mojo/public/mojom/base/file_path.mojom - chromium/src - Git at Google

 // Copyright 2016 The Chromium Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 module mojo_base.mojom;

 // Equivalent to base::FilePath. Use sparingly as this type has a number of
 // problematic characteristics. Consider one of the options below where
 // possible.
 //
 // # When sending a FilePath to a less trustworthy process:
 // Use mojo_base.mojom.ReadOnlyFile or mojo_base.mojom.File instead, which
 // both require minimal trust in the remote process. The sender controls
 // exactly what file to open and how to open the file (e.g. read-only). It also
 // means that the less trustworthy process does not need a weaker sandbox to
 // allow it to open the specified path.
 //
 // # When sending a FilePath to a more trustworthy process:
 // The main risk is the less trustworthy sender has control over arbitrary
 // parts of the path, e.g. imagine an IPC that allows the renderer to open the
 // backing database for IndexedDB on a given origin [1]. If the IPC handler
 // incompletely sanitizes incoming paths, this could result in a compromised
 // renderer convincing the browser process / storage service to open an
 // unexpected file on its behalf like /etc/passwd.
 //
 // Instead, use:
 // - mojo_base.mojom.SafeBaseName: allows only a base name to be specified,
 //   i.e. only allows one path component: "hello.txt" is allowed but
 //   "hello/world.txt" is not.
 // - mojo_base.mojom.RelativeFilePath: safer version of mojo_base.mojom.FilePath
 //   that only allows relative paths with no ".." components.
 //
 // [1] The IndexedDB example would be even better if the parameter to specify
 // a specific database is eliminated altogether, e.g. use a Mojo interface
 // scoped to an ExecutionContext. This allows the browser process / storage
 // service to use a trustworthy origin computed only in the browser process to
 // calculate which database file to open and return to the renderer, avoiding
 // the need to trust any explicit parameters from the renderer process.
 [Stable]
 struct FilePath {
   [EnableIf=file_path_is_string]
   string path;

   // This duplicates the contents of mojo_base.mojom.String16. String16 isn't
   // used here due to typemapping dependency problems. base::FilePath is
   // used for the typemap for both variants, but std::u16string and
   // blink::String are used for mojo_base.mojom.String16 typemapping. This
   // mismatch causes problems with dependencies.
   [EnableIf=file_path_is_string16]
   array<uint16> path;
 };

 // Safer version of FilePath that only allows relative paths with no "..", since
 // path traversal components can give surprising results in combination with
 // things like IsParent().
 [Stable]
 struct RelativeFilePath {
   [EnableIf=file_path_is_string]
   string path;

   [EnableIf=file_path_is_string16]
   array<uint16> path;
 };
	// Copyright 2016 The Chromium Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	module mojo_base.mojom;

	// Equivalent to base::FilePath. Use sparingly as this type has a number of
	// problematic characteristics. Consider one of the options below where
	// possible.
	//
	// # When sending a FilePath to a less trustworthy process:
	// Use mojo_base.mojom.ReadOnlyFile or mojo_base.mojom.File instead, which
	// both require minimal trust in the remote process. The sender controls
	// exactly what file to open and how to open the file (e.g. read-only). It also
	// means that the less trustworthy process does not need a weaker sandbox to
	// allow it to open the specified path.
	//
	// # When sending a FilePath to a more trustworthy process:
	// The main risk is the less trustworthy sender has control over arbitrary
	// parts of the path, e.g. imagine an IPC that allows the renderer to open the
	// backing database for IndexedDB on a given origin [1]. If the IPC handler
	// incompletely sanitizes incoming paths, this could result in a compromised
	// renderer convincing the browser process / storage service to open an
	// unexpected file on its behalf like /etc/passwd.
	//
	// Instead, use:
	// - mojo_base.mojom.SafeBaseName: allows only a base name to be specified,
	// i.e. only allows one path component: "hello.txt" is allowed but
	// "hello/world.txt" is not.
	// - mojo_base.mojom.RelativeFilePath: safer version of mojo_base.mojom.FilePath
	// that only allows relative paths with no ".." components.
	//
	// [1] The IndexedDB example would be even better if the parameter to specify
	// a specific database is eliminated altogether, e.g. use a Mojo interface
	// scoped to an ExecutionContext. This allows the browser process / storage
	// service to use a trustworthy origin computed only in the browser process to
	// calculate which database file to open and return to the renderer, avoiding
	// the need to trust any explicit parameters from the renderer process.
	[Stable]
	struct FilePath {
	[EnableIf=file_path_is_string]
	string path;

	// This duplicates the contents of mojo_base.mojom.String16. String16 isn't
	// used here due to typemapping dependency problems. base::FilePath is
	// used for the typemap for both variants, but std::u16string and
	// blink::String are used for mojo_base.mojom.String16 typemapping. This
	// mismatch causes problems with dependencies.
	[EnableIf=file_path_is_string16]
	array<uint16> path;
	};

	// Safer version of FilePath that only allows relative paths with no "..", since
	// path traversal components can give surprising results in combination with
	// things like IsParent().
	[Stable]
	struct RelativeFilePath {
	[EnableIf=file_path_is_string]
	string path;

	[EnableIf=file_path_is_string16]
	array<uint16> path;
	};