Disallow non-subdomain wildcards in the extension's CSP

extensions/common/csp_validator.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/csp_validator.h"
 
 #include <vector>
 
 #include "base/strings/string_split.h"
 #include "base/strings/string_tokenizer.h"
 #include "base/strings/string_util.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/common/constants.h"
+#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 
 namespace extensions {
 
 namespace csp_validator {
 
 namespace {
 
 const char kDefaultSrc[] = "default-src";
 const char kScriptSrc[] = "script-src";
 const char kObjectSrc[] = "object-src";
 
 const char kSandboxDirectiveName[] = "sandbox";
 const char kAllowSameOriginToken[] = "allow-same-origin";
 const char kAllowTopNavigation[] = "allow-top-navigation";
 
 struct DirectiveStatus {
   explicit DirectiveStatus(const char* name)
     : directive_name(name)
     , seen_in_policy(false)
     , is_secure(false) {
   }
 
   const char* directive_name;
   bool seen_in_policy;
   bool is_secure;
 };
 
+// Returns whether |url| starts with |scheme_and_separator| and does not have a
+// too permissive wildcard host name. If |should_check_rcd| is true, then the
+// Public suffix list is used to exclude wildcard TLDs such as "https://*.org".
+bool isNonWildcardTLD(const std::string& url,
+                      const std::string& scheme_and_separator,
+                      bool should_check_rcd) {
+  if (!StartsWithASCII(url, scheme_and_separator, true))
+    return false;
+
+  size_t start_of_host = scheme_and_separator.length();
+
+  size_t end_of_host = url.find("/", start_of_host);
+  if (end_of_host == std::string::npos)
+    end_of_host = url.size();
+
+  // Note: It is sufficient to only compare the first character against '*'
+  // because the CSP only allows wildcards at the start of a directive, see
+  // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax
+  bool is_wildcard_subdomain = end_of_host > start_of_host + 2 &&
+      url[start_of_host] == '*' && url[start_of_host + 1] == '.';
+  if (is_wildcard_subdomain)
+    start_of_host += 2;
+
+  size_t start_of_port = url.rfind(":", end_of_host);
+  // The ":" check at the end of the following condition is used to avoid
+  // treating the last part of an IPv6 address as a port.
+  if (start_of_port > start_of_host && url[start_of_port - 1] != ':') {
+    bool is_valid_port = false;
+    // Do a quick sanity check. The following check could mistakenly flag
+    // ":123456" or ":****" as valid, but that does not matter because the
+    // relaxing CSP directive will just be ignored by Blink.
+    for (size_t i = start_of_port + 1; i < end_of_host; ++i) {
+      is_valid_port = IsAsciiDigit(url[i]) || url[i] == '*';
+      if (!is_valid_port)
+        break;
+    }
+    if (is_valid_port)
+      end_of_host = start_of_port;
+  }
+
+  std::string host(url, start_of_host, end_of_host - start_of_host);
+  // Global wildcards are not allowed.
+  if (host.empty() || host.find("*") != std::string::npos)
+    return false;
+
+  if (!is_wildcard_subdomain || !should_check_rcd)
+    return true;
+
+  // Wildcards on subdomains of a TLD are not allowed.
+  size_t registry_length = net::registry_controlled_domains::GetRegistryLength(
+      host,
+      net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
+      net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
+  return registry_length != 0;
+}
+
 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
                          Manifest::Type type) {
   while (tokenizer.GetNext()) {
     std::string source = tokenizer.token();
     base::StringToLowerASCII(&source);
 
-    // Don't alow whitelisting of all hosts. This boils down to:
-    //   1. Maximum of 2 '*' characters.
-    //   2. Each '*' is either followed by a '.' or preceded by a ':'
-    int wildcards = 0;
-    size_t length = source.length();
-    for (size_t i = 0; i < length; ++i) {
-      if (source[i] == L'*') {
-        wildcards++;
-        if (wildcards > 2)
-          return false;
-
-        bool isWildcardPort = i > 0 && source[i - 1] == L':';
-        bool isWildcardSubdomain = i + 1 < length && source[i + 1] == L'.';
-        if (!isWildcardPort && !isWildcardSubdomain)
-          return false;
-      }
-    }
-
     // We might need to relax this whitelist over time.
     if (source == "'self'" ||
         source == "'none'" ||
         source == "http://127.0.0.1" ||
         LowerCaseEqualsASCII(source, "blob:") ||
         LowerCaseEqualsASCII(source, "filesystem:") ||
         LowerCaseEqualsASCII(source, "http://localhost") ||
-        StartsWithASCII(source, "http://127.0.0.1:", false) ||
-        StartsWithASCII(source, "http://localhost:", false) ||
-        StartsWithASCII(source, "https://", true) ||
-        StartsWithASCII(source, "chrome://", true) ||
-        StartsWithASCII(source,
-                        std::string(extensions::kExtensionScheme) +
-                            url::kStandardSchemeSeparator,
-                        true) ||
+        StartsWithASCII(source, "http://127.0.0.1:", true) ||
+        StartsWithASCII(source, "http://localhost:", true) ||
+        isNonWildcardTLD(source, "https://", true) ||
+        isNonWildcardTLD(source, "chrome://", false) ||
+        isNonWildcardTLD(source,
+                         std::string(extensions::kExtensionScheme) +
+                         url::kStandardSchemeSeparator,
+                         false) ||
         StartsWithASCII(source, "chrome-extension-resource:", true)) {
       continue;
     }
 
     // crbug.com/146487
     if (type == Manifest::TYPE_EXTENSION ||
         type == Manifest::TYPE_LEGACY_PACKAGED_APP) {
       if (source == "'unsafe-eval'")
         continue;
     }
@@ skipping 108 matching lines @@
       }
     }
   }
 
   return seen_sandbox;
 }
 
 }  // namespace csp_validator
 
 }  // namespace extensions