Mitigate spoofing attempt using Latin letters.

components/url_formatter/url_formatter.cc

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/url_formatter/url_formatter.h"
 
 #include <algorithm>
 #include <utility>
+#include <vector>
 
 #include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/strings/string_piece.h"
+#include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_offset_string_conversions.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_local_storage.h"
+#include "net/base/lookup_string_in_fixed_set.h"
 #include "third_party/icu/source/common/unicode/schriter.h"
 #include "third_party/icu/source/common/unicode/uidna.h"
 #include "third_party/icu/source/common/unicode/uniset.h"
 #include "third_party/icu/source/common/unicode/uscript.h"
+#include "third_party/icu/source/common/unicode/utypes.h"
 #include "third_party/icu/source/common/unicode/uvernum.h"
 #include "third_party/icu/source/i18n/unicode/regex.h"
+#include "third_party/icu/source/i18n/unicode/translit.h"
 #include "third_party/icu/source/i18n/unicode/uspoof.h"
 #include "url/gurl.h"
 #include "url/third_party/mozilla/url_parse.h"
 
 namespace url_formatter {
 
 namespace {
 
 base::string16 IDNToUnicodeWithAdjustments(
     base::StringPiece host,
@@ skipping 150 matching lines @@
     new_parsed->scheme.len = kViewSourceLength - 1;
   }
   AdjustAllComponentsButScheme(kViewSourceLength, new_parsed);
 
   if (prefix_end)
     *prefix_end += kViewSourceLength;
 
   return result;
 }
 
+// A helper class for IDN Spoof checking, used to ensure that no IDN input is
+// spoofable per Chromium's standard of spoofability. For a more thorough
+// explanation of how spoof checking works in Chromium, see
+// http://dev.chromium.org/developers/design-documents/idn-in-google-chrome .
+class IDNSpoofChecker {
+ public:
+  IDNSpoofChecker();
+
+  // Returns true if |label| is safe to display as Unicode. When the TLD is
+  // ASCII, check if a label is entirely made of Cyrillic letters that look like
+  // Latin letters. In the event of library failure, all IDN inputs will be
+  // treated as unsafe.
+  bool Check(base::StringPiece16 label, bool is_tld_ascii);
+
+  // Returns true if |hostname| or the last few components of |hostname| looks
+  // similar to one of top N domains (N=500). Two checks are done:

[ncarter (slow), 2017/04/26 18:46:29]

The (N=500) comment seems likely to fall out of date. Might be better to just
provide a reference to the input file?

[jungshik at Google, 2017/04/26 19:36:21]

Done.

+  //   1. Calculate the skeleton of |hostname| based on the Unicode confusable
+  //   character list and look it up in the pre-calculated skeleton list of
+  //   top N domains.
+  //   2. Look up the diacritic-free version of |hostname| in the list of
+  //   top N domains.

[ncarter (slow), 2017/04/26 18:46:29]

Should this document what happens if |hostname| is, without modification, one of
the top N domains?

[jungshik at Google, 2017/04/26 19:36:21]

Non-IDN hostnames will not reach here (they're not subject to this check.). I
can document that. 

+  bool SimilarToTopDomains(base::StringPiece16 hostname);
+
+ private:
+  void SetAllowedUnicodeSet(UErrorCode* status);
+  bool IsMadeOfLatinAlikeCyrillic(const icu::UnicodeString& label_string);
+  bool GetSkeleton(base::StringPiece16 hostname, std::string* skeleton);
+  bool RemoveDiacritics(base::StringPiece16 input, std::string* accent_free);
+
+  USpoofChecker* checker_;
+  icu::UnicodeSet deviation_characters_;
+  icu::UnicodeSet non_ascii_latin_letters_;
+  icu::UnicodeSet kana_letters_exceptions_;
+  icu::UnicodeSet cyrillic_letters_;
+  icu::UnicodeSet cyrillic_letters_latin_alike_;
+  icu::UnicodeSet latin_letters_n_ascii_;
+  icu::Transliterator* transliterator_;
+
+  DISALLOW_COPY_AND_ASSIGN(IDNSpoofChecker);
+};
+
+base::LazyInstance<IDNSpoofChecker>::Leaky g_idn_spoof_checker =
+    LAZY_INSTANCE_INITIALIZER;
+base::ThreadLocalStorage::StaticSlot tls_index = TLS_INITIALIZER;
+
+void OnThreadTermination(void* regex_matcher) {
+  delete reinterpret_cast<icu::RegexMatcher*>(regex_matcher);
+}
+
 // TODO(brettw): We may want to skip this step in the case of file URLs to
 // allow unicode UNC hostnames regardless of encodings.
 base::string16 IDNToUnicodeWithAdjustments(
     base::StringPiece host, base::OffsetAdjuster::Adjustments* adjustments) {
   if (adjustments)
     adjustments->clear();
   // Convert the ASCII input to a base::string16 for ICU.
   base::string16 input16;
   input16.reserve(host.length());
   input16.insert(input16.end(), host.begin(), host.end());
 
   bool is_tld_ascii = true;
   size_t last_dot = host.rfind('.');
   if (last_dot != base::StringPiece::npos &&
       host.substr(last_dot).starts_with(".xn--")) {
     is_tld_ascii = false;
   }
 
   // Do each component of the host separately, since we enforce script matching
   // on a per-component basis.
   base::string16 out16;
+  bool has_idn_component = false;
   for (size_t component_start = 0, component_end;
        component_start < input16.length();
        component_start = component_end + 1) {
     // Find the end of the component.
     component_end = input16.find('.', component_start);
     if (component_end == base::string16::npos)
       component_end = input16.length();  // For getting the last component.
     size_t component_length = component_end - component_start;
     size_t new_component_start = out16.length();
     bool converted_idn = false;
     if (component_end > component_start) {
       // Add the substring that we just found.
       converted_idn =
           IDNToUnicodeOneComponent(input16.data() + component_start,
                                    component_length, is_tld_ascii, &out16);
+      has_idn_component = has_idn_component || converted_idn;
     }
     size_t new_component_length = out16.length() - new_component_start;
 
     if (converted_idn && adjustments) {
       adjustments->push_back(base::OffsetAdjuster::Adjustment(
           component_start, component_length, new_component_length));
     }
 
     // Need to add the dot we just found (if we found one).
     if (component_end < input16.length())
       out16.push_back('.');
   }
+
+  if (has_idn_component &&
+      g_idn_spoof_checker.Get().SimilarToTopDomains(out16)) {
+    if (adjustments)
+      adjustments->clear();
+    return input16;
+  }
   return out16;
 }
 
-// A helper class for IDN Spoof checking, used to ensure that no IDN input is
-// spoofable per Chromium's standard of spoofability. For a more thorough
-// explanation of how spoof checking works in Chromium, see
-// http://dev.chromium.org/developers/design-documents/idn-in-google-chrome .
-class IDNSpoofChecker {
- public:
-  IDNSpoofChecker();
-
-  // Returns true if |label| is safe to display as Unicode. When the TLD is
-  // ASCII, check if a label is entirely made of Cyrillic letters that look like
-  // Latin letters. In the event of library failure, all IDN inputs will be
-  // treated as unsafe.
-  bool Check(base::StringPiece16 label, bool is_tld_ascii);
-
- private:
-  void SetAllowedUnicodeSet(UErrorCode* status);
-  bool IsMadeOfLatinAlikeCyrillic(const icu::UnicodeString& label_string);
-
-  USpoofChecker* checker_;
-  icu::UnicodeSet deviation_characters_;
-  icu::UnicodeSet non_ascii_latin_letters_;
-  icu::UnicodeSet kana_letters_exceptions_;
-  icu::UnicodeSet cyrillic_letters_;
-  icu::UnicodeSet cyrillic_letters_latin_alike_;
-
-  DISALLOW_COPY_AND_ASSIGN(IDNSpoofChecker);
-};
-
-base::LazyInstance<IDNSpoofChecker>::Leaky g_idn_spoof_checker =
-    LAZY_INSTANCE_INITIALIZER;
-base::ThreadLocalStorage::StaticSlot tls_index = TLS_INITIALIZER;
-
-void OnThreadTermination(void* regex_matcher) {
-  delete reinterpret_cast<icu::RegexMatcher*>(regex_matcher);
-}
-
 IDNSpoofChecker::IDNSpoofChecker() {
   UErrorCode status = U_ZERO_ERROR;
   checker_ = uspoof_open(&status);
   if (U_FAILURE(status)) {
     checker_ = nullptr;
     return;
   }
 
   // At this point, USpoofChecker has all the checks enabled except
   // for USPOOF_CHAR_LIMIT (USPOOF_{RESTRICTION_LEVEL, INVISIBLE,
@@ skipping 41 matching lines @@
   // These Cyrillic letters look like Latin. A domain label entirely made of
   // these letters is blocked as a simplified whole-script-spoofable.
   cyrillic_letters_latin_alike_ =
       icu::UnicodeSet(icu::UnicodeString("[асԁеһіјӏорԛѕԝхуъЬҽпгѵѡ]"), status);
   cyrillic_letters_latin_alike_.freeze();
 
   cyrillic_letters_ =
       icu::UnicodeSet(UNICODE_STRING_SIMPLE("[[:Cyrl:]]"), status);
   cyrillic_letters_.freeze();
 
-  DCHECK(U_SUCCESS(status));
+  // This set is used to determine whether or not to apply a slow
+  // transliteration to remove diacritics to a given hostname for accent-free
+  // comparison with top domain names. If it has any character outside the set,
+  // the expensive step will be skipped because it cannot match any of top
+  // domain names.
+  // The last ([\u0300-\u0331] is a shorthand for "[:Identifier_Status=Allowed:]
+  // & [:Script_Extensions=Inherited:] - [\\u200C\\u200D]". The latter is a
+  // subset of the former but it does not matter because hostnames with
+  // characters outside the latter set would be rejected in an earlier step.
+  latin_letters_n_ascii_ = icu::UnicodeSet(UNICODE_STRING_SIMPLE(
+      "[[:Latin:] [0-9\\u002e_\\u002d] [\\u0300-\\u0331]]"), status);
+  latin_letters_n_ascii_.freeze();
+
+  // Used for diacritics-agnostic comparison. Add "ł > l; ø > o; đ > d" that
+  // are not handled by "NFD; Nonspacing mark removal; NFC".
+  UParseError parse_error;
+  transliterator_ = icu::Transliterator::createFromRules(
+      UNICODE_STRING_SIMPLE("DropAcc"),
+      icu::UnicodeString("::NFD; ::[:Nonspacing Mark:] Remove; ::NFC;"
+                         " ł > l; ø > o; đ > d;"),
+      UTRANS_FORWARD, parse_error, status);
+  DCHECK(U_SUCCESS(status))
+      << "Spoofchecker initalization failed due to an error: "
+      << u_errorName(status);
+  if (U_FAILURE(status))
+    transliterator_ = nullptr;
 }
 
 bool IDNSpoofChecker::Check(base::StringPiece16 label, bool is_tld_ascii) {
   UErrorCode status = U_ZERO_ERROR;
   int32_t result = uspoof_check(checker_, label.data(),
                                 base::checked_cast<int32_t>(label.size()),
                                 NULL, &status);
   // If uspoof_check fails (due to library failure), or if any of the checks
   // fail, treat the IDN as unsafe.
   if (U_FAILURE(status) || (result & USPOOF_ALL_CHECKS))
@@ skipping 77 matching lines @@
             "^[og]+[\\p{scx=armn}]|[\\p{scx=armn}][og]+$|"
             "[\\p{scx=armn}][og]+[\\p{scx=armn}]",
             -1, US_INV),
         0, status);
     tls_index.Set(dangerous_pattern);
   }
   dangerous_pattern->reset(label_string);
   return !dangerous_pattern->find();
 }
 
+bool IDNSpoofChecker::GetSkeleton(base::StringPiece16 hostname,
+                                  std::string* skeleton) {
+  skeleton->clear();
+  icu::UnicodeString ustr_host(FALSE, hostname.data(), hostname.length());
+  // TODO(jshin): Consider supplementing the confusable list by replacing some
+  // characters with their confusable counterpart (e.g. U+04CF => 'l').
+  UErrorCode status = U_ZERO_ERROR;
+  icu::UnicodeString ustr_skeleton;
+  uspoof_getSkeletonUnicodeString(checker_, 0, /* not used. deprecated. */
+                                  ustr_host, ustr_skeleton, &status);
+  if (U_FAILURE(status))
+    return false;
+  ustr_skeleton.toUTF8String(*skeleton);
+  return true;
+}
+
+#include "components/url_formatter/top_domains/alexa_names_and_skeletons-inc.cc"
+// All the domains in the above file have 3 or fewer labels.
+const size_t kNumberOfLabelsToCheck = 3;
+
+bool LookupStringInSet(base::StringPiece needle,
+                       const unsigned char* fixed_set,
+                       size_t set_len,
+                       int mask) {
+  int type = net::LookupStringInFixedSet(fixed_set, set_len, needle.data(),
+                                         needle.length());
+  return (type != net::kDafsaNotFound) && ((type & mask) != 0);
+}
+
+bool LookupMatchInTopDomains(base::StringPiece hostname, int mask) {
+  // When 'hostname' is a skeleton instead of actual hostname, it's assumed
+  // that no character other than '.' among those allowed in IDN will have
+  // '.' as its skeleton.
+  auto labels = base::SplitStringPiece(hostname, ".", base::KEEP_WHITESPACE,
+                                       base::SPLIT_WANT_ALL);

[ncarter (slow), 2017/04/26 18:46:29]

Is it possible for hostname to end in ".", or has that already been stripped? If
the trailing dot is preserved to this point, then that seems like a way to
defeat the spoof detection.

[jungshik at Google, 2017/04/26 19:36:21]

That's taken care of in the loop in the caller (see lines 271 to 298 in 
IDNToUnicodeWithAdjustments). So, there will not be any trailing dot here.

+
+  while (labels.size() > kNumberOfLabelsToCheck)
+    labels.erase(labels.begin());
+
+  while (labels.size() > 1) {
+    std::string partial_hostname = base::JoinString(labels, ".");
+    if (LookupStringInSet(partial_hostname, kDafsa, arraysize(kDafsa), mask))
+      return true;
+    labels.erase(labels.begin());
+  }
+  return false;
+}
+
+bool IDNSpoofChecker::RemoveDiacritics(base::StringPiece16 input,
+                                       std::string* accent_free) {
+  if (!transliterator_)
+    return false;
+  icu::UnicodeString ustr_input(FALSE, input.data(), input.length());
+  // If input has any characters outside Latin and [._-], there is no point in
+  // getting rid of diacritics because it will not match any of top domain
+  // names even after diacritics removal.
+  if (latin_letters_n_ascii_.span(ustr_input, 0, USET_SPAN_CONTAINED) !=
+      ustr_input.length())
+    return false;
+  transliterator_->transliterate(ustr_input);
+  ustr_input.toUTF8String(*accent_free);
+  return true;
+}
+
+bool IDNSpoofChecker::SimilarToTopDomains(base::StringPiece16 hostname) {
+  std::string skeleton;
+  if (GetSkeleton(hostname, &skeleton) && LookupMatchInTopDomains(skeleton, 2))
+    return true;
+
+  std::string accent_free_name;
+  return RemoveDiacritics(hostname, &accent_free_name) &&
+         LookupMatchInTopDomains(accent_free_name, 1);
+}
+
 bool IDNSpoofChecker::IsMadeOfLatinAlikeCyrillic(
     const icu::UnicodeString& label_string) {
   // Collect all the Cyrillic letters in |label_string| and see if they're
   // a subset of |cyrillic_letters_latin_alike_|.
   // A shortcut of defining cyrillic_letters_latin_alike_ to include [0-9] and
   // [_-] and checking if the set contains all letters of |label_string|
   // would work in most cases, but not if a label has non-letters outside
   // ASCII.
   icu::UnicodeSet cyrillic_in_label;
   icu::StringCharacterIterator it(label_string);
@@ skipping 400 matching lines @@
   return base::StartsWith(text, www, base::CompareCase::SENSITIVE)
       ? text.substr(www.length()) : text;
 }
 
 base::string16 StripWWWFromHost(const GURL& url) {
   DCHECK(url.is_valid());
   return StripWWW(base::ASCIIToUTF16(url.host_piece()));
 }
 
 }  // namespace url_formatter