Battery Status API: add UMA logging for Linux.
[chromium-blink-merge.git] / content / browser / security_exploit_browsertest.cc
blob3971285583aab32f83b253d6b9d0784a7c793786
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
8 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
9 #include "content/browser/frame_host/navigator.h"
10 #include "content/browser/renderer_host/render_view_host_factory.h"
11 #include "content/browser/renderer_host/render_view_host_impl.h"
12 #include "content/browser/web_contents/web_contents_impl.h"
13 #include "content/common/view_messages.h"
14 #include "content/public/browser/browser_context.h"
15 #include "content/public/browser/storage_partition.h"
16 #include "content/public/common/content_switches.h"
17 #include "content/public/test/browser_test_utils.h"
18 #include "content/public/test/content_browser_test.h"
19 #include "content/public/test/content_browser_test_utils.h"
20 #include "content/public/test/test_utils.h"
21 #include "content/shell/browser/shell.h"
23 namespace content {
25 namespace {
27 // This is a helper function for the tests which attempt to create a
28 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
29 // with the same process and routing ids, which causes a collision.
30 // It creates a couple of windows in process 1, which causes a few routing ids
31 // to be allocated. Then a cross-process navigation is initiated, which causes a
32 // new process 2 to be created and have a pending RenderViewHost for it. The
33 // routing id of the RenderViewHost which is target for a duplicate is set
34 // into |target_routing_id| and the pending RenderViewHost which is used for
35 // the attempt is the return value.
36 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
37 int* target_routing_id) {
38 GURL foo("http://foo.com/files/simple_page.html");
40 // Start off with initial navigation, so we get the first process allocated.
41 NavigateToURL(shell, foo);
43 // Open another window, so we generate some more routing ids.
44 ShellAddedObserver shell2_observer;
45 EXPECT_TRUE(ExecuteScript(
46 shell->web_contents(), "window.open(document.URL + '#2');"));
47 Shell* shell2 = shell2_observer.GetShell();
49 // The new window must be in the same process, but have a new routing id.
50 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
51 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
52 *target_routing_id =
53 shell2->web_contents()->GetRenderViewHost()->GetRoutingID();
54 EXPECT_NE(*target_routing_id,
55 shell->web_contents()->GetRenderViewHost()->GetRoutingID());
57 // Now, simulate a link click coming from the renderer.
58 GURL extension_url("https://bar.com/files/simple_page.html");
59 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents());
60 wc->GetFrameTree()->root()->navigator()->RequestOpenURL(
61 wc->GetFrameTree()->root()->current_frame_host(), extension_url,
62 Referrer(), CURRENT_TAB,
63 false, true);
65 // Since the navigation above requires a cross-process swap, there will be a
66 // pending RenderViewHost. Ensure it exists and is in a different process
67 // than the initial page.
68 RenderViewHostImpl* pending_rvh =
69 wc->GetRenderManagerForTesting()->pending_render_view_host();
70 EXPECT_TRUE(pending_rvh != NULL);
71 EXPECT_NE(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
72 pending_rvh->GetProcess()->GetID());
74 return pending_rvh;
77 } // namespace
80 // The goal of these tests will be to "simulate" exploited renderer processes,
81 // which can send arbitrary IPC messages and confuse browser process internal
82 // state, leading to security bugs. We are trying to verify that the browser
83 // doesn't perform any dangerous operations in such cases.
84 class SecurityExploitBrowserTest : public ContentBrowserTest {
85 public:
86 SecurityExploitBrowserTest() {}
87 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
88 ASSERT_TRUE(test_server()->Start());
90 // Add a host resolver rule to map all outgoing requests to the test server.
91 // This allows us to use "real" hostnames in URLs, which we can use to
92 // create arbitrary SiteInstances.
93 command_line->AppendSwitchASCII(
94 switches::kHostResolverRules,
95 "MAP * " + test_server()->host_port_pair().ToString() +
96 ",EXCLUDE localhost");
100 // Ensure that we kill the renderer process if we try to give it WebUI
101 // properties and it doesn't have enabled WebUI bindings.
102 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
103 GURL foo("http://foo.com/files/simple_page.html");
105 NavigateToURL(shell(), foo);
106 EXPECT_EQ(0,
107 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
109 content::RenderProcessHostWatcher terminated(
110 shell()->web_contents(),
111 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
112 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
113 "toolkit", "views");
114 terminated.Wait();
117 // This is a test for crbug.com/312016 attempting to create duplicate
118 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
119 // it in a state with pending RenderViewHost. Before the commit of the new
120 // pending RenderViewHost, this test case creates a new window through the new
121 // process.
122 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
123 AttemptDuplicateRenderViewHost) {
124 int duplicate_routing_id = MSG_ROUTING_NONE;
125 RenderViewHostImpl* pending_rvh =
126 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
127 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
129 // Since this test executes on the UI thread and hopping threads might cause
130 // different timing in the test, let's simulate a CreateNewWindow call coming
131 // from the IO thread.
132 ViewHostMsg_CreateWindow_Params params;
133 DOMStorageContextWrapper* dom_storage_context =
134 static_cast<DOMStorageContextWrapper*>(
135 BrowserContext::GetStoragePartition(
136 shell()->web_contents()->GetBrowserContext(),
137 pending_rvh->GetSiteInstance())->GetDOMStorageContext());
138 scoped_refptr<SessionStorageNamespaceImpl> session_storage(
139 new SessionStorageNamespaceImpl(dom_storage_context));
140 // Cause a deliberate collision in routing ids.
141 int main_frame_routing_id = duplicate_routing_id + 1;
142 pending_rvh->CreateNewWindow(duplicate_routing_id,
143 main_frame_routing_id,
144 params,
145 session_storage.get());
147 // If the above operation doesn't cause a crash, the test has succeeded!
150 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
151 // with the same process and routing ids, which causes a collision. It is almost
152 // identical to the AttemptDuplicateRenderViewHost test case.
153 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
154 AttemptDuplicateRenderWidgetHost) {
155 int duplicate_routing_id = MSG_ROUTING_NONE;
156 RenderViewHostImpl* pending_rvh =
157 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
158 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
160 // Since this test executes on the UI thread and hopping threads might cause
161 // different timing in the test, let's simulate a CreateNewWidget call coming
162 // from the IO thread. Use the existing window routing id to cause a
163 // deliberate collision.
164 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect);
166 // If the above operation doesn't crash, the test has succeeded!
169 } // namespace content