[Offline pages] Moving browser code to android path
[chromium-blink-merge.git] / content / browser / security_exploit_browsertest.cc
blob086d801fe4dce063bd25d0347a4180c1eaec51a7
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "base/strings/utf_string_conversions.h"
8 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
9 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
10 #include "content/browser/frame_host/navigator.h"
11 #include "content/browser/renderer_host/render_view_host_factory.h"
12 #include "content/browser/renderer_host/render_view_host_impl.h"
13 #include "content/browser/web_contents/web_contents_impl.h"
14 #include "content/common/frame_messages.h"
15 #include "content/common/view_messages.h"
16 #include "content/public/browser/browser_context.h"
17 #include "content/public/browser/interstitial_page.h"
18 #include "content/public/browser/interstitial_page_delegate.h"
19 #include "content/public/browser/storage_partition.h"
20 #include "content/public/common/content_switches.h"
21 #include "content/public/common/file_chooser_params.h"
22 #include "content/public/test/browser_test_utils.h"
23 #include "content/public/test/content_browser_test.h"
24 #include "content/public/test/content_browser_test_utils.h"
25 #include "content/public/test/test_utils.h"
26 #include "content/shell/browser/shell.h"
27 #include "ipc/ipc_security_test_util.h"
28 #include "net/dns/mock_host_resolver.h"
29 #include "net/test/embedded_test_server/embedded_test_server.h"
31 using IPC::IpcSecurityTestUtil;
33 namespace content {
35 namespace {
37 // This is a helper function for the tests which attempt to create a
38 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
39 // with the same process and routing ids, which causes a collision.
40 // It creates a couple of windows in process 1, which causes a few routing ids
41 // to be allocated. Then a cross-process navigation is initiated, which causes a
42 // new process 2 to be created and have a pending RenderViewHost for it. The
43 // routing id of the RenderViewHost which is target for a duplicate is set
44 // into |target_routing_id| and the pending RenderViewHost which is used for
45 // the attempt is the return value.
46 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell,
47 int* target_routing_id) {
48 GURL foo("http://foo.com/simple_page.html");
50 // Start off with initial navigation, so we get the first process allocated.
51 NavigateToURL(shell, foo);
52 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell->web_contents()->GetTitle());
54 // Open another window, so we generate some more routing ids.
55 ShellAddedObserver shell2_observer;
56 EXPECT_TRUE(ExecuteScript(
57 shell->web_contents(), "window.open(document.URL + '#2');"));
58 Shell* shell2 = shell2_observer.GetShell();
60 // The new window must be in the same process, but have a new routing id.
61 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
62 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
63 *target_routing_id =
64 shell2->web_contents()->GetRenderViewHost()->GetRoutingID();
65 EXPECT_NE(*target_routing_id,
66 shell->web_contents()->GetRenderViewHost()->GetRoutingID());
68 // Now, simulate a link click coming from the renderer.
69 GURL extension_url("https://bar.com/simple_page.html");
70 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents());
71 wc->GetFrameTree()->root()->navigator()->RequestOpenURL(
72 wc->GetFrameTree()->root()->current_frame_host(), extension_url, nullptr,
73 Referrer(), CURRENT_TAB, false, true);
75 // Since the navigation above requires a cross-process swap, there will be a
76 // speculative/pending RenderFrameHost. Ensure it exists and is in a different
77 // process than the initial page.
78 RenderFrameHostImpl* next_rfh;
79 if (base::CommandLine::ForCurrentProcess()->HasSwitch(
80 switches::kEnableBrowserSideNavigation)) {
81 next_rfh =
82 wc->GetRenderManagerForTesting()->speculative_frame_host();
83 } else {
84 next_rfh = wc->GetRenderManagerForTesting()->pending_frame_host();
87 EXPECT_TRUE(next_rfh);
88 EXPECT_NE(shell->web_contents()->GetRenderProcessHost()->GetID(),
89 next_rfh->GetProcess()->GetID());
91 return next_rfh->render_view_host();
94 } // namespace
97 // The goal of these tests will be to "simulate" exploited renderer processes,
98 // which can send arbitrary IPC messages and confuse browser process internal
99 // state, leading to security bugs. We are trying to verify that the browser
100 // doesn't perform any dangerous operations in such cases.
101 class SecurityExploitBrowserTest : public ContentBrowserTest {
102 public:
103 SecurityExploitBrowserTest() {}
105 void SetUpCommandLine(base::CommandLine* command_line) override {
106 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
108 // Add a host resolver rule to map all outgoing requests to the test server.
109 // This allows us to use "real" hostnames in URLs, which we can use to
110 // create arbitrary SiteInstances.
111 command_line->AppendSwitchASCII(
112 switches::kHostResolverRules,
113 "MAP * " +
114 net::HostPortPair::FromURL(embedded_test_server()->base_url())
115 .ToString() +
116 ",EXCLUDE localhost");
119 protected:
120 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
121 // cause renderer to be killed.
122 void TestFileChooserWithPath(const base::FilePath& path);
125 void SecurityExploitBrowserTest::TestFileChooserWithPath(
126 const base::FilePath& path) {
127 GURL foo("http://foo.com/simple_page.html");
128 NavigateToURL(shell(), foo);
129 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
131 content::RenderViewHost* compromised_renderer =
132 shell()->web_contents()->GetRenderViewHost();
133 content::RenderProcessHostWatcher terminated(
134 shell()->web_contents(),
135 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
137 FileChooserParams params;
138 params.default_file_name = path;
140 ViewHostMsg_RunFileChooser evil(compromised_renderer->GetRoutingID(), params);
142 IpcSecurityTestUtil::PwnMessageReceived(
143 compromised_renderer->GetProcess()->GetChannel(), evil);
144 terminated.Wait();
147 // Ensure that we kill the renderer process if we try to give it WebUI
148 // properties and it doesn't have enabled WebUI bindings.
149 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) {
150 GURL foo("http://foo.com/simple_page.html");
152 NavigateToURL(shell(), foo);
153 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
154 EXPECT_EQ(0,
155 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
157 content::RenderProcessHostWatcher terminated(
158 shell()->web_contents(),
159 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT);
160 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
161 "toolkit", "views");
162 terminated.Wait();
165 // This is a test for crbug.com/312016 attempting to create duplicate
166 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
167 // it in a state with pending RenderViewHost. Before the commit of the new
168 // pending RenderViewHost, this test case creates a new window through the new
169 // process.
170 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
171 AttemptDuplicateRenderViewHost) {
172 int duplicate_routing_id = MSG_ROUTING_NONE;
173 RenderViewHostImpl* pending_rvh =
174 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
175 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
177 // Since this test executes on the UI thread and hopping threads might cause
178 // different timing in the test, let's simulate a CreateNewWindow call coming
179 // from the IO thread.
180 ViewHostMsg_CreateWindow_Params params;
181 DOMStorageContextWrapper* dom_storage_context =
182 static_cast<DOMStorageContextWrapper*>(
183 BrowserContext::GetStoragePartition(
184 shell()->web_contents()->GetBrowserContext(),
185 pending_rvh->GetSiteInstance())->GetDOMStorageContext());
186 scoped_refptr<SessionStorageNamespaceImpl> session_storage(
187 new SessionStorageNamespaceImpl(dom_storage_context));
188 // Cause a deliberate collision in routing ids.
189 int main_frame_routing_id = duplicate_routing_id + 1;
190 pending_rvh->CreateNewWindow(duplicate_routing_id,
191 main_frame_routing_id,
192 params,
193 session_storage.get());
195 // If the above operation doesn't cause a crash, the test has succeeded!
198 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
199 // with the same process and routing ids, which causes a collision. It is almost
200 // identical to the AttemptDuplicateRenderViewHost test case.
201 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
202 AttemptDuplicateRenderWidgetHost) {
203 int duplicate_routing_id = MSG_ROUTING_NONE;
204 RenderViewHostImpl* pending_rvh =
205 PrepareToDuplicateHosts(shell(), &duplicate_routing_id);
206 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id);
208 // Since this test executes on the UI thread and hopping threads might cause
209 // different timing in the test, let's simulate a CreateNewWidget call coming
210 // from the IO thread. Use the existing window routing id to cause a
211 // deliberate collision.
212 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypePage);
214 // If the above operation doesn't crash, the test has succeeded!
217 // This is a test for crbug.com/444198. It tries to send a
218 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should
219 // correctly terminate the renderer in these cases.
220 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) {
221 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
222 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
223 #if defined(OS_WIN)
224 TestFileChooserWithPath(
225 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
226 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
227 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
228 #endif
231 class SecurityExploitTestInterstitialPage : public InterstitialPageDelegate {
232 public:
233 explicit SecurityExploitTestInterstitialPage(WebContents* contents) {
234 InterstitialPage* interstitial = InterstitialPage::Create(
235 contents, true, contents->GetLastCommittedURL(), this);
236 interstitial->Show();
239 // InterstitialPageDelegate implementation.
240 void CommandReceived(const std::string& command) override {
241 last_command_ = command;
244 std::string GetHTMLContents() override {
245 return "<html><head><script>"
246 "window.domAutomationController.setAutomationId(1);"
247 "window.domAutomationController.send(\"okay\");"
248 "</script></head>"
249 "<body>this page is an interstitial</body></html>";
252 std::string last_command() { return last_command_; }
254 private:
255 std::string last_command_;
256 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage);
259 // Fails due to InterstitialPage's reliance on PostNonNestableTask
260 // http://crbug.com/432737
261 #if defined(OS_ANDROID)
262 #define MAYBE_InterstitialCommandFromUnderlyingContent \
263 DISABLED_InterstitialCommandFromUnderlyingContent
264 #else
265 #define MAYBE_InterstitialCommandFromUnderlyingContent \
266 InterstitialCommandFromUnderlyingContent
267 #endif
269 // The interstitial should not be controllable by the underlying content.
270 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
271 MAYBE_InterstitialCommandFromUnderlyingContent) {
272 // Start off with initial navigation, to allocate the process.
273 GURL foo("http://foo.com/simple_page.html");
274 NavigateToURL(shell(), foo);
275 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
277 DOMMessageQueue message_queue;
279 // Install and show an interstitial page.
280 SecurityExploitTestInterstitialPage* interstitial =
281 new SecurityExploitTestInterstitialPage(shell()->web_contents());
283 ASSERT_EQ("", interstitial->last_command());
284 content::WaitForInterstitialAttach(shell()->web_contents());
286 InterstitialPage* interstitial_page =
287 shell()->web_contents()->GetInterstitialPage();
288 ASSERT_TRUE(interstitial_page != NULL);
289 ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
290 ASSERT_TRUE(interstitial_page->GetDelegateForTesting() == interstitial);
292 // The interstitial page ought to be able to send a message.
293 std::string message;
294 ASSERT_TRUE(message_queue.WaitForMessage(&message));
295 ASSERT_EQ("\"okay\"", message);
296 ASSERT_EQ("\"okay\"", interstitial->last_command());
298 // Send an automation message from the underlying content and wait for it to
299 // be dispatched on this thread. This message should not be received by the
300 // interstitial.
301 content::RenderFrameHost* compromised_renderer =
302 shell()->web_contents()->GetMainFrame();
303 FrameHostMsg_DomOperationResponse evil(compromised_renderer->GetRoutingID(),
304 "evil", MSG_ROUTING_NONE);
305 IpcSecurityTestUtil::PwnMessageReceived(
306 compromised_renderer->GetProcess()->GetChannel(), evil);
308 ASSERT_TRUE(message_queue.WaitForMessage(&message));
309 ASSERT_EQ("evil", message)
310 << "Automation message should be received by WebContents.";
311 ASSERT_EQ("\"okay\"", interstitial->last_command())
312 << "Interstitial should not be affected.";
314 // Send a second message from the interstitial page, and make sure that the
315 // "evil" message doesn't arrive in the intervening period.
316 ASSERT_TRUE(content::ExecuteScript(
317 interstitial_page->GetMainFrame(),
318 "window.domAutomationController.send(\"okay2\");"));
319 ASSERT_TRUE(message_queue.WaitForMessage(&message));
320 ASSERT_EQ("\"okay2\"", message);
321 ASSERT_EQ("\"okay2\"", interstitial->last_command());
324 } // namespace content