[Extensions Bindings] Check availability of custom API properties

extensions/renderer/bindings/api_binding.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/renderer/bindings/api_binding.h"
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/logging.h"
@@ skipping 136 matching lines @@
   // The associated APIBinding. This raw pointer is safe because the
   // EventData is only accessed from the callbacks associated with the
   // APIBinding, and both the APIBinding and APIEventHandler are owned by the
   // same object (the APIBindingsSystem).
   APIBinding* binding;
 };
 
 struct APIBinding::CustomPropertyData {
   CustomPropertyData(const std::string& type_name,
                      const std::string& property_name,
+                     const std::string& full_name,
                      const base::ListValue* property_values,
+                     const BindingAccessChecker* access_checker,
                      const CreateCustomType& create_custom_type)
       : type_name(type_name),
         property_name(property_name),
+        full_name(full_name),
         property_values(property_values),
+        access_checker(access_checker),
         create_custom_type(create_custom_type) {}
 
   // The type of the property, e.g. 'storage.StorageArea'.
   std::string type_name;
   // The name of the property on the object, e.g. 'local' for
   // chrome.storage.local.
   std::string property_name;
+  // The full name of the property for looking up the feature, e.g.
+  // chrome.storage.local.
+  std::string full_name;
+
   // Values curried into this particular type from the schema.
   const base::ListValue* property_values;
 
+  const BindingAccessChecker* const access_checker;
+
   CreateCustomType create_custom_type;
 };
 
 APIBinding::APIBinding(const std::string& api_name,
                        const base::ListValue* function_definitions,
                        const base::ListValue* type_definitions,
                        const base::ListValue* event_definitions,
                        const base::DictionaryValue* property_definitions,
                        const CreateCustomType& create_custom_type,
                        std::unique_ptr<APIBindingHooks> binding_hooks,
@@ skipping 212 matching lines @@
         v8::ObjectTemplate::New(isolate);
     for (const auto& enum_entry : entry.second) {
       enum_object->Set(gin::StringToSymbol(isolate, enum_entry.second),
                        gin::StringToSymbol(isolate, enum_entry.first));
     }
     object_template->Set(isolate, entry.first.c_str(), enum_object);
   }
 
   if (property_definitions_) {
     DecorateTemplateWithProperties(isolate, object_template,
-                                   *property_definitions_);
+                                   *property_definitions_, api_name_);
   }
 
   // Allow custom bindings a chance to tweak the template, such as to add
   // additional properties or types.
   binding_hooks_->InitializeTemplate(isolate, object_template, *type_refs_);
 
   object_template_.Set(isolate, object_template);
 }
 
 void APIBinding::DecorateTemplateWithProperties(
     v8::Isolate* isolate,
     v8::Local<v8::ObjectTemplate> object_template,
-    const base::DictionaryValue& properties) {
+    const base::DictionaryValue& properties,
+    const std::string& path) {
   static const char kValueKey[] = "value";
   for (base::DictionaryValue::Iterator iter(properties); !iter.IsAtEnd();
        iter.Advance()) {
     const base::DictionaryValue* dict = nullptr;
     CHECK(iter.value().GetAsDictionary(&dict));
     bool optional = false;
     if (dict->GetBoolean("optional", &optional)) {
       // TODO(devlin): What does optional even mean here? It's only used, it
       // seems, for lastError and inIncognitoContext, which are both handled
       // with custom bindings. Investigate, and remove.
       continue;
     }
 
     v8::Local<v8::String> v8_key = gin::StringToSymbol(isolate, iter.key());
     std::string ref;
     if (dict->GetString("$ref", &ref)) {
       const base::ListValue* property_values = nullptr;
       CHECK(dict->GetList("value", &property_values));
       auto property_data = base::MakeUnique<CustomPropertyData>(
-          ref, iter.key(), property_values, create_custom_type_);
+          ref, iter.key(),
+          base::StringPrintf("%s.%s", path.c_str(), iter.key().c_str()),
+          property_values, access_checker_, create_custom_type_);
       object_template->SetLazyDataProperty(
           v8_key, &APIBinding::GetCustomPropertyObject,
           v8::External::New(isolate, property_data.get()));
       custom_properties_.push_back(std::move(property_data));
       continue;
     }
 
     std::string type;
     CHECK(dict->GetString("type", &type));
     if (type != "object" && !dict->HasKey(kValueKey)) {
@@ skipping 12 matching lines @@
       object_template->Set(v8_key, v8::Boolean::New(isolate, val));
     } else if (type == "string") {
       std::string val;
       CHECK(dict->GetString(kValueKey, &val)) << iter.key();
       object_template->Set(v8_key, gin::StringToSymbol(isolate, val));
     } else if (type == "object" || !ref.empty()) {
       v8::Local<v8::ObjectTemplate> property_template =
           v8::ObjectTemplate::New(isolate);
       const base::DictionaryValue* property_dict = nullptr;
       CHECK(dict->GetDictionary("properties", &property_dict));
-      DecorateTemplateWithProperties(isolate, property_template,
-                                     *property_dict);
+      DecorateTemplateWithProperties(
+          isolate, property_template, *property_dict,
+          base::StringPrintf("%s.%s", path.c_str(), iter.key().c_str()));
       object_template->Set(v8_key, property_template);
     }
   }
 }
 
 // static
 void APIBinding::GetEventObject(
     v8::Local<v8::Name> property,
     const v8::PropertyCallbackInfo<v8::Value>& info) {
   v8::Isolate* isolate = info.GetIsolate();
@@ skipping 31 matching lines @@
   v8::HandleScope handle_scope(isolate);
   v8::Local<v8::Context> context = info.Holder()->CreationContext();
   if (!IsContextValid(context))
     return;
 
   v8::Context::Scope context_scope(context);
   CHECK(info.Data()->IsExternal());
   auto* property_data =
       static_cast<CustomPropertyData*>(info.Data().As<v8::External>()->Value());
 
+  // If the property isn't available to this context, do nothing.
+  // TODO(devlin): This is a little suboptimal. Two notable downsides:
+  // - This only applies to custom properties. This means that if an API has a
+  //   property with a raw value, it won't be restricted. Currently, this isn't
+  //   a problem, but it could be in the future.
+  // - The key remains in the parent object (though the value will be
+  //   undefined).
+  // Given the rarity of these restricted properties, this is okay, but it would
+  // be nice if it were better.
+  if (!property_data->access_checker->HasAccess(context,
+                                                property_data->full_name)) {
+    return;
+  }
+
   v8::Local<v8::Object> property = property_data->create_custom_type.Run(
       isolate, property_data->type_name, property_data->property_name,
       property_data->property_values);
   if (property.IsEmpty())
     return;
 
   info.GetReturnValue().Set(property);
 }
 
 void APIBinding::HandleCall(const std::string& name,
@@ skipping 89 matching lines @@
     arguments->ThrowTypeError(api_errors::InvocationError(
         name, signature->GetExpectedSignature(), error));
     return;
   }
 
   request_handler_->StartRequest(context, name, std::move(converted_arguments),
                                  callback, custom_callback, thread);
 }
 
 }  // namespace extensions