Chromium Code Reviews Chromium Code Reviews
Issue 2495783003:
Implement support for checking bad IPs aka MatchMalwareIP (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This file should not be build on Android but is currently getting built. | 5 // This file should not be build on Android but is currently getting built. |
| 6 // TODO(vakh): Fix that: http://crbug.com/621647 | 6 // TODO(vakh): Fix that: http://crbug.com/621647 |
| 7 | 7 |
| 8 #include "components/safe_browsing_db/v4_local_database_manager.h" | 8 #include "components/safe_browsing_db/v4_local_database_manager.h" |
| 9 | 9 |
| 10 #include <vector> | 10 #include <vector> |
| 11 | 11 |
| 12 #include "base/bind_helpers.h" | 12 #include "base/bind_helpers.h" |
| 13 #include "base/callback.h" | 13 #include "base/callback.h" |
| 14 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
| 15 #include "base/memory/ref_counted.h" | 15 #include "base/memory/ref_counted.h" |
| 16 #include "base/metrics/histogram_macros.h" | 16 #include "base/metrics/histogram_macros.h" |
| 17 #include "base/sha1.h" | |
| 17 #include "components/safe_browsing_db/v4_feature_list.h" | 18 #include "components/safe_browsing_db/v4_feature_list.h" |
| 19 #include "components/safe_browsing_db/v4_protocol_manager_util.h" | |
| 18 #include "content/public/browser/browser_thread.h" | 20 #include "content/public/browser/browser_thread.h" |
| 21 #include "net/base/ip_address.h" | |
| 19 | 22 |
| 20 using content::BrowserThread; | 23 using content::BrowserThread; |
| 21 using base::TimeTicks; | 24 using base::TimeTicks; |
| 22 | 25 |
| 23 namespace safe_browsing { | 26 namespace safe_browsing { |
| 24 | 27 |
| 25 namespace { | 28 namespace { |
| 26 | 29 |
| 27 const ThreatSeverity kLeastSeverity = | 30 const ThreatSeverity kLeastSeverity = |
| 28 std::numeric_limits<ThreatSeverity>::max(); | 31 std::numeric_limits<ThreatSeverity>::max(); |
| (...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 227 return true; | 230 return true; |
| 228 } | 231 } |
| 229 | 232 |
| 230 bool V4LocalDatabaseManager::MatchDownloadWhitelistUrl(const GURL& url) { | 233 bool V4LocalDatabaseManager::MatchDownloadWhitelistUrl(const GURL& url) { |
| 231 // TODO(vakh): Implement this skeleton. | 234 // TODO(vakh): Implement this skeleton. |
| 232 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 235 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 233 return true; | 236 return true; |
| 234 } | 237 } |
| 235 | 238 |
| 236 bool V4LocalDatabaseManager::MatchMalwareIP(const std::string& ip_address) { | 239 bool V4LocalDatabaseManager::MatchMalwareIP(const std::string& ip_address) { |
| 237 // TODO(vakh): Implement this skeleton. | |
| 238 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 240 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 239 return false; | 241 if (!enabled_) { |
| 242 return false; | |
| 243 } | |
| 244 std::string encoded_ip; | |
| 245 if (!IPAddressToEncodedIPV6(ip_address, &encoded_ip)) { | |
| 246 return false; | |
| 247 } | |
| 248 | |
| 249 std::set<FullHash> encoded_ips{encoded_ip}; | |
| 250 std::unique_ptr<PendingCheck> check = base::MakeUnique<PendingCheck>( | |
| 251 nullptr, ClientCallbackType::CHECK_MALWARE_IP, | |
| 252 StoresToCheck({GetAnyIpMalwareId()}), encoded_ips); | |
| 253 | |
| 254 // HandleCheck() tells us whether the resource is safe. | |
| 255 return !HandleCheck(std::move(check), true /* synchronous_response */); | |
| 240 } | 256 } |
| 241 | 257 |
| 242 bool V4LocalDatabaseManager::MatchModuleWhitelistString( | 258 bool V4LocalDatabaseManager::MatchModuleWhitelistString( |
| 243 const std::string& str) { | 259 const std::string& str) { |
| 244 // TODO(vakh): Implement this skeleton. | 260 // TODO(vakh): Implement this skeleton. |
| 245 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 261 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 246 return true; | 262 return true; |
| 247 } | 263 } |
| 248 | 264 |
| 249 ThreatSource V4LocalDatabaseManager::GetThreatSource() const { | 265 ThreatSource V4LocalDatabaseManager::GetThreatSource() const { |
| (...skipping 112 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 362 const std::unique_ptr<PendingCheck>& check, | 378 const std::unique_ptr<PendingCheck>& check, |
| 363 FullHashToStoreAndHashPrefixesMap* full_hash_to_store_and_hash_prefixes) { | 379 FullHashToStoreAndHashPrefixesMap* full_hash_to_store_and_hash_prefixes) { |
| 364 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 380 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 365 | 381 |
| 366 DCHECK(enabled_); | 382 DCHECK(enabled_); |
| 367 DCHECK(v4_database_); | 383 DCHECK(v4_database_); |
| 368 | 384 |
| 369 const base::TimeTicks before = TimeTicks::Now(); | 385 const base::TimeTicks before = TimeTicks::Now(); |
| 370 if (check->client_callback_type == ClientCallbackType::CHECK_BROWSE_URL || | 386 if (check->client_callback_type == ClientCallbackType::CHECK_BROWSE_URL || |
| 371 check->client_callback_type == ClientCallbackType::CHECK_DOWNLOAD_URLS || | 387 check->client_callback_type == ClientCallbackType::CHECK_DOWNLOAD_URLS || |
| 372 check->client_callback_type == ClientCallbackType::CHECK_EXTENSION_IDS) { | 388 check->client_callback_type == ClientCallbackType::CHECK_EXTENSION_IDS || |
| 389 check->client_callback_type == ClientCallbackType::CHECK_MALWARE_IP) { | |
| 373 DCHECK(!check->full_hashes.empty()); | 390 DCHECK(!check->full_hashes.empty()); |
| 374 | 391 |
| 375 full_hash_to_store_and_hash_prefixes->clear(); | 392 full_hash_to_store_and_hash_prefixes->clear(); |
| 376 for (const auto& full_hash : check->full_hashes) { | 393 for (const auto& full_hash : check->full_hashes) { |
| 377 StoreAndHashPrefixes matched_store_and_hash_prefixes; | 394 StoreAndHashPrefixes matched_store_and_hash_prefixes; |
| 378 v4_database_->GetStoresMatchingFullHash(full_hash, check->stores_to_check, | 395 v4_database_->GetStoresMatchingFullHash(full_hash, check->stores_to_check, |
| 379 &matched_store_and_hash_prefixes); | 396 &matched_store_and_hash_prefixes); |
| 380 if (!matched_store_and_hash_prefixes.empty()) { | 397 if (!matched_store_and_hash_prefixes.empty()) { |
| 381 (*full_hash_to_store_and_hash_prefixes)[full_hash] = | 398 (*full_hash_to_store_and_hash_prefixes)[full_hash] = |
| 382 matched_store_and_hash_prefixes; | 399 matched_store_and_hash_prefixes; |
| (...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 429 SBThreatType V4LocalDatabaseManager::GetSBThreatTypeForList( | 446 SBThreatType V4LocalDatabaseManager::GetSBThreatTypeForList( |
| 430 const ListIdentifier& list_id) { | 447 const ListIdentifier& list_id) { |
| 431 auto it = std::find_if( | 448 auto it = std::find_if( |
| 432 std::begin(list_infos_), std::end(list_infos_), | 449 std::begin(list_infos_), std::end(list_infos_), |
| 433 [&list_id](ListInfo const& li) { return li.list_id() == list_id; }); | 450 [&list_id](ListInfo const& li) { return li.list_id() == list_id; }); |
| 434 DCHECK(list_infos_.end() != it); | 451 DCHECK(list_infos_.end() != it); |
| 435 DCHECK_NE(SB_THREAT_TYPE_SAFE, it->sb_threat_type()); | 452 DCHECK_NE(SB_THREAT_TYPE_SAFE, it->sb_threat_type()); |
| 436 return it->sb_threat_type(); | 453 return it->sb_threat_type(); |
| 437 } | 454 } |
| 438 | 455 |
| 439 bool V4LocalDatabaseManager::HandleCheck(std::unique_ptr<PendingCheck> check) { | 456 bool V4LocalDatabaseManager::HandleCheck(std::unique_ptr<PendingCheck> check, |
|
Nathan Parker
2016/11/14 21:09:37
The flow is quite different if !sychronous_respose
vakh (use Gerrit instead)
2016/11/15 00:36:21
Done.
| |
| 457 const bool synchronous_response) { | |
| 440 if (!v4_database_) { | 458 if (!v4_database_) { |
| 459 if (synchronous_response) { | |
| 460 return true; | |
| 461 } | |
| 462 | |
| 441 queued_checks_.push_back(std::move(check)); | 463 queued_checks_.push_back(std::move(check)); |
| 442 return false; | 464 return false; |
| 443 } | 465 } |
| 444 | 466 |
| 445 FullHashToStoreAndHashPrefixesMap full_hash_to_store_and_hash_prefixes; | 467 FullHashToStoreAndHashPrefixesMap full_hash_to_store_and_hash_prefixes; |
| 446 if (!GetPrefixMatches(check, &full_hash_to_store_and_hash_prefixes)) { | 468 if (!GetPrefixMatches(check, &full_hash_to_store_and_hash_prefixes)) { |
| 447 return true; | 469 return true; |
| 448 } | 470 } |
| 449 | 471 |
| 450 // Post on the IO thread to enforce async behavior. | 472 if (!synchronous_response) { |
| 451 BrowserThread::PostTask( | 473 // Post on the IO thread to enforce async behavior. |
| 452 BrowserThread::IO, FROM_HERE, | 474 BrowserThread::PostTask( |
| 453 base::Bind(&V4LocalDatabaseManager::PerformFullHashCheck, this, | 475 BrowserThread::IO, FROM_HERE, |
| 454 base::Passed(std::move(check)), | 476 base::Bind(&V4LocalDatabaseManager::PerformFullHashCheck, this, |
| 455 full_hash_to_store_and_hash_prefixes)); | 477 base::Passed(std::move(check)), |
| 478 full_hash_to_store_and_hash_prefixes)); | |
| 479 } | |
| 456 return false; | 480 return false; |
| 457 } | 481 } |
| 458 | 482 |
| 483 // static | |
| 484 bool V4LocalDatabaseManager::IPAddressToEncodedIPV6( | |
| 485 const std::string& ip_address, | |
| 486 std::string* encoded_ip) { | |
| 487 net::IPAddress address; | |
| 488 if (!V4ProtocolManagerUtil::GetIPV6AddressFromString(ip_address, &address)) { | |
| 489 return false; | |
| 490 } | |
| 491 std::string packed_ip = net::IPAddressToPackedString(address); | |
| 492 if (packed_ip.empty()) { | |
| 493 return false; | |
| 494 } | |
| 495 | |
| 496 const std::string hash = base::SHA1HashString(packed_ip); | |
| 497 encoded_ip->resize(base::kSHA1Length + 1, '\x00'); | |
|
Scott Hess - ex-Googler
2016/11/14 20:52:10
Does the char matter? AFAICT everything will be o
vakh (use Gerrit instead)
2016/11/15 00:37:02
Done.
| |
| 498 encoded_ip->replace(0, hash.size(), hash); | |
| 499 (*encoded_ip)[20] = static_cast<unsigned char>(128); | |
|
Scott Hess - ex-Googler
2016/11/14 20:52:10
I think you should consistently use hash.size() in
vakh (use Gerrit instead)
2016/11/15 00:37:02
Done.
| |
| 500 return true; | |
| 501 } | |
| 502 | |
| 459 void V4LocalDatabaseManager::OnFullHashResponse( | 503 void V4LocalDatabaseManager::OnFullHashResponse( |
| 460 std::unique_ptr<PendingCheck> pending_check, | 504 std::unique_ptr<PendingCheck> pending_check, |
| 461 const std::vector<FullHashInfo>& full_hash_infos) { | 505 const std::vector<FullHashInfo>& full_hash_infos) { |
| 462 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 506 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 463 | 507 |
| 464 if (!enabled_) { | 508 if (!enabled_) { |
| 465 DCHECK(pending_clients_.empty()); | 509 DCHECK(pending_clients_.empty()); |
| 466 return; | 510 return; |
| 467 } | 511 } |
| 468 | 512 |
| (...skipping 110 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 579 } | 623 } |
| 580 | 624 |
| 581 void V4LocalDatabaseManager::UpdateRequestCompleted( | 625 void V4LocalDatabaseManager::UpdateRequestCompleted( |
| 582 std::unique_ptr<ParsedServerResponse> parsed_server_response) { | 626 std::unique_ptr<ParsedServerResponse> parsed_server_response) { |
| 583 DCHECK_CURRENTLY_ON(BrowserThread::IO); | 627 DCHECK_CURRENTLY_ON(BrowserThread::IO); |
| 584 v4_database_->ApplyUpdate(std::move(parsed_server_response), | 628 v4_database_->ApplyUpdate(std::move(parsed_server_response), |
| 585 db_updated_callback_); | 629 db_updated_callback_); |
| 586 } | 630 } |
| 587 | 631 |
| 588 } // namespace safe_browsing | 632 } // namespace safe_browsing |
| OLD | NEW |
