1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "base/strings/utf_string_conversions.h"
8 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
9 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
10 #include "content/browser/frame_host/navigator.h"
11 #include "content/browser/renderer_host/render_view_host_factory.h"
12 #include "content/browser/renderer_host/render_view_host_impl.h"
13 #include "content/browser/web_contents/web_contents_impl.h"
14 #include "content/common/frame_messages.h"
15 #include "content/common/view_messages.h"
16 #include "content/public/browser/browser_context.h"
17 #include "content/public/browser/interstitial_page.h"
18 #include "content/public/browser/interstitial_page_delegate.h"
19 #include "content/public/browser/storage_partition.h"
20 #include "content/public/common/content_switches.h"
21 #include "content/public/common/file_chooser_params.h"
22 #include "content/public/test/browser_test_utils.h"
23 #include "content/public/test/content_browser_test.h"
24 #include "content/public/test/content_browser_test_utils.h"
25 #include "content/public/test/test_utils.h"
26 #include "content/shell/browser/shell.h"
27 #include "ipc/ipc_security_test_util.h"
28 #include "net/dns/mock_host_resolver.h"
29 #include "net/test/embedded_test_server/embedded_test_server.h"
31 using IPC::IpcSecurityTestUtil
;
37 // This is a helper function for the tests which attempt to create a
38 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
39 // with the same process and routing ids, which causes a collision.
40 // It creates a couple of windows in process 1, which causes a few routing ids
41 // to be allocated. Then a cross-process navigation is initiated, which causes a
42 // new process 2 to be created and have a pending RenderViewHost for it. The
43 // routing id of the RenderViewHost which is target for a duplicate is set
44 // into |target_routing_id| and the pending RenderViewHost which is used for
45 // the attempt is the return value.
46 RenderViewHostImpl
* PrepareToDuplicateHosts(Shell
* shell
,
47 int* target_routing_id
) {
48 GURL
foo("http://foo.com/simple_page.html");
50 // Start off with initial navigation, so we get the first process allocated.
51 NavigateToURL(shell
, foo
);
52 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell
->web_contents()->GetTitle());
54 // Open another window, so we generate some more routing ids.
55 ShellAddedObserver shell2_observer
;
56 EXPECT_TRUE(ExecuteScript(
57 shell
->web_contents(), "window.open(document.URL + '#2');"));
58 Shell
* shell2
= shell2_observer
.GetShell();
60 // The new window must be in the same process, but have a new routing id.
61 EXPECT_EQ(shell
->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
62 shell2
->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
64 shell2
->web_contents()->GetRenderViewHost()->GetRoutingID();
65 EXPECT_NE(*target_routing_id
,
66 shell
->web_contents()->GetRenderViewHost()->GetRoutingID());
68 // Now, simulate a link click coming from the renderer.
69 GURL
extension_url("https://bar.com/simple_page.html");
70 WebContentsImpl
* wc
= static_cast<WebContentsImpl
*>(shell
->web_contents());
71 wc
->GetFrameTree()->root()->navigator()->RequestOpenURL(
72 wc
->GetFrameTree()->root()->current_frame_host(), extension_url
, nullptr,
73 Referrer(), CURRENT_TAB
, false, true);
75 // Since the navigation above requires a cross-process swap, there will be a
76 // speculative/pending RenderFrameHost. Ensure it exists and is in a different
77 // process than the initial page.
78 RenderFrameHostImpl
* next_rfh
;
79 if (base::CommandLine::ForCurrentProcess()->HasSwitch(
80 switches::kEnableBrowserSideNavigation
)) {
82 wc
->GetRenderManagerForTesting()->speculative_frame_host();
84 next_rfh
= wc
->GetRenderManagerForTesting()->pending_frame_host();
87 EXPECT_TRUE(next_rfh
);
88 EXPECT_NE(shell
->web_contents()->GetRenderProcessHost()->GetID(),
89 next_rfh
->GetProcess()->GetID());
91 return next_rfh
->render_view_host();
97 // The goal of these tests will be to "simulate" exploited renderer processes,
98 // which can send arbitrary IPC messages and confuse browser process internal
99 // state, leading to security bugs. We are trying to verify that the browser
100 // doesn't perform any dangerous operations in such cases.
101 class SecurityExploitBrowserTest
: public ContentBrowserTest
{
103 SecurityExploitBrowserTest() {}
105 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
106 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
108 // Add a host resolver rule to map all outgoing requests to the test server.
109 // This allows us to use "real" hostnames in URLs, which we can use to
110 // create arbitrary SiteInstances.
111 command_line
->AppendSwitchASCII(
112 switches::kHostResolverRules
,
114 net::HostPortPair::FromURL(embedded_test_server()->base_url())
116 ",EXCLUDE localhost");
120 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
121 // cause renderer to be killed.
122 void TestFileChooserWithPath(const base::FilePath
& path
);
125 void SecurityExploitBrowserTest::TestFileChooserWithPath(
126 const base::FilePath
& path
) {
127 GURL
foo("http://foo.com/simple_page.html");
128 NavigateToURL(shell(), foo
);
129 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
131 content::RenderViewHost
* compromised_renderer
=
132 shell()->web_contents()->GetRenderViewHost();
133 content::RenderProcessHostWatcher
terminated(
134 shell()->web_contents(),
135 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT
);
137 FileChooserParams params
;
138 params
.default_file_name
= path
;
140 ViewHostMsg_RunFileChooser
evil(compromised_renderer
->GetRoutingID(), params
);
142 IpcSecurityTestUtil::PwnMessageReceived(
143 compromised_renderer
->GetProcess()->GetChannel(), evil
);
147 // Ensure that we kill the renderer process if we try to give it WebUI
148 // properties and it doesn't have enabled WebUI bindings.
149 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
, SetWebUIProperty
) {
150 GURL
foo("http://foo.com/simple_page.html");
152 NavigateToURL(shell(), foo
);
153 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
155 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
157 content::RenderProcessHostWatcher
terminated(
158 shell()->web_contents(),
159 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT
);
160 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
165 // This is a test for crbug.com/312016 attempting to create duplicate
166 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
167 // it in a state with pending RenderViewHost. Before the commit of the new
168 // pending RenderViewHost, this test case creates a new window through the new
170 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
,
171 AttemptDuplicateRenderViewHost
) {
172 int duplicate_routing_id
= MSG_ROUTING_NONE
;
173 RenderViewHostImpl
* pending_rvh
=
174 PrepareToDuplicateHosts(shell(), &duplicate_routing_id
);
175 EXPECT_NE(MSG_ROUTING_NONE
, duplicate_routing_id
);
177 // Since this test executes on the UI thread and hopping threads might cause
178 // different timing in the test, let's simulate a CreateNewWindow call coming
179 // from the IO thread.
180 ViewHostMsg_CreateWindow_Params params
;
181 DOMStorageContextWrapper
* dom_storage_context
=
182 static_cast<DOMStorageContextWrapper
*>(
183 BrowserContext::GetStoragePartition(
184 shell()->web_contents()->GetBrowserContext(),
185 pending_rvh
->GetSiteInstance())->GetDOMStorageContext());
186 scoped_refptr
<SessionStorageNamespaceImpl
> session_storage(
187 new SessionStorageNamespaceImpl(dom_storage_context
));
188 // Cause a deliberate collision in routing ids.
189 int main_frame_routing_id
= duplicate_routing_id
+ 1;
190 pending_rvh
->CreateNewWindow(duplicate_routing_id
,
191 main_frame_routing_id
,
193 session_storage
.get());
195 // If the above operation doesn't cause a crash, the test has succeeded!
198 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
199 // with the same process and routing ids, which causes a collision. It is almost
200 // identical to the AttemptDuplicateRenderViewHost test case.
201 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
,
202 AttemptDuplicateRenderWidgetHost
) {
203 int duplicate_routing_id
= MSG_ROUTING_NONE
;
204 RenderViewHostImpl
* pending_rvh
=
205 PrepareToDuplicateHosts(shell(), &duplicate_routing_id
);
206 EXPECT_NE(MSG_ROUTING_NONE
, duplicate_routing_id
);
208 // Since this test executes on the UI thread and hopping threads might cause
209 // different timing in the test, let's simulate a CreateNewWidget call coming
210 // from the IO thread. Use the existing window routing id to cause a
211 // deliberate collision.
212 pending_rvh
->CreateNewWidget(duplicate_routing_id
, blink::WebPopupTypePage
);
214 // If the above operation doesn't crash, the test has succeeded!
217 // This is a test for crbug.com/444198. It tries to send a
218 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should
219 // correctly terminate the renderer in these cases.
220 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
, AttemptRunFileChoosers
) {
221 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
222 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
224 TestFileChooserWithPath(
225 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
226 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
227 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
231 class SecurityExploitTestInterstitialPage
: public InterstitialPageDelegate
{
233 explicit SecurityExploitTestInterstitialPage(WebContents
* contents
) {
234 InterstitialPage
* interstitial
= InterstitialPage::Create(
235 contents
, true, contents
->GetLastCommittedURL(), this);
236 interstitial
->Show();
239 // InterstitialPageDelegate implementation.
240 void CommandReceived(const std::string
& command
) override
{
241 last_command_
= command
;
244 std::string
GetHTMLContents() override
{
245 return "<html><head><script>"
246 "window.domAutomationController.setAutomationId(1);"
247 "window.domAutomationController.send(\"okay\");"
249 "<body>this page is an interstitial</body></html>";
252 std::string
last_command() { return last_command_
; }
255 std::string last_command_
;
256 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage
);
259 // Fails due to InterstitialPage's reliance on PostNonNestableTask
260 // http://crbug.com/432737
261 #if defined(OS_ANDROID)
262 #define MAYBE_InterstitialCommandFromUnderlyingContent \
263 DISABLED_InterstitialCommandFromUnderlyingContent
265 #define MAYBE_InterstitialCommandFromUnderlyingContent \
266 InterstitialCommandFromUnderlyingContent
269 // The interstitial should not be controllable by the underlying content.
270 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
,
271 MAYBE_InterstitialCommandFromUnderlyingContent
) {
272 // Start off with initial navigation, to allocate the process.
273 GURL
foo("http://foo.com/simple_page.html");
274 NavigateToURL(shell(), foo
);
275 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
277 DOMMessageQueue message_queue
;
279 // Install and show an interstitial page.
280 SecurityExploitTestInterstitialPage
* interstitial
=
281 new SecurityExploitTestInterstitialPage(shell()->web_contents());
283 ASSERT_EQ("", interstitial
->last_command());
284 content::WaitForInterstitialAttach(shell()->web_contents());
286 InterstitialPage
* interstitial_page
=
287 shell()->web_contents()->GetInterstitialPage();
288 ASSERT_TRUE(interstitial_page
!= NULL
);
289 ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
290 ASSERT_TRUE(interstitial_page
->GetDelegateForTesting() == interstitial
);
292 // The interstitial page ought to be able to send a message.
294 ASSERT_TRUE(message_queue
.WaitForMessage(&message
));
295 ASSERT_EQ("\"okay\"", message
);
296 ASSERT_EQ("\"okay\"", interstitial
->last_command());
298 // Send an automation message from the underlying content and wait for it to
299 // be dispatched on this thread. This message should not be received by the
301 content::RenderFrameHost
* compromised_renderer
=
302 shell()->web_contents()->GetMainFrame();
303 FrameHostMsg_DomOperationResponse
evil(compromised_renderer
->GetRoutingID(),
304 "evil", MSG_ROUTING_NONE
);
305 IpcSecurityTestUtil::PwnMessageReceived(
306 compromised_renderer
->GetProcess()->GetChannel(), evil
);
308 ASSERT_TRUE(message_queue
.WaitForMessage(&message
));
309 ASSERT_EQ("evil", message
)
310 << "Automation message should be received by WebContents.";
311 ASSERT_EQ("\"okay\"", interstitial
->last_command())
312 << "Interstitial should not be affected.";
314 // Send a second message from the interstitial page, and make sure that the
315 // "evil" message doesn't arrive in the intervening period.
316 ASSERT_TRUE(content::ExecuteScript(
317 interstitial_page
->GetMainFrame(),
318 "window.domAutomationController.send(\"okay2\");"));
319 ASSERT_TRUE(message_queue
.WaitForMessage(&message
));
320 ASSERT_EQ("\"okay2\"", message
);
321 ASSERT_EQ("\"okay2\"", interstitial
->last_command());
324 } // namespace content