Verify all files in the request body are accessible by the renderer process.

content/browser/browser_side_navigation_browsertest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <stdint.h>
 
 #include "base/command_line.h"
+#include "base/memory/ptr_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/frame_host/navigation_handle_impl.h"
 #include "content/browser/frame_host/navigation_request.h"
 #include "content/browser/web_contents/web_contents_impl.h"
+#include "content/common/frame_messages.h"
 #include "content/common/site_isolation_policy.h"
 #include "content/public/browser/notification_types.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/url_constants.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
 #include "content/public/test/navigation_handle_observer.h"
 #include "content/public/test/test_navigation_observer.h"
 #include "content/shell/browser/shell.h"
 #include "content/shell/browser/shell_network_delegate.h"
+#include "content/test/content_browser_test_utils_internal.h"
+#include "ipc/ipc_security_test_util.h"
+#include "net/base/load_flags.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/url_request/url_request_failed_job.h"
 #include "url/gurl.h"
 
 namespace content {
 
 class BrowserSideNavigationBrowserTest : public ContentBrowserTest {
  public:
   BrowserSideNavigationBrowserTest() {}
@@ skipping 280 matching lines @@
   ASSERT_TRUE(root->navigation_request());
   EXPECT_EQ(GURL(),
             root->navigation_request()->navigation_handle()->GetReferrer().url);
 
   // The navigation should commit without being blocked.
   EXPECT_TRUE(manager.WaitForResponse());
   manager.WaitForNavigationFinished();
   EXPECT_EQ(kInsecureUrl, shell()->web_contents()->GetLastCommittedURL());
 }
 
+// Test to verify that an exploited renderer process trying to upload a file
+// it hasn't been explicitly granted permissions to is correctly terminated.
+// TODO(nasko): This test case belongs better in
+// security_exploit_browsertest.cc, so move it there once PlzNavigate is on
+// by default.
+IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest,
+                       PostUploadIllegalFilePath) {
+  GURL form_url(
+      embedded_test_server()->GetURL("/form_that_posts_to_echoall.html"));
+  EXPECT_TRUE(NavigateToURL(shell(), form_url));
+
+  RenderFrameHostImpl* rfh = static_cast<RenderFrameHostImpl*>(
+      shell()->web_contents()->GetMainFrame());
+
+  // Prepare a file for the upload form.
+  base::ThreadRestrictions::ScopedAllowIO allow_io_for_temp_dir;
+  base::ScopedTempDir temp_dir;
+  base::FilePath file_path;
+  std::string file_content("test-file-content");
+  ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
+  ASSERT_TRUE(base::CreateTemporaryFileInDir(temp_dir.GetPath(), &file_path));
+  ASSERT_LT(
+      0, base::WriteFile(file_path, file_content.data(), file_content.size()));
+
+  // Fill out the form to refer to the test file.
+  std::unique_ptr<FileChooserDelegate> delegate(
+      new FileChooserDelegate(file_path));
+  shell()->web_contents()->SetDelegate(delegate.get());
+  EXPECT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "document.getElementById('file').click();"));
+  EXPECT_TRUE(delegate->file_chosen());
+
+  // Ensure that the process is allowed to access to the chosen file and
+  // does not have access to the other file name.
+  EXPECT_TRUE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      rfh->GetProcess()->GetID(), file_path));
+
+  base::FilePath wrong_file(file_path.value() + "-foobarz");

[ncarter (slow), 2017/05/24 20:06:19]

base::FilePath wrong_file(file_path.value() + FILE_PATH_LITERAL("-foobarz"));

+  EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile(
+      rfh->GetProcess()->GetID(), wrong_file));
+
+  // Setup a BeginNavigate IPC with the invalid file path.
+  scoped_refptr<ResourceRequestBodyImpl> request_body =
+      new ResourceRequestBodyImpl();
+  request_body->AppendFileRange(
+      wrong_file, 0, std::numeric_limits<uint64_t>::max(), base::Time());
+
+  GURL url(embedded_test_server()->GetURL("/title1.html"));
+  CommonNavigationParams common_params(
+      url, Referrer(), ui::PAGE_TRANSITION_LINK,
+      FrameMsg_Navigate_Type::DIFFERENT_DOCUMENT, true, false,
+      base::TimeTicks(), FrameMsg_UILoadMetricsReportType::NO_REPORT, GURL(),
+      GURL(), PREVIEWS_UNSPECIFIED, base::TimeTicks::Now(), "POST",
+      request_body, base::Optional<SourceLocation>(), CSPDisposition::CHECK);
+  BeginNavigationParams begin_params(
+      std::string(), net::LOAD_NORMAL, false, false,
+      REQUEST_CONTEXT_TYPE_LOCATION,
+      blink::WebMixedContentContextType::kBlockable,
+      true,  // is_form_submission
+      url::Origin(url));
+  std::unique_ptr<FrameHostMsg_BeginNavigation> msg =
+      base::WrapUnique(new FrameHostMsg_BeginNavigation(

[ncarter (slow), 2017/05/24 20:06:19]

nit: this could be created on the stack, or as a temporary expression in the
call to PwnMessageReceived.

+          rfh->GetRoutingID(), common_params, begin_params));
+
+  RenderProcessHostWatcher process_exit_observer(
+      rfh->GetProcess(), RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
+  IPC::IpcSecurityTestUtil::PwnMessageReceived(rfh->GetProcess()->GetChannel(),
+                                               *(msg.get()));
+  process_exit_observer.Wait();
+}
+
 }  // namespace content