| // Copyright 2024 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/extensions/api/messaging/launch_context.h" |
| |
| #include <windows.h> |
| |
| #include <shellapi.h> |
| |
| #include <string> |
| #include <utility> |
| |
| #include "base/check.h" |
| #include "base/containers/span.h" |
| #include "base/files/file.h" |
| #include "base/files/file_path.h" |
| #include "base/functional/bind.h" |
| #include "base/functional/callback.h" |
| #include "base/location.h" |
| #include "base/logging.h" |
| #include "base/numerics/safe_conversions.h" |
| #include "base/process/launch.h" |
| #include "base/process/process.h" |
| #include "base/strings/strcat.h" |
| #include "base/strings/string_util.h" |
| #include "base/strings/stringprintf.h" |
| #include "base/strings/utf_string_conversions.h" |
| #include "base/task/sequenced_task_runner.h" |
| #include "base/time/time.h" |
| #include "base/win/registry.h" |
| #include "base/win/scoped_handle.h" |
| #include "build/branding_buildflags.h" |
| #include "crypto/random.h" |
| #include "net/base/file_stream.h" |
| #include "net/base/net_errors.h" |
| |
| namespace extensions { |
| |
| namespace { |
| |
| // Reads path to the native messaging host manifest from a specific subkey in |
| // the registry. Returns false if the path isn't found. |
| bool GetManifestPathWithFlagsFromSubkey(HKEY root_key, |
| DWORD flags, |
| const wchar_t* subkey, |
| const std::wstring& host_name, |
| std::wstring* result) { |
| base::win::RegKey key; |
| |
| return key.Open(root_key, subkey, KEY_QUERY_VALUE | flags) == ERROR_SUCCESS && |
| key.OpenKey(host_name.c_str(), KEY_QUERY_VALUE | flags) == |
| ERROR_SUCCESS && |
| key.ReadValue(nullptr, result) == ERROR_SUCCESS; |
| } |
| |
| // Reads path to the native messaging host manifest from the registry. Returns |
| // false if the path isn't found. |
| bool GetManifestPathWithFlags(HKEY root_key, |
| DWORD flags, |
| const std::wstring& host_name, |
| std::wstring* result) { |
| #if BUILDFLAG(CHROMIUM_BRANDING) |
| static constexpr wchar_t kChromiumNativeMessagingRegistryKey[] = |
| L"SOFTWARE\\Chromium\\NativeMessagingHosts"; |
| |
| // Try to read the path using the Chromium-specific registry for Chromium. |
| // If that fails, fallback to Chrome-specific registry key below. |
| if (GetManifestPathWithFlagsFromSubkey(root_key, flags, |
| kChromiumNativeMessagingRegistryKey, |
| host_name, result)) { |
| return true; |
| } |
| #endif |
| |
| static constexpr wchar_t kChromeNativeMessagingRegistryKey[] = |
| L"SOFTWARE\\Google\\Chrome\\NativeMessagingHosts"; |
| |
| return GetManifestPathWithFlagsFromSubkey( |
| root_key, flags, kChromeNativeMessagingRegistryKey, host_name, result); |
| } |
| |
| bool GetManifestPath(HKEY root_key, |
| const std::wstring& host_name, |
| std::wstring* result) { |
| // First check 32-bit registry and then try 64-bit. |
| return GetManifestPathWithFlags(root_key, KEY_WOW64_32KEY, host_name, |
| result) || |
| GetManifestPathWithFlags(root_key, KEY_WOW64_64KEY, host_name, result); |
| } |
| |
| // If the Host is an executable, we will invoke it directly to avoid problems |
| // if CMD.exe is unavailable due to OS policy or other configuration issues |
| // on the client. See https://crbug.com/335558 for details. |
| base::Process LaunchNativeExeDirectly(const std::wstring& command, |
| base::LaunchOptions& options, |
| const std::wstring& in_pipe_name, |
| const std::wstring& out_pipe_name) { |
| // When calling the Host executable directly, we must first wrap our Named |
| // Pipes into HANDLEs returned from CreateFileW(). We must configure the |
| // handle's security attributes to allow the file handle to be inherited |
| // into the launched process. |
| SECURITY_ATTRIBUTES sa_attr = {}; |
| sa_attr.nLength = sizeof(SECURITY_ATTRIBUTES); |
| sa_attr.bInheritHandle = TRUE; |
| sa_attr.lpSecurityDescriptor = nullptr; |
| |
| base::win::ScopedHandle stdout_file( |
| ::CreateFileW(out_pipe_name.c_str(), FILE_WRITE_DATA | SYNCHRONIZE, 0, |
| &sa_attr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)); |
| if (!stdout_file.IsValid()) { |
| LOG(ERROR) << "Failed to open write handle for stdout."; |
| return base::Process(); |
| } |
| |
| base::win::ScopedHandle stdin_file( |
| ::CreateFileW(in_pipe_name.c_str(), FILE_READ_DATA | SYNCHRONIZE, 0, |
| &sa_attr, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0)); |
| if (!stdin_file.IsValid()) { |
| LOG(ERROR) << "Failed to open read handle for stdin."; |
| return base::Process(); |
| } |
| |
| options.stdin_handle = stdin_file.Get(); |
| options.stdout_handle = stdout_file.Get(); |
| options.stderr_handle = ::GetStdHandle(STD_ERROR_HANDLE); |
| options.handles_to_inherit.push_back(options.stdin_handle); |
| options.handles_to_inherit.push_back(options.stdout_handle); |
| |
| // Inherit Chrome's STD_ERROR_HANDLE, if set, into the Native Host. If Chrome |
| // was not started with standard error redirected, this value will be null. |
| if (options.stderr_handle != NULL) { |
| options.handles_to_inherit.push_back(options.stderr_handle); |
| } |
| |
| return base::LaunchProcess(command, options); |
| } |
| |
| // For non-executable Hosts, we will use the legacy approach whereby we |
| // invoke CMD.exe and instruct it to launch the Host, passing references to |
| // our Named Pipes. |
| base::Process LaunchNativeHostViaCmd(const std::wstring& command, |
| base::LaunchOptions& options, |
| const std::wstring& in_pipe_name, |
| const std::wstring& out_pipe_name) { |
| DWORD comspec_length = ::GetEnvironmentVariable(L"COMSPEC", NULL, 0); |
| if (comspec_length == 0) { |
| LOG(ERROR) << "COMSPEC is not set"; |
| return base::Process(); |
| } |
| std::wstring comspec; |
| ::GetEnvironmentVariable( |
| L"COMSPEC", base::WriteInto(&comspec, comspec_length), comspec_length); |
| |
| return base::LaunchProcess( |
| base::StrCat({comspec, L" /d /s /c \"", command, L"\" < ", in_pipe_name, |
| L" > ", out_pipe_name}), |
| options); |
| } |
| |
| } // namespace |
| |
| // static |
| base::FilePath LaunchContext::FindManifest(const std::string& host_name, |
| bool allow_user_level_hosts, |
| std::string& error_message) { |
| std::wstring host_name_wide = base::UTF8ToWide(host_name); |
| |
| // If permitted, look in HKEY_CURRENT_USER first. If the manifest isn't found |
| // there, then try HKEY_LOCAL_MACHINE. https://crbug.com/1034919#c6 |
| std::wstring path_str; |
| bool found = false; |
| if (allow_user_level_hosts) { |
| found = GetManifestPath(HKEY_CURRENT_USER, host_name_wide, &path_str); |
| } |
| if (!found) { |
| found = GetManifestPath(HKEY_LOCAL_MACHINE, host_name_wide, &path_str); |
| } |
| |
| if (!found) { |
| error_message = |
| "Native messaging host " + host_name + " is not registered."; |
| return base::FilePath(); |
| } |
| |
| base::FilePath manifest_path(path_str); |
| if (!manifest_path.IsAbsolute()) { |
| error_message = "Path to native messaging host manifest must be absolute."; |
| return base::FilePath(); |
| } |
| |
| return manifest_path; |
| } |
| |
| // static |
| std::optional<LaunchContext::ProcessState> LaunchContext::LaunchNativeProcess( |
| const base::CommandLine& command_line, |
| bool native_hosts_executables_launch_directly) { |
| // Timeout for the IO pipes. |
| const DWORD kTimeoutMs = 5000; |
| |
| // Windows will use default buffer size when 0 is passed to |
| // CreateNamedPipeW(). |
| const DWORD kBufferSize = 0; |
| |
| if (!command_line.GetProgram().IsAbsolute()) { |
| LOG(ERROR) << "Native Messaging host path must be absolute."; |
| return std::nullopt; |
| } |
| |
| uint64_t pipe_name_token; |
| crypto::RandBytes(base::byte_span_from_ref(pipe_name_token)); |
| const std::wstring pipe_name_token_str = |
| base::ASCIIToWide(base::StringPrintf("%llx", pipe_name_token)); |
| const std::wstring out_pipe_name = |
| L"\\\\.\\pipe\\chrome.nativeMessaging.out." + pipe_name_token_str; |
| const std::wstring in_pipe_name = |
| L"\\\\.\\pipe\\chrome.nativeMessaging.in." + pipe_name_token_str; |
| |
| // Create the pipes to read and write from. |
| base::win::ScopedHandle stdout_pipe(::CreateNamedPipeW( |
| out_pipe_name.c_str(), |
| PIPE_ACCESS_INBOUND | FILE_FLAG_OVERLAPPED | |
| FILE_FLAG_FIRST_PIPE_INSTANCE, |
| PIPE_TYPE_BYTE, 1, kBufferSize, kBufferSize, kTimeoutMs, NULL)); |
| if (!stdout_pipe.IsValid()) { |
| LOG(ERROR) << "Failed to create pipe " << out_pipe_name; |
| return std::nullopt; |
| } |
| |
| base::win::ScopedHandle stdin_pipe(::CreateNamedPipeW( |
| in_pipe_name.c_str(), |
| PIPE_ACCESS_OUTBOUND | FILE_FLAG_OVERLAPPED | |
| FILE_FLAG_FIRST_PIPE_INSTANCE, |
| PIPE_TYPE_BYTE, 1, kBufferSize, kBufferSize, kTimeoutMs, NULL)); |
| if (!stdin_pipe.IsValid()) { |
| LOG(ERROR) << "Failed to create pipe " << in_pipe_name; |
| return std::nullopt; |
| } |
| |
| std::wstring command = command_line.GetCommandLineString(); |
| base::LaunchOptions options; |
| options.current_directory = command_line.GetProgram().DirName(); |
| options.start_hidden = true; |
| |
| const bool use_direct_launch = |
| native_hosts_executables_launch_directly && |
| command_line.GetProgram().MatchesFinalExtension(L".exe"); |
| |
| base::Process launched_process; |
| if (use_direct_launch) { |
| // Compat: If the target is SUBSYSTEM_WINDOWS, then don't set |start_hidden| |
| // in order to mimic legacy behavior: https://crbug.com/1442359. |
| // A Windows executable will have LOWORD of 0x4550. A GUI executable will |
| // have a non-Zero HIWORD while a console executable will have a 0 HIWORD. |
| uintptr_t exe_type = ::SHGetFileInfoW( |
| command_line.GetProgram().value().c_str(), 0, NULL, 0, SHGFI_EXETYPE); |
| if ((LOWORD(exe_type) == 0x4550) && (HIWORD(exe_type) != 0)) { |
| options.start_hidden = false; |
| } |
| |
| launched_process = |
| LaunchNativeExeDirectly(command, options, in_pipe_name, out_pipe_name); |
| } else { |
| launched_process = |
| LaunchNativeHostViaCmd(command, options, in_pipe_name, out_pipe_name); |
| } |
| |
| if (!launched_process.IsValid()) { |
| LOG(ERROR) << "Error launching process " |
| << command_line.GetProgram().MaybeAsASCII(); |
| return std::nullopt; |
| } |
| |
| return ProcessState(std::move(launched_process), std::move(stdout_pipe), |
| std::move(stdin_pipe)); |
| } |
| |
| void LaunchContext::ConnectPipes(base::ScopedPlatformFile read_file, |
| base::ScopedPlatformFile write_file) { |
| DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); |
| CHECK(native_process_.IsValid()); |
| |
| read_stream_ = std::make_unique<net::FileStream>( |
| base::File(std::move(read_file), /*async=*/true), |
| background_task_runner_); |
| write_stream_ = std::make_unique<net::FileStream>( |
| base::File(std::move(write_file), /*async=*/true), |
| background_task_runner_); |
| |
| const int read_result = read_stream_->ConnectNamedPipe( |
| base::BindOnce(&LaunchContext::OnReadStreamConnectResult, GetWeakPtr())); |
| const int write_result = write_stream_->ConnectNamedPipe( |
| base::BindOnce(&LaunchContext::OnWriteStreamConnectResult, GetWeakPtr())); |
| |
| read_pipe_connected_ = read_result == net::OK; |
| write_pipe_connected_ = write_result == net::OK; |
| |
| if ((!read_pipe_connected_ && read_result != net::ERR_IO_PENDING) || |
| (!write_pipe_connected_ && write_result != net::ERR_IO_PENDING)) { |
| // Failed connecting to one of the pipes to talk to the host. |
| OnFailure(NativeProcessLauncher::RESULT_FAILED_TO_START); |
| return; |
| } |
| |
| if (read_pipe_connected_ && write_pipe_connected_) { |
| // The host has already connected to both pipes. |
| OnSuccess(base::kInvalidPlatformFile, std::move(read_stream_), |
| std::move(write_stream_)); |
| return; |
| } |
| |
| // Wait for calls to one or both of the StreamConnectResult methods once the |
| // connect operation(s) complete. In the meantime, watch the host process to |
| // make sure it doesn't tip over while waiting. |
| process_watcher_.StartWatchingOnce(native_process_.Handle(), this); |
| } |
| |
| void LaunchContext::OnReadStreamConnectResult(int net_error) { |
| DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); |
| if (net_error != net::OK) { |
| // Failed to connect. |
| OnFailure(NativeProcessLauncher::RESULT_FAILED_TO_START); |
| return; |
| } |
| // The host has connected to the read pipe. |
| read_pipe_connected_ = true; |
| OnPipeConnected(); |
| } |
| |
| void LaunchContext::OnWriteStreamConnectResult(int net_error) { |
| DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); |
| if (net_error != net::OK) { |
| // Failed to connect. |
| OnFailure(NativeProcessLauncher::RESULT_FAILED_TO_START); |
| return; |
| } |
| // The host has connected to the write pipe. |
| write_pipe_connected_ = true; |
| OnPipeConnected(); |
| } |
| |
| void LaunchContext::OnPipeConnected() { |
| DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); |
| if (!read_pipe_connected_ || !write_pipe_connected_) { |
| return; // At least one pipe's result is still outstanding. |
| } |
| process_watcher_.StopWatching(); |
| OnSuccess(base::kInvalidPlatformFile, std::move(read_stream_), |
| std::move(write_stream_)); |
| } |
| |
| void LaunchContext::OnObjectSignaled(HANDLE object) { |
| DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_); |
| // The host process has terminated unexpectedly. |
| CHECK_EQ(object, native_process_.Handle()); |
| int exit_code = 0; // EXIT_SUCCESS |
| if (native_process_.WaitForExitWithTimeout({}, &exit_code)) { |
| LOG(ERROR) << "Native Messaging host process exited with code " |
| << exit_code; |
| } else { |
| LOG(ERROR) << "Native Messaging host process exited unexpectedly"; |
| } |
| OnFailure(NativeProcessLauncher::RESULT_FAILED_TO_START); |
| } |
| |
| } // namespace extensions |
