search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / content / browser / security_exploit_browsertest.cc
blob55dd9ef8977c63f5178848535939973df30c2af3
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "base/strings/utf_string_conversions.h"
8 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
9 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
10 #include "content/browser/frame_host/navigator.h"
11 #include "content/browser/frame_host/render_frame_host_impl.h"
12 #include "content/browser/renderer_host/render_view_host_factory.h"
13 #include "content/browser/renderer_host/render_view_host_impl.h"
14 #include "content/browser/web_contents/web_contents_impl.h"
15 #include "content/common/frame_messages.h"
16 #include "content/common/resource_messages.h"
17 #include "content/common/view_messages.h"
18 #include "content/public/browser/browser_context.h"
19 #include "content/public/browser/content_browser_client.h"
20 #include "content/public/browser/interstitial_page.h"
21 #include "content/public/browser/interstitial_page_delegate.h"
22 #include "content/public/browser/storage_partition.h"
23 #include "content/public/common/appcache_info.h"
24 #include "content/public/common/content_switches.h"
25 #include "content/public/common/file_chooser_params.h"
26 #include "content/public/test/browser_test_utils.h"
27 #include "content/public/test/content_browser_test.h"
28 #include "content/public/test/content_browser_test_utils.h"
29 #include "content/public/test/test_utils.h"
30 #include "content/shell/browser/shell.h"
31 #include "content/test/test_content_browser_client.h"
32 #include "ipc/ipc_security_test_util.h"
33 #include "net/dns/mock_host_resolver.h"
34 #include "net/test/embedded_test_server/embedded_test_server.h"
35
36 using IPC::IpcSecurityTestUtil;
37
38 namespace content {
39
40 namespace {
41
42 // This is a helper function for the tests which attempt to create a
43 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
44 // with the same process and routing ids, which causes a collision.
45 // It creates a couple of windows in process 1, which causes a few routing ids
46 // to be allocated. Then a cross-process navigation is initiated, which causes a
47 // new process 2 to be created and have a pending RenderViewHost for it. The
48 // routing id of the RenderViewHost which is target for a duplicate is set
49 // into |target_routing_id| and the pending RenderViewHost which is used for
50 // the attempt is the return value.
51 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
52 int* target_routing_id) {
53 GURL foo("http://foo.com/simple_page.html");
54
55 // Start off with initial navigation, so we get the first process allocated.
56 NavigateToURL(shell, foo);
57 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell->web_contents()->GetTitle());
58
59 // Open another window, so we generate some more routing ids.
60 ShellAddedObserver shell2_observer;
61 EXPECT_TRUE(ExecuteScript(
62 shell->web_contents(), "window.open(document.URL + '#2');"));
63 Shell* shell2 = shell2_observer.GetShell();
64
65 // The new window must be in the same process, but have a new routing id.
66 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
67 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
68 *target_routing_id =
69 shell2->web_contents()->GetRenderViewHost()->GetRoutingID();
70 EXPECT_NE(*target_routing_id,
71 shell->web_contents()->GetRenderViewHost()->GetRoutingID());
72
73 // Now, simulate a link click coming from the renderer.
74 GURL extension_url("https://bar.com/simple_page.html");
75 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents());
76 wc->GetFrameTree()->root()->navigator()->RequestOpenURL(
77 wc->GetFrameTree()->root()->current_frame_host(), extension_url, nullptr,
78 Referrer(), CURRENT_TAB, false, true);
79
80 // Since the navigation above requires a cross-process swap, there will be a
81 // speculative/pending RenderFrameHost. Ensure it exists and is in a different
82 // process than the initial page.
83 RenderFrameHostImpl* next_rfh;
84 if (base::CommandLine::ForCurrentProcess()->HasSwitch(
85 switches::kEnableBrowserSideNavigation)) {
86 next_rfh =
87 wc->GetRenderManagerForTesting()->speculative_frame_host();
88 } else {
89 next_rfh = wc->GetRenderManagerForTesting()->pending_frame_host();
90 }
91
92 EXPECT_TRUE(next_rfh);
93 EXPECT_NE(shell->web_contents()->GetRenderProcessHost()->GetID(),
94 next_rfh->GetProcess()->GetID());
95
96 return next_rfh->render_view_host();
97 }
98
99 ResourceHostMsg_Request CreateXHRRequestWithOrigin(const char* origin) {
100 ResourceHostMsg_Request request;
101 request.method = "GET";
102 request.url = GURL("http://bar.com/simple_page.html");
103 request.first_party_for_cookies = GURL(origin);
104 request.referrer_policy = blink::WebReferrerPolicyDefault;
105 request.headers = base::StringPrintf("Origin: %s\r\n", origin);
106 request.load_flags = 0;
107 request.origin_pid = 0;
108 request.resource_type = RESOURCE_TYPE_XHR;
109 request.request_context = 0;
110 request.appcache_host_id = kAppCacheNoHostId;
111 request.download_to_file = false;
112 request.should_reset_appcache = false;
113 request.is_main_frame = true;
114 request.parent_is_main_frame = false;
115 request.parent_render_frame_id = -1;
116 request.transition_type = ui::PAGE_TRANSITION_LINK;
117 request.allow_download = true;
118 return request;
119 }
120
121 } // namespace
122
123
124 // The goal of these tests will be to "simulate" exploited renderer processes,
125 // which can send arbitrary IPC messages and confuse browser process internal
126 // state, leading to security bugs. We are trying to verify that the browser
127 // doesn't perform any dangerous operations in such cases.
128 class SecurityExploitBrowserTest : public ContentBrowserTest {
129 public:
130 SecurityExploitBrowserTest() {}
131
132 void SetUpCommandLine(base::CommandLine* command_line) override {
133 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
134
135 // Add a host resolver rule to map all outgoing requests to the test server.
136 // This allows us to use "real" hostnames in URLs, which we can use to
137 // create arbitrary SiteInstances.
138 command_line->AppendSwitchASCII(
139 switches::kHostResolverRules,
140 "MAP * " +
141 net::HostPortPair::FromURL(embedded_test_server()->base_url())
142 .ToString() +
143 ",EXCLUDE localhost");
144 }
145
146 protected:
147 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
148 // cause renderer to be killed.
149 void TestFileChooserWithPath(const base::FilePath& path);
150 };
151
152 void SecurityExploitBrowserTest::TestFileChooserWithPath(
153 const base::FilePath& path) {
154 GURL foo("http://foo.com/simple_page.html");
155 NavigateToURL(shell(), foo);
156 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
157
158 RenderViewHost* compromised_renderer =
159 shell()->web_contents()->GetRenderViewHost();
160 RenderProcessHostWatcher terminated(
161 shell()->web_contents(),
162 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
163
164 FileChooserParams params;
165 params.default_file_name = path;
166
167 ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
168
169 IpcSecurityTestUtil::PwnMessageReceived(
170 compromised_renderer->GetProcess()->GetChannel(), evil);
171 terminated.Wait();
172 }
173
174 // Ensure that we kill the renderer process if we try to give it WebUI
175 // properties and it doesn't have enabled WebUI bindings.
176 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
177 GURL foo("http://foo.com/simple_page.html");
178
179 NavigateToURL(shell(), foo);
180 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
181 EXPECT_EQ(0,
182 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
183
184 RenderProcessHostWatcher terminated(
185 shell()->web_contents(),
186 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
187 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
188 "toolkit", "views");
189 terminated.Wait();
190 }
191
192 // This is a test for crbug.com/312016 attempting to create duplicate
193 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
194 // it in a state with pending RenderViewHost. Before the commit of the new
195 // pending RenderViewHost, this test case creates a new window through the new
196 // process.
197 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
198 AttemptDuplicateRenderViewHost) {
199 int duplicate_routing_id = MSG_ROUTING_NONE;
200 RenderViewHostImpl* pending_rvh =
201 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
202 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
203
204 // Since this test executes on the UI thread and hopping threads might cause
205 // different timing in the test, let's simulate a CreateNewWindow call coming
206 // from the IO thread.
207 ViewHostMsg_CreateWindow_Params params;
208 DOMStorageContextWrapper* dom_storage_context =
209 static_cast<DOMStorageContextWrapper*>(
210 BrowserContext::GetStoragePartition(
211 shell()->web_contents()->GetBrowserContext(),
212 pending_rvh->GetSiteInstance())->GetDOMStorageContext());
213 scoped_refptr<SessionStorageNamespaceImpl> session_storage(
214 new SessionStorageNamespaceImpl(dom_storage_context));
215 // Cause a deliberate collision in routing ids.
216 int main_frame_routing_id = duplicate_routing_id + 1;
217 pending_rvh->CreateNewWindow(duplicate_routing_id,
218 main_frame_routing_id,
219 params,
220 session_storage.get());
221
222 // If the above operation doesn't cause a crash, the test has succeeded!
223 }
224
225 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
226 // with the same process and routing ids, which causes a collision. It is almost
227 // identical to the AttemptDuplicateRenderViewHost test case.
228 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
229 AttemptDuplicateRenderWidgetHost) {
230 int duplicate_routing_id = MSG_ROUTING_NONE;
231 RenderViewHostImpl* pending_rvh =
232 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
233 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
234
235 // Since this test executes on the UI thread and hopping threads might cause
236 // different timing in the test, let's simulate a CreateNewWidget call coming
237 // from the IO thread. Use the existing window routing id to cause a
238 // deliberate collision.
239 pending_rvh->CreateNewWidget(duplicate_routing_id, 0 /* surface_id */,
240 blink::WebPopupTypePage);
241
242 // If the above operation doesn't crash, the test has succeeded!
243 }
244
245 // This is a test for crbug.com/444198. It tries to send a
246 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should
247 // correctly terminate the renderer in these cases.
248 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
249 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
250 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
251 #if defined(OS_WIN)
252 TestFileChooserWithPath(
253 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
254 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
255 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
256 #endif
257 }
258
259 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
260 public:
261 explicit SecurityExploitTestInterstitialPage(WebContents* contents) {
262 InterstitialPage* interstitial = InterstitialPage::Create(
263 contents, true, contents->GetLastCommittedURL(), this);
264 interstitial->Show();
265 }
266
267 // InterstitialPageDelegate implementation.
268 void CommandReceived(const std::string& command) override {
269 last_command_ = command;
270 }
271
272 std::string GetHTMLContents() override {
273 return "<html><head><script>"
274 "window.domAutomationController.setAutomationId(1);"
275 "window.domAutomationController.send(\"okay\");"
276 "</script></head>"
277 "<body>this page is an interstitial</body></html>";
278 }
279
280 std::string last_command() { return last_command_; }
281
282 private:
283 std::string last_command_;
284 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage);
285 };
286
287 // Fails due to InterstitialPage's reliance on PostNonNestableTask
288 // http://crbug.com/432737
289 #if defined(OS_ANDROID)
290 #define MAYBE_InterstitialCommandFromUnderlyingContent \
291 DISABLED_InterstitialCommandFromUnderlyingContent
292 #else
293 #define MAYBE_InterstitialCommandFromUnderlyingContent \
294 InterstitialCommandFromUnderlyingContent
295 #endif
296
297 // The interstitial should not be controllable by the underlying content.
298 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
299 MAYBE_InterstitialCommandFromUnderlyingContent) {
300 // Start off with initial navigation, to allocate the process.
301 GURL foo("http://foo.com/simple_page.html");
302 NavigateToURL(shell(), foo);
303 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
304
305 DOMMessageQueue message_queue;
306
307 // Install and show an interstitial page.
308 SecurityExploitTestInterstitialPage* interstitial =
309 new SecurityExploitTestInterstitialPage(shell()->web_contents());
310
311 ASSERT_EQ("", interstitial->last_command());
312 WaitForInterstitialAttach(shell()->web_contents());
313
314 InterstitialPage* interstitial_page =
315 shell()->web_contents()->GetInterstitialPage();
316 ASSERT_TRUE(interstitial_page != NULL);
317 ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
318 ASSERT_TRUE(interstitial_page->GetDelegateForTesting() == interstitial);
319
320 // The interstitial page ought to be able to send a message.
321 std::string message;
322 ASSERT_TRUE(message_queue.WaitForMessage(&message));
323 ASSERT_EQ("\"okay\"", message);
324 ASSERT_EQ("\"okay\"", interstitial->last_command());
325
326 // Send an automation message from the underlying content and wait for it to
327 // be dispatched on this thread. This message should not be received by the
328 // interstitial.
329 RenderFrameHost* compromised_renderer =
330 shell()->web_contents()->GetMainFrame();
331 FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(),
332 "evil", MSG_ROUTING_NONE);
333 IpcSecurityTestUtil::PwnMessageReceived(
334 compromised_renderer->GetProcess()->GetChannel(), evil);
335
336 ASSERT_TRUE(message_queue.WaitForMessage(&message));
337 ASSERT_EQ("evil", message)
338 << "Automation message should be received by WebContents.";
339 ASSERT_EQ("\"okay\"", interstitial->last_command())
340 << "Interstitial should not be affected.";
341
342 // Send a second message from the interstitial page, and make sure that the
343 // "evil" message doesn't arrive in the intervening period.
344 ASSERT_TRUE(ExecuteScript(interstitial_page->GetMainFrame(),
345 "window.domAutomationController.send(\"okay2\");"));
346 ASSERT_TRUE(message_queue.WaitForMessage(&message));
347 ASSERT_EQ("\"okay2\"", message);
348 ASSERT_EQ("\"okay2\"", interstitial->last_command());
349 }
350
351 class IsolatedAppContentBrowserClient : public TestContentBrowserClient {
352 public:
353 bool IsIllegalOrigin(content::ResourceContext* resource_context,
354 int child_process_id,
355 const GURL& origin) override {
356 // Simulate a case where an app origin is not in an app process.
357 return true;
358 }
359 };
360
361 // Renderer processes should not be able to spoof Origin HTTP headers.
362 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidOriginHeaders) {
363 // Create a set of IPC messages with various Origin headers.
364 ResourceHostMsg_Request chrome_origin_msg(
365 CreateXHRRequestWithOrigin("chrome://settings"));
366 ResourceHostMsg_Request embedder_isolated_origin_msg(
367 CreateXHRRequestWithOrigin("https://isolated.bar.com"));
368 ResourceHostMsg_Request invalid_origin_msg(
369 CreateXHRRequestWithOrigin("invalidurl"));
370 ResourceHostMsg_Request invalid_scheme_origin_msg(
371 CreateXHRRequestWithOrigin("fake-scheme://foo"));
372
373 GURL web_url("http://foo.com/simple_page.html");
374 NavigateToURL(shell(), web_url);
375 RenderFrameHost* web_rfh = shell()->web_contents()->GetMainFrame();
376
377 // Web processes cannot make XHRs with chrome:// Origin headers.
378 {
379 RenderProcessHostWatcher web_process_killed(
380 web_rfh->GetProcess(),
381 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
382 IPC::IpcSecurityTestUtil::PwnMessageReceived(
383 web_rfh->GetProcess()->GetChannel(),
384 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
385 chrome_origin_msg));
386 web_process_killed.Wait();
387 }
388
389 // Web processes cannot make XHRs with URLs that the content embedder expects
390 // to have process isolation. Ideally this would test chrome-extension://
391 // URLs for Chrome Apps, but those can't be tested inside content/ and the
392 // ResourceHostMsg_Request IPC can't be created in a test outside content/.
393 NavigateToURL(shell(), web_url);
394 {
395 // Set up a ContentBrowserClient that simulates an app URL in a non-app
396 // process.
397 IsolatedAppContentBrowserClient app_client;
398 ContentBrowserClient* old_client = SetBrowserClientForTesting(&app_client);
399 RenderProcessHostWatcher web_process_killed(
400 web_rfh->GetProcess(),
401 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
402 IPC::IpcSecurityTestUtil::PwnMessageReceived(
403 web_rfh->GetProcess()->GetChannel(),
404 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
405 embedder_isolated_origin_msg));
406 web_process_killed.Wait();
407 SetBrowserClientForTesting(old_client);
408 }
409
410 // Web processes cannot make XHRs with invalid Origin headers.
411 NavigateToURL(shell(), web_url);
412 {
413 RenderProcessHostWatcher web_process_killed(
414 web_rfh->GetProcess(),
415 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
416 IPC::IpcSecurityTestUtil::PwnMessageReceived(
417 web_rfh->GetProcess()->GetChannel(),
418 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
419 invalid_origin_msg));
420 web_process_killed.Wait();
421 }
422
423 // Web processes cannot make XHRs with invalid scheme Origin headers.
424 NavigateToURL(shell(), web_url);
425 {
426 RenderProcessHostWatcher web_process_killed(
427 web_rfh->GetProcess(),
428 RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
429 IPC::IpcSecurityTestUtil::PwnMessageReceived(
430 web_rfh->GetProcess()->GetChannel(),
431 ResourceHostMsg_RequestResource(web_rfh->GetRoutingID(), 1,
432 invalid_scheme_origin_msg));
433 web_process_killed.Wait();
434 }
435 }
436
437 } // namespace content