1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <set>
6 #include <string>
7
8 #include "base/basictypes.h"
9 #include "base/files/file_path.h"
10 #include "base/platform_file.h"
11 #include "content/browser/child_process_security_policy_impl.h"
12 #include "content/public/common/url_constants.h"
13 #include "content/test/test_content_browser_client.h"
14 #include "testing/gtest/include/gtest/gtest.h"
15 #include "url/gurl.h"
16 #include "webkit/browser/fileapi/file_permission_policy.h"
17 #include "webkit/browser/fileapi/file_system_url.h"
18 #include "webkit/browser/fileapi/isolated_context.h"
19 #include "webkit/common/fileapi/file_system_types.h"
20
21 namespace content {
22 namespace {
23
24 const int kRendererID = 42;
25 const int kWorkerRendererID = kRendererID + 1;
26
27 #if defined(FILE_PATH_USES_DRIVE_LETTERS)
28 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x)
29 #else
30 #define TEST_PATH(x) FILE_PATH_LITERAL(x)
31 #endif
32
33 class ChildProcessSecurityPolicyTestBrowserClient
34 : public TestContentBrowserClient {
35 public:
ChildProcessSecurityPolicyTestBrowserClient()36 ChildProcessSecurityPolicyTestBrowserClient() {}
37
IsHandledURL(const GURL & url)38 virtual bool IsHandledURL(const GURL& url) OVERRIDE {
39 return schemes_.find(url.scheme()) != schemes_.end();
40 }
41
ClearSchemes()42 void ClearSchemes() {
43 schemes_.clear();
44 }
45
AddScheme(const std::string & scheme)46 void AddScheme(const std::string& scheme) {
47 schemes_.insert(scheme);
48 }
49
50 private:
51 std::set<std::string> schemes_;
52 };
53
54 } // namespace
55
56 class ChildProcessSecurityPolicyTest : public testing::Test {
57 public:
ChildProcessSecurityPolicyTest()58 ChildProcessSecurityPolicyTest() : old_browser_client_(NULL) {
59 }
60
SetUp()61 virtual void SetUp() {
62 old_browser_client_ = SetBrowserClientForTesting(&test_browser_client_);
63
64 // Claim to always handle chrome:// URLs because the CPSP's notion of
65 // allowing WebUI bindings is hard-wired to this particular scheme.
66 test_browser_client_.AddScheme(chrome::kChromeUIScheme);
67
68 // Claim to always handle file:// URLs like the browser would.
69 // net::URLRequest::IsHandledURL() no longer claims support for default
70 // protocols as this is the responsibility of the browser (which is
71 // responsible for adding the appropriate ProtocolHandler).
72 test_browser_client_.AddScheme(chrome::kFileScheme);
73 }
74
TearDown()75 virtual void TearDown() {
76 test_browser_client_.ClearSchemes();
77 SetBrowserClientForTesting(old_browser_client_);
78 }
79
80 protected:
RegisterTestScheme(const std::string & scheme)81 void RegisterTestScheme(const std::string& scheme) {
82 test_browser_client_.AddScheme(scheme);
83 }
84
GrantPermissionsForFile(ChildProcessSecurityPolicyImpl * p,int child_id,const base::FilePath & file,int permissions)85 void GrantPermissionsForFile(ChildProcessSecurityPolicyImpl* p,
86 int child_id,
87 const base::FilePath& file,
88 int permissions) {
89 p->GrantPermissionsForFile(child_id, file, permissions);
90 }
91
CheckHasNoFileSystemPermission(ChildProcessSecurityPolicyImpl * p,const std::string & child_id)92 void CheckHasNoFileSystemPermission(ChildProcessSecurityPolicyImpl* p,
93 const std::string& child_id) {
94 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, child_id));
95 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, child_id));
96 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, child_id));
97 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, child_id));
98 }
99
CheckHasNoFileSystemFilePermission(ChildProcessSecurityPolicyImpl * p,const base::FilePath & file,const fileapi::FileSystemURL & url)100 void CheckHasNoFileSystemFilePermission(ChildProcessSecurityPolicyImpl* p,
101 const base::FilePath& file,
102 const fileapi::FileSystemURL& url) {
103 EXPECT_FALSE(p->CanReadFile(kRendererID, file));
104 EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file));
105 EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, url));
106 EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
107 EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
108 EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
109 EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url));
110 EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url));
111 }
112
113 private:
114 ChildProcessSecurityPolicyTestBrowserClient test_browser_client_;
115 ContentBrowserClient* old_browser_client_;
116 };
117
118
TEST_F(ChildProcessSecurityPolicyTest,IsWebSafeSchemeTest)119 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
120 ChildProcessSecurityPolicyImpl* p =
121 ChildProcessSecurityPolicyImpl::GetInstance();
122
123 EXPECT_TRUE(p->IsWebSafeScheme(kHttpScheme));
124 EXPECT_TRUE(p->IsWebSafeScheme(kHttpsScheme));
125 EXPECT_TRUE(p->IsWebSafeScheme(kFtpScheme));
126 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kDataScheme));
127 EXPECT_TRUE(p->IsWebSafeScheme("feed"));
128 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kBlobScheme));
129 EXPECT_TRUE(p->IsWebSafeScheme(chrome::kFileSystemScheme));
130
131 EXPECT_FALSE(p->IsWebSafeScheme("registered-web-safe-scheme"));
132 p->RegisterWebSafeScheme("registered-web-safe-scheme");
133 EXPECT_TRUE(p->IsWebSafeScheme("registered-web-safe-scheme"));
134
135 EXPECT_FALSE(p->IsWebSafeScheme(chrome::kChromeUIScheme));
136 }
137
TEST_F(ChildProcessSecurityPolicyTest,IsPseudoSchemeTest)138 TEST_F(ChildProcessSecurityPolicyTest, IsPseudoSchemeTest) {
139 ChildProcessSecurityPolicyImpl* p =
140 ChildProcessSecurityPolicyImpl::GetInstance();
141
142 EXPECT_TRUE(p->IsPseudoScheme(chrome::kAboutScheme));
143 EXPECT_TRUE(p->IsPseudoScheme(kJavaScriptScheme));
144 EXPECT_TRUE(p->IsPseudoScheme(kViewSourceScheme));
145
146 EXPECT_FALSE(p->IsPseudoScheme("registered-pseudo-scheme"));
147 p->RegisterPseudoScheme("registered-pseudo-scheme");
148 EXPECT_TRUE(p->IsPseudoScheme("registered-pseudo-scheme"));
149
150 EXPECT_FALSE(p->IsPseudoScheme(chrome::kChromeUIScheme));
151 }
152
TEST_F(ChildProcessSecurityPolicyTest,StandardSchemesTest)153 TEST_F(ChildProcessSecurityPolicyTest, StandardSchemesTest) {
154 ChildProcessSecurityPolicyImpl* p =
155 ChildProcessSecurityPolicyImpl::GetInstance();
156
157 p->Add(kRendererID);
158
159 // Safe
160 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("http://www.google.com/")));
161 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("https://www.paypal.com/")));
162 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("ftp://ftp.gnu.org/")));
163 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("data:text/html,<b>Hi</b>")));
164 EXPECT_TRUE(p->CanRequestURL(kRendererID,
165 GURL("view-source:http://www.google.com/")));
166 EXPECT_TRUE(p->CanRequestURL(
167 kRendererID, GURL("filesystem:http://localhost/temporary/a.gif")));
168
169 // Dangerous
170 EXPECT_FALSE(p->CanRequestURL(kRendererID,
171 GURL("file:///etc/passwd")));
172 EXPECT_FALSE(p->CanRequestURL(kRendererID,
173 GURL("chrome://foo/bar")));
174
175 p->Remove(kRendererID);
176 }
177
TEST_F(ChildProcessSecurityPolicyTest,AboutTest)178 TEST_F(ChildProcessSecurityPolicyTest, AboutTest) {
179 ChildProcessSecurityPolicyImpl* p =
180 ChildProcessSecurityPolicyImpl::GetInstance();
181
182 p->Add(kRendererID);
183
184 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:blank")));
185 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("about:BlAnK")));
186 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:BlAnK")));
187 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("aBouT:blank")));
188
189 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:memory")));
190 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
191 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:cache")));
192 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:hang")));
193
194 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("aBoUt:memory")));
195 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:CrASh")));
196 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("abOuT:cAChe")));
197
198 // Requests for about: pages should be denied.
199 p->GrantRequestURL(kRendererID, GURL("about:crash"));
200 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("about:crash")));
201
202 // These requests for chrome:// pages should be granted.
203 GURL chrome_url("chrome://foo");
204 p->GrantRequestURL(kRendererID, chrome_url);
205 EXPECT_TRUE(p->CanRequestURL(kRendererID, chrome_url));
206
207 p->Remove(kRendererID);
208 }
209
TEST_F(ChildProcessSecurityPolicyTest,JavaScriptTest)210 TEST_F(ChildProcessSecurityPolicyTest, JavaScriptTest) {
211 ChildProcessSecurityPolicyImpl* p =
212 ChildProcessSecurityPolicyImpl::GetInstance();
213
214 p->Add(kRendererID);
215
216 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
217 p->GrantRequestURL(kRendererID, GURL("javascript:alert('xss')"));
218 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("javascript:alert('xss')")));
219
220 p->Remove(kRendererID);
221 }
222
TEST_F(ChildProcessSecurityPolicyTest,RegisterWebSafeSchemeTest)223 TEST_F(ChildProcessSecurityPolicyTest, RegisterWebSafeSchemeTest) {
224 ChildProcessSecurityPolicyImpl* p =
225 ChildProcessSecurityPolicyImpl::GetInstance();
226
227 p->Add(kRendererID);
228
229 // Currently, "asdf" is destined for ShellExecute, so it is allowed.
230 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
231
232 // Once we register "asdf", we default to deny.
233 RegisterTestScheme("asdf");
234 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
235
236 // We can allow new schemes by adding them to the whitelist.
237 p->RegisterWebSafeScheme("asdf");
238 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("asdf:rockers")));
239
240 // Cleanup.
241 p->Remove(kRendererID);
242 }
243
TEST_F(ChildProcessSecurityPolicyTest,CanServiceCommandsTest)244 TEST_F(ChildProcessSecurityPolicyTest, CanServiceCommandsTest) {
245 ChildProcessSecurityPolicyImpl* p =
246 ChildProcessSecurityPolicyImpl::GetInstance();
247
248 p->Add(kRendererID);
249
250 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
251 p->GrantRequestURL(kRendererID, GURL("file:///etc/passwd"));
252 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
253
254 // We should forget our state if we repeat a renderer id.
255 p->Remove(kRendererID);
256 p->Add(kRendererID);
257 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
258 p->Remove(kRendererID);
259 }
260
TEST_F(ChildProcessSecurityPolicyTest,ViewSource)261 TEST_F(ChildProcessSecurityPolicyTest, ViewSource) {
262 ChildProcessSecurityPolicyImpl* p =
263 ChildProcessSecurityPolicyImpl::GetInstance();
264
265 p->Add(kRendererID);
266
267 // View source is determined by the embedded scheme.
268 EXPECT_TRUE(p->CanRequestURL(kRendererID,
269 GURL("view-source:http://www.google.com/")));
270 EXPECT_FALSE(p->CanRequestURL(kRendererID,
271 GURL("view-source:file:///etc/passwd")));
272 EXPECT_FALSE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
273 EXPECT_FALSE(p->CanRequestURL(
274 kRendererID, GURL("view-source:view-source:http://www.google.com/")));
275
276 p->GrantRequestURL(kRendererID, GURL("view-source:file:///etc/passwd"));
277 // View source needs to be able to request the embedded scheme.
278 EXPECT_TRUE(p->CanRequestURL(kRendererID,
279 GURL("view-source:file:///etc/passwd")));
280 EXPECT_TRUE(p->CanRequestURL(kRendererID, GURL("file:///etc/passwd")));
281
282 p->Remove(kRendererID);
283 }
284
TEST_F(ChildProcessSecurityPolicyTest,SpecificFile)285 TEST_F(ChildProcessSecurityPolicyTest, SpecificFile) {
286 ChildProcessSecurityPolicyImpl* p =
287 ChildProcessSecurityPolicyImpl::GetInstance();
288
289 p->Add(kRendererID);
290
291 GURL icon_url("file:///tmp/foo.png");
292 GURL sensitive_url("file:///etc/passwd");
293 EXPECT_FALSE(p->CanRequestURL(kRendererID, icon_url));
294 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
295
296 p->GrantRequestSpecificFileURL(kRendererID, icon_url);
297 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
298 EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
299
300 p->GrantRequestURL(kRendererID, icon_url);
301 EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
302 EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
303
304 p->Remove(kRendererID);
305 }
306
TEST_F(ChildProcessSecurityPolicyTest,FileSystemGrantsTest)307 TEST_F(ChildProcessSecurityPolicyTest, FileSystemGrantsTest) {
308 ChildProcessSecurityPolicyImpl* p =
309 ChildProcessSecurityPolicyImpl::GetInstance();
310
311 p->Add(kRendererID);
312 std::string read_id = fileapi::IsolatedContext::GetInstance()->
313 RegisterFileSystemForVirtualPath(fileapi::kFileSystemTypeTest,
314 "read_filesystem",
315 base::FilePath());
316 std::string read_write_id = fileapi::IsolatedContext::GetInstance()->
317 RegisterFileSystemForVirtualPath(fileapi::kFileSystemTypeTest,
318 "read_write_filesystem",
319 base::FilePath());
320 std::string copy_into_id = fileapi::IsolatedContext::GetInstance()->
321 RegisterFileSystemForVirtualPath(fileapi::kFileSystemTypeTest,
322 "copy_into_filesystem",
323 base::FilePath());
324 std::string delete_from_id = fileapi::IsolatedContext::GetInstance()->
325 RegisterFileSystemForVirtualPath(fileapi::kFileSystemTypeTest,
326 "delete_from_filesystem",
327 base::FilePath());
328
329 // Test initially having no permissions.
330 CheckHasNoFileSystemPermission(p, read_id);
331 CheckHasNoFileSystemPermission(p, read_write_id);
332 CheckHasNoFileSystemPermission(p, copy_into_id);
333 CheckHasNoFileSystemPermission(p, delete_from_id);
334
335 // Testing varying combinations of grants and checks.
336 p->GrantReadFileSystem(kRendererID, read_id);
337 EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_id));
338 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, read_id));
339 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_id));
340 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_id));
341
342 p->GrantReadFileSystem(kRendererID, read_write_id);
343 p->GrantWriteFileSystem(kRendererID, read_write_id);
344 EXPECT_TRUE(p->CanReadFileSystem(kRendererID, read_write_id));
345 EXPECT_TRUE(p->CanReadWriteFileSystem(kRendererID, read_write_id));
346 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, read_write_id));
347 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, read_write_id));
348
349 p->GrantCopyIntoFileSystem(kRendererID, copy_into_id);
350 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, copy_into_id));
351 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, copy_into_id));
352 EXPECT_TRUE(p->CanCopyIntoFileSystem(kRendererID, copy_into_id));
353 EXPECT_FALSE(p->CanDeleteFromFileSystem(kRendererID, copy_into_id));
354
355 p->GrantDeleteFromFileSystem(kRendererID, delete_from_id);
356 EXPECT_FALSE(p->CanReadFileSystem(kRendererID, delete_from_id));
357 EXPECT_FALSE(p->CanReadWriteFileSystem(kRendererID, delete_from_id));
358 EXPECT_FALSE(p->CanCopyIntoFileSystem(kRendererID, delete_from_id));
359 EXPECT_TRUE(p->CanDeleteFromFileSystem(kRendererID, delete_from_id));
360
361 // Test revoke permissions on renderer ID removal.
362 p->Remove(kRendererID);
363 CheckHasNoFileSystemPermission(p, read_id);
364 CheckHasNoFileSystemPermission(p, read_write_id);
365 CheckHasNoFileSystemPermission(p, copy_into_id);
366 CheckHasNoFileSystemPermission(p, delete_from_id);
367
368 // Test having no permissions upon re-adding same renderer ID.
369 p->Add(kRendererID);
370 CheckHasNoFileSystemPermission(p, read_id);
371 CheckHasNoFileSystemPermission(p, read_write_id);
372 CheckHasNoFileSystemPermission(p, copy_into_id);
373 CheckHasNoFileSystemPermission(p, delete_from_id);
374
375 // Cleanup.
376 p->Remove(kRendererID);
377 fileapi::IsolatedContext::GetInstance()->RevokeFileSystem(read_id);
378 fileapi::IsolatedContext::GetInstance()->RevokeFileSystem(read_write_id);
379 fileapi::IsolatedContext::GetInstance()->RevokeFileSystem(copy_into_id);
380 fileapi::IsolatedContext::GetInstance()->RevokeFileSystem(delete_from_id);
381 }
382
TEST_F(ChildProcessSecurityPolicyTest,FilePermissionGrantingAndRevoking)383 TEST_F(ChildProcessSecurityPolicyTest, FilePermissionGrantingAndRevoking) {
384 ChildProcessSecurityPolicyImpl* p =
385 ChildProcessSecurityPolicyImpl::GetInstance();
386
387 p->RegisterFileSystemPermissionPolicy(
388 fileapi::kFileSystemTypeTest,
389 fileapi::FILE_PERMISSION_USE_FILE_PERMISSION);
390
391 p->Add(kRendererID);
392 base::FilePath file(TEST_PATH("/dir/testfile"));
393 file = file.NormalizePathSeparators();
394 fileapi::FileSystemURL url = fileapi::FileSystemURL::CreateForTest(
395 GURL("http://foo/"), fileapi::kFileSystemTypeTest, file);
396
397 // Test initially having no permissions.
398 CheckHasNoFileSystemFilePermission(p, file, url);
399
400 // Testing every combination of permissions granting and revoking.
401 p->GrantReadFile(kRendererID, file);
402 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
403 EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, file));
404 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
405 EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, url));
406 EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, url));
407 EXPECT_FALSE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
408 EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, url));
409 EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, url));
410 p->RevokeAllPermissionsForFile(kRendererID, file);
411 CheckHasNoFileSystemFilePermission(p, file, url);
412
413 p->GrantCreateReadWriteFile(kRendererID, file);
414 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
415 EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file));
416 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
417 EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
418 EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
419 EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
420 EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url));
421 EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url));
422 p->RevokeAllPermissionsForFile(kRendererID, file);
423 CheckHasNoFileSystemFilePermission(p, file, url);
424
425 // Test revoke permissions on renderer ID removal.
426 p->GrantCreateReadWriteFile(kRendererID, file);
427 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
428 EXPECT_TRUE(p->CanCreateReadWriteFile(kRendererID, file));
429 EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, url));
430 EXPECT_TRUE(p->CanWriteFileSystemFile(kRendererID, url));
431 EXPECT_TRUE(p->CanCreateFileSystemFile(kRendererID, url));
432 EXPECT_TRUE(p->CanCreateReadWriteFileSystemFile(kRendererID, url));
433 EXPECT_TRUE(p->CanCopyIntoFileSystemFile(kRendererID, url));
434 EXPECT_TRUE(p->CanDeleteFileSystemFile(kRendererID, url));
435 p->Remove(kRendererID);
436 CheckHasNoFileSystemFilePermission(p, file, url);
437
438 // Test having no permissions upon re-adding same renderer ID.
439 p->Add(kRendererID);
440 CheckHasNoFileSystemFilePermission(p, file, url);
441
442 // Cleanup.
443 p->Remove(kRendererID);
444 }
445
TEST_F(ChildProcessSecurityPolicyTest,FilePermissions)446 TEST_F(ChildProcessSecurityPolicyTest, FilePermissions) {
447 base::FilePath granted_file = base::FilePath(TEST_PATH("/home/joe"));
448 base::FilePath sibling_file = base::FilePath(TEST_PATH("/home/bob"));
449 base::FilePath child_file = base::FilePath(TEST_PATH("/home/joe/file"));
450 base::FilePath parent_file = base::FilePath(TEST_PATH("/home"));
451 base::FilePath parent_slash_file = base::FilePath(TEST_PATH("/home/"));
452 base::FilePath child_traversal1 =
453 base::FilePath(TEST_PATH("/home/joe/././file"));
454 base::FilePath child_traversal2 = base::FilePath(
455 TEST_PATH("/home/joe/file/../otherfile"));
456 base::FilePath evil_traversal1 =
457 base::FilePath(TEST_PATH("/home/joe/../../etc/passwd"));
458 base::FilePath evil_traversal2 = base::FilePath(
459 TEST_PATH("/home/joe/./.././../etc/passwd"));
460 base::FilePath self_traversal =
461 base::FilePath(TEST_PATH("/home/joe/../joe/file"));
462 base::FilePath relative_file = base::FilePath(FILE_PATH_LITERAL("home/joe"));
463
464 ChildProcessSecurityPolicyImpl* p =
465 ChildProcessSecurityPolicyImpl::GetInstance();
466
467 // Grant permissions for a file.
468 p->Add(kRendererID);
469 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
470 base::PLATFORM_FILE_OPEN));
471
472 GrantPermissionsForFile(p, kRendererID, granted_file,
473 base::PLATFORM_FILE_OPEN |
474 base::PLATFORM_FILE_OPEN_TRUNCATED |
475 base::PLATFORM_FILE_READ |
476 base::PLATFORM_FILE_WRITE);
477 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
478 base::PLATFORM_FILE_OPEN |
479 base::PLATFORM_FILE_OPEN_TRUNCATED |
480 base::PLATFORM_FILE_READ |
481 base::PLATFORM_FILE_WRITE));
482 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
483 base::PLATFORM_FILE_OPEN |
484 base::PLATFORM_FILE_READ));
485 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
486 base::PLATFORM_FILE_CREATE));
487 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file, 0));
488 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
489 base::PLATFORM_FILE_CREATE |
490 base::PLATFORM_FILE_OPEN_TRUNCATED |
491 base::PLATFORM_FILE_READ |
492 base::PLATFORM_FILE_WRITE));
493 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, sibling_file,
494 base::PLATFORM_FILE_OPEN |
495 base::PLATFORM_FILE_READ));
496 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, parent_file,
497 base::PLATFORM_FILE_OPEN |
498 base::PLATFORM_FILE_READ));
499 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_file,
500 base::PLATFORM_FILE_OPEN |
501 base::PLATFORM_FILE_READ));
502 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal1,
503 base::PLATFORM_FILE_OPEN |
504 base::PLATFORM_FILE_READ));
505 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, child_traversal2,
506 base::PLATFORM_FILE_OPEN |
507 base::PLATFORM_FILE_READ));
508 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal1,
509 base::PLATFORM_FILE_OPEN |
510 base::PLATFORM_FILE_READ));
511 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, evil_traversal2,
512 base::PLATFORM_FILE_OPEN |
513 base::PLATFORM_FILE_READ));
514 // CPSP doesn't allow this case for the sake of simplicity.
515 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, self_traversal,
516 base::PLATFORM_FILE_OPEN |
517 base::PLATFORM_FILE_READ));
518 p->Remove(kRendererID);
519
520 // Grant permissions for the directory the file is in.
521 p->Add(kRendererID);
522 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
523 base::PLATFORM_FILE_OPEN));
524 GrantPermissionsForFile(p, kRendererID, parent_file,
525 base::PLATFORM_FILE_OPEN |
526 base::PLATFORM_FILE_READ);
527 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
528 base::PLATFORM_FILE_OPEN));
529 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
530 base::PLATFORM_FILE_READ |
531 base::PLATFORM_FILE_WRITE));
532 p->Remove(kRendererID);
533
534 // Grant permissions for the directory the file is in (with trailing '/').
535 p->Add(kRendererID);
536 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
537 base::PLATFORM_FILE_OPEN));
538 GrantPermissionsForFile(p, kRendererID, parent_slash_file,
539 base::PLATFORM_FILE_OPEN |
540 base::PLATFORM_FILE_READ);
541 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
542 base::PLATFORM_FILE_OPEN));
543 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
544 base::PLATFORM_FILE_READ |
545 base::PLATFORM_FILE_WRITE));
546
547 // Grant permissions for the file (should overwrite the permissions granted
548 // for the directory).
549 GrantPermissionsForFile(p, kRendererID, granted_file,
550 base::PLATFORM_FILE_TEMPORARY);
551 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
552 base::PLATFORM_FILE_OPEN));
553 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
554 base::PLATFORM_FILE_TEMPORARY));
555
556 // Revoke all permissions for the file (it should inherit its permissions
557 // from the directory again).
558 p->RevokeAllPermissionsForFile(kRendererID, granted_file);
559 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
560 base::PLATFORM_FILE_OPEN |
561 base::PLATFORM_FILE_READ));
562 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
563 base::PLATFORM_FILE_TEMPORARY));
564 p->Remove(kRendererID);
565
566 // Grant file permissions for the file to main thread renderer process,
567 // make sure its worker thread renderer process inherits those.
568 p->Add(kRendererID);
569 GrantPermissionsForFile(p, kRendererID, granted_file,
570 base::PLATFORM_FILE_OPEN |
571 base::PLATFORM_FILE_READ);
572 EXPECT_TRUE(p->HasPermissionsForFile(kRendererID, granted_file,
573 base::PLATFORM_FILE_OPEN |
574 base::PLATFORM_FILE_READ));
575 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, granted_file,
576 base::PLATFORM_FILE_WRITE));
577 p->AddWorker(kWorkerRendererID, kRendererID);
578 EXPECT_TRUE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
579 base::PLATFORM_FILE_OPEN |
580 base::PLATFORM_FILE_READ));
581 EXPECT_FALSE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
582 base::PLATFORM_FILE_WRITE));
583 p->Remove(kRendererID);
584 EXPECT_FALSE(p->HasPermissionsForFile(kWorkerRendererID, granted_file,
585 base::PLATFORM_FILE_OPEN |
586 base::PLATFORM_FILE_READ));
587 p->Remove(kWorkerRendererID);
588
589 p->Add(kRendererID);
590 GrantPermissionsForFile(p, kRendererID, relative_file,
591 base::PLATFORM_FILE_OPEN);
592 EXPECT_FALSE(p->HasPermissionsForFile(kRendererID, relative_file,
593 base::PLATFORM_FILE_OPEN));
594 p->Remove(kRendererID);
595 }
596
TEST_F(ChildProcessSecurityPolicyTest,CanServiceWebUIBindings)597 TEST_F(ChildProcessSecurityPolicyTest, CanServiceWebUIBindings) {
598 ChildProcessSecurityPolicyImpl* p =
599 ChildProcessSecurityPolicyImpl::GetInstance();
600
601 GURL url("chrome://thumb/http://www.google.com/");
602
603 p->Add(kRendererID);
604
605 EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
606 EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
607 p->GrantWebUIBindings(kRendererID);
608 EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
609 EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
610
611 p->Remove(kRendererID);
612 }
613
TEST_F(ChildProcessSecurityPolicyTest,RemoveRace)614 TEST_F(ChildProcessSecurityPolicyTest, RemoveRace) {
615 ChildProcessSecurityPolicyImpl* p =
616 ChildProcessSecurityPolicyImpl::GetInstance();
617
618 GURL url("file:///etc/passwd");
619 base::FilePath file(TEST_PATH("/etc/passwd"));
620
621 p->Add(kRendererID);
622
623 p->GrantRequestURL(kRendererID, url);
624 p->GrantReadFile(kRendererID, file);
625 p->GrantWebUIBindings(kRendererID);
626
627 EXPECT_TRUE(p->CanRequestURL(kRendererID, url));
628 EXPECT_TRUE(p->CanReadFile(kRendererID, file));
629 EXPECT_TRUE(p->HasWebUIBindings(kRendererID));
630
631 p->Remove(kRendererID);
632
633 // Renderers are added and removed on the UI thread, but the policy can be
634 // queried on the IO thread. The ChildProcessSecurityPolicy needs to be
635 // prepared to answer policy questions about renderers who no longer exist.
636
637 // In this case, we default to secure behavior.
638 EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
639 EXPECT_FALSE(p->CanReadFile(kRendererID, file));
640 EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
641 }
642
643 } // namespace content
644
