search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Make USB permissions work in the new permission message system
[chromium-blink-merge.git] / content / browser / security_exploit_browsertest.cc
blob5f51e86ef88506cc0d4d1522a63dc1993bfeb625
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "base/strings/utf_string_conversions.h"
8 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
9 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
10 #include "content/browser/frame_host/navigator.h"
11 #include "content/browser/frame_host/render_frame_host_impl.h"
12 #include "content/browser/renderer_host/render_view_host_factory.h"
13 #include "content/browser/renderer_host/render_view_host_impl.h"
14 #include "content/browser/web_contents/web_contents_impl.h"
15 #include "content/common/frame_messages.h"
16 #include "content/common/resource_messages.h"
17 #include "content/common/view_messages.h"
18 #include "content/public/browser/browser_context.h"
19 #include "content/public/browser/content_browser_client.h"
20 #include "content/public/browser/interstitial_page.h"
21 #include "content/public/browser/interstitial_page_delegate.h"
22 #include "content/public/browser/storage_partition.h"
23 #include "content/public/common/appcache_info.h"
24 #include "content/public/common/content_switches.h"
25 #include "content/public/common/file_chooser_params.h"
26 #include "content/public/test/browser_test_utils.h"
27 #include "content/public/test/content_browser_test.h"
28 #include "content/public/test/content_browser_test_utils.h"
29 #include "content/public/test/test_utils.h"
30 #include "content/shell/browser/shell.h"
31 #include "content/test/test_content_browser_client.h"
32 #include "ipc/ipc_security_test_util.h"
33 #include "net/dns/mock_host_resolver.h"
34 #include "net/test/embedded_test_server/embedded_test_server.h"
35
36 using IPC::IpcSecurityTestUtil;
37
38 namespace content {
39
40 namespace {
41
42 // This is a helper function for the tests which attempt to create a
43 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
44 // with the same process and routing ids, which causes a collision.
45 // It creates a couple of windows in process 1, which causes a few routing ids
46 // to be allocated. Then a cross-process navigation is initiated, which causes a
47 // new process 2 to be created and have a pending RenderViewHost for it. The
48 // routing id of the RenderViewHost which is target for a duplicate is set
49 // into |target_routing_id| and the pending RenderViewHost which is used for
50 // the attempt is the return value.
51 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
52 int* target_routing_id) {
53 GURL foo("http://foo.com/simple_page.html");
54
55 // Start off with initial navigation, so we get the first process allocated.
56 NavigateToURL(shell, foo);
57 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell->web_contents()->GetTitle());
58
59 // Open another window, so we generate some more routing ids.
60 ShellAddedObserver shell2_observer;
61 EXPECT_TRUE(ExecuteScript(
62 shell->web_contents(), "window.open(document.URL + '#2');"));
63 Shell* shell2 = shell2_observer.GetShell();
64
65 // The new window must be in the same process, but have a new routing id.
66 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
67 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
68 *target_routing_id =
69 shell2->web_contents()->GetRenderViewHost()->GetRoutingID();
70 EXPECT_NE(*target_routing_id,
71 shell->web_contents()->GetRenderViewHost()->GetRoutingID());
72
73 // Now, simulate a link click coming from the renderer.
74 GURL extension_url("https://bar.com/simple_page.html");
75 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents());
76 wc->GetFrameTree()->root()->navigator()->RequestOpenURL(
77 wc->GetFrameTree()->root()->current_frame_host(), extension_url, nullptr,
78 Referrer(), CURRENT_TAB, false, true);
79
80 // Since the navigation above requires a cross-process swap, there will be a
81 // speculative/pending RenderFrameHost. Ensure it exists and is in a different
82 // process than the initial page.
83 RenderFrameHostImpl* next_rfh;
84 if (base::CommandLine::ForCurrentProcess()->HasSwitch(
85 switches::kEnableBrowserSideNavigation)) {
86 next_rfh =
87 wc->GetRenderManagerForTesting()->speculative_frame_host();
88 } else {
89 next_rfh = wc->GetRenderManagerForTesting()->pending_frame_host();
90 }
91
92 EXPECT_TRUE(next_rfh);
93 EXPECT_NE(shell->web_contents()->GetRenderProcessHost()->GetID(),
94 next_rfh->GetProcess()->GetID());
95
96 return next_rfh->render_view_host();
97 }
98
99 ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
100 ResourceHostMsg_Request request;
101 request.method = "GET";
102 request.url = GURL("http://bar.com/simple_page.html");
103 request.first_party_for_cookies = GURL(origin);
104 request.referrer_policy = blink::WebReferrerPolicyDefault;
105 request.headers = base::StringPrintf("Origin: %s\r\n", origin);
106 request.load_flags = 0;
107 request.origin_pid = 0;
108 request.resource_type = RESOURCE_TYPE_XHR;
109 request.request_context = 0;
110 request.appcache_host_id = kAppCacheNoHostId;
111 request.download_to_file = false;
112 request.should_reset_appcache = false;
113 request.is_main_frame = true;
114 request.parent_is_main_frame = false;
115 request.parent_render_frame_id = -1;
116 request.transition_type = ui::PAGE_TRANSITION_LINK;
117 request.allow_download = true;
118 return request;
119 }
120
121 } // namespace
122
123
124 // The goal of these tests will be to "simulate" exploited renderer processes,
125 // which can send arbitrary IPC messages and confuse browser process internal
126 // state, leading to security bugs. We are trying to verify that the browser
127 // doesn't perform any dangerous operations in such cases.
128 class SecurityExploitBrowserTest : public ContentBrowserTest {
129 public:
130 SecurityExploitBrowserTest() {}
131
132 void SetUpCommandLine(base::CommandLine* command_line) override {
133 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
134
135 // Add a host resolver rule to map all outgoing requests to the test server.
136 // This allows us to use "real" hostnames in URLs, which we can use to
137 // create arbitrary SiteInstances.
138 command_line->AppendSwitchASCII(
139 switches::kHostResolverRules,
140 "MAP * " +
141 net::HostPortPair::FromURL(embedded_test_server()->base_url())
142 .ToString() +
143 ",EXCLUDE localhost");
144 }
145
146 protected:
147 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
148 // cause renderer to be killed.
149 void TestFileChooserWithPath(const base::FilePath& path);
150 };
151
152 void SecurityExploitBrowserTest::TestFileChooserWithPath(
153 const base::FilePath& path) {
154 GURL foo("http://foo.com/simple_page.html");
155 NavigateToURL(shell(), foo);
156 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
157
158 RenderViewHost* compromised_renderer =
159 shell()->web_contents()->GetRenderViewHost();
160 RenderProcessHostWatcher terminated(
161 shell()->web_contents(),
162 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
163
164 FileChooserParams params;
165 params.default_file_name = path;
166
167 ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
168
169 IpcSecurityTestUtil::PwnMessageReceived(
170 compromised_renderer->GetProcess()->GetChannel(), evil);
171 terminated.Wait();
172 }
173
174 // Ensure that we kill the renderer process if we try to give it WebUI
175 // properties and it doesn't have enabled WebUI bindings.
176 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
177 GURL foo("http://foo.com/simple_page.html");
178
179 NavigateToURL(shell(), foo);
180 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
181 EXPECT_EQ(0,
182 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
183
184 RenderProcessHostWatcher terminated(
185 shell()->web_contents(),
186 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
187 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
188 "toolkit", "views");
189 terminated.Wait();
190 }
191
192 // This is a test for crbug.com/312016 attempting to create duplicate
193 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
194 // it in a state with pending RenderViewHost. Before the commit of the new
195 // pending RenderViewHost, this test case creates a new window through the new
196 // process.
197 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
198 AttemptDuplicateRenderViewHost) {
199 int duplicate_routing_id = MSG_ROUTING_NONE;
200 RenderViewHostImpl* pending_rvh =
201 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
202 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
203
204 // Since this test executes on the UI thread and hopping threads might cause
205 // different timing in the test, let's simulate a CreateNewWindow call coming
206 // from the IO thread.
207 ViewHostMsg_CreateWindow_Params params;
208 DOMStorageContextWrapper* dom_storage_context =
209 static_cast<DOMStorageContextWrapper*>(
210 BrowserContext::GetStoragePartition(
211 shell()->web_contents()->GetBrowserContext(),
212 pending_rvh->GetSiteInstance())->GetDOMStorageContext());
213 scoped_refptr<SessionStorageNamespaceImpl> session_storage(
214 new SessionStorageNamespaceImpl(dom_storage_context));
215 // Cause a deliberate collision in routing ids.
216 int main_frame_routing_id = duplicate_routing_id + 1;
217 pending_rvh->CreateNewWindow(duplicate_routing_id,
218 main_frame_routing_id,
219 params,
220 session_storage.get());
221
222 // If the above operation doesn't cause a crash, the test has succeeded!
223 }
224
225 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
226 // with the same process and routing ids, which causes a collision. It is almost
227 // identical to the AttemptDuplicateRenderViewHost test case.
228 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
229 AttemptDuplicateRenderWidgetHost) {
230 int duplicate_routing_id = MSG_ROUTING_NONE;
231 RenderViewHostImpl* pending_rvh =
232 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
233 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
234
235 // Since this test executes on the UI thread and hopping threads might cause
236 // different timing in the test, let's simulate a CreateNewWidget call coming
237 // from the IO thread. Use the existing window routing id to cause a
238 // deliberate collision.
239 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypePage);
240
241 // If the above operation doesn't crash, the test has succeeded!
242 }
243
244 // This is a test for crbug.com/444198. It tries to send a
245 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should
246 // correctly terminate the renderer in these cases.
247 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
248 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
249 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
250 #if defined(OS_WIN)
251 TestFileChooserWithPath(
252 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
253 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
254 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
255 #endif
256 }
257
258 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
259 public:
260 explicit SecurityExploitTestInterstitialPage(WebContents* contents) {
261 InterstitialPage* interstitial = InterstitialPage::Create(
262 contents, true, contents->GetLastCommittedURL(), this);
263 interstitial->Show();
264 }
265
266 // InterstitialPageDelegate implementation.
267 void CommandReceived(const std::string& command) override {
268 last_command_ = command;
269 }
270
271 std::string GetHTMLContents() override {
272 return "<html><head><script>"
273 "window.domAutomationController.setAutomationId(1);"
274 "window.domAutomationController.send(\"okay\");"
275 "</script></head>"
276 "<body>this page is an interstitial</body></html>";
277 }
278
279 std::string last_command() { return last_command_; }
280
281 private:
282 std::string last_command_;
283 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage);
284 };
285
286 // Fails due to InterstitialPage's reliance on PostNonNestableTask
287 // http://crbug.com/432737
288 #if defined(OS_ANDROID)
289 #define MAYBE_InterstitialCommandFromUnderlyingContent \
290 DISABLED_InterstitialCommandFromUnderlyingContent
291 #else
292 #define MAYBE_InterstitialCommandFromUnderlyingContent \
293 InterstitialCommandFromUnderlyingContent
294 #endif
295
296 // The interstitial should not be controllable by the underlying content.
297 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
298 MAYBE_InterstitialCommandFromUnderlyingContent) {
299 // Start off with initial navigation, to allocate the process.
300 GURL foo("http://foo.com/simple_page.html");
301 NavigateToURL(shell(), foo);
302 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
303
304 DOMMessageQueue message_queue;
305
306 // Install and show an interstitial page.
307 SecurityExploitTestInterstitialPage* interstitial =
308 new SecurityExploitTestInterstitialPage(shell()->web_contents());
309
310 ASSERT_EQ("", interstitial->last_command());
311 WaitForInterstitialAttach(shell()->web_contents());
312
313 InterstitialPage* interstitial_page =
314 shell()->web_contents()->GetInterstitialPage();
315 ASSERT_TRUE(interstitial_page != NULL);
316 ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
317 ASSERT_TRUE(interstitial_page->GetDelegateForTesting() == interstitial);
318
319 // The interstitial page ought to be able to send a message.
320 std::string message;
321 ASSERT_TRUE(message_queue.WaitForMessage(&message));
322 ASSERT_EQ("\"okay\"", message);
323 ASSERT_EQ("\"okay\"", interstitial->last_command());
324
325 // Send an automation message from the underlying content and wait for it to
326 // be dispatched on this thread. This message should not be received by the
327 // interstitial.
328 RenderFrameHost* compromised_renderer =
329 shell()->web_contents()->GetMainFrame();
330 FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(),
331 "evil", MSG_ROUTING_NONE);
332 IpcSecurityTestUtil::PwnMessageReceived(
333 compromised_renderer->GetProcess()->GetChannel(), evil);
334
335 ASSERT_TRUE(message_queue.WaitForMessage(&message));
336 ASSERT_EQ("evil", message)
337 << "Automation message should be received by WebContents.";
338 ASSERT_EQ("\"okay\"", interstitial->last_command())
339 << "Interstitial should not be affected.";
340
341 // Send a second message from the interstitial page, and make sure that the
342 // "evil" message doesn't arrive in the intervening period.
343 ASSERT_TRUE(ExecuteScript(interstitial_page->GetMainFrame(),
344 "window.domAutomationController.send(\"okay2\");"));
345 ASSERT_TRUE(message_queue.WaitForMessage(&message));
346 ASSERT_EQ("\"okay2\"", message);
347 ASSERT_EQ("\"okay2\"", interstitial->last_command());
348 }
349
350 class IsolatedAppContentBrowserClient : public TestContentBrowserClient {
351 public:
352 bool IsIllegalOrigin(content::ResourceContext* resource_context,
353 int child_process_id,
354 const GURL& origin) override {
355 // Simulate a case where an app origin is not in an app process.
356 return true;
357 }
358 };
359
360 // Renderer processes should not be able to spoof Origin HTTP headers.
361 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
362 // Create a set of IPC messages with various Origin headers.
363 ResourceHostMsg_Request chrome_origin_msg(
364 CreateXHRRequestWithOrigin("chrome://settings"));
365 ResourceHostMsg_Request embedder_isolated_origin_msg(
366 CreateXHRRequestWithOrigin("https://isolated.bar.com"));
367 ResourceHostMsg_Request invalid_origin_msg(
368 CreateXHRRequestWithOrigin("invalidurl"));
369 ResourceHostMsg_Request invalid_scheme_origin_msg(
370 CreateXHRRequestWithOrigin("fake-scheme://foo"));
371
372 GURL web_url("http://foo.com/simple_page.html");
373 NavigateToURL(shell(), web_url);
374 RenderFrameHost* web_rfh = shell()->web_contents()->GetMainFrame();
375
376 // Web processes cannot make XHRs with chrome:// Origin headers.
377 {
378 RenderProcessHostWatcher web_process_killed(
379 web_rfh->GetProcess(),
380 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
381 IPC::IpcSecurityTestUtil::PwnMessageReceived(
382 web_rfh->GetProcess()->GetChannel(),
383 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
384 chrome_origin_msg));
385 web_process_killed.Wait();
386 }
387
388 // Web processes cannot make XHRs with URLs that the content embedder expects
389 // to have process isolation. Ideally this would test chrome-extension://
390 // URLs for Chrome Apps, but those can't be tested inside content/ and the
391 // ResourceHostMsg_Request IPC can't be created in a test outside content/.
392 NavigateToURL(shell(), web_url);
393 {
394 // Set up a ContentBrowserClient that simulates an app URL in a non-app
395 // process.
396 IsolatedAppContentBrowserClient app_client;
397 ContentBrowserClient* old_client = SetBrowserClientForTesting(&app_client);
398 RenderProcessHostWatcher web_process_killed(
399 web_rfh->GetProcess(),
400 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
401 IPC::IpcSecurityTestUtil::PwnMessageReceived(
402 web_rfh->GetProcess()->GetChannel(),
403 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
404 embedder_isolated_origin_msg));
405 web_process_killed.Wait();
406 SetBrowserClientForTesting(old_client);
407 }
408
409 // Web processes cannot make XHRs with invalid Origin headers.
410 NavigateToURL(shell(), web_url);
411 {
412 RenderProcessHostWatcher web_process_killed(
413 web_rfh->GetProcess(),
414 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
415 IPC::IpcSecurityTestUtil::PwnMessageReceived(
416 web_rfh->GetProcess()->GetChannel(),
417 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
418 invalid_origin_msg));
419 web_process_killed.Wait();
420 }
421
422 // Web processes cannot make XHRs with invalid scheme Origin headers.
423 NavigateToURL(shell(), web_url);
424 {
425 RenderProcessHostWatcher web_process_killed(
426 web_rfh->GetProcess(),
427 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
428 IPC::IpcSecurityTestUtil::PwnMessageReceived(
429 web_rfh->GetProcess()->GetChannel(),
430 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
431 invalid_scheme_origin_msg));
432 web_process_killed.Wait();
433 }
434 }
435
436 } // namespace content