Close a loophole in extension content verification

extensions/browser/content_hash_fetcher.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/content_hash_fetcher.h"
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/file_util.h"
 #include "base/files/file_enumerator.h"
 #include "base/json/json_reader.h"
 #include "base/memory/ref_counted.h"
 #include "base/metrics/histogram.h"
 #include "base/synchronization/lock.h"
 #include "base/task_runner_util.h"
 #include "base/timer/elapsed_timer.h"
 #include "base/version.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/sha2.h"
 #include "extensions/browser/computed_hashes.h"
 #include "extensions/browser/content_hash_tree.h"
 #include "extensions/browser/content_verifier_delegate.h"
-#include "extensions/browser/extension_registry.h"
 #include "extensions/browser/verified_contents.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/file_util.h"
 #include "net/base/load_flags.h"
 #include "net/url_request/url_fetcher.h"
 #include "net/url_request/url_fetcher_delegate.h"
 #include "net/url_request/url_request_status.h"
 
 namespace {
@@ skipping 42 matching lines @@
 
   // Returns the set of paths that had a hash mismatch.
   const std::set<base::FilePath>& hash_mismatch_paths() {
     return hash_mismatch_paths_;
   }
 
  private:
   friend class base::RefCountedThreadSafe<ContentHashFetcherJob>;
   virtual ~ContentHashFetcherJob();
 
+  // Tries to load a verified_contents.json file at |path|. On successfully
+  // reading and validing the file, the verified_contents_ member variable will
+  // be set and this function will return true. If the file does not exist, or
+  // exists but is invalid, it will return false. Also, any invalid
+  // file will be removed from disk and
+  bool LoadVerifiedContents(const base::FilePath& path);
+
   // Callback for when we're done doing file I/O to see if we already have
   // a verified contents file. If we don't, this will kick off a network
   // request to get one.
   void DoneCheckingForVerifiedContents(bool found);
 
   // URLFetcherDelegate interface
   virtual void OnURLFetchComplete(const net::URLFetcher* source) OVERRIDE;
 
   // Callback for when we're done ensuring we have verified contents, and are
   // ready to move on to MaybeCreateHashes.
@@ skipping 29 matching lines @@
 
   CompletionCallback callback_;
   content::BrowserThread::ID creation_thread_;
 
   // Used for fetching content signatures.
   scoped_ptr<net::URLFetcher> url_fetcher_;
 
   // The key used to validate verified_contents.json.
   ContentVerifierKey key_;
 
+  // The parsed contents of the verified_contents.json file, either read from
+  // disk or fetched from the network and then written to disk.
+  scoped_ptr<VerifiedContents> verified_contents_;
+
   // Whether this job succeeded.
   bool success_;
 
   // Paths that were found to have a mismatching hash.
   std::set<base::FilePath> hash_mismatch_paths_;
 
   // The block size to use for hashing.
   int block_size_;
 
   // Note: this may be accessed from multiple threads, so all access should
@@ skipping 30 matching lines @@
       content::BrowserThread::GetCurrentThreadIdentifier(&creation_thread_);
   DCHECK(got_id);
 }
 
 void ContentHashFetcherJob::Start() {
   base::FilePath verified_contents_path =
       file_util::GetVerifiedContentsPath(extension_path_);
   base::PostTaskAndReplyWithResult(
       content::BrowserThread::GetBlockingPool(),
       FROM_HERE,
-      base::Bind(&base::PathExists, verified_contents_path),
+      base::Bind(&ContentHashFetcherJob::LoadVerifiedContents,
+                 this,
+                 verified_contents_path),
       base::Bind(&ContentHashFetcherJob::DoneCheckingForVerifiedContents,
                  this));
 }
 
 void ContentHashFetcherJob::Cancel() {
   base::AutoLock autolock(cancelled_lock_);
   cancelled_ = true;
 }
 
 bool ContentHashFetcherJob::IsCancelled() {
   base::AutoLock autolock(cancelled_lock_);
   bool result = cancelled_;
   return result;
 }
 
 ContentHashFetcherJob::~ContentHashFetcherJob() {
 }
 
+bool ContentHashFetcherJob::LoadVerifiedContents(const base::FilePath& path) {
+  if (!base::PathExists(path))
+    return false;
+  verified_contents_.reset(new VerifiedContents(key_.data, key_.size));
+  if (!verified_contents_->InitFrom(path, false)) {
+    verified_contents_.reset();
+    if (!base::DeleteFile(path, false))
+      LOG(WARNING) << "Failed to delete " << path.value();
+    return false;
+  }
+  return true;
+}
+
 void ContentHashFetcherJob::DoneCheckingForVerifiedContents(bool found) {
   if (IsCancelled())
     return;
   if (found) {
     VLOG(1) << "Found verified contents for " << extension_id_;
     DoneFetchingVerifiedContents(true);
   } else {
     VLOG(1) << "Missing verified contents for " << extension_id_
             << ", fetching...";
     url_fetcher_.reset(
@@ skipping 96 matching lines @@
 }
 
 bool ContentHashFetcherJob::CreateHashes(const base::FilePath& hashes_file) {
   base::ElapsedTimer timer;
   if (IsCancelled())
     return false;
   // Make sure the directory exists.
   if (!base::CreateDirectoryAndGetError(hashes_file.DirName(), NULL))
     return false;
 
-  base::FilePath verified_contents_path =
-      file_util::GetVerifiedContentsPath(extension_path_);
-  VerifiedContents verified_contents(key_.data, key_.size);
-  if (!verified_contents.InitFrom(verified_contents_path, false))
-    return false;
+  if (!verified_contents_.get()) {
+    base::FilePath verified_contents_path =
+        file_util::GetVerifiedContentsPath(extension_path_);
+    verified_contents_.reset(new VerifiedContents(key_.data, key_.size));
+    if (!verified_contents_->InitFrom(verified_contents_path, false))
+      return false;
+    verified_contents_.reset();
+  }
 
   base::FileEnumerator enumerator(extension_path_,
                                   true, /* recursive */
                                   base::FileEnumerator::FILES);
   // First discover all the file paths and put them in a sorted set.
   SortedFilePathSet paths;
   for (;;) {
     if (IsCancelled())
       return false;
 
     base::FilePath full_path = enumerator.Next();
     if (full_path.empty())
       break;
     paths.insert(full_path);
   }
 
   // Now iterate over all the paths in sorted order and compute the block hashes
   // for each one.
   ComputedHashes::Writer writer;
   for (SortedFilePathSet::iterator i = paths.begin(); i != paths.end(); ++i) {
     if (IsCancelled())
       return false;
     const base::FilePath& full_path = *i;
     base::FilePath relative_path;
     extension_path_.AppendRelativePath(full_path, &relative_path);
     relative_path = relative_path.NormalizePathSeparatorsTo('/');
 
     const std::string* expected_root =
-        verified_contents.GetTreeHashRoot(relative_path);
+        verified_contents_->GetTreeHashRoot(relative_path);
     if (!expected_root)
       continue;
 
     std::string contents;
     if (!base::ReadFileToString(full_path, &contents)) {
       LOG(ERROR) << "Could not read " << full_path.MaybeAsASCII();
       continue;
     }
 
     // Iterate through taking the hash of each block of size (block_size_) of
@@ skipping 104 matching lines @@
 
   for (JobMap::iterator i = jobs_.begin(); i != jobs_.end(); ++i) {
     if (i->second.get() == job) {
       jobs_.erase(i);
       break;
     }
   }
 }
 
 }  // namespace extensions