1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/command_line.h"
6 #include "base/containers/hash_tables.h"
7 #include "base/strings/utf_string_conversions.h"
8 #include "content/browser/dom_storage/dom_storage_context_wrapper.h"
9 #include "content/browser/dom_storage/session_storage_namespace_impl.h"
10 #include "content/browser/frame_host/navigator.h"
11 #include "content/browser/renderer_host/render_view_host_factory.h"
12 #include "content/browser/renderer_host/render_view_host_impl.h"
13 #include "content/browser/web_contents/web_contents_impl.h"
14 #include "content/common/frame_messages.h"
15 #include "content/common/view_messages.h"
16 #include "content/public/browser/browser_context.h"
17 #include "content/public/browser/interstitial_page.h"
18 #include "content/public/browser/interstitial_page_delegate.h"
19 #include "content/public/browser/storage_partition.h"
20 #include "content/public/common/content_switches.h"
21 #include "content/public/common/file_chooser_params.h"
22 #include "content/public/test/browser_test_utils.h"
23 #include "content/public/test/content_browser_test.h"
24 #include "content/public/test/content_browser_test_utils.h"
25 #include "content/public/test/test_utils.h"
26 #include "content/shell/browser/shell.h"
27 #include "ipc/ipc_security_test_util.h"
28 #include "net/dns/mock_host_resolver.h"
29 #include "net/test/embedded_test_server/embedded_test_server.h"
31 using IPC::IpcSecurityTestUtil
;
37 // This is a helper function for the tests which attempt to create a
38 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects
39 // with the same process and routing ids, which causes a collision.
40 // It creates a couple of windows in process 1, which causes a few routing ids
41 // to be allocated. Then a cross-process navigation is initiated, which causes a
42 // new process 2 to be created and have a pending RenderViewHost for it. The
43 // routing id of the RenderViewHost which is target for a duplicate is set
44 // into |target_routing_id| and the pending RenderViewHost which is used for
45 // the attempt is the return value.
46 RenderViewHostImpl
* PrepareToDuplicateHosts(Shell
* shell
,
47 int* target_routing_id
) {
48 GURL
foo("http://foo.com/simple_page.html");
50 // Start off with initial navigation, so we get the first process allocated.
51 NavigateToURL(shell
, foo
);
52 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell
->web_contents()->GetTitle());
54 // Open another window, so we generate some more routing ids.
55 ShellAddedObserver shell2_observer
;
56 EXPECT_TRUE(ExecuteScript(
57 shell
->web_contents(), "window.open(document.URL + '#2');"));
58 Shell
* shell2
= shell2_observer
.GetShell();
60 // The new window must be in the same process, but have a new routing id.
61 EXPECT_EQ(shell
->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
62 shell2
->web_contents()->GetRenderViewHost()->GetProcess()->GetID());
64 shell2
->web_contents()->GetRenderViewHost()->GetRoutingID();
65 EXPECT_NE(*target_routing_id
,
66 shell
->web_contents()->GetRenderViewHost()->GetRoutingID());
68 // Now, simulate a link click coming from the renderer.
69 GURL
extension_url("https://bar.com/simple_page.html");
70 WebContentsImpl
* wc
= static_cast<WebContentsImpl
*>(shell
->web_contents());
71 wc
->GetFrameTree()->root()->navigator()->RequestOpenURL(
72 wc
->GetFrameTree()->root()->current_frame_host(), extension_url
, nullptr,
73 Referrer(), CURRENT_TAB
, false, true);
75 // Since the navigation above requires a cross-process swap, there will be a
76 // pending RenderViewHost. Ensure it exists and is in a different process
77 // than the initial page.
78 RenderViewHostImpl
* pending_rvh
=
79 wc
->GetRenderManagerForTesting()->pending_render_view_host();
80 EXPECT_TRUE(pending_rvh
!= NULL
);
81 EXPECT_NE(shell
->web_contents()->GetRenderViewHost()->GetProcess()->GetID(),
82 pending_rvh
->GetProcess()->GetID());
90 // The goal of these tests will be to "simulate" exploited renderer processes,
91 // which can send arbitrary IPC messages and confuse browser process internal
92 // state, leading to security bugs. We are trying to verify that the browser
93 // doesn't perform any dangerous operations in such cases.
94 class SecurityExploitBrowserTest
: public ContentBrowserTest
{
96 SecurityExploitBrowserTest() {}
98 void SetUpCommandLine(base::CommandLine
* command_line
) override
{
99 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
101 // Add a host resolver rule to map all outgoing requests to the test server.
102 // This allows us to use "real" hostnames in URLs, which we can use to
103 // create arbitrary SiteInstances.
104 command_line
->AppendSwitchASCII(
105 switches::kHostResolverRules
,
107 net::HostPortPair::FromURL(embedded_test_server()->base_url())
109 ",EXCLUDE localhost");
113 // Tests that a given file path sent in a ViewHostMsg_RunFileChooser will
114 // cause renderer to be killed.
115 void TestFileChooserWithPath(const base::FilePath
& path
);
118 void SecurityExploitBrowserTest::TestFileChooserWithPath(
119 const base::FilePath
& path
) {
120 GURL
foo("http://foo.com/simple_page.html");
121 NavigateToURL(shell(), foo
);
122 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
124 content::RenderViewHost
* compromised_renderer
=
125 shell()->web_contents()->GetRenderViewHost();
126 content::RenderProcessHostWatcher
terminated(
127 shell()->web_contents(),
128 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT
);
130 FileChooserParams params
;
131 params
.default_file_name
= path
;
133 ViewHostMsg_RunFileChooser
evil(compromised_renderer
->GetRoutingID(), params
);
135 IpcSecurityTestUtil::PwnMessageReceived(
136 compromised_renderer
->GetProcess()->GetChannel(), evil
);
140 // Ensure that we kill the renderer process if we try to give it WebUI
141 // properties and it doesn't have enabled WebUI bindings.
142 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
, SetWebUIProperty
) {
143 GURL
foo("http://foo.com/simple_page.html");
145 NavigateToURL(shell(), foo
);
146 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
148 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings());
150 content::RenderProcessHostWatcher
terminated(
151 shell()->web_contents(),
152 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT
);
153 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty(
158 // This is a test for crbug.com/312016 attempting to create duplicate
159 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves
160 // it in a state with pending RenderViewHost. Before the commit of the new
161 // pending RenderViewHost, this test case creates a new window through the new
163 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
,
164 AttemptDuplicateRenderViewHost
) {
165 int duplicate_routing_id
= MSG_ROUTING_NONE
;
166 RenderViewHostImpl
* pending_rvh
=
167 PrepareToDuplicateHosts(shell(), &duplicate_routing_id
);
168 EXPECT_NE(MSG_ROUTING_NONE
, duplicate_routing_id
);
170 // Since this test executes on the UI thread and hopping threads might cause
171 // different timing in the test, let's simulate a CreateNewWindow call coming
172 // from the IO thread.
173 ViewHostMsg_CreateWindow_Params params
;
174 DOMStorageContextWrapper
* dom_storage_context
=
175 static_cast<DOMStorageContextWrapper
*>(
176 BrowserContext::GetStoragePartition(
177 shell()->web_contents()->GetBrowserContext(),
178 pending_rvh
->GetSiteInstance())->GetDOMStorageContext());
179 scoped_refptr
<SessionStorageNamespaceImpl
> session_storage(
180 new SessionStorageNamespaceImpl(dom_storage_context
));
181 // Cause a deliberate collision in routing ids.
182 int main_frame_routing_id
= duplicate_routing_id
+ 1;
183 pending_rvh
->CreateNewWindow(duplicate_routing_id
,
184 main_frame_routing_id
,
186 session_storage
.get());
188 // If the above operation doesn't cause a crash, the test has succeeded!
191 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts
192 // with the same process and routing ids, which causes a collision. It is almost
193 // identical to the AttemptDuplicateRenderViewHost test case.
194 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
,
195 AttemptDuplicateRenderWidgetHost
) {
196 int duplicate_routing_id
= MSG_ROUTING_NONE
;
197 RenderViewHostImpl
* pending_rvh
=
198 PrepareToDuplicateHosts(shell(), &duplicate_routing_id
);
199 EXPECT_NE(MSG_ROUTING_NONE
, duplicate_routing_id
);
201 // Since this test executes on the UI thread and hopping threads might cause
202 // different timing in the test, let's simulate a CreateNewWidget call coming
203 // from the IO thread. Use the existing window routing id to cause a
204 // deliberate collision.
205 pending_rvh
->CreateNewWidget(duplicate_routing_id
, blink::WebPopupTypeSelect
);
207 // If the above operation doesn't crash, the test has succeeded!
210 // This is a test for crbug.com/444198. It tries to send a
211 // ViewHostMsg_RunFileChooser containing an invalid path. The browser should
212 // correctly terminate the renderer in these cases.
213 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
, AttemptRunFileChoosers
) {
214 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("../../*.txt")));
215 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("/etc/*.conf")));
217 TestFileChooserWithPath(
218 base::FilePath(FILE_PATH_LITERAL("\\\\evilserver\\evilshare\\*.txt")));
219 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("c:\\*.txt")));
220 TestFileChooserWithPath(base::FilePath(FILE_PATH_LITERAL("..\\..\\*.txt")));
224 class SecurityExploitTestInterstitialPage
: public InterstitialPageDelegate
{
226 explicit SecurityExploitTestInterstitialPage(WebContents
* contents
) {
227 InterstitialPage
* interstitial
= InterstitialPage::Create(
228 contents
, true, contents
->GetLastCommittedURL(), this);
229 interstitial
->Show();
232 // InterstitialPageDelegate implementation.
233 void CommandReceived(const std::string
& command
) override
{
234 last_command_
= command
;
237 std::string
GetHTMLContents() override
{
238 return "<html><head><script>"
239 "window.domAutomationController.setAutomationId(1);"
240 "window.domAutomationController.send(\"okay\");"
242 "<body>this page is an interstitial</body></html>";
245 std::string
last_command() { return last_command_
; }
248 std::string last_command_
;
249 DISALLOW_COPY_AND_ASSIGN(SecurityExploitTestInterstitialPage
);
252 // Fails due to InterstitialPage's reliance on PostNonNestableTask
253 // http://crbug.com/432737
254 #if defined(OS_ANDROID)
255 #define MAYBE_InterstitialCommandFromUnderlyingContent \
256 DISABLED_InterstitialCommandFromUnderlyingContent
258 #define MAYBE_InterstitialCommandFromUnderlyingContent \
259 InterstitialCommandFromUnderlyingContent
262 // The interstitial should not be controllable by the underlying content.
263 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest
,
264 MAYBE_InterstitialCommandFromUnderlyingContent
) {
265 // Start off with initial navigation, to allocate the process.
266 GURL
foo("http://foo.com/simple_page.html");
267 NavigateToURL(shell(), foo
);
268 EXPECT_EQ(base::ASCIIToUTF16("OK"), shell()->web_contents()->GetTitle());
270 DOMMessageQueue message_queue
;
272 // Install and show an interstitial page.
273 SecurityExploitTestInterstitialPage
* interstitial
=
274 new SecurityExploitTestInterstitialPage(shell()->web_contents());
276 ASSERT_EQ("", interstitial
->last_command());
277 content::WaitForInterstitialAttach(shell()->web_contents());
279 InterstitialPage
* interstitial_page
=
280 shell()->web_contents()->GetInterstitialPage();
281 ASSERT_TRUE(interstitial_page
!= NULL
);
282 ASSERT_TRUE(shell()->web_contents()->ShowingInterstitialPage());
283 ASSERT_TRUE(interstitial_page
->GetDelegateForTesting() == interstitial
);
285 // The interstitial page ought to be able to send a message.
287 ASSERT_TRUE(message_queue
.WaitForMessage(&message
));
288 ASSERT_EQ("\"okay\"", message
);
289 ASSERT_EQ("\"okay\"", interstitial
->last_command());
291 // Send an automation message from the underlying content and wait for it to
292 // be dispatched on this thread. This message should not be received by the
294 content::RenderFrameHost
* compromised_renderer
=
295 shell()->web_contents()->GetMainFrame();
296 FrameHostMsg_DomOperationResponse
evil(compromised_renderer
->GetRoutingID(),
297 "evil", MSG_ROUTING_NONE
);
298 IpcSecurityTestUtil::PwnMessageReceived(
299 compromised_renderer
->GetProcess()->GetChannel(), evil
);
301 ASSERT_TRUE(message_queue
.WaitForMessage(&message
));
302 ASSERT_EQ("evil", message
)
303 << "Automation message should be received by WebContents.";
304 ASSERT_EQ("\"okay\"", interstitial
->last_command())
305 << "Interstitial should not be affected.";
307 // Send a second message from the interstitial page, and make sure that the
308 // "evil" message doesn't arrive in the intervening period.
309 ASSERT_TRUE(content::ExecuteScript(
310 interstitial_page
->GetMainFrame(),
311 "window.domAutomationController.send(\"okay2\");"));
312 ASSERT_TRUE(message_queue
.WaitForMessage(&message
));
313 ASSERT_EQ("\"okay2\"", message
);
314 ASSERT_EQ("\"okay2\"", interstitial
->last_command());
317 } // namespace content