blob: 35bb23f3a83daf1bef353c13146a5500cfcb72be [file] [log] [blame]
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "base/command_line.h"
#include "base/macros.h"
#include "base/strings/utf_string_conversions.h"
#include "base/test/histogram_tester.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/browser/ui/browser_commands.h"
#include "chrome/browser/ui/singleton_tabs.h"
#include "chrome/browser/ui/tabs/tab_strip_model.h"
#include "chrome/common/extensions/extension_process_policy.h"
#include "chrome/test/base/in_process_browser_test.h"
#include "chrome/test/base/ui_test_utils.h"
#include "content/public/browser/notification_observer.h"
#include "content/public/browser/notification_service.h"
#include "content/public/browser/notification_types.h"
#include "content/public/browser/render_frame_host.h"
#include "content/public/browser/render_process_host.h"
#include "content/public/browser/resource_request_details.h"
#include "content/public/browser/web_contents_observer.h"
#include "content/public/common/content_switches.h"
#include "content/public/test/browser_test_utils.h"
#include "net/dns/mock_host_resolver.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
// The goal of these tests is to "simulate" exploited renderer processes, which
// can send arbitrary IPC messages and confuse browser process internal state,
// leading to security bugs. We are trying to verify that the browser doesn't
// perform any dangerous operations in such cases.
// This is similar to the tests, but also
// includes chrome/ layer concepts such as extensions.
class ChromeSecurityExploitBrowserTest : public InProcessBrowserTest {
ChromeSecurityExploitBrowserTest() {}
~ChromeSecurityExploitBrowserTest() override {}
void SetUpOnMainThread() override {
host_resolver()->AddRule("*", "");
void SetUpCommandLine(base::CommandLine* command_line) override {
// Since we assume exploited renderer process, it can bypass the same origin
// policy at will. Simulate that by passing the disable-web-security flag.
ChromeExtensionResources) {
// Load a page that requests a chrome-extension:// image through XHR. We
// expect this load to fail, as it is an illegal request.
GURL foo = embedded_test_server()->GetURL("",
content::DOMMessageQueue msg_queue;
ui_test_utils::NavigateToURL(browser(), foo);
std::string status;
std::string expected_status("0");
EXPECT_STREQ(status.c_str(), expected_status.c_str());
// Extension isolation prevents a normal renderer process from being able to
// create a "blob:chrome-extension://" resource.
CreateBlobInExtensionOrigin) {
// This test relies on extensions documents running in extension processes,
// which is guaranteed with --isolate-extensions. Without it, the checks are
// not enforced and this test will time out waiting for the process to be
// killed.
if (!extensions::IsIsolateExtensionsEnabled())
embedded_test_server()->GetURL("", "/title1.html"));
content::RenderFrameHost* rfh =
// All these are attacker controlled values. The UUID is arbitrary.
std::string blob_id = "2ce53a26-0409-45a3-86e5-f8fb9f5566d8";
std::string blob_type = "text/html";
std::string blob_contents = "<script>chrome.extensions</script>";
std::string blob_path = "5881f76e-10d2-410d-8c61-ef210502acfd";
// Target the bookmark manager extension.
std::string target_origin =
// Set up a blob ID and populate it with attacker-controlled value. This
// message is allowed, because this data is not in any origin.
rfh->GetProcess(), blob_id, blob_type, "", blob_contents);
// This IPC should result in a kill because |target_origin| is not commitable
// in |rfh->GetProcess()|.
base::HistogramTester histograms;
content::RenderProcessHostWatcher crash_observer(
rfh->GetProcess(), GURL("blob:" + target_origin + "/" + blob_path),
// If the process is killed, this test passes.
histograms.ExpectUniqueSample("Stability.BadMessageTerminated.Content", 139,
// Extension isolation prevents a normal renderer process from being able to
// create a "filesystem:chrome-extension://sdgkjaghsdg/temporary/" resource.
CreateFilesystemURLInExtensionOrigin) {
GURL page_url =
embedded_test_server()->GetURL("", "/title1.html");
ui_test_utils::NavigateToURL(browser(), page_url);
content::RenderFrameHost* rfh =
// Block the renderer on operation that never completes, to shield it from
// receiving unexpected browser->renderer IPCs that might CHECK.
base::ASCIIToUTF16("var r = new XMLHttpRequest();"
"'GET', '/slow?99999', false);"
"while (1);"));
// JS code that the attacker would like to run in an extension process.
std::string payload = "<html><body>pwned.</body></html>";
std::string payload_type = "text/html";
// Target the bookmark manager extension.
std::string target_origin =
// Set up a blob ID and populate it with the attacker-controlled payload.
// This is allowed, because this data is not in any origin;
// the UUID is arbitrary.
std::string blob_id = "2ce53a26-0409-45a3-86e5-f8fb9f5566d8";
content::PwnMessageHelper::CreateBlobWithPayload(rfh->GetProcess(), blob_id,
payload_type, "", payload);
// Note: a well-behaved renderer would always send the following message here,
// but it's actually not necessary for the original attack to succeed, so we
// omit it. As a result there are some log warnings from the quota observer.
// IPC::IpcSecurityTestUtil::PwnMessageReceived(
// rfh->GetProcess()->GetChannel(),
// FileSystemHostMsg_OpenFileSystem(22, GURL(target_origin),
// storage::kFileSystemTypeTemporary));
GURL target_url =
GURL("filesystem:" + target_origin + "temporary/exploit.html");
content::PwnMessageHelper::FileSystemCreate(rfh->GetProcess(), 23, target_url,
false, false, false);
// Write the blob into the file. If successful, this places an
// attacker-controlled value in a resource on the extension origin.
content::PwnMessageHelper::FileSystemWrite(rfh->GetProcess(), 24, target_url,
blob_id, 0);
// Now navigate to |target_url| in a new tab. It should not contain |payload|.
AddTabAtIndex(0, target_url, ui::PAGE_TRANSITION_TYPED);
rfh = browser()->tab_strip_model()->GetActiveWebContents()->GetMainFrame();
EXPECT_EQ(GURL(target_origin), rfh->GetSiteInstance()->GetSiteURL());
std::string body;
rfh, "window.domAutomationController.send(document.body.innerText);",
if (extensions::IsIsolateExtensionsEnabled()) {
"\nYour file was not found\n\n"
"It may have been moved or deleted.\n"
} else {
// Without --isolate-extensions, the above steps must succeed, since
// unblessed extension frames are allowed in ordinary renderer processes.
EXPECT_EQ("pwned.", body);