VR: Enforce LTR directionality on rendered URL text.

chrome/browser/android/vr_shell/textures/url_bar_texture_unittest.cc

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/android/vr_shell/textures/url_bar_texture.h"
 
 #include "base/bind.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 32 matching lines @@
   ~TestUrlBarTexture() override {}
 
   void DrawURL(const GURL& gurl) {
     unsupported_mode_ = UiUnsupportedMode::kCount;
     SetURL(gurl);
     sk_sp<SkSurface> surface = SkSurface::MakeRasterN32Premul(
         texture_size_.width(), texture_size_.height());
     DrawAndLayout(surface->getCanvas(), texture_size_);
   }
 
+  static void TestUrlStyling(const base::string16& formatted_url,

[cjgrant, 2017/06/23 16:02:52]

This is unrelated to RTL; just cleanup to the public/protected nature of this
method in the base class.

+                             const url::Parsed& parsed,
+                             security_state::SecurityLevel security_level,
+                             vr_shell::RenderTextWrapper* render_text,
+                             const ColorScheme& color_scheme) {
+    ApplyUrlStyling(formatted_url, parsed, security_level, render_text,
+                    color_scheme);
+  }
+
   void SetForceFontFallbackFailure(bool force) {
     SetForceFontFallbackFailureForTesting(force);
   }
 
   size_t GetNumberOfFontFallbacksForURL(const GURL& gurl) {
     url::Parsed parsed;
     const base::string16 text = url_formatter::FormatUrl(
         gurl, url_formatter::kFormatUrlOmitAll, net::UnescapeRule::NORMAL,
         &parsed, nullptr, nullptr);
 
     gfx::FontList font_list;
     if (!GetFontList(kUrlHeight, text, &font_list))
       return 0;
 
     return font_list.GetFonts().size();
   }
 
   // Reports the last unsupported mode that was encountered. Returns kCount if
   // no unsupported mode was encountered.
   UiUnsupportedMode unsupported_mode() const { return unsupported_mode_; }
 
+  gfx::RenderText* url_render_text() { return url_render_text_.get(); }
+  const base::string16& url_text() { return url_text_; }
+
  private:
   void OnUnsupportedFeature(UiUnsupportedMode mode) {
     unsupported_mode_ = mode;
   }
 
   gfx::Size texture_size_;
   gfx::Rect bounds_;
   UiUnsupportedMode unsupported_mode_ = UiUnsupportedMode::kCount;
 };
 
@@ skipping 25 matching lines @@
  protected:
   void Verify(const std::string& url_string,
               SecurityLevel level,
               const std::string& expected_string) {
     GURL url(base::UTF8ToUTF16(url_string));
     url::Parsed parsed;
     const base::string16 formatted_url = url_formatter::FormatUrl(
         url, url_formatter::kFormatUrlOmitAll, net::UnescapeRule::NORMAL,
         &parsed, nullptr, nullptr);
     EXPECT_EQ(formatted_url, base::UTF8ToUTF16(expected_string));
-    UrlBarTexture::ApplyUrlStyling(
+    TestUrlBarTexture::TestUrlStyling(
         formatted_url, parsed, level, &mock_,
         ColorScheme::GetColorScheme(ColorScheme::kModeNormal));
-    UrlBarTexture::ApplyUrlStyling(
+    TestUrlBarTexture::TestUrlStyling(
         formatted_url, parsed, level, &mock_,
         ColorScheme::GetColorScheme(ColorScheme::kModeIncognito));
   }
 
   testing::InSequence in_sequence_;
   MockRenderText mock_;
 };
 
 #if !defined(OS_LINUX)
 // TODO(crbug/731894): This test does not work on Linux.
@@ skipping 62 matching lines @@
   texture.DrawURL(GURL("https://foo.com"));
   EXPECT_EQ(UiUnsupportedMode::kCount, texture.unsupported_mode());
   texture.SetForceFontFallbackFailure(true);
   texture.DrawURL(GURL("https://bar.com"));
   EXPECT_EQ(UiUnsupportedMode::kUnhandledCodePoint, texture.unsupported_mode());
   texture.SetForceFontFallbackFailure(false);
   texture.DrawURL(GURL("https://baz.com"));
   EXPECT_EQ(UiUnsupportedMode::kCount, texture.unsupported_mode());
 }
 
-TEST(UrlBarTextureTest, WillFailOnStrongRTLChar) {
+TEST(UrlBarTextureTest, MaliciousRTLIsRenderedLTR) {
   TestUrlBarTexture texture;
-  texture.DrawURL(GURL("https://ש.com"));
-  EXPECT_EQ(UiUnsupportedMode::kURLWithStrongRTLChars,
-            texture.unsupported_mode());
+
+  // Construct a malicious URL that attempts to spoof the hostname.
+  const std::string real_host("127.0.0.1");
+  const std::string spoofed_host("attack.com");
+  const std::string url =
+      "http://" + real_host + "/ا/http://" + spoofed_host + "‬";
+
+  texture.DrawURL(GURL(base::UTF8ToUTF16(url)));
+
+  // Determine the logical character ranges of the legitimate and spoofed
+  // hostnames in the processed URL text.
+  base::string16 text = texture.url_text();
+  base::string16 real_16 = base::UTF8ToUTF16(real_host);
+  base::string16 spoofed_16 = base::UTF8ToUTF16(spoofed_host);
+  size_t position = text.find(real_16);
+  ASSERT_NE(position, base::string16::npos);
+  gfx::Range real_range(position, position + real_16.size());
+  position = text.find(spoofed_16);
+  ASSERT_NE(position, base::string16::npos);
+  gfx::Range spoofed_range(position, position + spoofed_16.size());
+
+  // Extract the pixel locations at which hostnames were actually rendered.
+  auto real_bounds =
+      texture.url_render_text()->GetSubstringBoundsForTesting(real_range);
+  auto spoofed_bounds =
+      texture.url_render_text()->GetSubstringBoundsForTesting(spoofed_range);
+  EXPECT_EQ(real_bounds.size(), 1u);
+  EXPECT_GE(spoofed_bounds.size(), 1u);
+
+  // Verify that any spoofed portion of the hostname has remained to the right
+  // of the legitimate hostname. This will fail if LTR directionality is not
+  // specified during URL rendering.
+  auto minimum_position = real_bounds[0].x() + real_bounds[0].width();

[cjgrant, 2017/06/23 16:02:53]

If I remove the new LTR directionality setting over in the rendering code, this
test fails as expected (all parts of "attack.com" appear to the left of
127.0.0.1).

+  for (const auto& region : spoofed_bounds) {
+    EXPECT_GT(region.x(), minimum_position);
+  }
 }
 
 TEST(UrlBarTexture, ElisionIsAnUnsupportedMode) {
   TestUrlBarTexture texture;
   texture.DrawURL(GURL(
       "https://"
       "thereisnopossiblewaythatthishostnamecouldbecontainedinthelimitedspacetha"
       "tweareaffordedtousitsreallynotsomethingweshouldconsiderorplanfororpinour"
       "hopesonlestwegetdisappointedor.sad.com"));
   EXPECT_EQ(UiUnsupportedMode::kCouldNotElideURL, texture.unsupported_mode());
 }
 
 TEST(UrlBarTexture, ShortURLAreIndeedSupported) {
   TestUrlBarTexture texture;
   texture.DrawURL(GURL("https://short.com/"));
   EXPECT_EQ(UiUnsupportedMode::kCount, texture.unsupported_mode());
 }
 
 TEST(UrlBarTexture, LongPathsDoNotRequireElisionAndAreSupported) {
   TestUrlBarTexture texture;
   texture.DrawURL(GURL(
       "https://something.com/"
       "thereisnopossiblewaythatthishostnamecouldbecontainedinthelimitedspacetha"
       "tweareaffordedtousitsreallynotsomethingweshouldconsiderorplanfororpinour"
       "hopesonlestwegetdisappointedorsad.com"));
   EXPECT_EQ(UiUnsupportedMode::kCount, texture.unsupported_mode());
 }
 
 }  // namespace vr_shell