extensions/common/csp_validator.cc - Issue 481643002: Disallow non-subdomain wildcards in the extension's CSP

Side by Side Diff: extensions/common/csp_validator.cc

Issue 481643002: Disallow non-subdomain wildcards in the extension's CSP (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: combine url parsing logic Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html ('k') | extensions/common/csp_validator_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "extensions/common/csp_validator.h"	5 #include "extensions/common/csp_validator.h"

6	6

7 #include <vector>	7 #include <vector>

8	8

9 #include "base/strings/string_split.h"	9 #include "base/strings/string_split.h"

10 #include "base/strings/string_tokenizer.h"	10 #include "base/strings/string_tokenizer.h"

11 #include "base/strings/string_util.h"	11 #include "base/strings/string_util.h"

12 #include "content/public/common/url_constants.h"	12 #include "content/public/common/url_constants.h"

13 #include "extensions/common/constants.h"	13 #include "extensions/common/constants.h"

	14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"

14	15

15 namespace extensions {	16 namespace extensions {

16	17

17 namespace csp_validator {	18 namespace csp_validator {

18	19

19 namespace {	20 namespace {

20	21

21 const char kDefaultSrc[] = "default-src";	22 const char kDefaultSrc[] = "default-src";

22 const char kScriptSrc[] = "script-src";	23 const char kScriptSrc[] = "script-src";

23 const char kObjectSrc[] = "object-src";	24 const char kObjectSrc[] = "object-src";

24	25

25 const char kSandboxDirectiveName[] = "sandbox";	26 const char kSandboxDirectiveName[] = "sandbox";

26 const char kAllowSameOriginToken[] = "allow-same-origin";	27 const char kAllowSameOriginToken[] = "allow-same-origin";

27 const char kAllowTopNavigation[] = "allow-top-navigation";	28 const char kAllowTopNavigation[] = "allow-top-navigation";

28	29

29 struct DirectiveStatus {	30 struct DirectiveStatus {

30 explicit DirectiveStatus(const char* name)	31 explicit DirectiveStatus(const char* name)

31 : directive_name(name)	32 : directive_name(name)

32 , seen_in_policy(false)	33 , seen_in_policy(false)

33 , is_secure(false) {	34 , is_secure(false) {

34 }	35 }

35	36

36 const char* directive_name;	37 const char* directive_name;

37 bool seen_in_policy;	38 bool seen_in_policy;

38 bool is_secure;	39 bool is_secure;

39 };	40 };

40	41
	not at google - send to devlin 2014/08/19 20:14:28 Comment for this method. Comment for this method.
	42 bool isNonWildcardTLD(const std::string& url,

	43 const std::string& scheme_and_separator.

	44 bool should_check_rcd) {

	45 if (!StartsWithASCII(url, scheme_and_separator, true))

	46 return false;

	47

	48 size_t start_of_host = scheme_and_separator.length();

	49

	50 size_t end_of_host = url.find("/", start_of_host);

	51 if (end_of_host == std::string::npos)

	52 end_of_host = url.size();

	53

	54 // Note: It is sufficient to only compare the first character against '*'

	55 // because the CSP only allows wildcards at the start of a directive, see

	56 // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax

	57 bool is_wildcard_subdomain = end_of_host > start_of_host + 2 &&

	58 url[start_of_host] == '*' && url[start_of_host + 1] == '.';

	59 if (is_wildcard_subdomain)

	60 start_of_host += 2;

	61

	62 size_t start_of_port = url.rfind(":", end_of_host);

	63 if (start_of_port > start_of_host && url[start_of_port - 1] != ':') {
	robwu 2014/08/19 20:04:16 I changed this because :: could be a part of an IP I changed this because :: could be a part of an IPv6 address. The CSP does not specify IPv6 addresses at the moment, but I expect that that is an oversight that will be corrected in the future: https://github.com/w3c/webappsec/issues/49 not at google - send to devlin 2014/08/19 20:14:28 Write that in a comment? Show quoted text On 2014/08/19 20:04:16, robwu wrote: > I changed this because :: could be a part of an IPv6 address. The CSP does not > specify IPv6 addresses at the moment, but I expect that that is an oversight > that will be corrected in the future: https://github.com/w3c/webappsec/issues/49 Write that in a comment?
	64 bool is_valid_port = false;

	65 // Do a quick sanity check. The following check could mistakenly flag

	66 // ":123456" or ":****" as valid, but that does not matter because the

	67 // relaxing CSP directive will just be ignored by Blink.

	68 for (size_t i = start_of_port + 1; i < end_of_host; ++i) {

	69 is_valid_port = IsAsciiDigit(url[i]) \|\| url[i] == '*';

	70 if (!is_valid_port)

	71 break;

	72 }

	73 if (is_valid_port)

	74 end_of_host = start_of_port;

	75 }

	76

	77 std::string host(url, start_of_host, end_of_host - start_of_host);

	78 // Global wildcards are not allowed.

	79 if (host.empty() \|\| host.find("*") != std::string::npos)

	80 return false;

	81

	82 if (!is_wildcard_subdomain \|\| !should_check_rcd)

	83 return true;

	84

	85 // Wildcards on subdomains of a TLD are not allowed.

	86 size_t registry_length = net::registry_controlled_domains::GetRegistryLength(

	87 host,

	88 net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,

	89 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);

	90 return registry_length != 0;

	91 }

	92

41 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,	93 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,

42 Manifest::Type type) {	94 Manifest::Type type) {

43 while (tokenizer.GetNext()) {	95 while (tokenizer.GetNext()) {

44 std::string source = tokenizer.token();	96 std::string source = tokenizer.token();

45 base::StringToLowerASCII(&source);	97 base::StringToLowerASCII(&source);

46	98

47 // Don't alow whitelisting of all hosts. This boils down to:

48 // 1. Maximum of 2 '*' characters.

49 // 2. Each '*' is either followed by a '.' or preceded by a ':'

50 int wildcards = 0;

51 size_t length = source.length();

52 for (size_t i = 0; i < length; ++i) {

53 if (source[i] == L'*') {

54 wildcards++;

55 if (wildcards > 2)

56 return false;

57

58 bool isWildcardPort = i > 0 && source[i - 1] == L':';

59 bool isWildcardSubdomain = i + 1 < length && source[i + 1] == L'.';

60 if (!isWildcardPort && !isWildcardSubdomain)

61 return false;

62 }

63 }

64

65 // We might need to relax this whitelist over time.	99 // We might need to relax this whitelist over time.

66 if (source == "'self'" \|\|	100 if (source == "'self'" \|\|

67 source == "'none'" \|\|	101 source == "'none'" \|\|

68 source == "http://127.0.0.1" \|\|	102 source == "http://127.0.0.1" \|\|

69 LowerCaseEqualsASCII(source, "blob:") \|\|	103 LowerCaseEqualsASCII(source, "blob:") \|\|

70 LowerCaseEqualsASCII(source, "filesystem:") \|\|	104 LowerCaseEqualsASCII(source, "filesystem:") \|\|

71 LowerCaseEqualsASCII(source, "http://localhost") \|\|	105 LowerCaseEqualsASCII(source, "http://localhost") \|\|

72 StartsWithASCII(source, "http://127.0.0.1:", false) \|\|	106 StartsWithASCII(source, "http://127.0.0.1:", true) \|\|

73 StartsWithASCII(source, "http://localhost:", false) \|\|	107 StartsWithASCII(source, "http://localhost:", true) \|\|

74 StartsWithASCII(source, "https://", true) \|\|	108 isNonWildcardTLD(source, "https://", true) \|\|

75 StartsWithASCII(source, "chrome://", true) \|\|	109 isNonWildcardTLD(source, "chrome://", false) \|\|

76 StartsWithASCII(source,	110 isNonWildcardTLD(source,

77 std::string(extensions::kExtensionScheme) +	111 std::string(extensions::kExtensionScheme) +

78 url::kStandardSchemeSeparator,	112 url::kStandardSchemeSeparator,

79 true) \|\|	113 false) \|\|

80 StartsWithASCII(source, "chrome-extension-resource:", true)) {	114 StartsWithASCII(source, "chrome-extension-resource:", true)) {

81 continue;	115 continue;

82 }	116 }

83	117

84 // crbug.com/146487	118 // crbug.com/146487

85 if (type == Manifest::TYPE_EXTENSION \|\|	119 if (type == Manifest::TYPE_EXTENSION \|\|

86 type == Manifest::TYPE_LEGACY_PACKAGED_APP) {	120 type == Manifest::TYPE_LEGACY_PACKAGED_APP) {

87 if (source == "'unsafe-eval'")	121 if (source == "'unsafe-eval'")

88 continue;	122 continue;

89 }	123 }

(...skipping 108 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
198 }	232 }

199 }	233 }

200 }	234 }

201	235

202 return seen_sandbox;	236 return seen_sandbox;

203 }	237 }

204	238

205 } // namespace csp_validator	239 } // namespace csp_validator

206	240

207 } // namespace extensions	241 } // namespace extensions

OLD	NEW