[Autofill] Sanitize all data that comes in over IPC.

components/autofill/core/browser/autofill_manager.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/core/browser/autofill_manager.h"
 
 #include <stddef.h>
 
 #include <limits>
 #include <map>
@@ skipping 17 matching lines @@
 #include "components/autofill/core/browser/autofill_manager_delegate.h"
 #include "components/autofill/core/browser/autofill_manager_test_delegate.h"
 #include "components/autofill/core/browser/autofill_metrics.h"
 #include "components/autofill/core/browser/autofill_profile.h"
 #include "components/autofill/core/browser/autofill_type.h"
 #include "components/autofill/core/browser/credit_card.h"
 #include "components/autofill/core/browser/form_structure.h"
 #include "components/autofill/core/browser/personal_data_manager.h"
 #include "components/autofill/core/browser/phone_number.h"
 #include "components/autofill/core/browser/phone_number_i18n.h"
+#include "components/autofill/core/common/autofill_data_sanitizer.h"
 #include "components/autofill/core/common/autofill_pref_names.h"
 #include "components/autofill/core/common/autofill_switches.h"
 #include "components/autofill/core/common/form_data.h"
 #include "components/autofill/core/common/form_data_predictions.h"
 #include "components/autofill/core/common/form_field_data.h"
 #include "components/autofill/core/common/password_form_fill_data.h"
 #include "components/user_prefs/pref_registry_syncable.h"
 #include "grit/component_strings.h"
 #include "third_party/WebKit/public/web/WebAutofillClient.h"
 #include "ui/base/l10n/l10n_util.h"
@@ skipping 175 matching lines @@
 }
 
 void AutofillManager::SetExternalDelegate(AutofillExternalDelegate* delegate) {
   // TODO(jrg): consider passing delegate into the ctor.  That won't
   // work if the delegate has a pointer to the AutofillManager, but
   // future directions may not need such a pointer.
   external_delegate_ = delegate;
   autocomplete_history_manager_->SetExternalDelegate(delegate);
 }
 
+void AutofillManager::ShowAutofillSettings() {
+  manager_delegate_->ShowAutofillSettings();
+}
+
 bool AutofillManager::OnFormSubmitted(const FormData& form,
                                       const TimeTicks& timestamp) {
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedFormData(form))
+    return false;
+
   // Let Autocomplete know as well.
   autocomplete_history_manager_->OnFormSubmitted(form);
 
   // Grab a copy of the form data.
   scoped_ptr<FormStructure> submitted_form(new FormStructure(form));
 
   if (!ShouldUploadForm(*submitted_form))
     return false;
 
   // Don't save data that was submitted through JavaScript.
@@ skipping 49 matching lines @@
                    initial_interaction_timestamp_,
                    timestamp));
   }
 
   return true;
 }
 
 void AutofillManager::OnFormsSeen(const std::vector<FormData>& forms,
                                   const TimeTicks& timestamp,
                                   autofill::FormsSeenState state) {
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedFormDataVector(forms))
+    return;
+
   bool is_post_document_load = state == autofill::DYNAMIC_FORMS_SEEN;
   // If new forms were added dynamically, treat as a new page.
   if (is_post_document_load)
     Reset();
 
   if (!driver_->RendererIsAvailable())
     return;
 
   bool enabled = IsAutofillEnabled();
   if (!has_logged_autofill_enabled_) {
     metric_logger_->LogIsAutofillEnabledAtPageLoad(enabled);
     has_logged_autofill_enabled_ = true;
   }
 
   if (!enabled)
     return;
 
   forms_loaded_timestamp_ = timestamp;
   ParseForms(forms);
 }
 
 void AutofillManager::OnTextFieldDidChange(const FormData& form,
                                            const FormFieldData& field,
                                            const TimeTicks& timestamp) {
+  // Bail if the arguments appear to be corrupt.

[palmer, 2013/12/20 19:53:36]

Nit: I'd drop the instances of this comment. The function names say it all.

[Ilya Sherman, 2013/12/20 23:54:52]

Done.

+  if (!IsSanitizedFormData(form) || !IsSanitizedFormFieldData(field))
+    return;
+
   FormStructure* form_structure = NULL;
   AutofillField* autofill_field = NULL;
   if (!GetCachedFormAndField(form, field, &form_structure, &autofill_field))
     return;
 
   if (!user_did_type_) {
     user_did_type_ = true;
     metric_logger_->LogUserHappinessMetric(AutofillMetrics::USER_DID_TYPE);
   }
 
@@ skipping 10 matching lines @@
   }
 
   UpdateInitialInteractionTimestamp(timestamp);
 }
 
 void AutofillManager::OnQueryFormFieldAutofill(int query_id,
                                                const FormData& form,
                                                const FormFieldData& field,
                                                const gfx::RectF& bounding_box,
                                                bool display_warning) {
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedFormData(form) || !IsSanitizedFormFieldData(field))
+    return;
+
   std::vector<base::string16> values;
   std::vector<base::string16> labels;
   std::vector<base::string16> icons;
   std::vector<int> unique_ids;
 
   external_delegate_->OnQuery(query_id,
                               form,
                               field,
                               bounding_box,
                               display_warning);
@@ skipping 67 matching lines @@
   // hand off what we generated and they will send the results back to the
   // renderer.
   autocomplete_history_manager_->OnGetAutocompleteSuggestions(
       query_id, field.name, field.value, values, labels, icons, unique_ids);
 }
 
 void AutofillManager::OnFillAutofillFormData(int query_id,
                                              const FormData& form,
                                              const FormFieldData& field,
                                              int unique_id) {
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedFormData(form) || !IsSanitizedFormFieldData(field))
+    return;
+
   const AutofillDataModel* data_model = NULL;
   size_t variant = 0;
   FormStructure* form_structure = NULL;
   AutofillField* autofill_field = NULL;
   // NOTE: RefreshDataModels may invalidate |data_model| because it causes the
   // PersonalDataManager to reload Mac address book entries. Thus it must come
   // before GetProfileOrCreditCard.
   if (!RefreshDataModels() ||
       !driver_->RendererIsAvailable() ||
       !GetProfileOrCreditCard(unique_id, &data_model, &variant) ||
@@ skipping 60 matching lines @@
 
   autofilled_form_signatures_.push_front(form_structure->FormSignature());
   // Only remember the last few forms that we've seen, both to avoid false
   // positives and to avoid wasting memory.
   if (autofilled_form_signatures_.size() > kMaxRecentFormSignaturesToRemember)
     autofilled_form_signatures_.pop_back();
 
   driver_->SendFormDataToRenderer(query_id, result);
 }
 
-void AutofillManager::OnShowAutofillDialog() {
-  manager_delegate_->ShowAutofillSettings();
-}
-
 void AutofillManager::OnDidPreviewAutofillFormData() {
   if (test_delegate_)
     test_delegate_->DidPreviewFormData();
 }
 
 void AutofillManager::OnDidFillAutofillFormData(const TimeTicks& timestamp) {
   if (test_delegate_)
     test_delegate_->DidFillFormData();
 
   metric_logger_->LogUserHappinessMetric(AutofillMetrics::USER_DID_AUTOFILL);
@@ skipping 53 matching lines @@
 const std::vector<FormStructure*>& AutofillManager::GetFormStructures() {
   return form_structures_.get();
 }
 
 void AutofillManager::SetTestDelegate(
     autofill::AutofillManagerTestDelegate* delegate) {
   test_delegate_ = delegate;
 }
 
 void AutofillManager::OnAddPasswordFormMapping(
-      const FormFieldData& form,
+      const FormFieldData& username_field,
       const PasswordFormFillData& fill_data) {
-  external_delegate_->AddPasswordFormMapping(form, fill_data);
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedFormFieldData(username_field) ||
+      !IsSanitizedPasswordFormFillData(fill_data))
+    return;
+
+  external_delegate_->AddPasswordFormMapping(username_field, fill_data);
 }
 
 void AutofillManager::OnShowPasswordSuggestions(
     const FormFieldData& field,
     const gfx::RectF& bounds,
     const std::vector<base::string16>& suggestions,
     const std::vector<base::string16>& realms) {
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedString16Vector(suggestions) ||
+      !IsSanitizedString16Vector(realms) ||
+      suggestions.size() != realms.size())
+    return;
+
   external_delegate_->OnShowPasswordSuggestions(suggestions,
                                                 realms,
                                                 field,
                                                 bounds);
 }
 
 void AutofillManager::OnSetDataList(const std::vector<base::string16>& values,
                                     const std::vector<base::string16>& labels) {
-  if (values.size() != labels.size())
+  // Bail if the arguments appear to be corrupt.
+  if (!IsSanitizedString16Vector(values) ||
+      !IsSanitizedString16Vector(labels) ||
+      values.size() != labels.size())
     return;
 
   external_delegate_->SetCurrentDataListValues(values, labels);
 }
 
 void AutofillManager::OnLoadedServerPredictions(
     const std::string& response_xml) {
   // Parse and store the server predictions.
   FormStructure::ParseQueryResponse(response_xml,
                                     form_structures_.get(),
@@ skipping 469 matching lines @@
     return false;
 
   // Disregard forms that we wouldn't ever autofill in the first place.
   if (!form.ShouldBeParsed(true))
     return false;
 
   return true;
 }
 
 }  // namespace autofill