// Copyright 2013 The Chromium Authors // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include <stdint.h> #include <optional> #include <tuple> #include "base/command_line.h" #include "base/feature_list.h" #include "base/files/file_util.h" #include "base/functional/bind.h" #include "base/functional/callback_helpers.h" #include "base/memory/ptr_util.h" #include "base/memory/raw_ptr.h" #include "base/memory/weak_ptr.h" #include "base/strings/stringprintf.h" #include "base/strings/utf_string_conversions.h" #include "base/synchronization/waitable_event.h" #include "base/test/bind.h" #include "base/test/gtest_util.h" #include "base/test/scoped_feature_list.h" #include "base/unguessable_token.h" #include "build/build_config.h" #include "content/browser/attribution_reporting/attribution_manager.h" #include "content/browser/bad_message.h" #include "content/browser/child_process_security_policy_impl.h" #include "content/browser/dom_storage/dom_storage_context_wrapper.h" #include "content/browser/dom_storage/session_storage_namespace_impl.h" #include "content/browser/fenced_frame/fenced_frame.h" #include "content/browser/private_aggregation/private_aggregation_manager.h" #include "content/browser/renderer_host/navigator.h" #include "content/browser/renderer_host/render_frame_host_impl.h" #include "content/browser/renderer_host/render_frame_proxy_host.h" #include "content/browser/renderer_host/render_process_host_impl.h" #include "content/browser/renderer_host/render_view_host_factory.h" #include "content/browser/renderer_host/render_view_host_impl.h" #include "content/browser/web_contents/file_chooser_impl.h" #include "content/browser/web_contents/web_contents_impl.h" #include "content/common/features.h" #include "content/common/frame.mojom.h" #include "content/common/frame_messages.mojom.h" #include "content/common/render_message_filter.mojom.h" #include "content/public/browser/blob_handle.h" #include "content/public/browser/browser_context.h" #include "content/public/browser/browser_task_traits.h" #include "content/public/browser/browser_thread.h" #include "content/public/browser/content_browser_client.h" #include "content/public/browser/file_select_listener.h" #include "content/public/browser/navigation_handle.h" #include "content/public/browser/resource_context.h" #include "content/public/browser/storage_partition.h" #include "content/public/common/bindings_policy.h" #include "content/public/common/content_switches.h" #include "content/public/common/isolated_world_ids.h" #include "content/public/common/url_constants.h" #include "content/public/test/back_forward_cache_util.h" #include "content/public/test/browser_test.h" #include "content/public/test/browser_test_utils.h" #include "content/public/test/content_browser_test.h" #include "content/public/test/content_browser_test_utils.h" #include "content/public/test/fenced_frame_test_util.h" #include "content/public/test/navigation_handle_observer.h" #include "content/public/test/test_frame_navigation_observer.h" #include "content/public/test/test_navigation_observer.h" #include "content/public/test/test_renderer_host.h" #include "content/public/test/test_utils.h" #include "content/shell/browser/shell.h" #include "content/test/content_browser_test_utils_internal.h" #include "content/test/did_commit_navigation_interceptor.h" #include "content/test/frame_host_interceptor.h" #include "content/test/test_content_browser_client.h" #include "ipc/ipc_message.h" #include "ipc/ipc_security_test_util.h" #include "mojo/core/embedder/embedder.h" #include "mojo/public/cpp/bindings/pending_associated_remote.h" #include "mojo/public/cpp/bindings/pending_receiver.h" #include "mojo/public/cpp/bindings/pending_remote.h" #include "mojo/public/cpp/bindings/remote.h" #include "mojo/public/cpp/test_support/test_utils.h" #include "net/base/features.h" #include "net/base/filename_util.h" #include "net/base/network_isolation_key.h" #include "net/dns/mock_host_resolver.h" #include "net/storage_access_api/status.h" #include "net/test/embedded_test_server/controllable_http_response.h" #include "net/test/embedded_test_server/embedded_test_server.h" #include "net/test/embedded_test_server/http_request.h" #include "net/traffic_annotation/network_traffic_annotation_test_helper.h" #include "services/network/public/cpp/features.h" #include "services/network/public/cpp/network_switches.h" #include "services/network/public/cpp/resource_request.h" #include "services/network/public/mojom/fetch_api.mojom.h" #include "services/network/public/mojom/trust_tokens.mojom.h" #include "services/network/public/mojom/url_loader.mojom.h" #include "services/network/test/test_url_loader_client.h" #include "storage/browser/blob/blob_registry_impl.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" #include "third_party/blink/public/common/blob/blob_utils.h" #include "third_party/blink/public/common/fenced_frame/fenced_frame_utils.h" #include "third_party/blink/public/common/frame/fenced_frame_sandbox_flags.h" #include "third_party/blink/public/common/navigation/navigation_policy.h" #include "third_party/blink/public/mojom/blob/blob_url_store.mojom.h" #include "third_party/blink/public/mojom/choosers/file_chooser.mojom.h" #include "third_party/blink/public/mojom/fenced_frame/fenced_frame.mojom.h" #include "third_party/blink/public/mojom/frame/frame.mojom-test-utils.h" #include "third_party/blink/public/mojom/frame/frame.mojom.h" #include "third_party/blink/public/mojom/frame/remote_frame.mojom-test-utils.h" #include "third_party/blink/public/mojom/loader/mixed_content.mojom.h" IpcSecurityTestUtil; HasSubstr; Optional; namespace content { namespace { // This is a helper function for the tests which attempt to create a // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects // with the same process and routing ids, which causes a collision. // It creates a couple of windows in process 1, which causes a few routing ids // to be allocated. Then a cross-process navigation is initiated, which causes a // new process 2 to be created and have a pending RenderViewHost for it. The // routing id of the RenderViewHost which is target for a duplicate is set // into |target_routing_id| and the pending RenderFrameHost which is used for // the attempt is the return value. RenderFrameHostImpl* PrepareToDuplicateHosts(Shell* shell, net::EmbeddedTestServer* server, int* target_routing_id) { … } blink::mojom::OpenURLParamsPtr CreateOpenURLParams(const GURL& url) { … } std::unique_ptr<content::BlobHandle> CreateMemoryBackedBlob( BrowserContext* browser_context, const std::string& contents, const std::string& content_type) { … } // Constructs a WebContentsDelegate that mocks a file dialog. // Unlike content::FileChooserDelegate, this class doesn't make a response in // RunFileChooser(), and a user needs to call Choose(). class DelayedFileChooserDelegate : public WebContentsDelegate { … }; void FileChooserCallback(base::RunLoop* run_loop, blink::mojom::FileChooserResultPtr result) { … } } // namespace // The goal of these tests will be to "simulate" exploited renderer processes, // which can send arbitrary IPC messages and confuse browser process internal // state, leading to security bugs. We are trying to verify that the browser // doesn't perform any dangerous operations in such cases. class SecurityExploitBrowserTest : public ContentBrowserTest { … }; void SecurityExploitBrowserTest::TestFileChooserWithPath( const base::FilePath& path) { … } // Ensure that we kill the renderer process if we try to give it WebUI // properties and it doesn't have enabled WebUI bindings. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { … } // This is a test for crbug.com/312016 attempting to create duplicate // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves // it in a state with pending RenderViewHost. Before the commit of the new // pending RenderViewHost, this test case creates a new window through the new // process. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptDuplicateRenderViewHost) { … } // This is a test for crbug.com/444198. It tries to send a // FrameHostMsg_RunFileChooser containing an invalid path. The browser should // correctly terminate the renderer in these cases. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AttemptRunFileChoosers) { … } // A test for crbug.com/941008. // Calling OpenFileChooser() and EnumerateChosenDirectory() for a single // FileChooser instance had a problem. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, UnexpectedMethodsSequence) { … } class CorsExploitBrowserTest : public ContentBrowserTest { … }; // Test that receiving a commit with incorrect origin properly terminates the // renderer process. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, MismatchedOriginOnCommit) { … } // Test that receiving a document.open() URL update with incorrect origin // properly terminates the renderer process. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, MismatchedOriginOnDocumentOpenURLUpdate) { … } // Test that same-document navigations cannot go cross-origin (even within the // same site). IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, CrossOriginSameDocumentCommit) { … } // Test that same-document navigations cannot go cross-origin from about:blank // (even within the same site). Uses a subframe to inherit an existing origin. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, CrossOriginSameDocumentCommitFromAboutBlank) { … } // Test that same-document navigations cannot go cross-origin (even within the // same site), in the case that allow_universal_access_from_file_urls is enabled // but the last committed origin is not a file URL. See also // RenderFrameHostManagerTest.EnsureUniversalAccessFromFileSchemeSucceeds for // the intended case that file URLs are allowed to go cross-origin. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, CrossOriginSameDocumentCommitUniversalAccessNonFile) { … } // Test that receiving a commit with a URL with an invalid scheme properly // terminates the renderer process. See https://crbug.com/324934416. // TODO(crbug.com/40092527): This test can be removed once the browser // stops using cross-document URLs computed by the renderer process. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, BadUrlSchemeOnCommit) { … } // Test that receiving a same-document commit with a URL with an invalid scheme // properly terminates the renderer process. See https://crbug.com/324934416. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, BadUrlSchemeOnSameDocumentCommit) { … } namespace { // Interceptor that replaces |interface_params| with the specified // value for the first DidCommitProvisionalLoad message it observes in the given // |web_contents| while in scope. class ScopedInterfaceParamsReplacer : public DidCommitNavigationInterceptor { … }; } // namespace // Test that, as a general rule, not receiving new // DidCommitProvisionalLoadInterfaceParamsPtr for a cross-document navigation // properly terminates the renderer process. There is one exception to this // rule, see: RenderFrameHostImplBrowserTest. // InterfaceProviderRequestIsOptionalForFirstCommit. // TODO(crbug.com/40519010): when all clients are converted to use // BrowserInterfaceBroker, PendingReceiver<InterfaceProvider>-related code will // be removed. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, MissingInterfaceProviderOnNonSameDocumentCommit) { … } // Test that a compromised renderer cannot ask to upload an arbitrary file in // OpenURL. This is a regression test for https://crbug.com/726067. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, OpenUrl_ResourceRequestBody) { … } // Forging a navigation commit after the initial empty document will result in a // renderer kill, even if the URL used is about:blank. // See https://crbug.com/766262 for an example advanced case that involves // forging a frame's unique name. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, NonInitialAboutBlankRendererKill) { … } class SecurityExploitBrowserTestMojoBlobURLs : public SecurityExploitBrowserTest { … }; // Check that when site isolation is enabled, an origin can't create a blob URL // for a different origin. Similar to the test above, but checks the // mojo-based Blob URL implementation. See https://crbug.com/886976. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTestMojoBlobURLs, CreateMojoBlobURLInDifferentOrigin) { … } // Check that with site isolation enabled, an origin can't create a filesystem // URL for a different origin. See https://crbug.com/888001. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, CreateFilesystemURLInDifferentOrigin) { … } // Verify that when a compromised renderer tries to navigate a remote frame to // a disallowed URL (e.g., file URL), that navigation is blocked. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, BlockIllegalOpenURLFromRemoteFrame) { … } class RemoteFrameHostInterceptor : public blink::mojom::RemoteFrameHostInterceptorForTesting { … }; // Test verifying that a compromised renderer can't lie about the source_origin // passed along with the RouteMessageEvent() mojo message. See also // https://crbug.com/915721. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, PostMessageSourceOrigin) { … } // Test verifying that a compromised renderer can't lie about the source_origin // passed along with the RouteMessageEvent() mojo message. Similar to the test // above, but exercises a scenario where the source origin is opaque and the // precursor needs to be validated. This provides coverage for messages sent // from sandboxed frames; see https://crbug.com/40606810 and // https://crbug.com/325410297. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, PostMessageOpaqueSourceOrigin) { … } IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidRemoteNavigationInitiator) { … } class BeginNavigationInitiatorReplacer : public FrameHostInterceptor { … }; IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidBeginNavigationInitiator) { … } // Similar to the test above, but ensure that initiator origins are validated // even for opaque origins. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, InvalidBeginNavigationOpaqueInitiator) { … } IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, MissingBeginNavigationInitiator) { … } namespace { // An interceptor class that allows replacing the URL of the commit IPC from // the renderer process to the browser process. class DidCommitUrlReplacer : public DidCommitNavigationInterceptor { … }; } // namespace // Test which verifies that when an exploited renderer process sends a commit // message with URL that the process is not allowed to commit. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, DidCommitInvalidURL) { … } // Test which verifies that when an exploited renderer process sends a commit // message with URL that the process is not allowed to commit. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, DidCommitInvalidURLWithOpaqueOrigin) { … } // Test which verifies that a WebUI process cannot send a commit message with // URL for a web document. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, WebUIProcessDidCommitWebURL) { … } // Test that verifies that if a RenderFrameHost is incorrectly given WebUI // bindings the browser process crashes due to CHECK enforcements. IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, AllowBindingsForNonWebUIProcess) { … } // Tests that a web page cannot bind to a WebUI interface if a WebUI page is the // currently committed RenderFrameHost in the tab (https://crbug.com/1225929). IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, BindToWebUIFromWebViaMojo) { … } class BeginNavigationTransitionReplacer : public FrameHostInterceptor { … }; IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, NonWebbyTransition) { … } class SecurityExploitViaDisabledWebSecurityTest : public SecurityExploitBrowserTest { … }; // Test to verify that an exploited renderer process trying to specify a // non-empty URL for base_url_for_data_url on navigation is correctly // terminated. IN_PROC_BROWSER_TEST_F(SecurityExploitViaDisabledWebSecurityTest, ValidateBaseUrlForDataUrl) { … } // Test to verify that an exploited renderer process trying to specify a // empty URL for initiator_base_url on navigation is correctly terminated. IN_PROC_BROWSER_TEST_F(SecurityExploitViaDisabledWebSecurityTest, ValidateInitiatorBaseUrlNotEmpty) { … } // Tests what happens when a web renderer asks to begin navigating to a file // url. IN_PROC_BROWSER_TEST_F(SecurityExploitViaDisabledWebSecurityTest, WebToFileNavigation) { … } // Tests what happens when a web renderer asks to begin navigating to a // view-source url. IN_PROC_BROWSER_TEST_F(SecurityExploitViaDisabledWebSecurityTest, WebToViewSourceNavigation) { … } class BeginNavigationTrustTokenParamsReplacer : public FrameHostInterceptor { … }; class SecurityExploitBrowserTestWithTrustTokensEnabled : public SecurityExploitBrowserTest { … }; // Test that the browser correctly reports a bad message when a child frame // attempts to navigate with a Private State Tokens redemption operation // associated with the navigation, but its parent lacks the // private-state-token-redemption Permissions Policy feature. IN_PROC_BROWSER_TEST_F( SecurityExploitBrowserTestWithTrustTokensEnabled, BrowserForbidsTrustTokenRedemptionWithoutPermissionsPolicy) { … } // Test that the browser correctly reports a bad message when a child frame // attempts to navigate with a Private State Tokens signing operation associated // with the navigation, but its parent lacks the private-state-token-redemption // (sic) Permissions Policy feature. IN_PROC_BROWSER_TEST_F( SecurityExploitBrowserTestWithTrustTokensEnabled, BrowserForbidsTrustTokenSigningWithoutPermissionsPolicy) { … } // Test that the browser correctly reports a bad message when a child frame // attempts to navigate with a Private State Tokens issue operation // associated with the navigation, but its parent lacks the // private-state-token-issuance Permissions Policy feature. IN_PROC_BROWSER_TEST_F( SecurityExploitBrowserTestWithTrustTokensEnabled, BrowserForbidsTrustTokenIssuanceWithoutPermissionsPolicy) { … } IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTestWithTrustTokensEnabled, BrowserForbidsTrustTokenParamsOnMainFrameNav) { … } class FencedFrameSecurityExploitBrowserTestWithTrustTokensEnabled : public SecurityExploitBrowserTestWithTrustTokensEnabled { … }; class FencedFrameBeginNavigationTrustTokenParamsReplacer : public BeginNavigationTrustTokenParamsReplacer { … }; IN_PROC_BROWSER_TEST_F( FencedFrameSecurityExploitBrowserTestWithTrustTokensEnabled, BrowserForbidsTrustTokenParamsOnFencedFrameNav) { … } class SecurityExploitTestFencedFramesDisabled : public SecurityExploitBrowserTest { … }; // Ensure that we kill the renderer process if we try to create a // fenced-frame when the blink::features::kFencedFrames feature is not enabled. IN_PROC_BROWSER_TEST_F(SecurityExploitTestFencedFramesDisabled, CreateFencedFrameWhenFeatureDisabled) { … } // Ensure that we kill the renderer process if we try to do a top-level // navigation using the special _unfencedTop IPC path when we are not inside // a fenced frame. (Test from an iframe instead.) IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, UnfencedTopFromOutsideFencedFrame) { … } class SecurityExploitBrowserTestFencedFrames : public SecurityExploitBrowserTest { … }; IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTestFencedFrames, NavigateFencedFrameToInvalidURL) { … } IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTestFencedFrames, ChangeFencedFrameSandboxFlags) { … } IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTestFencedFrames, PullFocusAcrossFencedBoundary) { … } } // namespace content
Codebase Browser
chromium