sandboxed_extension_unpacker.cc revision 513209b27ff55e2841eac0e4120199c23acce758
1// Copyright (c) 2010 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "chrome/browser/extensions/sandboxed_extension_unpacker.h" 6 7#include <set> 8 9#include "base/base64.h" 10#include "base/crypto/signature_verifier.h" 11#include "base/file_util.h" 12#include "base/file_util_proxy.h" 13#include "base/message_loop.h" 14#include "base/scoped_handle.h" 15#include "base/task.h" 16#include "base/utf_string_conversions.h" // TODO(viettrungluu): delete me. 17#include "chrome/browser/browser_thread.h" 18#include "chrome/browser/extensions/extensions_service.h" 19#include "chrome/browser/renderer_host/resource_dispatcher_host.h" 20#include "chrome/common/chrome_switches.h" 21#include "chrome/common/extensions/extension.h" 22#include "chrome/common/extensions/extension_constants.h" 23#include "chrome/common/extensions/extension_file_util.h" 24#include "chrome/common/extensions/extension_l10n_util.h" 25#include "chrome/common/extensions/extension_unpacker.h" 26#include "chrome/common/json_value_serializer.h" 27#include "gfx/codec/png_codec.h" 28#include "third_party/skia/include/core/SkBitmap.h" 29 30const char SandboxedExtensionUnpacker::kExtensionHeaderMagic[] = "Cr24"; 31 32SandboxedExtensionUnpacker::SandboxedExtensionUnpacker( 33 const FilePath& crx_path, 34 const FilePath& temp_path, 35 ResourceDispatcherHost* rdh, 36 SandboxedExtensionUnpackerClient* client) 37 : crx_path_(crx_path), temp_path_(temp_path), 38 thread_identifier_(BrowserThread::ID_COUNT), 39 rdh_(rdh), client_(client), got_response_(false) { 40} 41 42void SandboxedExtensionUnpacker::Start() { 43 // We assume that we are started on the thread that the client wants us to do 44 // file IO on. 45 CHECK(BrowserThread::GetCurrentThreadIdentifier(&thread_identifier_)); 46 47 // Create a temporary directory to work in. 48 if (!temp_dir_.CreateUniqueTempDirUnderPath(temp_path_)) { 49 ReportFailure("Could not create temporary directory."); 50 return; 51 } 52 53 // Initialize the path that will eventually contain the unpacked extension. 54 extension_root_ = temp_dir_.path().AppendASCII( 55 extension_filenames::kTempExtensionName); 56 57 // Extract the public key and validate the package. 58 if (!ValidateSignature()) 59 return; // ValidateSignature() already reported the error. 60 61 // Copy the crx file into our working directory. 62 FilePath temp_crx_path = temp_dir_.path().Append(crx_path_.BaseName()); 63 if (!file_util::CopyFile(crx_path_, temp_crx_path)) { 64 ReportFailure("Failed to copy extension file to temporary directory."); 65 return; 66 } 67 68 // If we are supposed to use a subprocess, kick off the subprocess. 69 // 70 // TODO(asargent) we shouldn't need to do this branch here - instead 71 // UtilityProcessHost should handle it for us. (http://crbug.com/19192) 72 bool use_utility_process = rdh_ && 73 !CommandLine::ForCurrentProcess()->HasSwitch(switches::kSingleProcess); 74 if (use_utility_process) { 75 // The utility process will have access to the directory passed to 76 // SandboxedExtensionUnpacker. That directory should not contain a 77 // symlink or NTFS reparse point. When the path is used, following 78 // the link/reparse point will cause file system access outside the 79 // sandbox path, and the sandbox will deny the operation. 80 FilePath link_free_crx_path; 81 if (!file_util::NormalizeFilePath(temp_crx_path, &link_free_crx_path)) { 82 LOG(ERROR) << "Could not get the normalized path of " 83 << temp_crx_path.value(); 84#if defined (OS_WIN) 85 // On windows, it is possible to mount a disk without the root of that 86 // disk having a drive letter. The sandbox does not support this. 87 // See crbug/49530 . 88 ReportFailure( 89 "Can not unpack extension. To safely unpack an extension, " 90 "there must be a path to your profile directory that starts " 91 "with a drive letter and does not contain a junction, mount " 92 "point, or symlink. No such path exists for your profile."); 93#else 94 ReportFailure( 95 "Can not unpack extension. To safely unpack an extension, " 96 "there must be a path to your profile directory that does " 97 "not contain a symlink. No such path exists for your profile."); 98#endif 99 return; 100 } 101 102 BrowserThread::PostTask( 103 BrowserThread::IO, FROM_HERE, 104 NewRunnableMethod( 105 this, 106 &SandboxedExtensionUnpacker::StartProcessOnIOThread, 107 link_free_crx_path)); 108 } else { 109 // Otherwise, unpack the extension in this process. 110 ExtensionUnpacker unpacker(temp_crx_path); 111 if (unpacker.Run() && unpacker.DumpImagesToFile() && 112 unpacker.DumpMessageCatalogsToFile()) { 113 OnUnpackExtensionSucceeded(*unpacker.parsed_manifest()); 114 } else { 115 OnUnpackExtensionFailed(unpacker.error_message()); 116 } 117 } 118} 119 120SandboxedExtensionUnpacker::~SandboxedExtensionUnpacker() { 121 base::FileUtilProxy::Delete( 122 BrowserThread::GetMessageLoopProxyForThread(thread_identifier_), 123 temp_dir_.Take(), 124 true, 125 NULL); 126} 127 128void SandboxedExtensionUnpacker::StartProcessOnIOThread( 129 const FilePath& temp_crx_path) { 130 UtilityProcessHost* host = new UtilityProcessHost( 131 rdh_, this, thread_identifier_); 132 host->StartExtensionUnpacker(temp_crx_path); 133} 134 135void SandboxedExtensionUnpacker::OnUnpackExtensionSucceeded( 136 const DictionaryValue& manifest) { 137 // Skip check for unittests. 138 if (thread_identifier_ != BrowserThread::ID_COUNT) 139 DCHECK(BrowserThread::CurrentlyOn(thread_identifier_)); 140 got_response_ = true; 141 142 scoped_ptr<DictionaryValue> final_manifest(RewriteManifestFile(manifest)); 143 if (!final_manifest.get()) 144 return; 145 146 // Create an extension object that refers to the temporary location the 147 // extension was unpacked to. We use this until the extension is finally 148 // installed. For example, the install UI shows images from inside the 149 // extension. 150 151 // Localize manifest now, so confirm UI gets correct extension name. 152 std::string error; 153 if (!extension_l10n_util::LocalizeExtension(extension_root_, 154 final_manifest.get(), 155 &error)) { 156 ReportFailure(error); 157 return; 158 } 159 160 extension_ = Extension::Create( 161 extension_root_, Extension::INTERNAL, *final_manifest, true, &error); 162 163 if (!extension_.get()) { 164 ReportFailure(std::string("Manifest is invalid: ") + error); 165 return; 166 } 167 168 if (!RewriteImageFiles()) 169 return; 170 171 if (!RewriteCatalogFiles()) 172 return; 173 174 ReportSuccess(); 175} 176 177void SandboxedExtensionUnpacker::OnUnpackExtensionFailed( 178 const std::string& error) { 179 DCHECK(BrowserThread::CurrentlyOn(thread_identifier_)); 180 got_response_ = true; 181 ReportFailure(error); 182} 183 184void SandboxedExtensionUnpacker::OnProcessCrashed() { 185 // Don't report crashes if they happen after we got a response. 186 if (got_response_) 187 return; 188 189 ReportFailure("Utility process crashed while trying to install."); 190} 191 192bool SandboxedExtensionUnpacker::ValidateSignature() { 193 ScopedStdioHandle file(file_util::OpenFile(crx_path_, "rb")); 194 if (!file.get()) { 195 ReportFailure("Could not open crx file for reading"); 196 return false; 197 } 198 199 // Read and verify the header. 200 ExtensionHeader header; 201 size_t len; 202 203 // TODO(erikkay): Yuck. I'm not a big fan of this kind of code, but it 204 // appears that we don't have any endian/alignment aware serialization 205 // code in the code base. So for now, this assumes that we're running 206 // on a little endian machine with 4 byte alignment. 207 len = fread(&header, 1, sizeof(ExtensionHeader), 208 file.get()); 209 if (len < sizeof(ExtensionHeader)) { 210 ReportFailure("Invalid crx header"); 211 return false; 212 } 213 if (strncmp(kExtensionHeaderMagic, header.magic, 214 sizeof(header.magic))) { 215 ReportFailure("Bad magic number"); 216 return false; 217 } 218 if (header.version != kCurrentVersion) { 219 ReportFailure("Bad version number"); 220 return false; 221 } 222 if (header.key_size > kMaxPublicKeySize || 223 header.signature_size > kMaxSignatureSize) { 224 ReportFailure("Excessively large key or signature"); 225 return false; 226 } 227 if (header.key_size == 0) { 228 ReportFailure("Key length is zero"); 229 return false; 230 } 231 232 std::vector<uint8> key; 233 key.resize(header.key_size); 234 len = fread(&key.front(), sizeof(uint8), header.key_size, file.get()); 235 if (len < header.key_size) { 236 ReportFailure("Invalid public key"); 237 return false; 238 } 239 240 std::vector<uint8> signature; 241 signature.resize(header.signature_size); 242 len = fread(&signature.front(), sizeof(uint8), header.signature_size, 243 file.get()); 244 if (len < header.signature_size) { 245 ReportFailure("Invalid signature"); 246 return false; 247 } 248 249 base::SignatureVerifier verifier; 250 if (!verifier.VerifyInit(extension_misc::kSignatureAlgorithm, 251 sizeof(extension_misc::kSignatureAlgorithm), 252 &signature.front(), 253 signature.size(), 254 &key.front(), 255 key.size())) { 256 ReportFailure("Signature verification initialization failed. " 257 "This is most likely caused by a public key in " 258 "the wrong format (should encode algorithm)."); 259 return false; 260 } 261 262 unsigned char buf[1 << 12]; 263 while ((len = fread(buf, 1, sizeof(buf), file.get())) > 0) 264 verifier.VerifyUpdate(buf, len); 265 266 if (!verifier.VerifyFinal()) { 267 ReportFailure("Signature verification failed"); 268 return false; 269 } 270 271 base::Base64Encode(std::string(reinterpret_cast<char*>(&key.front()), 272 key.size()), &public_key_); 273 return true; 274} 275 276void SandboxedExtensionUnpacker::ReportFailure(const std::string& error) { 277 client_->OnUnpackFailure(error); 278} 279 280void SandboxedExtensionUnpacker::ReportSuccess() { 281 // Client takes ownership of temporary directory and extension. 282 client_->OnUnpackSuccess(temp_dir_.Take(), extension_root_, extension_); 283 extension_ = NULL; 284} 285 286DictionaryValue* SandboxedExtensionUnpacker::RewriteManifestFile( 287 const DictionaryValue& manifest) { 288 // Add the public key extracted earlier to the parsed manifest and overwrite 289 // the original manifest. We do this to ensure the manifest doesn't contain an 290 // exploitable bug that could be used to compromise the browser. 291 scoped_ptr<DictionaryValue> final_manifest( 292 static_cast<DictionaryValue*>(manifest.DeepCopy())); 293 final_manifest->SetString(extension_manifest_keys::kPublicKey, public_key_); 294 295 std::string manifest_json; 296 JSONStringValueSerializer serializer(&manifest_json); 297 serializer.set_pretty_print(true); 298 if (!serializer.Serialize(*final_manifest)) { 299 ReportFailure("Error serializing manifest.json."); 300 return NULL; 301 } 302 303 FilePath manifest_path = 304 extension_root_.Append(Extension::kManifestFilename); 305 if (!file_util::WriteFile(manifest_path, 306 manifest_json.data(), manifest_json.size())) { 307 ReportFailure("Error saving manifest.json."); 308 return NULL; 309 } 310 311 return final_manifest.release(); 312} 313 314bool SandboxedExtensionUnpacker::RewriteImageFiles() { 315 ExtensionUnpacker::DecodedImages images; 316 if (!ExtensionUnpacker::ReadImagesFromFile(temp_dir_.path(), &images)) { 317 ReportFailure("Couldn't read image data from disk."); 318 return false; 319 } 320 321 // Delete any images that may be used by the browser. We're going to write 322 // out our own versions of the parsed images, and we want to make sure the 323 // originals are gone for good. 324 std::set<FilePath> image_paths = extension_->GetBrowserImages(); 325 if (image_paths.size() != images.size()) { 326 ReportFailure("Decoded images don't match what's in the manifest."); 327 return false; 328 } 329 330 for (std::set<FilePath>::iterator it = image_paths.begin(); 331 it != image_paths.end(); ++it) { 332 FilePath path = *it; 333 if (path.IsAbsolute() || path.ReferencesParent()) { 334 ReportFailure("Invalid path for browser image."); 335 return false; 336 } 337 if (!file_util::Delete(extension_root_.Append(path), false)) { 338 ReportFailure("Error removing old image file."); 339 return false; 340 } 341 } 342 343 // Write our parsed images back to disk as well. 344 for (size_t i = 0; i < images.size(); ++i) { 345 const SkBitmap& image = images[i].a; 346 FilePath path_suffix = images[i].b; 347 if (path_suffix.IsAbsolute() || path_suffix.ReferencesParent()) { 348 ReportFailure("Invalid path for bitmap image."); 349 return false; 350 } 351 FilePath path = extension_root_.Append(path_suffix); 352 353 std::vector<unsigned char> image_data; 354 // TODO(mpcomplete): It's lame that we're encoding all images as PNG, even 355 // though they may originally be .jpg, etc. Figure something out. 356 // http://code.google.com/p/chromium/issues/detail?id=12459 357 if (!gfx::PNGCodec::EncodeBGRASkBitmap(image, false, &image_data)) { 358 ReportFailure("Error re-encoding theme image."); 359 return false; 360 } 361 362 // Note: we're overwriting existing files that the utility process wrote, 363 // so we can be sure the directory exists. 364 const char* image_data_ptr = reinterpret_cast<const char*>(&image_data[0]); 365 if (!file_util::WriteFile(path, image_data_ptr, image_data.size())) { 366 ReportFailure("Error saving theme image."); 367 return false; 368 } 369 } 370 371 return true; 372} 373 374bool SandboxedExtensionUnpacker::RewriteCatalogFiles() { 375 DictionaryValue catalogs; 376 if (!ExtensionUnpacker::ReadMessageCatalogsFromFile(temp_dir_.path(), 377 &catalogs)) { 378 ReportFailure("Could not read catalog data from disk."); 379 return false; 380 } 381 382 // Write our parsed catalogs back to disk. 383 for (DictionaryValue::key_iterator key_it = catalogs.begin_keys(); 384 key_it != catalogs.end_keys(); ++key_it) { 385 DictionaryValue* catalog; 386 if (!catalogs.GetDictionaryWithoutPathExpansion(*key_it, &catalog)) { 387 ReportFailure("Invalid catalog data."); 388 return false; 389 } 390 391 // TODO(viettrungluu): Fix the |FilePath::FromWStringHack(UTF8ToWide())| 392 // hack and remove the corresponding #include. 393 FilePath relative_path = FilePath::FromWStringHack(UTF8ToWide(*key_it)); 394 relative_path = relative_path.Append(Extension::kMessagesFilename); 395 if (relative_path.IsAbsolute() || relative_path.ReferencesParent()) { 396 ReportFailure("Invalid path for catalog."); 397 return false; 398 } 399 FilePath path = extension_root_.Append(relative_path); 400 401 std::string catalog_json; 402 JSONStringValueSerializer serializer(&catalog_json); 403 serializer.set_pretty_print(true); 404 if (!serializer.Serialize(*catalog)) { 405 ReportFailure("Error serializing catalog."); 406 return false; 407 } 408 409 // Note: we're overwriting existing files that the utility process read, 410 // so we can be sure the directory exists. 411 if (!file_util::WriteFile(path, 412 catalog_json.c_str(), 413 catalog_json.size())) { 414 ReportFailure("Error saving catalog."); 415 return false; 416 } 417 } 418 419 return true; 420} 421