| blob | 0b9ba587de36edc2a0632e11395ab211593f3c7b |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_
6 #define CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_
8 #include <map>
9 #include <set>
10 #include <string>
11 #include <vector>
25 }
30 // Factory for creating SafeBrowsingDatabase. Tests implement this factory
31 // to create fake Databases for testing.
48 };
50 // Encapsulates on-disk databases that for safebrowsing. There are
51 // four databases: browse, download, download whitelist and
52 // client-side detection (csd) whitelist databases. The browse database contains
53 // information about phishing and malware urls. The download database contains
54 // URLs for bad binaries (e.g: those containing virus) and hash of
55 // these downloaded contents. The download whitelist contains whitelisted
56 // download hosting sites as well as whitelisted binary signing certificates
57 // etc. The csd whitelist database contains URLs that will never be considered
58 // as phishing by the client-side phishing detection. These on-disk databases
59 // are shared among all profiles, as it doesn't contain user-specific data. This
60 // object is not thread-safe, i.e. all its methods should be used on the same
61 // thread that it was created on, unless specified otherwise.
64 // Factory method for obtaining a SafeBrowsingDatabase implementation.
65 // It is not thread safe.
66 // The browse list and off-domain inclusion whitelist are always on;
67 // availability of other lists is controlled by the flags on this method.
78 // Makes the passed |factory| the factory used to instantiate
79 // a SafeBrowsingDatabase. This is used for tests.
82 }
86 // Initializes the database with the given filename.
89 // Deletes the current database and creates a new one.
92 // Returns false if |url| is not in the browse database or already was cached
93 // as a miss. If it returns true, |prefix_hits| contains sorted unique
94 // matching hash prefixes which had no cached results and |cache_hits|
95 // contains any matching cached gethash results. This function is safe to
96 // call from any thread.
102 // Returns true iff the given url is on the unwanted software blacklist.
103 // Returns false if |url| is not in the browse database or already was cached
104 // as a miss. If it returns true, |prefix_hits| contains sorted unique
105 // matching hash prefixes which had no cached results and |cache_hits|
106 // contains any matching cached gethash results. This function is safe to
107 // call from any thread.
113 // Returns false if none of |prefixes| are in Download database. If it returns
114 // true, |prefix_hits| should contain the prefixes for the URLs that were in
115 // the database. This function can ONLY be accessed from creation thread.
120 // Returns false if |url| is not on the client-side phishing detection
121 // whitelist. Otherwise, this function returns true. Note: the whitelist
122 // only contains full-length hashes so we don't return any prefix hit. This
123 // function is safe to call from any thread.
126 // The download whitelist is used for two purposes: a white-domain list of
127 // sites that are considered to host only harmless binaries as well as a
128 // whitelist of arbitrary strings such as hashed certificate authorities that
129 // are considered to be trusted. The two methods below let you lookup the
130 // whitelist either for a URL or an arbitrary string. These methods will
131 // return false if no match is found and true otherwise. This function is safe
132 // to call from any thread.
136 // Returns true if |url| is on the off-domain inclusion whitelist.
139 // Populates |prefix_hits| with any prefixes in |prefixes| that have matches
140 // in the database, returning true if there were any matches.
141 //
142 // This function can ONLY be accessed from the creation thread.
147 // Returns false unless the hash of |url| is on the side-effect free
148 // whitelist. This function is safe to call from any thread.
151 // Returns true iff the given IP is currently on the csd malware IP blacklist.
152 // This function is safe to call from any thread.
155 // A database transaction should look like:
156 //
157 // std::vector<SBListChunkRanges> lists;
158 // if (db.UpdateStarted(&lists)) {
159 // // Do something with |lists|.
160 //
161 // // Process add/sub commands.
162 // db.InsertChunks(list_name, chunks);
163 //
164 // // Process adddel/subdel commands.
165 // db.DeleteChunks(chunks_deletes);
166 //
167 // // If passed true, processes the collected chunk info and
168 // // rebuilds the filter. If passed false, rolls everything
169 // // back.
170 // db.UpdateFinished(success);
171 // }
172 //
173 // If UpdateStarted() returns true, the caller MUST eventually call
174 // UpdateFinished(). If it returns false, the caller MUST NOT call
175 // the other functions.
183 // Store the results of a GetHash response. In the case of empty results, we
184 // cache the prefixes until the next update so that we don't have to issue
185 // further GetHash requests we know will be empty. This function is safe to
186 // call from any thread.
192 // Returns true if the malware IP blacklisting killswitch URL is present
193 // in the csd whitelist. This function is safe to call from any thread.
196 // Returns true if the whitelist killswitch URL is present in the csd
197 // whitelist. This function is safe to call from any thread.
200 // The name of the bloom-filter file for the given database file.
201 // NOTE(shess): OBSOLETE. Present for deleting stale files.
205 // The name of the prefix set file for the given database file.
208 // Filename for malware and phishing URL database.
212 // Filename for download URL and download binary hash database.
216 // Filename for client-side phishing detection whitelist databsae.
220 // Filename for download whitelist databsae.
224 // Filename for the off-domain inclusion whitelist databsae.
228 // Filename for extension blacklist database.
232 // Filename for side-effect free whitelist database.
236 // Filename for the csd malware IP blacklist database.
240 // Filename for the unwanted software blacklist database.
244 // Get the prefixes matching the download |urls|.
248 // SafeBrowsing Database failure types for histogramming purposes. Explicitly
249 // label new values and do not re-use old values. Also make sure to reflect
250 // modifications made below in the SB2DatabaseFailure histogram enum.
288 // Memory space for histograms is determined by the max. ALWAYS
289 // ADD NEW VALUES BEFORE THIS ONE.
290 FAILURE_DATABASE_MAX
291 };
296 // The factory used to instantiate a SafeBrowsingDatabase object.
297 // Useful for tests, so they can provide their own implementation of
298 // SafeBrowsingDatabase.
300 };
304 // Create a database with the stores below. Takes ownership of all store
305 // objects handed to this constructor. Ignores all future operations on lists
306 // for which the store is initialized to NULL.
321 // Implement SafeBrowsingDatabase interface.
350 // Returns the value of malware_kill_switch_;
353 // Returns true if the CSD whitelist has everything whitelisted.
363 BrowseFullHashAndPrefixMatching);
365 // A SafeBrowsing whitelist contains a list of whitelisted full-hashes (stored
366 // in a sorted vector) as well as a boolean flag indicating whether all
367 // lookups in the whitelist should be considered matches for safety.
370 // This map holds a csd malware IP blacklist which maps a prefix mask
371 // to a set of hashed blacklisted IP prefixes. Each IP prefix is a hashed
372 // IPv6 IP prefix using SHA-1.
377 // The ThreadSafeStateManager holds the SafeBrowsingDatabase's state which
378 // must be accessed in a thread-safe fashion. It must be constructed on the
379 // SafeBrowsingDatabaseManager's main thread. The main thread will then be the
380 // only thread on which this state can be modified; allowing for unlocked
381 // reads on the main thread and thus avoiding contention while performing
382 // intensive operations such as writing that state to disk. The state can only
383 // be accessed via (Read|Write)Transactions obtained through this class which
384 // will automatically handle thread-safety.
387 // Identifiers for stores held by the ThreadSafeStateManager. Allows helper
388 // methods to start a transaction themselves and keep it as short as
389 // possible rather than force callers to start the transaction early to pass
390 // a store pointer to the said helper methods.
392 CSD,
393 DOWNLOAD,
394 INCLUSION,
395 };
397 BROWSE,
398 SIDE_EFFECT_FREE_WHITELIST,
399 UNWANTED_SOFTWARE,
400 };
402 // Obtained through BeginReadTransaction(NoLockOnMainTaskRunner)?(): a
403 // ReadTransaction allows read-only observations of the
404 // ThreadSafeStateManager's state. The |prefix_gethash_cache_| has a special
405 // allowance to be writable from a ReadTransaction but can't benefit from
406 // unlocked ReadTransactions. ReadTransaction should be held for the
407 // shortest amount of time possible (e.g., release it before computing final
408 // results if possible).
411 // Obtained through BeginWriteTransaction(): a WriteTransaction allows
412 // modification of the ThreadSafeStateManager's state. It should be used for
413 // the shortest amount of time possible (e.g., pre-compute the new state
414 // before grabbing a WriteTransaction to swap it in atomically).
426 // The sequenced task runner for this object, used to verify that its state
427 // is only ever accessed from the runner.
430 // Lock for protecting access to this class' state.
433 SBWhitelist csd_whitelist_;
434 SBWhitelist download_whitelist_;
435 SBWhitelist inclusion_whitelist_;
437 // The IP blacklist should be small. At most a couple hundred IPs.
438 IPBlacklist ip_blacklist_;
440 // PrefixSets to speed up lookups for particularly large lists. The
441 // PrefixSet themselves are never modified, instead a new one is swapped in
442 // on update.
445 side_effect_free_whitelist_prefix_set_;
448 // Cache of gethash results for prefix stores. Entries should not be used if
449 // they are older than their expire_after field. Cached misses will have
450 // empty full_hashes field. Cleared on each update. The cache is "mutable"
451 // as it can be written to from any transaction holding the lock, including
452 // ReadTransactions.
456 };
458 // Forward the above inner-definitions to alleviate some verbosity in the
459 // impl.
465 // Manages the non-thread safe (i.e. only to be accessed to the database's
466 // main thread) state of this class.
477 }
482 }
487 }
492 }
497 }
502 }
507 }
512 }
515 // The sequenced task runner for this object, used to verify that its state
516 // is only ever accessed from the runner.
519 // The base filename passed to Init(), used to generate the store and prefix
520 // set filenames used to store data on disk.
523 // Set if corruption is detected during the course of an update.
524 // Causes the update functions to fail with no side effects, until
525 // the next call to |UpdateStarted()|.
528 // Set to true if any chunks are added or deleted during an update.
529 // Used to optimize away database update.
533 };
536 PrefixSetId prefix_set_id,
540 // Exposed for testing of PrefixSetContainsUrlHashes() on the
541 // PrefixSet backing kMalwareList.
548 PrefixSetId prefix_set_id,
552 // Returns true if the whitelist is disabled or if any of the given hashes
553 // matches the whitelist.
557 // Return the store matching |list_id|.
560 // Deletes the files on disk.
563 // Load the prefix set in "|db_filename| Prefix Set" off disk, if available,
564 // and stores it in the PrefixSet identified by |prefix_set_id|.
565 // |read_failure_type| provides a caller-specific error code to be used on
566 // failure. This method should only ever be called during initialization as
567 // it performs some disk IO while holding a transaction (for the sake of
568 // avoiding uncessary back-and-forth interactions with the lock during
569 // Init()).
572 PrefixSetId prefix_set_id,
573 FailureType read_failure_type);
575 // Writes the current prefix set "|db_filename| Prefix Set" on disk.
576 // |write_failure_type| provides a caller-specific error code to be used on
577 // failure.
579 PrefixSetId prefix_set_id,
580 FailureType write_failure_type);
582 // Loads the given full-length hashes to the given whitelist. If the number
583 // of hashes is too large or if the kill switch URL is on the whitelist
584 // we will whitelist everything.
586 SBWhitelistId whitelist_id);
588 // Parses the IP blacklist from the given full-length hashes.
591 // Helpers for handling database corruption.
592 // |OnHandleCorruptDatabase()| runs |ResetDatabase()| and sets
593 // |corruption_detected_|, |HandleCorruptDatabase()| posts
594 // |OnHandleCorruptDatabase()| to the current thread, to be run
595 // after the current task completes.
596 // TODO(shess): Wire things up to entirely abort the update
597 // transaction when this happens.
601 // Helpers for InsertChunks().
609 // Updates the |store| and stores the result on disk under |store_filename|.
612 FailureType failure_type);
614 // Updates a PrefixStore store for URLs (|url_store|) which is backed on disk
615 // by a "|db_filename| Prefix Set" file. Specific failure types are provided
616 // to highlight the specific store who made the initial request on failure.
617 // |store_full_hashes_in_prefix_set| dictates whether full_hashes from the
618 // |url_store| should be cached in the |prefix_set| as well.
621 PrefixSetId prefix_set_id,
622 FailureType finish_failure_type,
623 FailureType write_failure_type,
627 PrefixSetId prefix_set_id,
628 FailureType failure_type);
632 SBWhitelistId whitelist_id);
635 // Returns a raw pointer to ThreadSafeStateManager's PrefixGetHashCache for
636 // testing. This should only be used in unit tests (where multi-threading and
637 // synchronization are not problematic).
640 // Records a file size histogram for the database or PrefixSet backed by
641 // |filename|.
644 // The sequenced task runner for this object, used to verify that its state
645 // is only ever accessed from the runner and post some tasks to it.
648 ThreadSafeStateManager state_manager_;
650 DatabaseStateManager db_state_manager_;
652 // Underlying persistent stores for chunk data:
653 // - |browse_store_|: For browsing related (phishing and malware URLs)
654 // chunks and prefixes.
655 // - |download_store_|: For download related (download URL and binary hash)
656 // chunks and prefixes.
657 // - |csd_whitelist_store_|: For the client-side phishing detection
658 // whitelist chunks and full-length hashes. This list only contains 256
659 // bit hashes.
660 // - |download_whitelist_store_|: For the download whitelist chunks and
661 // full-length hashes. This list only contains 256 bit hashes.
662 // - |inclusion_whitelist_store_|: For the inclusion whitelist. Same format
663 // as |download_whitelist_store_|.
664 // - |extension_blacklist_store_|: For extension IDs.
665 // - |side_effect_free_whitelist_store_|: For side-effect free whitelist.
666 // - |ip_blacklist_store_|: For IP blacklist.
667 // - |unwanted_software_store_|: For unwanted software list (format
668 // identical to browsing lists).
669 //
670 // The stores themselves will be modified throughout the existence of this
671 // database, but shouldn't ever be swapped out (hence the const scoped_ptr --
672 // which could be swapped for C++11's std::optional when that's available).
673 // They are NonThreadSafe and should thus only be accessed on the database's
674 // main thread as enforced by SafeBrowsingStoreFile's implementation.
685 // Used to schedule resetting the database because of corruption. This factory
686 // and the WeakPtrs it issues should only be used on the database's main
687 // thread.
689 };