| // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include <set> |
| #include <string> |
| |
| #include "base/files/file_path.h" |
| #include "base/logging.h" |
| #include "base/synchronization/waitable_event.h" |
| #include "base/test/bind_test_util.h" |
| #include "base/test/mock_log.h" |
| #include "content/browser/child_process_security_policy_impl.h" |
| #include "content/browser/site_instance_impl.h" |
| #include "content/public/common/bindings_policy.h" |
| #include "content/public/common/url_constants.h" |
| #include "content/public/test/test_browser_thread_bundle.h" |
| #include "content/test/test_content_browser_client.h" |
| #include "storage/browser/fileapi/file_permission_policy.h" |
| #include "storage/browser/fileapi/file_system_url.h" |
| #include "storage/browser/fileapi/isolated_context.h" |
| #include "storage/common/fileapi/file_system_types.h" |
| #include "testing/gmock/include/gmock/gmock.h" |
| #include "testing/gtest/include/gtest/gtest.h" |
| #include "url/gurl.h" |
| #include "url/origin.h" |
| |
| namespace content { |
| namespace { |
| |
| const int kRendererID = 42; |
| |
| #if defined(FILE_PATH_USES_DRIVE_LETTERS) |
| #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x) |
| #else |
| #define TEST_PATH(x) FILE_PATH_LITERAL(x) |
| #endif |
| |
| class ChildProcessSecurityPolicyTestBrowserClient |
| : public TestContentBrowserClient { |
| public: |
| ChildProcessSecurityPolicyTestBrowserClient() {} |
| |
| bool IsHandledURL(const GURL& url) override { |
| return schemes_.find(url.scheme()) != schemes_.end(); |
| } |
| |
| void ClearSchemes() { |
| schemes_.clear(); |
| } |
| |
| void AddScheme(const std::string& scheme) { |
| schemes_.insert(scheme); |
| } |
| |
| private: |
| std::set<std::string> schemes_; |
| }; |
| |
| } // namespace |
| |
| class ChildProcessSecurityPolicyTest : public testing::Test { |
| public: |
| ChildProcessSecurityPolicyTest() |
| : thread_bundle_(TestBrowserThreadBundle::REAL_IO_THREAD), |
| old_browser_client_(nullptr) {} |
| |
| void SetUp() override { |
| old_browser_client_ = SetBrowserClientForTesting(&test_browser_client_); |
| |
| // Claim to always handle chrome:// URLs because the CPSP's notion of |
| // allowing WebUI bindings is hard-wired to this particular scheme. |
| test_browser_client_.AddScheme(kChromeUIScheme); |
| |
| // Claim to always handle file:// URLs like the browser would. |
| // net::URLRequest::IsHandledURL() no longer claims support for default |
| // protocols as this is the responsibility of the browser (which is |
| // responsible for adding the appropriate ProtocolHandler). |
| test_browser_client_.AddScheme(url::kFileScheme); |
| } |
| |
| void TearDown() override { |
| test_browser_client_.ClearSchemes(); |
| SetBrowserClientForTesting(old_browser_client_); |
| } |
| |
| protected: |
| void RegisterTestScheme(const std::string& scheme) { |
| test_browser_client_.AddScheme(scheme); |
| } |
| |
| void GrantPermissionsForFile(ChildProcessSecurityPolicyImpl* p, |
| int child_id, |
| const base::FilePath& file, |
| int permissions) { |
| p->GrantPermissionsForFile(child_id, file, permissions); |
| } |
| |
| void CheckHasNoFileSystemPermission(ChildProcessSecurityPolicyImpl* p, |
| const std::string& child_id) { |
| EXPECT_FALSE(p->CanReadFileSystem(kRendererID, child_id)); |
| EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, child_id)); |
| EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, child_id)); |
| EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, child_id)); |
| } |
| |
| void CheckHasNoFileSystemFilePermission(ChildProcessSecurityPolicyImpl* p, |
| const base::FilePath& file, |
| const storage::FileSystemURL& url) { |
| EXPECT_FALSE(p->CanReadFile(kRendererID, file)); |
| EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file)); |
| EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url)); |
| } |
| |
| private: |
| TestBrowserThreadBundle thread_bundle_; |
| ChildProcessSecurityPolicyTestBrowserClient test_browser_client_; |
| ContentBrowserClient* old_browser_client_; |
| }; |
| |
| |
| TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| EXPECT_TRUE(p->IsWebSafeScheme(url::kHttpScheme)); |
| EXPECT_TRUE(p->IsWebSafeScheme(url::kHttpsScheme)); |
| EXPECT_TRUE(p->IsWebSafeScheme(url::kFtpScheme)); |
| EXPECT_TRUE(p->IsWebSafeScheme(url::kDataScheme)); |
| EXPECT_TRUE(p->IsWebSafeScheme("feed")); |
| EXPECT_TRUE(p->IsWebSafeScheme(url::kBlobScheme)); |
| EXPECT_TRUE(p->IsWebSafeScheme(url::kFileSystemScheme)); |
| |
| EXPECT_FALSE(p->IsWebSafeScheme("registered-web-safe-scheme")); |
| p->RegisterWebSafeScheme("registered-web-safe-scheme"); |
| EXPECT_TRUE(p->IsWebSafeScheme("registered-web-safe-scheme")); |
| |
| EXPECT_FALSE(p->IsWebSafeScheme(kChromeUIScheme)); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| EXPECT_TRUE(p->IsPseudoScheme(url::kAboutScheme)); |
| EXPECT_TRUE(p->IsPseudoScheme(url::kJavaScriptScheme)); |
| EXPECT_TRUE(p->IsPseudoScheme(kViewSourceScheme)); |
| |
| EXPECT_FALSE(p->IsPseudoScheme("registered-pseudo-scheme")); |
| p->RegisterPseudoScheme("registered-pseudo-scheme"); |
| EXPECT_TRUE(p->IsPseudoScheme("registered-pseudo-scheme")); |
| |
| EXPECT_FALSE(p->IsPseudoScheme(kChromeUIScheme)); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| // Safe to request, redirect or commit. |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>"))); |
| EXPECT_TRUE(p->CanRequestURL( |
| kRendererID, GURL("filesystem:http://localhost/temporary/a.gif"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("http://www.google.com/"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("https://www.paypal.com/"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("ftp://ftp.gnu.org/"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("data:text/html,<b>Hi</b>"))); |
| EXPECT_TRUE( |
| p->CanRedirectToURL(GURL("filesystem:http://localhost/temporary/a.gif"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("http://www.google.com/"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("https://www.paypal.com/"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("ftp://ftp.gnu.org/"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("data:text/html,<b>Hi</b>"))); |
| EXPECT_TRUE(p->CanCommitURL( |
| kRendererID, GURL("filesystem:http://localhost/temporary/a.gif"))); |
| EXPECT_TRUE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("http://www.google.com/"))); |
| EXPECT_TRUE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("https://www.paypal.com/"))); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("ftp://ftp.gnu.org/"))); |
| EXPECT_TRUE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("data:text/html,<b>Hi</b>"))); |
| EXPECT_TRUE(p->CanSetAsOriginHeader( |
| kRendererID, GURL("filesystem:http://localhost/temporary/a.gif"))); |
| |
| // Dangerous to request, commit, or set as origin header. |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("chrome://foo/bar"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("view-source:http://www.google.com/"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("chrome://foo/bar"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("chrome://foo/bar"))); |
| EXPECT_FALSE( |
| p->CanCommitURL(kRendererID, GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("chrome://foo/bar"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader( |
| kRendererID, GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL(kUnreachableWebDataURL))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL(kUnreachableWebDataURL))); |
| |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, BlobSchemeTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| EXPECT_TRUE( |
| p->CanRequestURL(kRendererID, GURL("blob:http://localhost/some-guid"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("blob:null/some-guid"))); |
| EXPECT_TRUE( |
| p->CanRequestURL(kRendererID, GURL("blob:http://localhost/some-guid"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("blob:NulL/some-guid"))); |
| EXPECT_TRUE( |
| p->CanRequestURL(kRendererID, GURL("blob:NulL/some-guid#fragment"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("blob:NulL/some-guid?query"))); |
| EXPECT_FALSE(p->CanRequestURL( |
| kRendererID, GURL("blob:http://username@localhost/some-guid"))); |
| EXPECT_FALSE(p->CanRequestURL( |
| kRendererID, GURL("blob:http://username @localhost/some-guid"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("blob:blob:some-guid"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("blob:some-guid"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("blob:filesystem:http://localhost/path"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("filesystem:blob:http://localhost/guid"))); |
| |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:http://localhost/some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:null/some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:http://localhost/some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:NulL/some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:NulL/some-guid#fragment"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:NulL/some-guid?query"))); |
| EXPECT_TRUE( |
| p->CanRedirectToURL(GURL("blob:http://username@localhost/some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL( |
| GURL("blob:http://username @localhost/some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:blob:some-guid"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("blob:some-guid"))); |
| EXPECT_TRUE( |
| p->CanRedirectToURL(GURL("blob:filesystem:http://localhost/path"))); |
| EXPECT_FALSE( |
| p->CanRedirectToURL(GURL("filesystem:blob:http://localhost/guid"))); |
| |
| EXPECT_TRUE( |
| p->CanCommitURL(kRendererID, GURL("blob:http://localhost/some-guid"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("blob:null/some-guid"))); |
| EXPECT_TRUE( |
| p->CanCommitURL(kRendererID, GURL("blob:http://localhost/some-guid"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("blob:NulL/some-guid"))); |
| EXPECT_TRUE( |
| p->CanCommitURL(kRendererID, GURL("blob:NulL/some-guid#fragment"))); |
| EXPECT_FALSE(p->CanCommitURL( |
| kRendererID, GURL("blob:http://username@localhost/some-guid"))); |
| EXPECT_FALSE(p->CanCommitURL( |
| kRendererID, GURL("blob:http://username @localhost/some-guid"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("blob:blob:some-guid"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("blob:some-guid"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("blob:filesystem:http://localhost/path"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("filesystem:blob:http://localhost/guid"))); |
| |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, AboutTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:BlAnK"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK"))); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("about:blank"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:BlAnK"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("aBouT:BlAnK"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("aBouT:blank"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:blank"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:BlAnK"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBouT:BlAnK"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("aBouT:blank"))); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("about:blank"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:BlAnK"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBouT:BlAnK"))); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("aBouT:blank"))); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:srcdoc"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:srcdoc"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("about:srcdoc"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:srcdoc"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:SRCDOC"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:SRCDOC"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:SRCDOC"))); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:version"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:crash"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:cache"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:hang"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:version"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:cache"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:hang"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:version"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:crash"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:cache"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:hang"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:version"))); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:version"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("aBoUt:version"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:CrASh"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("abOuT:cAChe"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:CrASh"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("abOuT:cAChe"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("aBoUt:version"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:CrASh"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("abOuT:cAChe"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("aBoUt:version"))); |
| |
| // Requests for about: pages should be denied. |
| p->GrantCommitURL(kRendererID, GURL("about:crash")); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("about:crash"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("about:crash"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("about:crash"))); |
| |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("javascript:alert('xss')"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("javascript:alert('xss')"))); |
| p->GrantCommitURL(kRendererID, GURL("javascript:alert('xss')")); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("javascript:alert('xss')"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("javascript:alert('xss')"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("javascript:alert('xss')"))); |
| |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| // Currently, "asdf" is destined for ShellExecute, so it is allowed to be |
| // requested but not committed. |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("asdf:rockers"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers"))); |
| |
| // Once we register "asdf", we default to deny. |
| RegisterTestScheme("asdf"); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("asdf:rockers"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("asdf:rockers"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers"))); |
| |
| // We can allow new schemes by adding them to the whitelist. |
| p->RegisterWebSafeScheme("asdf"); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("asdf:rockers"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("asdf:rockers"))); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("asdf:rockers"))); |
| |
| // Cleanup. |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd"))); |
| p->GrantCommitURL(kRendererID, GURL("file:///etc/passwd")); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd"))); |
| |
| // We should forget our state if we repeat a renderer id. |
| p->Remove(kRendererID); |
| p->Add(kRendererID); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd"))); |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, ViewSource) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| // Child processes cannot request view source URLs. |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, |
| GURL("view-source:file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanRequestURL( |
| kRendererID, GURL("view-source:view-source:http://www.google.com/"))); |
| |
| // Child processes cannot be redirected to view source URLs. |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("view-source:file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanRedirectToURL( |
| GURL("view-source:view-source:http://www.google.com/"))); |
| |
| // View source URLs don't actually commit; the renderer is put into view |
| // source mode, and the inner URL commits. |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("view-source:file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL( |
| kRendererID, GURL("view-source:view-source:http://www.google.com/"))); |
| |
| // View source URLs should not be setable as origin headers |
| EXPECT_FALSE(p->CanSetAsOriginHeader( |
| kRendererID, GURL("view-source:http://www.google.com/"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, |
| GURL("view-source:file:///etc/passwd"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader( |
| kRendererID, GURL("view-source:view-source:http://www.google.com/"))); |
| |
| p->GrantCommitURL(kRendererID, GURL("view-source:file:///etc/passwd")); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_TRUE(p->CanRedirectToURL(GURL("file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE( |
| p->CanSetAsOriginHeader(kRendererID, GURL("file:///etc/passwd"))); |
| EXPECT_FALSE( |
| p->CanRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanRedirectToURL(GURL("view-source:file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, |
| GURL("view-source:file:///etc/passwd"))); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, |
| GURL("view-source:file:///etc/passwd"))); |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, GrantCommitURLToNonStandardScheme) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| const GURL url("httpxml://awesome"); |
| const GURL url2("httpxml://also-awesome"); |
| |
| ASSERT_TRUE(url::Origin::Create(url).opaque()); |
| ASSERT_TRUE(url::Origin::Create(url2).opaque()); |
| RegisterTestScheme("httpxml"); |
| |
| p->Add(kRendererID); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url2)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url2)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url2)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url2)); |
| |
| // GrantCommitURL with a non-standard scheme should grant commit access to the |
| // entire scheme. |
| p->GrantCommitURL(kRendererID, url); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url2)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url2)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url2)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url2)); |
| |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| GURL icon_url("file:///tmp/foo.png"); |
| GURL sensitive_url("file:///etc/passwd"); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(icon_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(sensitive_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, icon_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, icon_url)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, sensitive_url)); |
| |
| p->GrantRequestSpecificFileURL(kRendererID, icon_url); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(icon_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(sensitive_url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, sensitive_url)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, icon_url)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, sensitive_url)); |
| |
| p->GrantCommitURL(kRendererID, icon_url); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url)); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(icon_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(sensitive_url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, icon_url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, sensitive_url)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, icon_url)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, sensitive_url)); |
| |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| std::string read_id = |
| storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath( |
| storage::kFileSystemTypeTest, "read_filesystem", base::FilePath()); |
| std::string read_write_id = |
| storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath( |
| storage::kFileSystemTypeTest, |
| "read_write_filesystem", |
| base::FilePath()); |
| std::string copy_into_id = |
| storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath( |
| storage::kFileSystemTypeTest, |
| "copy_into_filesystem", |
| base::FilePath()); |
| std::string delete_from_id = |
| storage::IsolatedContext::GetInstance()->RegisterFileSystemForVirtualPath( |
| storage::kFileSystemTypeTest, |
| "delete_from_filesystem", |
| base::FilePath()); |
| |
| // Test initially having no permissions. |
| CheckHasNoFileSystemPermission(p, read_id); |
| CheckHasNoFileSystemPermission(p, read_write_id); |
| CheckHasNoFileSystemPermission(p, copy_into_id); |
| CheckHasNoFileSystemPermission(p, delete_from_id); |
| |
| // Testing varying combinations of grants and checks. |
| p->GrantReadFileSystem(kRendererID, read_id); |
| EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_id)); |
| EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, read_id)); |
| EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_id)); |
| EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_id)); |
| |
| p->GrantReadFileSystem(kRendererID, read_write_id); |
| p->GrantWriteFileSystem(kRendererID, read_write_id); |
| EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_write_id)); |
| EXPECT_TRUE(p->CanReadWriteFileSystem(kRendererID, read_write_id)); |
| EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_write_id)); |
| EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_write_id)); |
| |
| p->GrantCopyIntoFileSystem(kRendererID, copy_into_id); |
| EXPECT_FALSE(p->CanReadFileSystem(kRendererID, copy_into_id)); |
| EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, copy_into_id)); |
| EXPECT_TRUE(p->CanCopyIntoFileSystem(kRendererID, copy_into_id)); |
| EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, copy_into_id)); |
| |
| p->GrantDeleteFromFileSystem(kRendererID, delete_from_id); |
| EXPECT_FALSE(p->CanReadFileSystem(kRendererID, delete_from_id)); |
| EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, delete_from_id)); |
| EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, delete_from_id)); |
| EXPECT_TRUE(p->CanDeleteFromFileSystem(kRendererID, delete_from_id)); |
| |
| // Test revoke permissions on renderer ID removal. |
| p->Remove(kRendererID); |
| CheckHasNoFileSystemPermission(p, read_id); |
| CheckHasNoFileSystemPermission(p, read_write_id); |
| CheckHasNoFileSystemPermission(p, copy_into_id); |
| CheckHasNoFileSystemPermission(p, delete_from_id); |
| |
| // Test having no permissions upon re-adding same renderer ID. |
| p->Add(kRendererID); |
| CheckHasNoFileSystemPermission(p, read_id); |
| CheckHasNoFileSystemPermission(p, read_write_id); |
| CheckHasNoFileSystemPermission(p, copy_into_id); |
| CheckHasNoFileSystemPermission(p, delete_from_id); |
| |
| // Cleanup. |
| p->Remove(kRendererID); |
| storage::IsolatedContext::GetInstance()->RevokeFileSystem(read_id); |
| storage::IsolatedContext::GetInstance()->RevokeFileSystem(read_write_id); |
| storage::IsolatedContext::GetInstance()->RevokeFileSystem(copy_into_id); |
| storage::IsolatedContext::GetInstance()->RevokeFileSystem(delete_from_id); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, FilePermissionGrantingAndRevoking) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->RegisterFileSystemPermissionPolicy( |
| storage::kFileSystemTypeTest, |
| storage::FILE_PERMISSION_USE_FILE_PERMISSION); |
| |
| p->Add(kRendererID); |
| base::FilePath file(TEST_PATH("/dir/testfile")); |
| file = file.NormalizePathSeparators(); |
| storage::FileSystemURL url = storage::FileSystemURL::CreateForTest( |
| GURL("http://foo/"), storage::kFileSystemTypeTest, file); |
| |
| // Test initially having no permissions. |
| CheckHasNoFileSystemFilePermission(p, file, url); |
| |
| // Testing every combination of permissions granting and revoking. |
| p->GrantReadFile(kRendererID, file); |
| EXPECT_TRUE(p->CanReadFile(kRendererID, file)); |
| EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file)); |
| EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url)); |
| EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url)); |
| p->RevokeAllPermissionsForFile(kRendererID, file); |
| CheckHasNoFileSystemFilePermission(p, file, url); |
| |
| p->GrantCreateReadWriteFile(kRendererID, file); |
| EXPECT_TRUE(p->CanReadFile(kRendererID, file)); |
| EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file)); |
| EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url)); |
| p->RevokeAllPermissionsForFile(kRendererID, file); |
| CheckHasNoFileSystemFilePermission(p, file, url); |
| |
| // Test revoke permissions on renderer ID removal. |
| p->GrantCreateReadWriteFile(kRendererID, file); |
| EXPECT_TRUE(p->CanReadFile(kRendererID, file)); |
| EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file)); |
| EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url)); |
| EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url)); |
| p->Remove(kRendererID); |
| CheckHasNoFileSystemFilePermission(p, file, url); |
| |
| // Test having no permissions upon re-adding same renderer ID. |
| p->Add(kRendererID); |
| CheckHasNoFileSystemFilePermission(p, file, url); |
| |
| // Cleanup. |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, FilePermissions) { |
| base::FilePath granted_file = base::FilePath(TEST_PATH("/home/joe")); |
| base::FilePath sibling_file = base::FilePath(TEST_PATH("/home/bob")); |
| base::FilePath child_file = base::FilePath(TEST_PATH("/home/joe/file")); |
| base::FilePath parent_file = base::FilePath(TEST_PATH("/home")); |
| base::FilePath parent_slash_file = base::FilePath(TEST_PATH("/home/")); |
| base::FilePath child_traversal1 = |
| base::FilePath(TEST_PATH("/home/joe/././file")); |
| base::FilePath child_traversal2 = base::FilePath( |
| TEST_PATH("/home/joe/file/../otherfile")); |
| base::FilePath evil_traversal1 = |
| base::FilePath(TEST_PATH("/home/joe/../../etc/passwd")); |
| base::FilePath evil_traversal2 = base::FilePath( |
| TEST_PATH("/home/joe/./.././../etc/passwd")); |
| base::FilePath self_traversal = |
| base::FilePath(TEST_PATH("/home/joe/../joe/file")); |
| base::FilePath relative_file = base::FilePath(FILE_PATH_LITERAL("home/joe")); |
| |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| // Grant permissions for a file. |
| p->Add(kRendererID); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN)); |
| |
| GrantPermissionsForFile(p, kRendererID, granted_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_OPEN_TRUNCATED | |
| base::File::FLAG_READ | |
| base::File::FLAG_WRITE); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_OPEN_TRUNCATED | |
| base::File::FLAG_READ | |
| base::File::FLAG_WRITE)); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_CREATE)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, 0)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_CREATE | |
| base::File::FLAG_OPEN_TRUNCATED | |
| base::File::FLAG_READ | |
| base::File::FLAG_WRITE)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, sibling_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, parent_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal1, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal2, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal1, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal2, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| // CPSP doesn't allow this case for the sake of simplicity. |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, self_traversal, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| p->Remove(kRendererID); |
| |
| // Grant permissions for the directory the file is in. |
| p->Add(kRendererID); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN)); |
| GrantPermissionsForFile(p, kRendererID, parent_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_READ | |
| base::File::FLAG_WRITE)); |
| p->Remove(kRendererID); |
| |
| // Grant permissions for the directory the file is in (with trailing '/'). |
| p->Add(kRendererID); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN)); |
| GrantPermissionsForFile(p, kRendererID, parent_slash_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_READ | |
| base::File::FLAG_WRITE)); |
| |
| // Grant permissions for the file (should overwrite the permissions granted |
| // for the directory). |
| GrantPermissionsForFile(p, kRendererID, granted_file, |
| base::File::FLAG_TEMPORARY); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN)); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_TEMPORARY)); |
| |
| // Revoke all permissions for the file (it should inherit its permissions |
| // from the directory again). |
| p->RevokeAllPermissionsForFile(kRendererID, granted_file); |
| EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_OPEN | |
| base::File::FLAG_READ)); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, |
| base::File::FLAG_TEMPORARY)); |
| p->Remove(kRendererID); |
| |
| |
| p->Add(kRendererID); |
| GrantPermissionsForFile(p, kRendererID, relative_file, |
| base::File::FLAG_OPEN); |
| EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, relative_file, |
| base::File::FLAG_OPEN)); |
| p->Remove(kRendererID); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| const GURL url("chrome://thumb/http://www.google.com/"); |
| const GURL other_url("chrome://not-thumb/"); |
| const url::Origin origin = url::Origin::Create(url); |
| { |
| p->Add(kRendererID); |
| |
| EXPECT_FALSE(p->HasWebUIBindings(kRendererID)); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->GrantWebUIBindings(kRendererID, BINDINGS_POLICY_WEB_UI); |
| |
| EXPECT_TRUE(p->HasWebUIBindings(kRendererID)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->GrantCommitOrigin(kRendererID, origin); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->Remove(kRendererID); |
| } |
| { |
| p->Add(kRendererID); |
| |
| EXPECT_FALSE(p->HasWebUIBindings(kRendererID)); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->GrantWebUIBindings(kRendererID, BINDINGS_POLICY_MOJO_WEB_UI); |
| |
| EXPECT_TRUE(p->HasWebUIBindings(kRendererID)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->GrantCommitOrigin(kRendererID, origin); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->Remove(kRendererID); |
| } |
| { |
| p->Add(kRendererID); |
| |
| EXPECT_FALSE(p->HasWebUIBindings(kRendererID)); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->GrantWebUIBindings(kRendererID, |
| BINDINGS_POLICY_WEB_UI | BINDINGS_POLICY_MOJO_WEB_UI); |
| |
| EXPECT_TRUE(p->HasWebUIBindings(kRendererID)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->GrantCommitOrigin(kRendererID, origin); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, other_url)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, other_url)); |
| EXPECT_TRUE(p->CanRedirectToURL(other_url)); |
| |
| p->Remove(kRendererID); |
| } |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, RemoveRace) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| GURL url("file:///etc/passwd"); |
| base::FilePath file(TEST_PATH("/etc/passwd")); |
| |
| p->Add(kRendererID); |
| |
| p->GrantCommitURL(kRendererID, url); |
| p->GrantReadFile(kRendererID, file); |
| p->GrantWebUIBindings(kRendererID, |
| BINDINGS_POLICY_WEB_UI | BINDINGS_POLICY_MOJO_WEB_UI); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| EXPECT_TRUE(p->CanReadFile(kRendererID, file)); |
| EXPECT_TRUE(p->HasWebUIBindings(kRendererID)); |
| |
| p->Remove(kRendererID); |
| |
| // Renderers are added and removed on the UI thread, but the policy can be |
| // queried on the IO thread. The ChildProcessSecurityPolicy needs to be |
| // prepared to answer policy questions about renderers who no longer exist. |
| |
| // In this case, we default to secure behavior. |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url)); |
| EXPECT_TRUE(p->CanRedirectToURL(url)); |
| EXPECT_FALSE(p->CanReadFile(kRendererID, file)); |
| EXPECT_FALSE(p->HasWebUIBindings(kRendererID)); |
| } |
| |
| TEST_F(ChildProcessSecurityPolicyTest, RemoveRace_CanAccessDataForOrigin) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| GURL url("file:///etc/passwd"); |
| |
| p->Add(kRendererID); |
| |
| base::WaitableEvent ready_for_remove_event; |
| base::WaitableEvent remove_called_event; |
| base::WaitableEvent pending_remove_complete_event; |
| |
| bool io_before_remove = false; |
| bool io_while_remove_pending = false; |
| bool io_after_remove_complete = false; |
| bool ui_before_remove = false; |
| bool ui_while_remove_pending = false; |
| bool ui_after_remove_complete = false; |
| |
| // Post a task that will run on the IO thread before the task that |
| // Remove() will post to the IO thread. |
| base::PostTaskWithTraits( |
| FROM_HERE, {BrowserThread::IO}, base::BindLambdaForTesting([&]() { |
| // Capture state on the IO thread before Remove() is called. |
| io_before_remove = p->CanAccessDataForOrigin(kRendererID, url); |
| |
| // Tell the UI thread we are ready for Remove() to be called. |
| ready_for_remove_event.Signal(); |
| |
| // Wait for Remove() to be called on the UI thread. |
| remove_called_event.Wait(); |
| |
| // Capture state after Remove() is called, but before its task on |
| // the IO thread runs. |
| io_while_remove_pending = p->CanAccessDataForOrigin(kRendererID, url); |
| })); |
| |
| ready_for_remove_event.Wait(); |
| |
| ui_before_remove = p->CanAccessDataForOrigin(kRendererID, url); |
| |
| p->Remove(kRendererID); |
| |
| // Post a task to run after the task Remove() posted on the IO thread. |
| base::PostTaskWithTraits( |
| FROM_HERE, {BrowserThread::IO}, base::BindLambdaForTesting([&]() { |
| io_after_remove_complete = p->CanAccessDataForOrigin(kRendererID, url); |
| |
| // Tell the UI thread that the task from Remove() has completed on the |
| // IO thread. |
| pending_remove_complete_event.Signal(); |
| })); |
| |
| // Capture state after Remove() has been called, but before its IO thread |
| // task has run. We know the IO thread task hasn't run yet because the |
| // task we posted before the Remove() call is waiting for us to signal |
| // |remove_called_event|. |
| ui_while_remove_pending = p->CanAccessDataForOrigin(kRendererID, url); |
| |
| // Unblock the IO thread so the pending remove events can run. |
| remove_called_event.Signal(); |
| |
| pending_remove_complete_event.Wait(); |
| |
| ui_after_remove_complete = p->CanAccessDataForOrigin(kRendererID, url); |
| |
| // Verify expected states at various parts of the removal. |
| // Note: IO thread is expected to keep pre-Remove() permissions until its |
| // remove task runs on the IO thread. The UI thread is expected to have no |
| // permissions after Remove() returns. |
| EXPECT_TRUE(io_before_remove); |
| EXPECT_TRUE(io_while_remove_pending); |
| EXPECT_FALSE(io_after_remove_complete); |
| |
| EXPECT_TRUE(ui_before_remove); |
| EXPECT_FALSE(ui_while_remove_pending); |
| EXPECT_FALSE(ui_after_remove_complete); |
| } |
| |
| // Test the granting of origin permissions, and their interactions with |
| // granting scheme permissions. |
| TEST_F(ChildProcessSecurityPolicyTest, OriginGranting) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| p->Add(kRendererID); |
| |
| GURL url_foo1("chrome://foo/resource1"); |
| GURL url_foo2("chrome://foo/resource2"); |
| GURL url_bar("chrome://bar/resource3"); |
| |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url_foo1)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo1)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo2)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_bar)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo1)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo1)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar)); |
| |
| p->GrantRequestOrigin(kRendererID, url::Origin::Create(url_foo1)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo1)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo2)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_bar)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo1)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo1)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar)); |
| |
| p->GrantCommitOrigin(kRendererID, url::Origin::Create(url_foo1)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo1)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo2)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_bar)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar)); |
| |
| // Make sure this doesn't overwrite the earlier commit grants. |
| p->GrantRequestOrigin(kRendererID, url::Origin::Create(url_foo1)); |
| |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanRequestURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanRequestURL(kRendererID, url_bar)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo1)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_foo2)); |
| EXPECT_TRUE(p->CanRedirectToURL(url_bar)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanCommitURL(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanCommitURL(kRendererID, url_bar)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo1)); |
| EXPECT_TRUE(p->CanSetAsOriginHeader(kRendererID, url_foo2)); |
| EXPECT_FALSE(p->CanSetAsOriginHeader(kRendererID, url_bar)); |
| |
| p->Remove(kRendererID); |
| } |
| |
| namespace { |
| |
| // Helpers to construct (key, value) entries used to validate the |
| // isolated_origins_ map. |
| auto IsolatedOriginEntry(const url::Origin& origin) { |
| return std::pair<GURL, base::flat_set<url::Origin>>( |
| SiteInstanceImpl::GetSiteForOrigin(origin), {origin}); |
| } |
| |
| auto IsolatedOriginEntry(const url::Origin& origin1, |
| const url::Origin& origin2) { |
| EXPECT_EQ(SiteInstanceImpl::GetSiteForOrigin(origin1), |
| SiteInstanceImpl::GetSiteForOrigin(origin2)); |
| return std::pair<GURL, base::flat_set<url::Origin>>( |
| SiteInstanceImpl::GetSiteForOrigin(origin1), {origin1, origin2}); |
| } |
| |
| } // namespace |
| |
| #define LOCKED_EXPECT_THAT(lock, value, matcher) \ |
| do { \ |
| base::AutoLock auto_lock(lock); \ |
| EXPECT_THAT(value, matcher); \ |
| } while (0); |
| |
| // Verifies ChildProcessSecurityPolicyImpl::AddIsolatedOrigins method. |
| TEST_F(ChildProcessSecurityPolicyTest, AddIsolatedOrigins) { |
| url::Origin foo = url::Origin::Create(GURL("https://foo.com/")); |
| url::Origin bar = url::Origin::Create(GURL("https://bar.com/")); |
| url::Origin baz = url::Origin::Create(GURL("https://baz.com/")); |
| url::Origin quxfoo = url::Origin::Create(GURL("https://qux.foo.com/")); |
| url::Origin baz_http = url::Origin::Create(GURL("http://baz.com/")); |
| url::Origin baz_http_8000 = url::Origin::Create(GURL("http://baz.com:8000/")); |
| url::Origin baz_https_8000 = |
| url::Origin::Create(GURL("https://baz.com:8000/")); |
| url::Origin invalid_etld = url::Origin::Create(GURL("https://gov/")); |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| |
| // Initially there should be no isolated origins. |
| LOCKED_EXPECT_THAT(p->lock_, p->isolated_origins_, testing::IsEmpty()); |
| |
| // Verify deduplication of the argument. |
| p->AddIsolatedOrigins({foo, bar, bar}); |
| LOCKED_EXPECT_THAT(p->lock_, p->isolated_origins_, |
| testing::UnorderedElementsAre(IsolatedOriginEntry(foo), |
| IsolatedOriginEntry(bar))); |
| |
| // Verify that the old set is extended (not replaced). |
| p->AddIsolatedOrigins({baz}); |
| LOCKED_EXPECT_THAT(p->lock_, p->isolated_origins_, |
| testing::UnorderedElementsAre(IsolatedOriginEntry(foo), |
| IsolatedOriginEntry(bar), |
| IsolatedOriginEntry(baz))); |
| |
| // Verify deduplication against the old set. |
| p->AddIsolatedOrigins({foo}); |
| LOCKED_EXPECT_THAT(p->lock_, p->isolated_origins_, |
| testing::UnorderedElementsAre(IsolatedOriginEntry(foo), |
| IsolatedOriginEntry(bar), |
| IsolatedOriginEntry(baz))); |
| |
| // Verify deduplication considers scheme and port differences. Note that |
| // origins that differ only in ports map to the same key. |
| p->AddIsolatedOrigins({baz, baz_http_8000, baz_https_8000}); |
| LOCKED_EXPECT_THAT( |
| p->lock_, p->isolated_origins_, |
| testing::UnorderedElementsAre( |
| IsolatedOriginEntry(foo), IsolatedOriginEntry(bar), |
| IsolatedOriginEntry(baz), IsolatedOriginEntry(baz_http))); |
| |
| // Verify that adding an origin that is invalid for isolation will 1) log a |
| // warning and 2) won't CHECK or crash the browser process, 3) will not add |
| // the invalid origin, but will add the remaining origins passed to |
| // AddIsolatedOrigins. Note that the new |quxfoo| origin should map to the |
| // same key (i.e., the https://foo.com/ site URL) as the existing |foo| |
| // origin. |
| { |
| base::test::MockLog mock_log; |
| EXPECT_CALL(mock_log, |
| Log(::logging::LOG_ERROR, testing::_, testing::_, testing::_, |
| testing::HasSubstr(invalid_etld.Serialize()))) |
| .Times(1); |
| |
| mock_log.StartCapturingLogs(); |
| p->AddIsolatedOrigins({quxfoo, invalid_etld}); |
| LOCKED_EXPECT_THAT( |
| p->lock_, p->isolated_origins_, |
| testing::UnorderedElementsAre( |
| IsolatedOriginEntry(foo, quxfoo), IsolatedOriginEntry(bar), |
| IsolatedOriginEntry(baz), IsolatedOriginEntry(baz_http))); |
| } |
| } |
| |
| // Check that an unsuccessful isolated origin lookup for a URL with an empty |
| // host doesn't crash. See https://crbug.com/882686. |
| TEST_F(ChildProcessSecurityPolicyTest, IsIsolatedOriginWithEmptyHost) { |
| ChildProcessSecurityPolicyImpl* p = |
| ChildProcessSecurityPolicyImpl::GetInstance(); |
| EXPECT_FALSE(p->IsIsolatedOrigin(url::Origin::Create(GURL()))); |
| EXPECT_FALSE(p->IsIsolatedOrigin(url::Origin::Create(GURL("file:///foo")))); |
| } |
| |
| } // namespace content |
