sandboxed_extension_unpacker.cc revision 3345a6884c488ff3a535c2c9acdd33d74b37e311
1// Copyright (c) 2010 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "chrome/browser/extensions/sandboxed_extension_unpacker.h" 6 7#include <set> 8 9#include "base/base64.h" 10#include "base/crypto/signature_verifier.h" 11#include "base/file_util.h" 12#include "base/message_loop.h" 13#include "base/scoped_handle.h" 14#include "base/task.h" 15#include "base/utf_string_conversions.h" // TODO(viettrungluu): delete me. 16#include "chrome/browser/chrome_thread.h" 17#include "chrome/browser/extensions/extensions_service.h" 18#include "chrome/browser/renderer_host/resource_dispatcher_host.h" 19#include "chrome/common/chrome_switches.h" 20#include "chrome/common/extensions/extension.h" 21#include "chrome/common/extensions/extension_constants.h" 22#include "chrome/common/extensions/extension_file_util.h" 23#include "chrome/common/extensions/extension_l10n_util.h" 24#include "chrome/common/extensions/extension_unpacker.h" 25#include "chrome/common/json_value_serializer.h" 26#include "gfx/codec/png_codec.h" 27#include "third_party/skia/include/core/SkBitmap.h" 28 29const char SandboxedExtensionUnpacker::kExtensionHeaderMagic[] = "Cr24"; 30 31SandboxedExtensionUnpacker::SandboxedExtensionUnpacker( 32 const FilePath& crx_path, 33 const FilePath& temp_path, 34 ResourceDispatcherHost* rdh, 35 SandboxedExtensionUnpackerClient* client) 36 : crx_path_(crx_path), temp_path_(temp_path), 37 thread_identifier_(ChromeThread::ID_COUNT), 38 rdh_(rdh), client_(client), got_response_(false) { 39} 40 41void SandboxedExtensionUnpacker::Start() { 42 // We assume that we are started on the thread that the client wants us to do 43 // file IO on. 44 CHECK(ChromeThread::GetCurrentThreadIdentifier(&thread_identifier_)); 45 46 // Create a temporary directory to work in. 47 if (!temp_dir_.CreateUniqueTempDirUnderPath(temp_path_)) { 48 ReportFailure("Could not create temporary directory."); 49 return; 50 } 51 52 // Initialize the path that will eventually contain the unpacked extension. 53 extension_root_ = temp_dir_.path().AppendASCII( 54 extension_filenames::kTempExtensionName); 55 56 // Extract the public key and validate the package. 57 if (!ValidateSignature()) 58 return; // ValidateSignature() already reported the error. 59 60 // Copy the crx file into our working directory. 61 FilePath temp_crx_path = temp_dir_.path().Append(crx_path_.BaseName()); 62 if (!file_util::CopyFile(crx_path_, temp_crx_path)) { 63 ReportFailure("Failed to copy extension file to temporary directory."); 64 return; 65 } 66 67 // If we are supposed to use a subprocess, kick off the subprocess. 68 // 69 // TODO(asargent) we shouldn't need to do this branch here - instead 70 // UtilityProcessHost should handle it for us. (http://crbug.com/19192) 71 bool use_utility_process = rdh_ && 72 !CommandLine::ForCurrentProcess()->HasSwitch(switches::kSingleProcess); 73 if (use_utility_process) { 74 // The utility process will have access to the directory passed to 75 // SandboxedExtensionUnpacker. That directory should not contain a 76 // symlink or NTFS reparse point. When the path is used, following 77 // the link/reparse point will cause file system access outside the 78 // sandbox path, and the sandbox will deny the operation. 79 FilePath link_free_crx_path; 80 if (!file_util::NormalizeFilePath(temp_crx_path, &link_free_crx_path)) { 81 LOG(ERROR) << "Could not get the normalized path of " 82 << temp_crx_path.value(); 83#if defined (OS_WIN) 84 // On windows, it is possible to mount a disk without the root of that 85 // disk having a drive letter. The sandbox does not support this. 86 // See crbug/49530 . 87 ReportFailure( 88 "Can not unpack extension. To safely unpack an extension, " 89 "there must be a path to your profile directory that starts " 90 "with a drive letter and does not contain a junction, mount " 91 "point, or symlink. No such path exists for your profile."); 92#else 93 ReportFailure( 94 "Can not unpack extension. To safely unpack an extension, " 95 "there must be a path to your profile directory that does " 96 "not contain a symlink. No such path exists for your profile."); 97#endif 98 return; 99 } 100 101 ChromeThread::PostTask( 102 ChromeThread::IO, FROM_HERE, 103 NewRunnableMethod( 104 this, 105 &SandboxedExtensionUnpacker::StartProcessOnIOThread, 106 link_free_crx_path)); 107 } else { 108 // Otherwise, unpack the extension in this process. 109 ExtensionUnpacker unpacker(temp_crx_path); 110 if (unpacker.Run() && unpacker.DumpImagesToFile() && 111 unpacker.DumpMessageCatalogsToFile()) { 112 OnUnpackExtensionSucceeded(*unpacker.parsed_manifest()); 113 } else { 114 OnUnpackExtensionFailed(unpacker.error_message()); 115 } 116 } 117} 118 119void SandboxedExtensionUnpacker::StartProcessOnIOThread( 120 const FilePath& temp_crx_path) { 121 UtilityProcessHost* host = new UtilityProcessHost( 122 rdh_, this, thread_identifier_); 123 host->StartExtensionUnpacker(temp_crx_path); 124} 125 126void SandboxedExtensionUnpacker::OnUnpackExtensionSucceeded( 127 const DictionaryValue& manifest) { 128 // Skip check for unittests. 129 if (thread_identifier_ != ChromeThread::ID_COUNT) 130 DCHECK(ChromeThread::CurrentlyOn(thread_identifier_)); 131 got_response_ = true; 132 133 scoped_ptr<DictionaryValue> final_manifest(RewriteManifestFile(manifest)); 134 if (!final_manifest.get()) 135 return; 136 137 // Create an extension object that refers to the temporary location the 138 // extension was unpacked to. We use this until the extension is finally 139 // installed. For example, the install UI shows images from inside the 140 // extension. 141 extension_.reset(new Extension(extension_root_)); 142 143 // Localize manifest now, so confirm UI gets correct extension name. 144 std::string error; 145 if (!extension_l10n_util::LocalizeExtension(extension_.get(), 146 final_manifest.get(), 147 &error)) { 148 ReportFailure(error); 149 return; 150 } 151 152 if (!extension_->InitFromValue(*final_manifest, true, &error)) { 153 ReportFailure(std::string("Manifest is invalid: ") + error); 154 return; 155 } 156 157 if (!RewriteImageFiles()) 158 return; 159 160 if (!RewriteCatalogFiles()) 161 return; 162 163 ReportSuccess(); 164} 165 166void SandboxedExtensionUnpacker::OnUnpackExtensionFailed( 167 const std::string& error) { 168 DCHECK(ChromeThread::CurrentlyOn(thread_identifier_)); 169 got_response_ = true; 170 ReportFailure(error); 171} 172 173void SandboxedExtensionUnpacker::OnProcessCrashed() { 174 // Don't report crashes if they happen after we got a response. 175 if (got_response_) 176 return; 177 178 ReportFailure("Utility process crashed while trying to install."); 179} 180 181bool SandboxedExtensionUnpacker::ValidateSignature() { 182 ScopedStdioHandle file(file_util::OpenFile(crx_path_, "rb")); 183 if (!file.get()) { 184 ReportFailure("Could not open crx file for reading"); 185 return false; 186 } 187 188 // Read and verify the header. 189 ExtensionHeader header; 190 size_t len; 191 192 // TODO(erikkay): Yuck. I'm not a big fan of this kind of code, but it 193 // appears that we don't have any endian/alignment aware serialization 194 // code in the code base. So for now, this assumes that we're running 195 // on a little endian machine with 4 byte alignment. 196 len = fread(&header, 1, sizeof(ExtensionHeader), 197 file.get()); 198 if (len < sizeof(ExtensionHeader)) { 199 ReportFailure("Invalid crx header"); 200 return false; 201 } 202 if (strncmp(kExtensionHeaderMagic, header.magic, 203 sizeof(header.magic))) { 204 ReportFailure("Bad magic number"); 205 return false; 206 } 207 if (header.version != kCurrentVersion) { 208 ReportFailure("Bad version number"); 209 return false; 210 } 211 if (header.key_size > kMaxPublicKeySize || 212 header.signature_size > kMaxSignatureSize) { 213 ReportFailure("Excessively large key or signature"); 214 return false; 215 } 216 if (header.key_size == 0) { 217 ReportFailure("Key length is zero"); 218 return false; 219 } 220 221 std::vector<uint8> key; 222 key.resize(header.key_size); 223 len = fread(&key.front(), sizeof(uint8), header.key_size, file.get()); 224 if (len < header.key_size) { 225 ReportFailure("Invalid public key"); 226 return false; 227 } 228 229 std::vector<uint8> signature; 230 signature.resize(header.signature_size); 231 len = fread(&signature.front(), sizeof(uint8), header.signature_size, 232 file.get()); 233 if (len < header.signature_size) { 234 ReportFailure("Invalid signature"); 235 return false; 236 } 237 238 base::SignatureVerifier verifier; 239 if (!verifier.VerifyInit(extension_misc::kSignatureAlgorithm, 240 sizeof(extension_misc::kSignatureAlgorithm), 241 &signature.front(), 242 signature.size(), 243 &key.front(), 244 key.size())) { 245 ReportFailure("Signature verification initialization failed. " 246 "This is most likely caused by a public key in " 247 "the wrong format (should encode algorithm)."); 248 return false; 249 } 250 251 unsigned char buf[1 << 12]; 252 while ((len = fread(buf, 1, sizeof(buf), file.get())) > 0) 253 verifier.VerifyUpdate(buf, len); 254 255 if (!verifier.VerifyFinal()) { 256 ReportFailure("Signature verification failed"); 257 return false; 258 } 259 260 base::Base64Encode(std::string(reinterpret_cast<char*>(&key.front()), 261 key.size()), &public_key_); 262 return true; 263} 264 265void SandboxedExtensionUnpacker::ReportFailure(const std::string& error) { 266 client_->OnUnpackFailure(error); 267} 268 269void SandboxedExtensionUnpacker::ReportSuccess() { 270 // Client takes ownership of temporary directory and extension. 271 client_->OnUnpackSuccess(temp_dir_.Take(), extension_root_, 272 extension_.release()); 273} 274 275DictionaryValue* SandboxedExtensionUnpacker::RewriteManifestFile( 276 const DictionaryValue& manifest) { 277 // Add the public key extracted earlier to the parsed manifest and overwrite 278 // the original manifest. We do this to ensure the manifest doesn't contain an 279 // exploitable bug that could be used to compromise the browser. 280 scoped_ptr<DictionaryValue> final_manifest( 281 static_cast<DictionaryValue*>(manifest.DeepCopy())); 282 final_manifest->SetString(extension_manifest_keys::kPublicKey, public_key_); 283 284 std::string manifest_json; 285 JSONStringValueSerializer serializer(&manifest_json); 286 serializer.set_pretty_print(true); 287 if (!serializer.Serialize(*final_manifest)) { 288 ReportFailure("Error serializing manifest.json."); 289 return NULL; 290 } 291 292 FilePath manifest_path = 293 extension_root_.Append(Extension::kManifestFilename); 294 if (!file_util::WriteFile(manifest_path, 295 manifest_json.data(), manifest_json.size())) { 296 ReportFailure("Error saving manifest.json."); 297 return NULL; 298 } 299 300 return final_manifest.release(); 301} 302 303bool SandboxedExtensionUnpacker::RewriteImageFiles() { 304 ExtensionUnpacker::DecodedImages images; 305 if (!ExtensionUnpacker::ReadImagesFromFile(temp_dir_.path(), &images)) { 306 ReportFailure("Couldn't read image data from disk."); 307 return false; 308 } 309 310 // Delete any images that may be used by the browser. We're going to write 311 // out our own versions of the parsed images, and we want to make sure the 312 // originals are gone for good. 313 std::set<FilePath> image_paths = extension_->GetBrowserImages(); 314 if (image_paths.size() != images.size()) { 315 ReportFailure("Decoded images don't match what's in the manifest."); 316 return false; 317 } 318 319 for (std::set<FilePath>::iterator it = image_paths.begin(); 320 it != image_paths.end(); ++it) { 321 FilePath path = *it; 322 if (path.IsAbsolute() || path.ReferencesParent()) { 323 ReportFailure("Invalid path for browser image."); 324 return false; 325 } 326 if (!file_util::Delete(extension_root_.Append(path), false)) { 327 ReportFailure("Error removing old image file."); 328 return false; 329 } 330 } 331 332 // Write our parsed images back to disk as well. 333 for (size_t i = 0; i < images.size(); ++i) { 334 const SkBitmap& image = images[i].a; 335 FilePath path_suffix = images[i].b; 336 if (path_suffix.IsAbsolute() || path_suffix.ReferencesParent()) { 337 ReportFailure("Invalid path for bitmap image."); 338 return false; 339 } 340 FilePath path = extension_root_.Append(path_suffix); 341 342 std::vector<unsigned char> image_data; 343 // TODO(mpcomplete): It's lame that we're encoding all images as PNG, even 344 // though they may originally be .jpg, etc. Figure something out. 345 // http://code.google.com/p/chromium/issues/detail?id=12459 346 if (!gfx::PNGCodec::EncodeBGRASkBitmap(image, false, &image_data)) { 347 ReportFailure("Error re-encoding theme image."); 348 return false; 349 } 350 351 // Note: we're overwriting existing files that the utility process wrote, 352 // so we can be sure the directory exists. 353 const char* image_data_ptr = reinterpret_cast<const char*>(&image_data[0]); 354 if (!file_util::WriteFile(path, image_data_ptr, image_data.size())) { 355 ReportFailure("Error saving theme image."); 356 return false; 357 } 358 } 359 360 return true; 361} 362 363bool SandboxedExtensionUnpacker::RewriteCatalogFiles() { 364 DictionaryValue catalogs; 365 if (!ExtensionUnpacker::ReadMessageCatalogsFromFile(temp_dir_.path(), 366 &catalogs)) { 367 ReportFailure("Could not read catalog data from disk."); 368 return false; 369 } 370 371 // Write our parsed catalogs back to disk. 372 for (DictionaryValue::key_iterator key_it = catalogs.begin_keys(); 373 key_it != catalogs.end_keys(); ++key_it) { 374 DictionaryValue* catalog; 375 if (!catalogs.GetDictionaryWithoutPathExpansion(*key_it, &catalog)) { 376 ReportFailure("Invalid catalog data."); 377 return false; 378 } 379 380 // TODO(viettrungluu): Fix the |FilePath::FromWStringHack(UTF8ToWide())| 381 // hack and remove the corresponding #include. 382 FilePath relative_path = FilePath::FromWStringHack(UTF8ToWide(*key_it)); 383 relative_path = relative_path.Append(Extension::kMessagesFilename); 384 if (relative_path.IsAbsolute() || relative_path.ReferencesParent()) { 385 ReportFailure("Invalid path for catalog."); 386 return false; 387 } 388 FilePath path = extension_root_.Append(relative_path); 389 390 std::string catalog_json; 391 JSONStringValueSerializer serializer(&catalog_json); 392 serializer.set_pretty_print(true); 393 if (!serializer.Serialize(*catalog)) { 394 ReportFailure("Error serializing catalog."); 395 return false; 396 } 397 398 // Note: we're overwriting existing files that the utility process read, 399 // so we can be sure the directory exists. 400 if (!file_util::WriteFile(path, 401 catalog_json.c_str(), 402 catalog_json.size())) { 403 ReportFailure("Error saving catalog."); 404 return false; 405 } 406 } 407 408 return true; 409} 410