[Downloads] Gracefully handle SafeBrowsing check failures.

chrome/browser/safe_browsing/download_protection_service.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/safe_browsing/download_protection_service.h"
 
 #include "base/bind.h"
 #include "base/compiler_specific.h"
 #include "base/format_macros.h"
 #include "base/memory/scoped_ptr.h"
@@ skipping 293 matching lines @@
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     // TODO(noelutz): implement some cache to make sure we don't issue the same
     // request over and over again if a user downloads the same binary multiple
     // times.
     DownloadCheckResultReason reason = REASON_MAX;
     if (!IsSupportedDownload(
         *item_, item_->GetTargetFilePath(), &reason, &type_)) {
       switch (reason) {
         case REASON_EMPTY_URL_CHAIN:
         case REASON_INVALID_URL:
-          PostFinishTask(SAFE, reason);
+          PostFinishTask(UNKNOWN, reason);
           return;
 
         case REASON_NOT_BINARY_FILE:
           RecordFileExtensionType(item_->GetTargetFilePath());
-          PostFinishTask(SAFE, reason);
+          PostFinishTask(UNKNOWN, reason);
           return;
 
         default:
           // We only expect the reasons explicitly handled above.
           NOTREACHED();
       }
     }
     RecordFileExtensionType(item_->GetTargetFilePath());
 
     // Compute features from the file contents. Note that we record histograms
@@ skipping 20 matching lines @@
     timeout_start_time_ = base::TimeTicks::Now();
     BrowserThread::PostDelayedTask(
         BrowserThread::UI,
         FROM_HERE,
         base::Bind(&CheckClientDownloadRequest::Cancel,
                    weakptr_factory_.GetWeakPtr()),
         base::TimeDelta::FromMilliseconds(
             service_->download_request_timeout_ms()));
   }
 
-  // Canceling a request will cause us to always report the result as SAFE
+  // Canceling a request will cause us to always report the result as UNKNOWN
   // unless a pending request is about to call FinishRequest.
   void Cancel() {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     if (fetcher_.get()) {
       // The DownloadProtectionService is going to release its reference, so we
       // might be destroyed before the URLFetcher completes.  Cancel the
       // fetcher so it does not try to invoke OnURLFetchComplete.
       fetcher_.reset();
     }
     // Note: If there is no fetcher, then some callback is still holding a
     // reference to this object.  We'll eventually wind up in some method on
     // the UI thread that will call FinishRequest() again.  If FinishRequest()
     // is called a second time, it will be a no-op.
-    FinishRequest(SAFE, REASON_REQUEST_CANCELED);
+    FinishRequest(UNKNOWN, REASON_REQUEST_CANCELED);
     // Calling FinishRequest might delete this object, we may be deleted by
     // this point.
   }
 
   // content::DownloadItem::Observer implementation.
   virtual void OnDownloadDestroyed(content::DownloadItem* download) OVERRIDE {
     Cancel();
     DCHECK(item_ == NULL);
   }
 
   // From the net::URLFetcherDelegate interface.
   virtual void OnURLFetchComplete(const net::URLFetcher* source) OVERRIDE {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     DCHECK_EQ(source, fetcher_.get());
     VLOG(2) << "Received a response for URL: "
             << item_->GetUrlChain().back() << ": success="
             << source->GetStatus().is_success() << " response_code="
             << source->GetResponseCode();
     if (source->GetStatus().is_success()) {
       UMA_HISTOGRAM_SPARSE_SLOWLY(
           "SBClientDownload.DownloadRequestResponseCode",
           source->GetResponseCode());
     }
     UMA_HISTOGRAM_SPARSE_SLOWLY(
         "SBClientDownload.DownloadRequestNetError",
         -source->GetStatus().error());
     DownloadCheckResultReason reason = REASON_SERVER_PING_FAILED;
-    DownloadCheckResult result = SAFE;
+    DownloadCheckResult result = UNKNOWN;
     if (source->GetStatus().is_success() &&
         net::HTTP_OK == source->GetResponseCode()) {
       ClientDownloadResponse response;
       std::string data;
       bool got_data = source->GetResponseAsString(&data);
       DCHECK(got_data);
       if (!response.ParseFromString(data)) {
         reason = REASON_INVALID_RESPONSE_PROTO;
+        result = UNKNOWN;
       } else if (response.verdict() == ClientDownloadResponse::SAFE) {
         reason = REASON_DOWNLOAD_SAFE;
+        result = SAFE;
       } else if (service_ && !service_->IsSupportedDownload(
           *item_, item_->GetTargetFilePath())) {
         // The client of the download protection service assumes that we don't
         // support this download so we cannot return any other verdict than
-        // SAFE even if the server says it's dangerous to download this file.
+        // UNKNOWN even if the server says it's dangerous to download this file.
         // Note: if service_ is NULL we already cancelled the request and
-        // returned SAFE.
+        // returned UNKNOWN.
         reason = REASON_DOWNLOAD_NOT_SUPPORTED;
+        result = UNKNOWN;
       } else if (response.verdict() == ClientDownloadResponse::DANGEROUS) {
         reason = REASON_DOWNLOAD_DANGEROUS;
         result = DANGEROUS;
       } else if (response.verdict() == ClientDownloadResponse::UNCOMMON) {
         reason = REASON_DOWNLOAD_UNCOMMON;
         result = UNCOMMON;
       } else if (response.verdict() == ClientDownloadResponse::DANGEROUS_HOST) {
         reason = REASON_DOWNLOAD_DANGEROUS_HOST;
         result = DANGEROUS_HOST;
       } else if (
           response.verdict() == ClientDownloadResponse::POTENTIALLY_UNWANTED) {
         reason = REASON_DOWNLOAD_POTENTIALLY_UNWANTED;
         result = POTENTIALLY_UNWANTED;
       } else {
         LOG(DFATAL) << "Unknown download response verdict: "
                     << response.verdict();
         reason = REASON_INVALID_RESPONSE_VERDICT;
+        result = UNKNOWN;
       }
       DownloadFeedbackService::MaybeStorePingsForDownload(
           result, item_, client_download_request_data_, data);
     }
     // We don't need the fetcher anymore.
     fetcher_.reset();
     UMA_HISTOGRAM_TIMES("SBClientDownload.DownloadRequestDuration",
                         base::TimeTicks::Now() - start_time_);
     UMA_HISTOGRAM_TIMES("SBClientDownload.DownloadRequestNetworkDuration",
                         base::TimeTicks::Now() - request_start_time_);
@@ skipping 111 matching lines @@
       VLOG(1) << "Zip analysis failed for " << item_->GetFullPath().value();
     }
     UMA_HISTOGRAM_BOOLEAN("SBClientDownload.ZipFileHasExecutable",
                           zipped_executable_);
     UMA_HISTOGRAM_BOOLEAN("SBClientDownload.ZipFileHasArchiveButNoExecutable",
                           results.has_archive && !zipped_executable_);
     UMA_HISTOGRAM_TIMES("SBClientDownload.ExtractZipFeaturesTime",
                         base::TimeTicks::Now() - zip_analysis_start_time_);
 
     if (!zipped_executable_) {
-      PostFinishTask(SAFE, REASON_ARCHIVE_WITHOUT_BINARIES);
+      PostFinishTask(UNKNOWN, REASON_ARCHIVE_WITHOUT_BINARIES);
       return;
     }
     OnFileFeatureExtractionDone();
   }
 
+  static void RecordCountOfSignedOrWhitelistedDownload() {
+    UMA_HISTOGRAM_COUNTS("SBClientDownload.SignedOrWhitelistedDownload", 1);
+  }
+
   void CheckWhitelists() {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
-    DownloadCheckResultReason reason = REASON_MAX;
+
     if (!database_manager_.get()) {
-      reason = REASON_SB_DISABLED;
-    } else {
-      const GURL& url = url_chain_.back();
-      if (url.is_valid() && database_manager_->MatchDownloadWhitelistUrl(url)) {
-        VLOG(2) << url << " is on the download whitelist.";
-        reason = REASON_WHITELISTED_URL;
-      }
-      if (reason != REASON_MAX || signature_info_.trusted()) {
-        UMA_HISTOGRAM_COUNTS("SBClientDownload.SignedOrWhitelistedDownload", 1);
-      }
+      PostFinishTask(UNKNOWN, REASON_SB_DISABLED);
+      return;
     }
-    if (reason == REASON_MAX && signature_info_.trusted()) {
+
+    const GURL& url = url_chain_.back();
+    if (url.is_valid() && database_manager_->MatchDownloadWhitelistUrl(url)) {
+      VLOG(2) << url << " is on the download whitelist.";
+      RecordCountOfSignedOrWhitelistedDownload();
+      PostFinishTask(SAFE, REASON_WHITELISTED_URL);
+      return;
+    }
+
+    if (signature_info_.trusted()) {
+      RecordCountOfSignedOrWhitelistedDownload();
       for (int i = 0; i < signature_info_.certificate_chain_size(); ++i) {
         if (CertificateChainIsWhitelisted(
                 signature_info_.certificate_chain(i))) {
-          reason = REASON_TRUSTED_EXECUTABLE;
-          break;
+          PostFinishTask(SAFE, REASON_TRUSTED_EXECUTABLE);
+          return;
         }
       }
     }
-    if (reason != REASON_MAX) {
-      PostFinishTask(SAFE, reason);
-    } else if (!pingback_enabled_) {
-      PostFinishTask(SAFE, REASON_PING_DISABLED);
-    } else {
-      // Currently, the UI only works on Windows so we don't even bother
-      // with pinging the server if we're not on Windows.  TODO(noelutz):
-      // change this code once the UI is done for Linux and Mac.
+
+    if (!pingback_enabled_) {
+      PostFinishTask(UNKNOWN, REASON_PING_DISABLED);
+      return;
+    }
+
+    // Currently, the UI only works on Windows so we don't even bother with
+    // pinging the server if we're not on Windows.
+    // TODO(noelutz): change this code once the UI is done for Linux and Mac.
 #if defined(OS_WIN)
-      // The URLFetcher is owned by the UI thread, so post a message to
-      // start the pingback.
-      BrowserThread::PostTask(
-          BrowserThread::UI,
-          FROM_HERE,
-          base::Bind(&CheckClientDownloadRequest::GetTabRedirects, this));
+    // The URLFetcher is owned by the UI thread, so post a message to
+    // start the pingback.
+    BrowserThread::PostTask(
+        BrowserThread::UI,
+        FROM_HERE,
+        base::Bind(&CheckClientDownloadRequest::GetTabRedirects, this));
 #else
-      PostFinishTask(SAFE, REASON_OS_NOT_SUPPORTED);
+    PostFinishTask(UNKNOWN, REASON_OS_NOT_SUPPORTED);
 #endif
-    }
   }
 
   void GetTabRedirects() {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
     if (!tab_url_.is_valid()) {
       SendRequest();
       return;
     }
 
     Profile* profile = Profile::FromBrowserContext(item_->GetBrowserContext());
@@ skipping 74 matching lines @@
       }
     }
 
     request.set_user_initiated(item_->HasUserGesture());
     request.set_file_basename(
         item_->GetTargetFilePath().BaseName().AsUTF8Unsafe());
     request.set_download_type(type_);
     request.mutable_signature()->CopyFrom(signature_info_);
     request.mutable_image_headers()->CopyFrom(image_headers_);
     if (!request.SerializeToString(&client_download_request_data_)) {
-      FinishRequest(SAFE, REASON_INVALID_REQUEST_PROTO);
+      FinishRequest(UNKNOWN, REASON_INVALID_REQUEST_PROTO);
       return;
     }
 
     VLOG(2) << "Sending a request for URL: "
             << item_->GetUrlChain().back();
     fetcher_.reset(net::URLFetcher::Create(0 /* ID used for testing */,
                                            GetDownloadRequestUrl(),
                                            net::URLFetcher::POST,
                                            this));
     fetcher_->SetLoadFlags(net::LOAD_DISABLE_CACHE);
@@ skipping 35 matching lines @@
       UMA_HISTOGRAM_ENUMERATION("SBClientDownload.DownloadRequestTimeoutStats",
                                 reason,
                                 REASON_MAX);
       if (reason != REASON_REQUEST_CANCELED) {
         UMA_HISTOGRAM_TIMES("SBClientDownload.DownloadRequestTimeoutDuration",
                             base::TimeTicks::Now() - timeout_start_time_);
       }
     }
     if (service_) {
       VLOG(2) << "SafeBrowsing download verdict for: "
-              << item_->DebugString(true) << " verdict:" << reason;
+              << item_->DebugString(true) << " verdict:" << reason
+              << " result:" << result;
       UMA_HISTOGRAM_ENUMERATION("SBClientDownload.CheckDownloadStats",
                                 reason,
                                 REASON_MAX);
       callback_.Run(result);
       item_->RemoveObserver(this);
       item_ = NULL;
       DownloadProtectionService* service = service_;
       service_ = NULL;
       service->RequestFinished(this);
       // DownloadProtectionService::RequestFinished will decrement our refcount,
       // so we may be deleted now.
     } else {
-      callback_.Run(SAFE);
+      callback_.Run(UNKNOWN);
     }
   }
 
   bool CertificateChainIsWhitelisted(
       const ClientDownloadRequest_CertificateChain& chain) {
     DCHECK(BrowserThread::CurrentlyOn(BrowserThread::IO));
     if (chain.element_size() < 2) {
       // We need to have both a signing certificate and its issuer certificate
       // present to construct a whitelist entry.
       return false;
@@ skipping 258 matching lines @@
 GURL DownloadProtectionService::GetDownloadRequestUrl() {
   GURL url(kDownloadRequestUrl);
   std::string api_key = google_apis::GetAPIKey();
   if (!api_key.empty())
     url = url.Resolve("?key=" + net::EscapeQueryParamValue(api_key, true));
 
   return url;
 }
 
 }  // namespace safe_browsing