
73 CreateBlobInExtensionOrigin) { | |
74 ui_test_utils::NavigateToURL( | |
75 browser(), | |
76 embedded_test_server()->GetURL("a.root-servers.net", "/title1.html")); | |
77 | |
78 content::RenderFrameHost* rfh = | |
79 browser()->tab_strip_model()->GetActiveWebContents()->GetMainFrame(); | |
80 | |
81 // All these are attacker controlled values. The UUID is arbitrary. | |
82 std::string blob_id = "2ce53a26-0409-45a3-86e5-f8fb9f5566d8"; | |
83 std::string blob_type = "text/html"; | |
84 std::string blob_contents = "<script>chrome.extensions</script>"; | |
85 std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd"; | |
86 | |
87 // Target the bookmark manager extension. | |
88 std::string target_origin = | |
89 "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno"; | |
90 | |
91 std::vector<storage::DataElement> data_elements(1); | |
92 data_elements[0].SetToBytes(blob_contents.c_str(), blob_contents.size()); | |
93 | |
94 // Set up a blob ID and populate it with attacker-controlled value. These two | |
95 // messages are allowed, because this data is not in any origin. | |
96 IPC::IpcSecurityTestUtil::PwnMessageReceived( | |
97 rfh->GetProcess()->GetChannel(), | |
98 BlobStorageMsg_RegisterBlobUUID(blob_id, blob_type, "", | |
99 std::set<std::string>())); | |
100 | |
101 IPC::IpcSecurityTestUtil::PwnMessageReceived( | |
102 rfh->GetProcess()->GetChannel(), | |
103 BlobStorageMsg_StartBuildingBlob(blob_id, data_elements)); | |
104 | |
105 // This IPC should result in a kill because |target_origin| is not commitable | |
106 // in |rfh->GetProcess()|. | |
107 content::RenderProcessHostWatcher crash_observer( | |
108 rfh->GetProcess(), | |
109 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); | |
110 IPC::IpcSecurityTestUtil::PwnMessageReceived( | |
111 rfh->GetProcess()->GetChannel(), | |
112 BlobHostMsg_RegisterPublicURL( | |
113 GURL("blob:" + target_origin + "/" + blob_path), blob_id)); | |
114 crash_observer.Wait(); // If the process is killed, this test passes. | |
115 } | |
OLD | NEW |