1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/command_line.h" 6 #include "base/containers/hash_tables.h" 7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h" 8 #include "content/browser/dom_storage/session_storage_namespace_impl.h" 9 #include "content/browser/renderer_host/render_view_host_factory.h" 10 #include "content/browser/renderer_host/render_view_host_impl.h" 11 #include "content/browser/web_contents/web_contents_impl.h" 12 #include "content/common/view_messages.h" 13 #include "content/public/browser/browser_context.h" 14 #include "content/public/browser/notification_service.h" 15 #include "content/public/browser/notification_types.h" 16 #include "content/public/browser/storage_partition.h" 17 #include "content/public/common/content_switches.h" 18 #include "content/public/test/browser_test_utils.h" 19 #include "content/public/test/test_utils.h" 20 #include "content/shell/browser/shell.h" 21 #include "content/test/content_browser_test.h" 22 #include "content/test/content_browser_test_utils.h" 23 24 namespace content { 25 26 namespace { 27 28 // This is a helper function for the tests which attempt to create a 29 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects 30 // with the same process and routing ids, which causes a collision. 31 // It creates a couple of windows in process 1, which causes a few routing ids 32 // to be allocated. Then a cross-process navigation is initiated, which causes a 33 // new process 2 to be created and have a pending RenderViewHost for it. The 34 // routing id of the RenderViewHost which is target for a duplicate is set 35 // into |target_routing_id| and the pending RenderViewHost which is used for 36 // the attempt is the return value. 37 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell, 38 int* target_routing_id) { 39 GURL foo("http://foo.com/files/simple_page.html"); 40 41 // Start off with initial navigation, so we get the first process allocated. 42 NavigateToURL(shell, foo); 43 44 // Open another window, so we generate some more routing ids. 45 ShellAddedObserver shell2_observer; 46 EXPECT_TRUE(ExecuteScript( 47 shell->web_contents(), "window.open(document.URL + '#2');")); 48 Shell* shell2 = shell2_observer.GetShell(); 49 50 // The new window must be in the same process, but have a new routing id. 51 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(), 52 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID()); 53 *target_routing_id = 54 shell2->web_contents()->GetRenderViewHost()->GetRoutingID(); 55 EXPECT_NE(*target_routing_id, 56 shell->web_contents()->GetRenderViewHost()->GetRoutingID()); 57 58 // Now, simulate a link click coming from the renderer. 59 GURL extension_url("https://bar.com/files/simple_page.html"); 60 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents()); 61 wc->RequestOpenURL( 62 shell->web_contents()->GetRenderViewHost(), extension_url, 63 Referrer(), CURRENT_TAB, wc->GetFrameTree()->root()->frame_id(), 64 false, true); 65 66 // Since the navigation above requires a cross-process swap, there will be a 67 // pending RenderViewHost. Ensure it exists and is in a different process 68 // than the initial page. 69 RenderViewHostImpl* pending_rvh = 70 wc->GetRenderManagerForTesting()->pending_render_view_host(); 71 EXPECT_TRUE(pending_rvh != NULL); 72 EXPECT_NE(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(), 73 pending_rvh->GetProcess()->GetID()); 74 75 return pending_rvh; 76 } 77 78 } // namespace 79 80 81 // The goal of these tests will be to "simulate" exploited renderer processes, 82 // which can send arbitrary IPC messages and confuse browser process internal 83 // state, leading to security bugs. We are trying to verify that the browser 84 // doesn't perform any dangerous operations in such cases. 85 class SecurityExploitBrowserTest : public ContentBrowserTest { 86 public: 87 SecurityExploitBrowserTest() {} 88 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE { 89 ASSERT_TRUE(test_server()->Start()); 90 91 // Add a host resolver rule to map all outgoing requests to the test server. 92 // This allows us to use "real" hostnames in URLs, which we can use to 93 // create arbitrary SiteInstances. 94 command_line->AppendSwitchASCII( 95 switches::kHostResolverRules, 96 "MAP * " + test_server()->host_port_pair().ToString() + 97 ",EXCLUDE localhost"); 98 } 99 }; 100 101 // Ensure that we kill the renderer process if we try to give it WebUI 102 // properties and it doesn't have enabled WebUI bindings. 103 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { 104 GURL foo("http://foo.com/files/simple_page.html"); 105 106 NavigateToURL(shell(), foo); 107 EXPECT_EQ(0, 108 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings()); 109 110 content::WindowedNotificationObserver terminated( 111 content::NOTIFICATION_RENDERER_PROCESS_CLOSED, 112 content::NotificationService::AllSources()); 113 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty( 114 "toolkit", "views"); 115 terminated.Wait(); 116 } 117 118 // This is a test for crbug.com/312016 attempting to create duplicate 119 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves 120 // it in a state with pending RenderViewHost. Before the commit of the new 121 // pending RenderViewHost, this test case creates a new window through the new 122 // process. 123 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, 124 AttemptDuplicateRenderViewHost) { 125 int duplicate_routing_id = MSG_ROUTING_NONE; 126 RenderViewHostImpl* pending_rvh = 127 PrepareToDuplicateHosts(shell(), &duplicate_routing_id); 128 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id); 129 130 // Since this test executes on the UI thread and hopping threads might cause 131 // different timing in the test, let's simulate a CreateNewWindow call coming 132 // from the IO thread. 133 ViewHostMsg_CreateWindow_Params params; 134 DOMStorageContextWrapper* dom_storage_context = 135 static_cast<DOMStorageContextWrapper*>( 136 BrowserContext::GetStoragePartition( 137 shell()->web_contents()->GetBrowserContext(), 138 pending_rvh->GetSiteInstance())->GetDOMStorageContext()); 139 scoped_refptr<SessionStorageNamespaceImpl> session_storage( 140 new SessionStorageNamespaceImpl(dom_storage_context)); 141 // Cause a deliberate collision in routing ids. 142 int main_frame_routing_id = duplicate_routing_id + 1; 143 pending_rvh->CreateNewWindow( 144 duplicate_routing_id, main_frame_routing_id, params, session_storage); 145 146 // If the above operation doesn't cause a crash, the test has succeeded! 147 } 148 149 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts 150 // with the same process and routing ids, which causes a collision. It is almost 151 // identical to the AttemptDuplicateRenderViewHost test case. 152 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, 153 AttemptDuplicateRenderWidgetHost) { 154 int duplicate_routing_id = MSG_ROUTING_NONE; 155 RenderViewHostImpl* pending_rvh = 156 PrepareToDuplicateHosts(shell(), &duplicate_routing_id); 157 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id); 158 159 // Since this test executes on the UI thread and hopping threads might cause 160 // different timing in the test, let's simulate a CreateNewWidget call coming 161 // from the IO thread. Use the existing window routing id to cause a 162 // deliberate collision. 163 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect); 164 165 // If the above operation doesn't crash, the test has succeeded! 166 } 167 168 } // namespace content 169
