[Autofill] Sanitize all data that comes in over IPC.

components/autofill/core/common/autofill_data_sanitizer.cc

Index: components/autofill/core/common/autofill_data_sanitizer.cc
diff --git a/components/autofill/core/common/autofill_data_sanitizer.cc b/components/autofill/core/common/autofill_data_sanitizer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2c4897889af14233db145bcec15a66cc26566184
--- /dev/null
+++ b/components/autofill/core/common/autofill_data_sanitizer.cc
@@ -0,0 +1,118 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/autofill/core/common/autofill_data_sanitizer.h"
+
+#include "components/autofill/core/common/form_data.h"
+#include "components/autofill/core/common/form_field_data.h"
+#include "components/autofill/core/common/password_form_fill_data.h"
+#include "url/gurl.h"
+
+namespace autofill {
+
+// Constants to enforce data size caps, so as to avoid sending overly large

[palmer, 2013/12/20 19:53:36]

Nit: Don't need to repeat these comments from the .h file.

[Ilya Sherman, 2013/12/20 23:54:52]

Whoops, copy/pasta.  Done.

+// messages over IPC:
+
+// The maximum string size supported by Autofill.
+const size_t kMaxDataLength = 1024;

[palmer, 2013/12/20 19:53:36]

If you find in the future that you need to increase this limit (or that of
|kMaxListSize|), that is OK. FWIW.

[Ilya Sherman, 2013/12/20 23:54:52]

Ack.

+
+// The maximum list size supported by Autofill.
+const size_t kMaxListSize = 256;
+
+bool IsSanitizedString(const std::string& str) {

[palmer, 2013/12/20 19:53:36]

FYI: "Sanitized" often means *transformed* in some way (e.g. POSIX shell
metacharacters escaped, or the like). Here, you are simply asserting some notion
of validity, without doing any transformation. I might therefore call these
functions isFooValid(const Foo& foo).

[Ilya Sherman, 2013/12/20 23:54:52]

Done.

+  return str.size() <= kMaxDataLength;
+}
+
+bool IsSanitizedString16(const base::string16& str) {
+  return str.size() <= kMaxDataLength;
+}
+
+bool IsSanitizedGURL(const GURL& url) {
+  return url.is_valid() && url.spec().size() <= kMaxDataLength;

[palmer, 2013/12/20 19:53:36]

By doing this, you are in effect asserting a limit on GURLs distinct from any
internal limits GURL may assert (a very quick skim suggests it's not asserting
any limits at the moment, but perhaps it could someday).

That is OK, since the limit you set is (presumably) reasonable for Autofill. But
something to keep in mind.

[Ilya Sherman, 2013/12/20 23:54:52]

Ack.

+}
+
+bool IsSanitizedFormFieldData(const FormFieldData& field) {
+  return
+      IsSanitizedString16(field.label) &&
+      IsSanitizedString16(field.name) &&
+      IsSanitizedString16(field.value) &&
+      IsSanitizedString(field.form_control_type) &&
+      IsSanitizedString(field.autocomplete_attribute) &&
+      IsSanitizedString16Vector(field.option_values) &&
+      IsSanitizedString16Vector(field.option_contents);
+}
+
+bool IsSanitizedFormData(const FormData& form) {
+  if (!IsSanitizedString16(form.name) ||
+      !IsSanitizedString16(form.method) ||
+      !IsSanitizedGURL(form.origin) ||
+      !IsSanitizedGURL(form.action))
+    return false;
+
+  if (form.fields.size() > kMaxListSize)
+    return false;
+
+  for (std::vector<FormFieldData>::const_iterator it = form.fields.begin();
+       it != form.fields.end(); ++it) {
+    if (!IsSanitizedFormFieldData(*it))
+      return false;
+  }
+
+  return true;
+}
+
+bool IsSanitizedPasswordFormFillData(const PasswordFormFillData& form) {
+  if (!IsSanitizedFormData(form.basic_data) ||
+      !IsSanitizedString(form.preferred_realm))
+    return false;
+
+  for (PasswordFormFillData::LoginCollection::const_iterator it =
+           form.additional_logins.begin();
+       it != form.additional_logins.end(); ++it) {
+    if (!IsSanitizedString16(it->first) ||
+        !IsSanitizedString16(it->second.password) ||
+        !IsSanitizedString(it->second.realm))
+      return false;
+  }
+
+  for (PasswordFormFillData::UsernamesCollection::const_iterator it =
+           form.other_possible_usernames.begin();
+       it != form.other_possible_usernames.end(); ++it) {
+    if (!IsSanitizedString16(it->first.username) ||
+        !IsSanitizedString16(it->first.password) ||
+        !IsSanitizedString(it->first.realm) ||
+        !IsSanitizedString16Vector(it->second))
+      return false;
+  }
+
+  return true;
+}
+
+bool IsSanitizedString16Vector(const std::vector<base::string16>& v) {
+  if (v.size() > kMaxListSize)
+    return false;
+
+  for (std::vector<base::string16>::const_iterator it = v.begin();
+       it != v.end(); ++it) {
+    if (!IsSanitizedString16(*it))
+      return false;
+  }
+
+  return true;
+}
+
+bool IsSanitizedFormDataVector(const std::vector<FormData>& v) {
+  if (v.size() > kMaxListSize)
+    return false;
+
+  for (std::vector<FormData>::const_iterator it = v.begin(); it != v.end();
+       ++it) {
+    if (!IsSanitizedFormData(*it))
+      return false;
+  }
+
+  return true;
+}
+
+}  // namespace autofill