Communicate ExtensionSettings policy to renderers

extensions/common/permissions/permissions_data.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/permissions/permissions_data.h"
 
 #include <algorithm>
 #include <utility>
 
 #include "base/command_line.h"
@@ skipping 11 matching lines @@
 #include "extensions/common/switches.h"
 #include "extensions/common/url_pattern_set.h"
 #include "url/gurl.h"
 #include "url/url_constants.h"
 
 namespace extensions {
 
 namespace {
 
 PermissionsData::PolicyDelegate* g_policy_delegate = nullptr;
+// URLs an extension can't interact with. Overridden by
+// runtime_blocked_hosts of an individual extension's PermissionsData.
+URLPatternSet* default_runtime_blocked_hosts_unsafe_ = nullptr;
+// URLs an extension can interact with regardless of
+// default_runtime_blocked_hosts_unsafe. Overridden by
+// runtime_allowed_hosts of an individual extension's PermissionsData.
+URLPatternSet* default_runtime_allowed_hosts_unsafe_ = nullptr;
 
 class AutoLockOnValidThread {
  public:
   AutoLockOnValidThread(base::Lock& lock, base::ThreadChecker* thread_checker)
       : auto_lock_(lock) {
     DCHECK(!thread_checker || thread_checker->CalledOnValidThread());
   }
 
  private:
   base::AutoLock auto_lock_;
@@ skipping 38 matching lines @@
 bool PermissionsData::ShouldSkipPermissionWarnings(
     const std::string& extension_id) {
   // See http://b/4946060 for more details.
   return extension_id == extension_misc::kProdHangoutsExtensionId;
 }
 
 // static
 bool PermissionsData::IsRestrictedUrl(const GURL& document_url,
                                       const Extension* extension,
                                       std::string* error) {
+  if (extension &&
+      extension->permissions_data()->IsRuntimeBlockedHost(document_url)) {
+    *error = manifest_errors::kCannotAccessPage;
+    return true;
+  }
   if (extension && CanExecuteScriptEverywhere(extension))
     return false;
 
   // Check if the scheme is valid for extensions. If not, return.
   if (!URLPattern::IsValidSchemeForExtensions(document_url.scheme()) &&
       document_url.spec() != url::kAboutBlankURL) {
     if (error) {
       if (extension->permissions_data()->active_permissions().HasAPIPermission(
               APIPermission::kTab)) {
         *error = ErrorUtils::FormatErrorMessage(
@@ skipping 20 matching lines @@
   if (extension && document_url.SchemeIs(kExtensionScheme) &&
       document_url.host() != extension->id() && !allow_on_chrome_urls) {
     if (error)
       *error = manifest_errors::kCannotAccessExtensionUrl;
     return true;
   }
 
   return false;
 }
 
+bool PermissionsData::UsesDefaultPolicyHostRestrictions() const {
+  DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+  return uses_default_policy_host_restrictions_;
+}
+
+const URLPatternSet& PermissionsData::default_runtime_blocked_hosts() {
+  if (!default_runtime_blocked_hosts_unsafe_)
+    default_runtime_blocked_hosts_unsafe_ = new URLPatternSet();
+  return *default_runtime_blocked_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::default_runtime_allowed_hosts() {
+  if (!default_runtime_allowed_hosts_unsafe_)
+    default_runtime_allowed_hosts_unsafe_ = new URLPatternSet();
+  return *default_runtime_allowed_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::runtime_blocked_hosts() const {
+  if (uses_default_policy_host_restrictions_)
+    return default_runtime_blocked_hosts();
+  return runtime_blocked_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::runtime_allowed_hosts() const {
+  if (uses_default_policy_host_restrictions_)
+    return default_runtime_allowed_hosts();
+  return runtime_allowed_hosts_unsafe_;
+}
+
 void PermissionsData::BindToCurrentThread() const {
   DCHECK(!thread_checker_);
   thread_checker_.reset(new base::ThreadChecker());
 }
 
 void PermissionsData::SetPermissions(
     std::unique_ptr<const PermissionSet> active,
     std::unique_ptr<const PermissionSet> withheld) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
   active_permissions_unsafe_ = std::move(active);
   withheld_permissions_unsafe_ = std::move(withheld);
 }
 
+void PermissionsData::SetPolicyHostRestrictions(
+    const URLPatternSet runtime_blocked_hosts,

[dcheng, 2017/02/06 07:05:29]

Nit: &

[nrpeter, 2017/02/06 22:53:15]

Done.

+    const URLPatternSet runtime_allowed_hosts,
+    const bool uses_default_policy_host_restrictions) const {
+  AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
+  runtime_blocked_hosts_unsafe_ = runtime_blocked_hosts;
+  runtime_allowed_hosts_unsafe_ = runtime_allowed_hosts;
+  uses_default_policy_host_restrictions_ =
+      uses_default_policy_host_restrictions;
+}
+
+// static
+void PermissionsData::SetDefaultPolicyHostRestrictions(
+    const URLPatternSet default_runtime_blocked_hosts,
+    const URLPatternSet default_runtime_allowed_hosts) {
+  default_runtime_blocked_hosts_unsafe_ =
+      new URLPatternSet(default_runtime_blocked_hosts);

[dcheng, 2017/02/06 07:05:29]

Will this leak the original heap allocation, if it's already assigned?

[nrpeter, 2017/02/06 22:53:15]

Quite correct since I can't use unique_ptr::reset due to static POD
requirements.

C++ isn't my main language, so a double check if this fix would be much
appreciated as I don't want to introduce a UAF.

[dcheng, 2017/02/07 07:47:12]

Since URLPatternSet is assignable, I would recommend something along these
lines:
  GetDefaultRuntimeBlockedHosts() = default_runtime_blocked_hosts;

with:
URLPatternSet& GetDefaultRuntimeBlockedHosts() {
  CR_DEFINE_STATIC_LOCAL(URLPatternSet, patterns, ());
  return patterns;
};

[nrpeter, 2017/03/22 23:47:38]

Devlin requested this to be a Leaky LazyInstance and I've updated the code to do
that. Does that work for you?

+  default_runtime_allowed_hosts_unsafe_ =
+      new URLPatternSet(default_runtime_allowed_hosts);
+}
+
 void PermissionsData::SetActivePermissions(
     std::unique_ptr<const PermissionSet> active) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
   active_permissions_unsafe_ = std::move(active);
 }
 
 void PermissionsData::UpdateTabSpecificPermissions(
     int tab_id,
     const PermissionSet& permissions) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
@@ skipping 48 matching lines @@
 URLPatternSet PermissionsData::GetEffectiveHostPermissions() const {
   base::AutoLock auto_lock(runtime_lock_);
   URLPatternSet effective_hosts = active_permissions_unsafe_->effective_hosts();
   for (const auto& val : tab_specific_permissions_)
     effective_hosts.AddPatterns(val.second->effective_hosts());
   return effective_hosts;
 }
 
 bool PermissionsData::HasHostPermission(const GURL& url) const {
   base::AutoLock auto_lock(runtime_lock_);
-  return active_permissions_unsafe_->HasExplicitAccessToOrigin(url);
+  return active_permissions_unsafe_->HasExplicitAccessToOrigin(url) &&
+         !IsRuntimeBlockedHost(url);
 }
 
 bool PermissionsData::HasEffectiveAccessToAllHosts() const {
   base::AutoLock auto_lock(runtime_lock_);
   return active_permissions_unsafe_->HasEffectiveAccessToAllHosts();
 }
 
 PermissionMessages PermissionsData::GetPermissionMessages() const {
   base::AutoLock auto_lock(runtime_lock_);
   return PermissionMessageProvider::Get()->GetPermissionMessages(
@@ skipping 98 matching lines @@
   if (tab_id >= 0) {
     const PermissionSet* tab_permissions = GetTabSpecificPermissions(tab_id);
     if (tab_permissions &&
         tab_permissions->explicit_hosts().MatchesSecurityOrigin(url)) {
       return true;
     }
   }
   return false;
 }
 
+bool PermissionsData::IsRuntimeBlockedHost(const GURL& url) const {
+  return runtime_blocked_hosts().MatchesURL(url) &&
+         !runtime_allowed_hosts().MatchesURL(url);
+}
+
 PermissionsData::AccessType PermissionsData::CanRunOnPage(
     const Extension* extension,
     const GURL& document_url,
     int tab_id,
     const URLPatternSet& permitted_url_patterns,
     const URLPatternSet& withheld_url_patterns,
     std::string* error) const {
   runtime_lock_.AssertAcquired();
   if (g_policy_delegate &&
       !g_policy_delegate->CanExecuteScriptOnPage(extension, document_url,
-                                                 tab_id, error)) {
+                                                 tab_id, error))
+    return ACCESS_DENIED;
+
+  if (IsRuntimeBlockedHost(document_url)) {
+    if (error)
+      *error =
+          "This page cannot be scripted due to an ExtensionsSettings policy.";
     return ACCESS_DENIED;
   }
 
   if (IsRestrictedUrl(document_url, extension, error))
     return ACCESS_DENIED;
 
   if (HasTabSpecificPermissionToExecuteScript(tab_id, document_url))
     return ACCESS_ALLOWED;
 
   if (permitted_url_patterns.MatchesURL(document_url))
     return ACCESS_ALLOWED;
 
   if (withheld_url_patterns.MatchesURL(document_url))
     return ACCESS_WITHHELD;
 
   if (error) {
     if (extension->permissions_data()->active_permissions().HasAPIPermission(
             APIPermission::kTab)) {
       *error = ErrorUtils::FormatErrorMessage(
           manifest_errors::kCannotAccessPageWithUrl, document_url.spec());
     } else {
       *error = manifest_errors::kCannotAccessPage;
     }
   }
 
   return ACCESS_DENIED;
 }
 
 }  // namespace extensions