blob: cf724c75c59df577929b529eb046f002e07a7327 [file] [log] [blame]
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/download/quarantine/quarantine.h"
#include <windows.h>
#include <wrl/client.h>
#include <cguid.h>
#include <objbase.h>
#include <shellapi.h>
#include <shlobj.h>
#include <shobjidl.h>
#include <wininet.h>
#include <vector>
#include "base/files/file_util.h"
#include "base/guid.h"
#include "base/logging.h"
#include "base/macros.h"
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/string_piece.h"
#include "base/strings/string_split.h"
#include "base/strings/utf_string_conversions.h"
#include "base/threading/thread_restrictions.h"
#include "base/win/scoped_handle.h"
#include "url/gurl.h"
namespace download {
namespace {
// [MS-FSCC] Section 5.6.1
const base::FilePath::CharType kZoneIdentifierStreamSuffix[] =
bool ZoneIdentifierPresentForFile(const base::FilePath& path) {
base::FilePath::StringType zone_identifier_path =
path.value() + kZoneIdentifierStreamSuffix;
base::win::ScopedHandle file(
CreateFile(zone_identifier_path.c_str(), GENERIC_READ, kShare, nullptr,
if (!file.IsValid())
return false;
// The zone identifier contents is expected to be:
// "[ZoneTransfer]\r\nZoneId=3\r\n". The actual ZoneId can be different. A
// buffer of 32 bytes is sufficient for verifying the contents.
std::vector<char> zone_identifier_contents_buffer(32);
DWORD actual_length = 0;
if (!ReadFile(file.Get(), &zone_identifier_contents_buffer.front(),
zone_identifier_contents_buffer.size(), &actual_length,
return false;
std::string zone_identifier_contents(zone_identifier_contents_buffer.begin(),
std::vector<base::StringPiece> lines =
base::SplitStringPiece(zone_identifier_contents, "\n",
return lines.size() > 1 && lines[0] == "[ZoneTransfer]" &&
lines[1].find("ZoneId=") == 0;
// Sets the Zone Identifier on the file to "Internet" (3). Returns true if the
// function succeeds, false otherwise. A failure is expected if alternate
// streams are not supported, like a file on a FAT32 filesystem. This function
// does not invoke Windows Attachment Execution Services.
// |full_path| is the path to the downloaded file.
QuarantineFileResult SetInternetZoneIdentifierDirectly(
const base::FilePath& full_path) {
std::wstring path = full_path.value() + kZoneIdentifierStreamSuffix;
HANDLE file = CreateFile(path.c_str(), GENERIC_WRITE, kShare, nullptr,
return QuarantineFileResult::ANNOTATION_FAILED;
static const char kIdentifier[] = "[ZoneTransfer]\r\nZoneId=3\r\n";
// Don't include trailing null in data written.
static const DWORD kIdentifierSize = arraysize(kIdentifier) - 1;
DWORD written = 0;
BOOL write_result =
WriteFile(file, kIdentifier, kIdentifierSize, &written, nullptr);
BOOL flush_result = FlushFileBuffers(file);
return write_result && flush_result && written == kIdentifierSize
? QuarantineFileResult::OK
: QuarantineFileResult::ANNOTATION_FAILED;
// Invokes IAttachmentExecute::Save on CLSID_AttachmentServices to validate the
// downloaded file. The call may scan the file for viruses and if necessary,
// annotate it with evidence. As a result of the validation, the file may be
// deleted. See:
// IAE::Save() will delete the file if it was found to be blocked by local
// security policy or if it was found to be infected. The call may also delete
// the file due to other failures ( A failure code will
// be returned in these cases.
// The return value is |false| iff the function fails to invoke
// IAttachmentExecute::Save(). If the function returns |true|, then the result
// of invoking IAttachmentExecute::Save() is stored in |save_result|.
// Typical |save_result| values:
// S_OK : The file was okay. If any viruses were found, they were cleaned.
// E_FAIL : Virus infected.
// INET_E_SECURITY_PROBLEM : The file was blocked due to security policy.
// Any other return value indicates an unexpected error during the scan.
// |full_path| : is the path to the downloaded file. This should be the final
// path of the download. Must be present.
// |source_url|: the source URL for the download. If empty, the source will
// be set to 'about:internet'.
// |referrer_url|: the referrer URL for the download. If empty, the referrer
// will not be set.
// |client_guid|: the GUID to be set in the IAttachmentExecute client slot.
// Used to identify the app to the system AV function.
// |save_result|: Receives the result of invoking IAttachmentExecute::Save().
bool InvokeAttachmentServices(const base::FilePath& full_path,
const std::string& source_url,
const std::string& referrer_url,
const GUID& client_guid,
HRESULT* save_result) {
Microsoft::WRL::ComPtr<IAttachmentExecute> attachment_services;
HRESULT hr = ::CoCreateInstance(CLSID_AttachmentServices, nullptr, CLSCTX_ALL,
*save_result = S_OK;
if (FAILED(hr)) {
// The thread must have COM initialized.
return false;
// Note that it is mandatory to check the return values from here on out. If
// setting one of the parameters fails, it could leave the object in a state
// where the final Save() call will also fail.
hr = attachment_services->SetClientGuid(client_guid);
if (FAILED(hr))
return false;
hr = attachment_services->SetLocalPath(full_path.value().c_str());
if (FAILED(hr))
return false;
// The source URL could be empty if it was not a valid URL, or was not HTTP/S,
// or the download was off-the-record. If so, user "about:internet" as a
// fallback URL. The latter is known to reliably map to the Internet zone.
// In addition, URLs that are longer than INTERNET_MAX_URL_LENGTH are also
// known to cause problems for URLMon. Hence also use "about:internet" in
// these cases. See
hr = attachment_services->SetSource(
source_url.empty() || source_url.size() > INTERNET_MAX_URL_LENGTH
? L"about:internet"
: base::UTF8ToWide(source_url).c_str());
if (FAILED(hr))
return false;
// Only set referrer if one is present and shorter than
// INTERNET_MAX_URL_LENGTH. Also, the source_url is authoritative for
// determining the relative danger of |full_path| so we don't consider it an
// error if we have to skip the |referrer_url|.
if (!referrer_url.empty() && referrer_url.size() < INTERNET_MAX_URL_LENGTH) {
hr = attachment_services->SetReferrer(
if (FAILED(hr))
return false;
// This method has been known to take longer than 10 seconds in some
// instances.
*save_result = attachment_services->Save();
return true;
// Maps a return code from an unsuccessful IAttachmentExecute::Save() call to a
// QuarantineFileResult.
QuarantineFileResult FailedSaveResultToQuarantineResult(HRESULT result) {
switch (result) {
case INET_E_SECURITY_PROBLEM: // 0x800c000e
// This is returned if the download was blocked due to security
// restrictions. E.g. if the source URL was in the Restricted Sites zone
// and downloads are blocked on that zone, then the download would be
// deleted and this error code is returned.
return QuarantineFileResult::BLOCKED_BY_POLICY;
case E_FAIL: // 0x80004005
// Returned if an anti-virus product reports an infection in the
// downloaded file during IAE::Save().
return QuarantineFileResult::VIRUS_INFECTED;
// Any other error that occurs during IAttachmentExecute::Save() likely
// indicates a problem with the security check, but not necessarily the
// download. This also includes cases where SUCCEEDED(result) is true. In
// the latter case we are likely dealing with a situation where the file
// is missing after a successful scan. See
return QuarantineFileResult::SECURITY_CHECK_FAILED;
} // namespace
QuarantineFileResult QuarantineFile(const base::FilePath& file,
const GURL& source_url,
const GURL& referrer_url,
const std::string& client_guid) {
int64_t file_size = 0;
if (!base::PathExists(file) || !base::GetFileSize(file, &file_size))
return QuarantineFileResult::FILE_MISSING;
std::string braces_guid = "{" + client_guid + "}";
if (base::IsValidGUID(client_guid)) {
HRESULT hr = CLSIDFromString(base::UTF8ToUTF16(braces_guid).c_str(), &guid);
if (FAILED(hr))
guid = GUID_NULL;
if (file_size == 0 || IsEqualGUID(guid, GUID_NULL)) {
// Calling InvokeAttachmentServices on an empty file can result in the file
// being deleted. Also an anti-virus scan doesn't make a lot of sense to
// perform on an empty file.
return SetInternetZoneIdentifierDirectly(file);
HRESULT save_result = S_OK;
bool attachment_services_available = InvokeAttachmentServices(
file, source_url.spec(), referrer_url.spec(), guid, &save_result);
if (!attachment_services_available)
return SetInternetZoneIdentifierDirectly(file);
// If the download file is missing after the call, then treat this as an
// interrupted download.
// If InvokeAttachmentServices() failed, but the downloaded file is still
// around, then don't interrupt the download. Attachment Execution Services
// deletes the submitted file if the downloaded file is blocked by policy or
// if it was found to be infected.
// If the file is still there, then the error could be due to Windows
// Attachment Services not being available or some other error during the AES
// invocation. In either case, we don't surface the error to the user.
if (!base::PathExists(file))
return FailedSaveResultToQuarantineResult(save_result);
return QuarantineFileResult::OK;
bool IsFileQuarantined(const base::FilePath& file,
const GURL& source_url,
const GURL& referrer_url) {
return ZoneIdentifierPresentForFile(file);
} // namespace download