Re-subimission of https://codereview.chromium.org/1041213003/
[chromium-blink-merge.git] / content / browser / security_exploit_browsertest.cc
blob62d3b62c674820a133f13cd26ed52bbca5d346cc
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "base/strings/utf_string_conversions.h"
8 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
9 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
10 #include "content/browser/frame_host/navigator.h"
11 #include "content/browser/renderer_host/render_view_host_factory.h"
12 #include "content/browser/renderer_host/render_view_host_impl.h"
13 #include "content/browser/web_contents/web_contents_impl.h"
14 #include "content/common/frame_messages.h"
15 #include "content/common/view_messages.h"
16 #include "content/public/browser/browser_context.h"
17 #include "content/public/browser/interstitial_page.h"
18 #include "content/public/browser/interstitial_page_delegate.h"
19 #include "content/public/browser/storage_partition.h"
20 #include "content/public/common/content_switches.h"
21 #include "content/public/common/file_chooser_params.h"
22 #include "content/public/test/browser_test_utils.h"
23 #include "content/public/test/content_browser_test.h"
24 #include "content/public/test/content_browser_test_utils.h"
25 #include "content/public/test/test_utils.h"
26 #include "content/shell/browser/shell.h"
27 #include "ipc/ipc_security_test_util.h"
28 #include "net/dns/mock_host_resolver.h"
29 #include "net/test/embedded_test_server/embedded_test_server.h"
31 using IPC::IpcSecurityTestUtil;
33 namespace content {
35 namespace {
37 // This is a helper function for the tests which attempt to create a
38 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
39 // with the same process and routing ids, which causes a collision.
40 // It creates a couple of windows in process 1, which causes a few routing ids
41 // to be allocated. Then a cross-process navigation is initiated, which causes a
42 // new process 2 to be created and have a pending RenderViewHost for it. The
43 // routing id of the RenderViewHost which is target for a duplicate is set
44 // into |target_routing_id| and the pending RenderViewHost which is used for
45 // the attempt is the return value.
46 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
47 int* target_routing_id) {
48 GURL foo("http://foo.com/simple_page.html");
50 // Start off with initial navigation, so we get the first process allocated.
51 NavigateToURL(shell, foo);
52 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell->web_contents()->GetTitle());
54 // Open another window, so we generate some more routing ids.
55 ShellAddedObserver shell2_observer;
56 EXPECT_TRUE(ExecuteScript(
57 shell->web_contents(), "window.open(document.URL + '#2');"));
58 Shell* shell2 = shell2_observer.GetShell();
60 // The new window must be in the same process, but have a new routing id.
61 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
62 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
63 *target_routing_id =
64 shell2->web_contents()->GetRenderViewHost()->GetRoutingID();
65 EXPECT_NE(*target_routing_id,
66 shell->web_contents()->GetRenderViewHost()->GetRoutingID());
68 // Now, simulate a link click coming from the renderer.
69 GURL extension_url("https://bar.com/simple_page.html");
70 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents());
71 wc->GetFrameTree()->root()->navigator()->RequestOpenURL(
72 wc->GetFrameTree()->root()->current_frame_host(), extension_url, nullptr,
73 Referrer(), CURRENT_TAB, false, true);
75 // Since the navigation above requires a cross-process swap, there will be a
76 // pending RenderViewHost. Ensure it exists and is in a different process
77 // than the initial page.
78 RenderViewHostImpl* pending_rvh =
79 wc->GetRenderManagerForTesting()->pending_render_view_host();
80 EXPECT_TRUE(pending_rvh != NULL);
81 EXPECT_NE(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
82 pending_rvh->GetProcess()->GetID());
84 return pending_rvh;
87 } // namespace
90 // The goal of these tests will be to "simulate" exploited renderer processes,
91 // which can send arbitrary IPC messages and confuse browser process internal
92 // state, leading to security bugs. We are trying to verify that the browser
93 // doesn't perform any dangerous operations in such cases.
94 class SecurityExploitBrowserTest : public ContentBrowserTest {
95 public:
96 SecurityExploitBrowserTest() {}
98 void SetUpCommandLine(base::CommandLine* command_line) override {
99 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
101 // Add a host resolver rule to map all outgoing requests to the test server.
102 // This allows us to use "real" hostnames in URLs, which we can use to
103 // create arbitrary SiteInstances.
104 command_line->AppendSwitchASCII(
105 switches::kHostResolverRules,
106 "MAP * " +
107 net::HostPortPair::FromURL(embedded_test_server()->base_url())
108 .ToString() +
109 ",EXCLUDE localhost");
112 protected:
113 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
114 // cause renderer to be killed.
115 void TestFileChooserWithPath(const base::FilePath& path);
118 void SecurityExploitBrowserTest::TestFileChooserWithPath(
119 const base::FilePath& path) {
120 GURL foo("http://foo.com/simple_page.html");
121 NavigateToURL(shell(), foo);
122 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
124 content::RenderViewHost* compromised_renderer =
125 shell()->web_contents()->GetRenderViewHost();
126 content::RenderProcessHostWatcher terminated(
127 shell()->web_contents(),
128 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
130 FileChooserParams params;
131 params.default_file_name = path;
133 ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
135 IpcSecurityTestUtil::PwnMessageReceived(
136 compromised_renderer->GetProcess()->GetChannel(), evil);
137 terminated.Wait();
140 // Ensure that we kill the renderer process if we try to give it WebUI
141 // properties and it doesn't have enabled WebUI bindings.
142 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
143 GURL foo("http://foo.com/simple_page.html");
145 NavigateToURL(shell(), foo);
146 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
147 EXPECT_EQ(0,
148 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
150 content::RenderProcessHostWatcher terminated(
151 shell()->web_contents(),
152 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
153 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
154 "toolkit", "views");
155 terminated.Wait();
158 // This is a test for crbug.com/312016 attempting to create duplicate
159 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
160 // it in a state with pending RenderViewHost. Before the commit of the new
161 // pending RenderViewHost, this test case creates a new window through the new
162 // process.
163 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
164 AttemptDuplicateRenderViewHost) {
165 int duplicate_routing_id = MSG_ROUTING_NONE;
166 RenderViewHostImpl* pending_rvh =
167 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
168 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
170 // Since this test executes on the UI thread and hopping threads might cause
171 // different timing in the test, let's simulate a CreateNewWindow call coming
172 // from the IO thread.
173 ViewHostMsg_CreateWindow_Params params;
174 DOMStorageContextWrapper* dom_storage_context =
175 static_cast<DOMStorageContextWrapper*>(
176 BrowserContext::GetStoragePartition(
177 shell()->web_contents()->GetBrowserContext(),
178 pending_rvh->GetSiteInstance())->GetDOMStorageContext());
179 scoped_refptr<SessionStorageNamespaceImpl> session_storage(
180 new SessionStorageNamespaceImpl(dom_storage_context));
181 // Cause a deliberate collision in routing ids.
182 int main_frame_routing_id = duplicate_routing_id + 1;
183 pending_rvh->CreateNewWindow(duplicate_routing_id,
184 main_frame_routing_id,
185 params,
186 session_storage.get());
188 // If the above operation doesn't cause a crash, the test has succeeded!
191 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
192 // with the same process and routing ids, which causes a collision. It is almost
193 // identical to the AttemptDuplicateRenderViewHost test case.
194 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
195 AttemptDuplicateRenderWidgetHost) {
196 int duplicate_routing_id = MSG_ROUTING_NONE;
197 RenderViewHostImpl* pending_rvh =
198 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
199 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
201 // Since this test executes on the UI thread and hopping threads might cause
202 // different timing in the test, let's simulate a CreateNewWidget call coming
203 // from the IO thread. Use the existing window routing id to cause a
204 // deliberate collision.
205 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect);
207 // If the above operation doesn't crash, the test has succeeded!
210 // This is a test for crbug.com/444198. It tries to send a
211 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should
212 // correctly terminate the renderer in these cases.
213 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
214 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
215 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
216 #if defined(OS_WIN)
217 TestFileChooserWithPath(
218 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
219 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
220 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
221 #endif
224 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
225 public:
226 explicit SecurityExploitTestInterstitialPage(WebContents* contents) {
227 InterstitialPage* interstitial = InterstitialPage::Create(
228 contents, true, contents->GetLastCommittedURL(), this);
229 interstitial->Show();
232 // InterstitialPageDelegate implementation.
233 void CommandReceived(const std::string& command) override {
234 last_command_ = command;
237 std::string GetHTMLContents() override {
238 return "<html><head><script>"
239 "window.domAutomationController.setAutomationId(1);"
240 "window.domAutomationController.send(\"okay\");"
241 "</script></head>"
242 "<body>this page is an interstitial</body></html>";
245 std::string last_command() { return last_command_; }
247 private:
248 std::string last_command_;
249 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage);
252 // Fails due to InterstitialPage's reliance on PostNonNestableTask
253 // http://crbug.com/432737
254 #if defined(OS_ANDROID)
255 #define MAYBE_InterstitialCommandFromUnderlyingContent \
256 DISABLED_InterstitialCommandFromUnderlyingContent
257 #else
258 #define MAYBE_InterstitialCommandFromUnderlyingContent \
259 InterstitialCommandFromUnderlyingContent
260 #endif
262 // The interstitial should not be controllable by the underlying content.
263 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
264 MAYBE_InterstitialCommandFromUnderlyingContent) {
265 // Start off with initial navigation, to allocate the process.
266 GURL foo("http://foo.com/simple_page.html");
267 NavigateToURL(shell(), foo);
268 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
270 DOMMessageQueue message_queue;
272 // Install and show an interstitial page.
273 SecurityExploitTestInterstitialPage* interstitial =
274 new SecurityExploitTestInterstitialPage(shell()->web_contents());
276 ASSERT_EQ("", interstitial->last_command());
277 content::WaitForInterstitialAttach(shell()->web_contents());
279 InterstitialPage* interstitial_page =
280 shell()->web_contents()->GetInterstitialPage();
281 ASSERT_TRUE(interstitial_page != NULL);
282 ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
283 ASSERT_TRUE(interstitial_page->GetDelegateForTesting() == interstitial);
285 // The interstitial page ought to be able to send a message.
286 std::string message;
287 ASSERT_TRUE(message_queue.WaitForMessage(&message));
288 ASSERT_EQ("\"okay\"", message);
289 ASSERT_EQ("\"okay\"", interstitial->last_command());
291 // Send an automation message from the underlying content and wait for it to
292 // be dispatched on this thread. This message should not be received by the
293 // interstitial.
294 content::RenderFrameHost* compromised_renderer =
295 shell()->web_contents()->GetMainFrame();
296 FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(),
297 "evil", MSG_ROUTING_NONE);
298 IpcSecurityTestUtil::PwnMessageReceived(
299 compromised_renderer->GetProcess()->GetChannel(), evil);
301 ASSERT_TRUE(message_queue.WaitForMessage(&message));
302 ASSERT_EQ("evil", message)
303 << "Automation message should be received by WebContents.";
304 ASSERT_EQ("\"okay\"", interstitial->last_command())
305 << "Interstitial should not be affected.";
307 // Send a second message from the interstitial page, and make sure that the
308 // "evil" message doesn't arrive in the intervening period.
309 ASSERT_TRUE(content::ExecuteScript(
310 interstitial_page->GetMainFrame(),
311 "window.domAutomationController.send(\"okay2\");"));
312 ASSERT_TRUE(message_queue.WaitForMessage(&message));
313 ASSERT_EQ("\"okay2\"", message);
314 ASSERT_EQ("\"okay2\"", interstitial->last_command());
317 } // namespace content