Chromium Code Reviews Chromium Code Reviews
Issue 2902933002:
Verify all files in the request body are accessible by the renderer process. (Closed)
| Index: content/browser/browser_side_navigation_browsertest.cc |
| diff --git a/content/browser/browser_side_navigation_browsertest.cc b/content/browser/browser_side_navigation_browsertest.cc |
| index dbe2ca69b8b20d05cb6203e9696a7703f0ea9f96..6f02e8cea8e6d60881153f839639ec6cd0af8c37 100644 |
| --- a/content/browser/browser_side_navigation_browsertest.cc |
| +++ b/content/browser/browser_side_navigation_browsertest.cc |
| @@ -5,11 +5,14 @@ |
| #include <stdint.h> |
| #include "base/command_line.h" |
| +#include "base/memory/ptr_util.h" |
| #include "base/strings/stringprintf.h" |
| #include "base/strings/utf_string_conversions.h" |
| +#include "content/browser/child_process_security_policy_impl.h" |
| #include "content/browser/frame_host/navigation_handle_impl.h" |
| #include "content/browser/frame_host/navigation_request.h" |
| #include "content/browser/web_contents/web_contents_impl.h" |
| +#include "content/common/frame_messages.h" |
| #include "content/common/site_isolation_policy.h" |
| #include "content/public/browser/notification_types.h" |
| #include "content/public/browser/web_contents.h" |
| @@ -22,6 +25,9 @@ |
| #include "content/public/test/test_navigation_observer.h" |
| #include "content/shell/browser/shell.h" |
| #include "content/shell/browser/shell_network_delegate.h" |
| +#include "content/test/content_browser_test_utils_internal.h" |
| +#include "ipc/ipc_security_test_util.h" |
| +#include "net/base/load_flags.h" |
| #include "net/dns/mock_host_resolver.h" |
| #include "net/test/embedded_test_server/embedded_test_server.h" |
| #include "net/test/url_request/url_request_failed_job.h" |
| @@ -322,4 +328,75 @@ IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest, SanitizeReferrer) { |
| EXPECT_EQ(kInsecureUrl, shell()->web_contents()->GetLastCommittedURL()); |
| } |
| +// Test to verify that an exploited renderer process trying to upload a file |
| +// it hasn't been explicitly granted permissions to is correctly terminated. |
| +// TODO(nasko): This test case belongs better in |
| +// security_exploit_browsertest.cc, so move it there once PlzNavigate is on |
| +// by default. |
| +IN_PROC_BROWSER_TEST_F(BrowserSideNavigationBrowserTest, |
| + PostUploadIllegalFilePath) { |
| + GURL form_url( |
| + embedded_test_server()->GetURL("/form_that_posts_to_echoall.html")); |
| + EXPECT_TRUE(NavigateToURL(shell(), form_url)); |
| + |
| + RenderFrameHostImpl* rfh = static_cast<RenderFrameHostImpl*>( |
| + shell()->web_contents()->GetMainFrame()); |
| + |
| + // Prepare a file for the upload form. |
| + base::ThreadRestrictions::ScopedAllowIO allow_io_for_temp_dir; |
| + base::ScopedTempDir temp_dir; |
| + base::FilePath file_path; |
| + std::string file_content("test-file-content"); |
| + ASSERT_TRUE(temp_dir.CreateUniqueTempDir()); |
| + ASSERT_TRUE(base::CreateTemporaryFileInDir(temp_dir.GetPath(), &file_path)); |
| + ASSERT_LT( |
| + 0, base::WriteFile(file_path, file_content.data(), file_content.size())); |
| + |
| + // Fill out the form to refer to the test file. |
| + std::unique_ptr<FileChooserDelegate> delegate( |
| + new FileChooserDelegate(file_path)); |
| + shell()->web_contents()->SetDelegate(delegate.get()); |
| + EXPECT_TRUE(ExecuteScript(shell()->web_contents(), |
| + "document.getElementById('file').click();")); |
| + EXPECT_TRUE(delegate->file_chosen()); |
| + |
| + // Ensure that the process is allowed to access to the chosen file and |
| + // does not have access to the other file name. |
| + EXPECT_TRUE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile( |
| + rfh->GetProcess()->GetID(), file_path)); |
| + |
| + base::FilePath wrong_file(file_path.value() + "-foobarz"); |
|
ncarter (slow)
2017/05/24 20:06:19
base::FilePath wrong_file(file_path.value() + FILE
|
| + EXPECT_FALSE(ChildProcessSecurityPolicyImpl::GetInstance()->CanReadFile( |
| + rfh->GetProcess()->GetID(), wrong_file)); |
| + |
| + // Setup a BeginNavigate IPC with the invalid file path. |
| + scoped_refptr<ResourceRequestBodyImpl> request_body = |
| + new ResourceRequestBodyImpl(); |
| + request_body->AppendFileRange( |
| + wrong_file, 0, std::numeric_limits<uint64_t>::max(), base::Time()); |
| + |
| + GURL url(embedded_test_server()->GetURL("/title1.html")); |
| + CommonNavigationParams common_params( |
| + url, Referrer(), ui::PAGE_TRANSITION_LINK, |
| + FrameMsg_Navigate_Type::DIFFERENT_DOCUMENT, true, false, |
| + base::TimeTicks(), FrameMsg_UILoadMetricsReportType::NO_REPORT, GURL(), |
| + GURL(), PREVIEWS_UNSPECIFIED, base::TimeTicks::Now(), "POST", |
| + request_body, base::Optional<SourceLocation>(), CSPDisposition::CHECK); |
| + BeginNavigationParams begin_params( |
| + std::string(), net::LOAD_NORMAL, false, false, |
| + REQUEST_CONTEXT_TYPE_LOCATION, |
| + blink::WebMixedContentContextType::kBlockable, |
| + true, // is_form_submission |
| + url::Origin(url)); |
| + std::unique_ptr<FrameHostMsg_BeginNavigation> msg = |
| + base::WrapUnique(new FrameHostMsg_BeginNavigation( |
|
ncarter (slow)
2017/05/24 20:06:19
nit: this could be created on the stack, or as a t
|
| + rfh->GetRoutingID(), common_params, begin_params)); |
| + |
| + RenderProcessHostWatcher process_exit_observer( |
| + rfh->GetProcess(), RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); |
| + IPC::IpcSecurityTestUtil::PwnMessageReceived(rfh->GetProcess()->GetChannel(), |
| + *(msg.get())); |
| + process_exit_observer.Wait(); |
| +} |
| + |
| } // namespace content |
