1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
content / browser / file_system / browser_file_system_helper_unittest.cc [blame]
// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <memory>
#include <string>
#include <vector>
#include "base/files/file_path.h"
#include "base/files/scoped_temp_dir.h"
#include "base/memory/scoped_refptr.h"
#include "base/task/single_thread_task_runner.h"
#include "base/test/null_task_runner.h"
#include "content/browser/child_process_security_policy_impl.h"
#include "content/browser/file_system/browser_file_system_helper.h"
#include "content/public/common/content_client.h"
#include "content/public/common/drop_data.h"
#include "content/public/test/browser_task_environment.h"
#include "content/public/test/test_browser_context.h"
#include "content/public/test/test_utils.h"
#include "net/base/filename_util.h"
#include "storage/browser/file_system/external_mount_points.h"
#include "storage/browser/file_system/file_system_backend.h"
#include "storage/browser/file_system/file_system_options.h"
#include "storage/browser/file_system/file_system_url.h"
#include "storage/browser/file_system/isolated_context.h"
#include "storage/browser/quota/quota_manager_proxy.h"
#include "storage/common/file_system/file_system_types.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "third_party/blink/public/common/storage_key/storage_key.h"
#include "url/gurl.h"
#include "url/origin.h"
namespace content {
namespace browser_file_system_helper_unittest {
const int kRendererID = 42;
TEST(BrowserFileSystemHelperTest,
PrepareDropDataForChildProcess_FileSystemFiles) {
base::ScopedTempDir temp_dir;
ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
// We need the task environment to use a separate IO thread so that the
// ChildProcessSecurityPolicy checks which perform different logic
// based on whether they are called on the UI thread or the IO thread do the
// right thing.
BrowserTaskEnvironment task_environment{
content::BrowserTaskEnvironment::REAL_IO_THREAD};
TestBrowserContext browser_context;
ChildProcessSecurityPolicyImpl* p =
ChildProcessSecurityPolicyImpl::GetInstance();
p->AddForTesting(kRendererID, &browser_context);
// Prepare |original_file| FileSystemURL that comes from a |sensitive_origin|.
// This attempts to simulate for unit testing the drive URL from
// https://crbug.com/705295#c23.
const GURL kSensitiveOrigin(GetWebUIURL("hhaomjibdihmijegdhdafkllkbggdgoj"));
const char kMountName[] = "drive-testuser%40gmail.com-hash";
const base::FilePath kTestPath(FILE_PATH_LITERAL("root/dir/testfile.jpg"));
base::FilePath mount_path = temp_dir.GetPath().AppendASCII(kMountName);
scoped_refptr<storage::ExternalMountPoints> external_mount_points =
storage::ExternalMountPoints::CreateRefCounted();
EXPECT_TRUE(external_mount_points->RegisterFileSystem(
kMountName, storage::FileSystemType::kFileSystemTypeTest,
storage::FileSystemMountOption(), mount_path));
storage::FileSystemURL original_file =
external_mount_points->CreateExternalFileSystemURL(
blink::StorageKey::CreateFirstParty(
url::Origin::Create(kSensitiveOrigin)),
kMountName, kTestPath);
EXPECT_TRUE(original_file.is_valid());
EXPECT_EQ(kSensitiveOrigin, original_file.origin().GetURL());
// Prepare fake FileSystemContext to use in the test.
storage::FileSystemOptions file_system_options(
storage::FileSystemOptions::PROFILE_MODE_NORMAL,
/*force_in_memory=*/false, std::vector<std::string>());
auto test_file_system_context = storage::FileSystemContext::Create(
/*io_task_runner=*/base::MakeRefCounted<base::NullTaskRunner>(),
/*file_task_runner=*/base::MakeRefCounted<base::NullTaskRunner>(),
std::move(external_mount_points), /*special_storage_policy=*/nullptr,
/*quota_manager_proxy=*/nullptr,
std::vector<std::unique_ptr<storage::FileSystemBackend>>(),
std::vector<storage::URLRequestAutoMountHandler>(),
/*partition_path=*/base::FilePath(), file_system_options);
// Prepare content::DropData containing |file_system_url|.
DropData::FileSystemFileInfo filesystem_file_info;
filesystem_file_info.url = original_file.ToGURL();
filesystem_file_info.size = 123;
filesystem_file_info.filesystem_id = original_file.filesystem_id();
DropData drop_data;
drop_data.file_system_files.push_back(filesystem_file_info);
// Verify that initially no access is be granted to the |kSensitiveOrigin|.
EXPECT_FALSE(p->CanCommitURL(kRendererID, kSensitiveOrigin));
// Verify that initially no access is granted to the |original_file|.
EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, original_file));
// Invoke the API under test to grant access to |drop_data|.
PrepareDropDataForChildProcess(&drop_data, p, kRendererID,
test_file_system_context.get());
// Verify that |drop_data| is mostly unchanged.
EXPECT_EQ(0u, drop_data.filenames.size());
EXPECT_EQ(1u, drop_data.file_system_files.size());
EXPECT_EQ(123, drop_data.file_system_files[0].size);
// It is okay if |drop_data.file_system_files[0].url| and
// |drop_data.file_system_files[0].filesystem_id| change (to aid in enforcing
// proper access patterns that are verified below).
// Verify that the URL didn't change *too* much.
const GURL crack_url = drop_data.file_system_files[0].url;
storage::FileSystemURL dropped_file =
test_file_system_context->CrackURLInFirstPartyContext(crack_url);
EXPECT_TRUE(dropped_file.is_valid());
EXPECT_EQ(original_file.origin(), dropped_file.origin());
EXPECT_EQ(original_file.path().BaseName(), dropped_file.path().BaseName());
// Verify that there is still no access to |kSensitiveOrigin|.
EXPECT_FALSE(p->CanCommitURL(kRendererID, kSensitiveOrigin));
// Verify that there is still no access to |original_file|.
EXPECT_FALSE(p->CanReadFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, original_file));
EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, original_file));
// Verify that read access (and no other access) is granted for
// |dropped_file|.
EXPECT_TRUE(p->CanReadFileSystemFile(kRendererID, dropped_file));
EXPECT_FALSE(p->CanWriteFileSystemFile(kRendererID, dropped_file));
EXPECT_FALSE(p->CanCreateFileSystemFile(kRendererID, dropped_file));
EXPECT_FALSE(p->CanCopyIntoFileSystemFile(kRendererID, dropped_file));
EXPECT_FALSE(p->CanDeleteFileSystemFile(kRendererID, dropped_file));
p->Remove(kRendererID);
}
TEST(BrowserFileSystemHelperTest, PrepareDropDataForChildProcess_LocalFiles) {
// Install a custom ContentBrowserClient that overrides IsHandledURL() to
// return `true` for file URLs, just like regular Chromium would. This is
// necessary for ChildProcessSecurityPolicy::CanRequestURL() checks to work
// more accurately, since it allows URLs not destined for the browser itself
// (i.e., when IsHandledURL() returns false).
class LocalFileTestBrowserClient : public ContentBrowserClient {
public:
LocalFileTestBrowserClient() = default;
bool IsHandledURL(const GURL& url) override { return url.SchemeIsFile(); }
} test_browser_client;
auto* old_browser_client = SetBrowserClientForTesting(&test_browser_client);
base::ScopedTempDir temp_dir;
ASSERT_TRUE(temp_dir.CreateUniqueTempDir());
// We need the task environment to use a separate IO thread so that the
// ChildProcessSecurityPolicy checks which perform different logic
// based on whether they are called on the UI thread or the IO thread do the
// right thing.
BrowserTaskEnvironment task_environment{
content::BrowserTaskEnvironment::REAL_IO_THREAD};
TestBrowserContext browser_context;
ChildProcessSecurityPolicyImpl* p =
ChildProcessSecurityPolicyImpl::GetInstance();
p->AddForTesting(kRendererID, &browser_context);
// Prepare content::DropData containing some local files.
const base::FilePath kDraggedFile =
temp_dir.GetPath().AppendASCII("dragged_file.txt");
const base::FilePath kOtherFile =
temp_dir.GetPath().AppendASCII("other_file.txt");
DropData drop_data;
drop_data.filenames.push_back(ui::FileInfo(kDraggedFile, base::FilePath()));
// Verify that initially no access is granted to both |kDraggedFile| and
// |kOtherFile|.
EXPECT_FALSE(p->CanReadFile(kRendererID, kDraggedFile));
EXPECT_FALSE(p->CanReadFile(kRendererID, kOtherFile));
EXPECT_FALSE(
p->CanRequestURL(kRendererID, net::FilePathToFileURL(kDraggedFile)));
EXPECT_FALSE(
p->CanCommitURL(kRendererID, net::FilePathToFileURL(kDraggedFile)));
EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, kDraggedFile));
EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, kOtherFile));
EXPECT_FALSE(
p->CanRequestURL(kRendererID, net::FilePathToFileURL(kOtherFile)));
EXPECT_FALSE(
p->CanCommitURL(kRendererID, net::FilePathToFileURL(kOtherFile)));
// Invoke the API under test to grant access to |drop_data|.
PrepareDropDataForChildProcess(&drop_data, p, kRendererID, nullptr);
// Verify that |drop_data| is unchanged.
EXPECT_EQ(0u, drop_data.file_system_files.size());
EXPECT_EQ(1u, drop_data.filenames.size());
EXPECT_EQ(kDraggedFile, drop_data.filenames[0].path);
// Verify that read access (and no other access) is granted for
// |kDraggedFile|. The renderer should be allowed to request this file, but
// not commit it.
EXPECT_TRUE(p->CanReadFile(kRendererID, kDraggedFile));
EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, kDraggedFile));
EXPECT_TRUE(
p->CanRequestURL(kRendererID, net::FilePathToFileURL(kDraggedFile)));
EXPECT_FALSE(
p->CanCommitURL(kRendererID, net::FilePathToFileURL(kDraggedFile)));
// Verify that there is still no access for |kOtherFile|.
EXPECT_FALSE(p->CanReadFile(kRendererID, kOtherFile));
EXPECT_FALSE(p->CanCreateReadWriteFile(kRendererID, kOtherFile));
EXPECT_FALSE(
p->CanRequestURL(kRendererID, net::FilePathToFileURL(kOtherFile)));
EXPECT_FALSE(
p->CanCommitURL(kRendererID, net::FilePathToFileURL(kOtherFile)));
p->Remove(kRendererID);
SetBrowserClientForTesting(old_browser_client);
}
} // namespace browser_file_system_helper_unittest
} // namespace content