extensions/common/csp_validator.cc - Issue 481643002: Disallow non-subdomain wildcards in the extension's CSP

Side by Side Diff: extensions/common/csp_validator.cc

Issue 481643002: Disallow non-subdomain wildcards in the extension's CSP (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Disallow RCD and non-subdomain wildcards Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html ('K') | « chrome/common/extensions/docs/templates/articles/contentSecurityPolicy.html ('k') | extensions/common/csp_validator_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "extensions/common/csp_validator.h"	5 #include "extensions/common/csp_validator.h"

6	6

7 #include <vector>	7 #include <vector>

8	8

9 #include "base/strings/string_split.h"	9 #include "base/strings/string_split.h"

10 #include "base/strings/string_tokenizer.h"	10 #include "base/strings/string_tokenizer.h"

11 #include "base/strings/string_util.h"	11 #include "base/strings/string_util.h"

12 #include "content/public/common/url_constants.h"	12 #include "content/public/common/url_constants.h"

13 #include "extensions/common/constants.h"	13 #include "extensions/common/constants.h"

	14 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"

14	15

15 namespace extensions {	16 namespace extensions {

16	17

17 namespace csp_validator {	18 namespace csp_validator {

18	19

19 namespace {	20 namespace {

20	21

21 const char kDefaultSrc[] = "default-src";	22 const char kDefaultSrc[] = "default-src";

22 const char kScriptSrc[] = "script-src";	23 const char kScriptSrc[] = "script-src";

23 const char kObjectSrc[] = "object-src";	24 const char kObjectSrc[] = "object-src";

24	25

25 const char kSandboxDirectiveName[] = "sandbox";	26 const char kSandboxDirectiveName[] = "sandbox";

26 const char kAllowSameOriginToken[] = "allow-same-origin";	27 const char kAllowSameOriginToken[] = "allow-same-origin";

27 const char kAllowTopNavigation[] = "allow-top-navigation";	28 const char kAllowTopNavigation[] = "allow-top-navigation";

28	29

29 struct DirectiveStatus {	30 struct DirectiveStatus {

30 explicit DirectiveStatus(const char* name)	31 explicit DirectiveStatus(const char* name)

31 : directive_name(name)	32 : directive_name(name)

32 , seen_in_policy(false)	33 , seen_in_policy(false)

33 , is_secure(false) {	34 , is_secure(false) {

34 }	35 }

35	36

36 const char* directive_name;	37 const char* directive_name;

37 bool seen_in_policy;	38 bool seen_in_policy;

38 bool is_secure;	39 bool is_secure;

39 };	40 };

40	41

	42 static bool isAllowedHttpsUrl(const std::string& url) {
	not at google - send to devlin 2014/08/19 15:05:58 This function is inside an anonymous namespace, st This function is inside an anonymous namespace, static unnecessary. Also "isHttpsUrlAllowed" would read more naturally. robwu 2014/08/19 16:31:39 Done. Show quoted text On 2014/08/19 15:05:58, kalman wrote: > This function is inside an anonymous namespace, static unnecessary. > > Also "isHttpsUrlAllowed" would read more naturally. Done.
	43 if (!StartsWithASCII(url, "https://", true))

	44 return false;

	45

	46 // Length of "https://"

	47 size_t start_of_host = 8;
	not at google - send to devlin 2014/08/19 15:05:58 How about: const char* kHttps = "https://"; if (! How about: const char* kHttps = "https://"; if (!StartsWithASCII(..)) return false; size_t start_of_host = strlen(kHttps); robwu 2014/08/19 16:31:39 Done. Show quoted text On 2014/08/19 15:05:58, kalman wrote: > How about: > > const char* kHttps = "https://"; > if (!StartsWithASCII(..)) > return false; > > size_t start_of_host = strlen(kHttps); Done.
	48

	49 size_t end_of_host = url.find("/", start_of_host);

	50 if (end_of_host == std::string::npos)

	51 end_of_host = url.size();

	52

	53 bool isWildcardSubdomain = end_of_host > start_of_host + 2 &&
	not at google - send to devlin 2014/08/19 15:05:58 is_wildcard_subdomain is_wildcard_subdomain robwu 2014/08/19 16:31:39 Done. Show quoted text On 2014/08/19 15:05:58, kalman wrote: > is_wildcard_subdomain Done.
	54 url[start_of_host] == '*' && url[start_of_host + 1] == '.';

	55 if (isWildcardSubdomain)

	56 start_of_host += 2;
	not at google - send to devlin 2014/08/19 15:05:58 All of this manual URL parsing is making me nervou All of this manual URL parsing is making me nervous. Mike any idea if we have wildcard-aware URL parsing library available on the browser? I had a look at GURL but it escapes "" as "%2A" which is pretty awkward. But maybe less awkward than doing this by hand? Of course if you were to do some sort of un-escaping of "%2A" in the URL it would prevent legitimate uses of "%2A" but I don't even know if that's a valid hostname anyway. not at google - send to devlin* 2014/08/19 15:07:21 (We do have URLPattern but I'm not sure I trust it (We do have URLPattern but I'm not sure I trust it for parsing CSP directives).
	57
	not at google - send to devlin 2014/08/19 15:05:57 ^ I didn't notice that most of this code was basic ^ I didn't notice that most of this code was basically moved from below.
	58 size_t start_of_port = url.rfind(":", end_of_host);

	59 if (start_of_port != std::string::npos && start_of_port > start_of_host) {

	60 bool is_valid_port = false;

	61 // Do a quick sanity check. The following check could mistakenly flag

	62 // ":123456" or ":****" as valid, but that does not matter because the

	63 // relaxing CSP directive will just be ignored by Blink.

	64 for (size_t i = start_of_port + 1; i < end_of_host; ++i) {

	65 is_valid_port = IsAsciiDigit(url[i]) \|\| url[i] == '*';

	66 if (!is_valid_port)

	67 break;

	68 }

	69 if (is_valid_port)

	70 end_of_host = start_of_port;

	71 }

	72

	73 std::string host(url, start_of_host, end_of_host - start_of_host);

	74 // Global wildcards are not allowed.

	75 if (host.empty() \|\| host.find("*") != std::string::npos)

	76 return false;

	77

	78 if (!isWildcardSubdomain)

	79 return true;

	80

	81 // Wildcards on subdomains of a TLD are not allowed.

	82 size_t registry_length = net::registry_controlled_domains::GetRegistryLength(

	83 host,

	84 net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,

	85 net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);

	86 return registry_length != 0;

	87 }

	88

41 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,	89 bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,

42 Manifest::Type type) {	90 Manifest::Type type) {

43 while (tokenizer.GetNext()) {	91 while (tokenizer.GetNext()) {

44 std::string source = tokenizer.token();	92 std::string source = tokenizer.token();

45 base::StringToLowerASCII(&source);	93 base::StringToLowerASCII(&source);

46	94

47 // Don't alow whitelisting of all hosts. This boils down to:

48 // 1. Maximum of 2 '*' characters.

49 // 2. Each '*' is either followed by a '.' or preceded by a ':'

50 int wildcards = 0;

51 size_t length = source.length();

52 for (size_t i = 0; i < length; ++i) {

53 if (source[i] == L'*') {

54 wildcards++;

55 if (wildcards > 2)

56 return false;

57

58 bool isWildcardPort = i > 0 && source[i - 1] == L':';

59 bool isWildcardSubdomain = i + 1 < length && source[i + 1] == L'.';

60 if (!isWildcardPort && !isWildcardSubdomain)

61 return false;

62 }

63 }
not at google - send to devlin 2014/08/19 15:05:57 Isn't this a regression insofar as earlier we coul Isn't this a regression insofar as earlier we could disallow wildcard on http/chrome as well, but now we only disallow on https? Could you make isAllowedHttpsUrl agnostic of the scheme (like, find the first occurrence of ":" rather than "https:") then continue to apply that check here? robwu 2014/08/19 16:31:39 Fixed. http://* has never been allowed by the way Show quoted text On 2014/08/19 15:05:57, kalman wrote: > Isn't this a regression insofar as earlier we could disallow wildcard on > http/chrome as well, but now we only disallow on https? Could you make > isAllowedHttpsUrl agnostic of the scheme (like, find the first occurrence of ":" > rather than "https:") then continue to apply that check here? Fixed. http://* has never been allowed by the way.
64

65 // We might need to relax this whitelist over time.	95 // We might need to relax this whitelist over time.

66 if (source == "'self'" \|\|	96 if (source == "'self'" \|\|

67 source == "'none'" \|\|	97 source == "'none'" \|\|

68 source == "http://127.0.0.1" \|\|	98 source == "http://127.0.0.1" \|\|

69 LowerCaseEqualsASCII(source, "blob:") \|\|	99 LowerCaseEqualsASCII(source, "blob:") \|\|

70 LowerCaseEqualsASCII(source, "filesystem:") \|\|	100 LowerCaseEqualsASCII(source, "filesystem:") \|\|

71 LowerCaseEqualsASCII(source, "http://localhost") \|\|	101 LowerCaseEqualsASCII(source, "http://localhost") \|\|

72 StartsWithASCII(source, "http://127.0.0.1:", false) \|\|	102 StartsWithASCII(source, "http://127.0.0.1:", false) \|\|

73 StartsWithASCII(source, "http://localhost:", false) \|\|	103 StartsWithASCII(source, "http://localhost:", false) \|\|

74 StartsWithASCII(source, "https://", true) \|\|	104 isAllowedHttpsUrl(source) \|\|

75 StartsWithASCII(source, "chrome://", true) \|\|	105 StartsWithASCII(source, "chrome://", true) \|\|

76 StartsWithASCII(source,	106 StartsWithASCII(source,

77 std::string(extensions::kExtensionScheme) +	107 std::string(extensions::kExtensionScheme) +

78 url::kStandardSchemeSeparator,	108 url::kStandardSchemeSeparator,

79 true) \|\|	109 true) \|\|

80 StartsWithASCII(source, "chrome-extension-resource:", true)) {	110 StartsWithASCII(source, "chrome-extension-resource:", true)) {

81 continue;	111 continue;

82 }	112 }

83	113

84 // crbug.com/146487	114 // crbug.com/146487

(...skipping 113 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
198 }	228 }

199 }	229 }

200 }	230 }

201	231

202 return seen_sandbox;	232 return seen_sandbox;

203 }	233 }

204	234

205 } // namespace csp_validator	235 } // namespace csp_validator

206	236

207 } // namespace extensions	237 } // namespace extensions

OLD	NEW