1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "base/command_line.h" 6 #include "base/containers/hash_tables.h" 7 #include "content/browser/dom_storage/dom_storage_context_wrapper.h" 8 #include "content/browser/dom_storage/session_storage_namespace_impl.h" 9 #include "content/browser/frame_host/navigator.h" 10 #include "content/browser/renderer_host/render_view_host_factory.h" 11 #include "content/browser/renderer_host/render_view_host_impl.h" 12 #include "content/browser/web_contents/web_contents_impl.h" 13 #include "content/common/view_messages.h" 14 #include "content/public/browser/browser_context.h" 15 #include "content/public/browser/storage_partition.h" 16 #include "content/public/common/content_switches.h" 17 #include "content/public/test/browser_test_utils.h" 18 #include "content/public/test/content_browser_test.h" 19 #include "content/public/test/content_browser_test_utils.h" 20 #include "content/public/test/test_utils.h" 21 #include "content/shell/browser/shell.h" 22 23 namespace content { 24 25 namespace { 26 27 // This is a helper function for the tests which attempt to create a 28 // duplicate RenderViewHost or RenderWidgetHost. It tries to create two objects 29 // with the same process and routing ids, which causes a collision. 30 // It creates a couple of windows in process 1, which causes a few routing ids 31 // to be allocated. Then a cross-process navigation is initiated, which causes a 32 // new process 2 to be created and have a pending RenderViewHost for it. The 33 // routing id of the RenderViewHost which is target for a duplicate is set 34 // into |target_routing_id| and the pending RenderViewHost which is used for 35 // the attempt is the return value. 36 RenderViewHostImpl* PrepareToDuplicateHosts(Shell* shell, 37 int* target_routing_id) { 38 GURL foo("http://foo.com/files/simple_page.html"); 39 40 // Start off with initial navigation, so we get the first process allocated. 41 NavigateToURL(shell, foo); 42 43 // Open another window, so we generate some more routing ids. 44 ShellAddedObserver shell2_observer; 45 EXPECT_TRUE(ExecuteScript( 46 shell->web_contents(), "window.open(document.URL + '#2');")); 47 Shell* shell2 = shell2_observer.GetShell(); 48 49 // The new window must be in the same process, but have a new routing id. 50 EXPECT_EQ(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(), 51 shell2->web_contents()->GetRenderViewHost()->GetProcess()->GetID()); 52 *target_routing_id = 53 shell2->web_contents()->GetRenderViewHost()->GetRoutingID(); 54 EXPECT_NE(*target_routing_id, 55 shell->web_contents()->GetRenderViewHost()->GetRoutingID()); 56 57 // Now, simulate a link click coming from the renderer. 58 GURL extension_url("https://bar.com/files/simple_page.html"); 59 WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell->web_contents()); 60 wc->GetFrameTree()->root()->navigator()->RequestOpenURL( 61 wc->GetFrameTree()->root()->current_frame_host(), extension_url, 62 Referrer(), CURRENT_TAB, 63 false, true); 64 65 // Since the navigation above requires a cross-process swap, there will be a 66 // pending RenderViewHost. Ensure it exists and is in a different process 67 // than the initial page. 68 RenderViewHostImpl* pending_rvh = 69 wc->GetRenderManagerForTesting()->pending_render_view_host(); 70 EXPECT_TRUE(pending_rvh != NULL); 71 EXPECT_NE(shell->web_contents()->GetRenderViewHost()->GetProcess()->GetID(), 72 pending_rvh->GetProcess()->GetID()); 73 74 return pending_rvh; 75 } 76 77 } // namespace 78 79 80 // The goal of these tests will be to "simulate" exploited renderer processes, 81 // which can send arbitrary IPC messages and confuse browser process internal 82 // state, leading to security bugs. We are trying to verify that the browser 83 // doesn't perform any dangerous operations in such cases. 84 class SecurityExploitBrowserTest : public ContentBrowserTest { 85 public: 86 SecurityExploitBrowserTest() {} 87 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE { 88 ASSERT_TRUE(test_server()->Start()); 89 90 // Add a host resolver rule to map all outgoing requests to the test server. 91 // This allows us to use "real" hostnames in URLs, which we can use to 92 // create arbitrary SiteInstances. 93 command_line->AppendSwitchASCII( 94 switches::kHostResolverRules, 95 "MAP * " + test_server()->host_port_pair().ToString() + 96 ",EXCLUDE localhost"); 97 } 98 }; 99 100 // Ensure that we kill the renderer process if we try to give it WebUI 101 // properties and it doesn't have enabled WebUI bindings. 102 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, SetWebUIProperty) { 103 GURL foo("http://foo.com/files/simple_page.html"); 104 105 NavigateToURL(shell(), foo); 106 EXPECT_EQ(0, 107 shell()->web_contents()->GetRenderViewHost()->GetEnabledBindings()); 108 109 content::RenderProcessHostWatcher terminated( 110 shell()->web_contents(), 111 content::RenderProcessHostWatcher::WATCH_FOR_PROCESS_EXIT); 112 shell()->web_contents()->GetRenderViewHost()->SetWebUIProperty( 113 "toolkit", "views"); 114 terminated.Wait(); 115 } 116 117 // This is a test for crbug.com/312016 attempting to create duplicate 118 // RenderViewHosts. SetupForDuplicateHosts sets up this test case and leaves 119 // it in a state with pending RenderViewHost. Before the commit of the new 120 // pending RenderViewHost, this test case creates a new window through the new 121 // process. 122 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, 123 AttemptDuplicateRenderViewHost) { 124 int duplicate_routing_id = MSG_ROUTING_NONE; 125 RenderViewHostImpl* pending_rvh = 126 PrepareToDuplicateHosts(shell(), &duplicate_routing_id); 127 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id); 128 129 // Since this test executes on the UI thread and hopping threads might cause 130 // different timing in the test, let's simulate a CreateNewWindow call coming 131 // from the IO thread. 132 ViewHostMsg_CreateWindow_Params params; 133 DOMStorageContextWrapper* dom_storage_context = 134 static_cast<DOMStorageContextWrapper*>( 135 BrowserContext::GetStoragePartition( 136 shell()->web_contents()->GetBrowserContext(), 137 pending_rvh->GetSiteInstance())->GetDOMStorageContext()); 138 scoped_refptr<SessionStorageNamespaceImpl> session_storage( 139 new SessionStorageNamespaceImpl(dom_storage_context)); 140 // Cause a deliberate collision in routing ids. 141 int main_frame_routing_id = duplicate_routing_id + 1; 142 pending_rvh->CreateNewWindow( 143 duplicate_routing_id, main_frame_routing_id, params, session_storage); 144 145 // If the above operation doesn't cause a crash, the test has succeeded! 146 } 147 148 // This is a test for crbug.com/312016. It tries to create two RenderWidgetHosts 149 // with the same process and routing ids, which causes a collision. It is almost 150 // identical to the AttemptDuplicateRenderViewHost test case. 151 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, 152 AttemptDuplicateRenderWidgetHost) { 153 int duplicate_routing_id = MSG_ROUTING_NONE; 154 RenderViewHostImpl* pending_rvh = 155 PrepareToDuplicateHosts(shell(), &duplicate_routing_id); 156 EXPECT_NE(MSG_ROUTING_NONE, duplicate_routing_id); 157 158 // Since this test executes on the UI thread and hopping threads might cause 159 // different timing in the test, let's simulate a CreateNewWidget call coming 160 // from the IO thread. Use the existing window routing id to cause a 161 // deliberate collision. 162 pending_rvh->CreateNewWidget(duplicate_routing_id, blink::WebPopupTypeSelect); 163 164 // If the above operation doesn't crash, the test has succeeded! 165 } 166 167 } // namespace content 168
