1// Copyright 2013 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "extensions/common/csp_validator.h"
6
7#include <vector>
8
9#include "base/strings/string_split.h"
10#include "base/strings/string_tokenizer.h"
11#include "base/strings/string_util.h"
12#include "content/public/common/url_constants.h"
13#include "extensions/common/constants.h"
14#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
15
16namespace extensions {
17
18namespace csp_validator {
19
20namespace {
21
22const char kDefaultSrc[] = "default-src";
23const char kScriptSrc[] = "script-src";
24const char kObjectSrc[] = "object-src";
25
26const char kSandboxDirectiveName[] = "sandbox";
27const char kAllowSameOriginToken[] = "allow-same-origin";
28const char kAllowTopNavigation[] = "allow-top-navigation";
29
30struct DirectiveStatus {
31  explicit DirectiveStatus(const char* name)
32    : directive_name(name)
33    , seen_in_policy(false)
34    , is_secure(false) {
35  }
36
37  const char* directive_name;
38  bool seen_in_policy;
39  bool is_secure;
40};
41
42// Returns whether |url| starts with |scheme_and_separator| and does not have a
43// too permissive wildcard host name. If |should_check_rcd| is true, then the
44// Public suffix list is used to exclude wildcard TLDs such as "https://*.org".
45bool isNonWildcardTLD(const std::string& url,
46                      const std::string& scheme_and_separator,
47                      bool should_check_rcd) {
48  if (!StartsWithASCII(url, scheme_and_separator, true))
49    return false;
50
51  size_t start_of_host = scheme_and_separator.length();
52
53  size_t end_of_host = url.find("/", start_of_host);
54  if (end_of_host == std::string::npos)
55    end_of_host = url.size();
56
57  // Note: It is sufficient to only compare the first character against '*'
58  // because the CSP only allows wildcards at the start of a directive, see
59  // host-source and host-part at http://www.w3.org/TR/CSP2/#source-list-syntax
60  bool is_wildcard_subdomain = end_of_host > start_of_host + 2 &&
61      url[start_of_host] == '*' && url[start_of_host + 1] == '.';
62  if (is_wildcard_subdomain)
63    start_of_host += 2;
64
65  size_t start_of_port = url.rfind(":", end_of_host);
66  // The ":" check at the end of the following condition is used to avoid
67  // treating the last part of an IPv6 address as a port.
68  if (start_of_port > start_of_host && url[start_of_port - 1] != ':') {
69    bool is_valid_port = false;
70    // Do a quick sanity check. The following check could mistakenly flag
71    // ":123456" or ":****" as valid, but that does not matter because the
72    // relaxing CSP directive will just be ignored by Blink.
73    for (size_t i = start_of_port + 1; i < end_of_host; ++i) {
74      is_valid_port = IsAsciiDigit(url[i]) || url[i] == '*';
75      if (!is_valid_port)
76        break;
77    }
78    if (is_valid_port)
79      end_of_host = start_of_port;
80  }
81
82  std::string host(url, start_of_host, end_of_host - start_of_host);
83  // Global wildcards are not allowed.
84  if (host.empty() || host.find("*") != std::string::npos)
85    return false;
86
87  if (!is_wildcard_subdomain || !should_check_rcd)
88    return true;
89
90  // Allow *.googleapis.com to be whitelisted for backwards-compatibility.
91  // (crbug.com/409952)
92  if (host == "googleapis.com")
93    return true;
94
95  // Wildcards on subdomains of a TLD are not allowed.
96  size_t registry_length = net::registry_controlled_domains::GetRegistryLength(
97      host,
98      net::registry_controlled_domains::INCLUDE_UNKNOWN_REGISTRIES,
99      net::registry_controlled_domains::INCLUDE_PRIVATE_REGISTRIES);
100  return registry_length != 0;
101}
102
103bool HasOnlySecureTokens(base::StringTokenizer& tokenizer,
104                         Manifest::Type type) {
105  while (tokenizer.GetNext()) {
106    std::string source = tokenizer.token();
107    base::StringToLowerASCII(&source);
108
109    // We might need to relax this whitelist over time.
110    if (source == "'self'" ||
111        source == "'none'" ||
112        source == "http://127.0.0.1" ||
113        LowerCaseEqualsASCII(source, "blob:") ||
114        LowerCaseEqualsASCII(source, "filesystem:") ||
115        LowerCaseEqualsASCII(source, "http://localhost") ||
116        StartsWithASCII(source, "http://127.0.0.1:", true) ||
117        StartsWithASCII(source, "http://localhost:", true) ||
118        isNonWildcardTLD(source, "https://", true) ||
119        isNonWildcardTLD(source, "chrome://", false) ||
120        isNonWildcardTLD(source,
121                         std::string(extensions::kExtensionScheme) +
122                         url::kStandardSchemeSeparator,
123                         false) ||
124        StartsWithASCII(source, "chrome-extension-resource:", true)) {
125      continue;
126    }
127
128    // crbug.com/146487
129    if (type == Manifest::TYPE_EXTENSION ||
130        type == Manifest::TYPE_LEGACY_PACKAGED_APP) {
131      if (source == "'unsafe-eval'")
132        continue;
133    }
134
135    return false;
136  }
137
138  return true;  // Empty values default to 'none', which is secure.
139}
140
141// Returns true if |directive_name| matches |status.directive_name|.
142bool UpdateStatus(const std::string& directive_name,
143                  base::StringTokenizer& tokenizer,
144                  DirectiveStatus* status,
145                  Manifest::Type type) {
146  if (status->seen_in_policy)
147    return false;
148  if (directive_name != status->directive_name)
149    return false;
150  status->seen_in_policy = true;
151  status->is_secure = HasOnlySecureTokens(tokenizer, type);
152  return true;
153}
154
155}  //  namespace
156
157bool ContentSecurityPolicyIsLegal(const std::string& policy) {
158  // We block these characters to prevent HTTP header injection when
159  // representing the content security policy as an HTTP header.
160  const char kBadChars[] = {',', '\r', '\n', '\0'};
161
162  return policy.find_first_of(kBadChars, 0, arraysize(kBadChars)) ==
163      std::string::npos;
164}
165
166bool ContentSecurityPolicyIsSecure(const std::string& policy,
167                                   Manifest::Type type) {
168  // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
169  std::vector<std::string> directives;
170  base::SplitString(policy, ';', &directives);
171
172  DirectiveStatus default_src_status(kDefaultSrc);
173  DirectiveStatus script_src_status(kScriptSrc);
174  DirectiveStatus object_src_status(kObjectSrc);
175
176  for (size_t i = 0; i < directives.size(); ++i) {
177    std::string& input = directives[i];
178    base::StringTokenizer tokenizer(input, " \t\r\n");
179    if (!tokenizer.GetNext())
180      continue;
181
182    std::string directive_name = tokenizer.token();
183    base::StringToLowerASCII(&directive_name);
184
185    if (UpdateStatus(directive_name, tokenizer, &default_src_status, type))
186      continue;
187    if (UpdateStatus(directive_name, tokenizer, &script_src_status, type))
188      continue;
189    if (UpdateStatus(directive_name, tokenizer, &object_src_status, type))
190      continue;
191  }
192
193  if (script_src_status.seen_in_policy && !script_src_status.is_secure)
194    return false;
195
196  if (object_src_status.seen_in_policy && !object_src_status.is_secure)
197    return false;
198
199  if (default_src_status.seen_in_policy && !default_src_status.is_secure) {
200    return script_src_status.seen_in_policy &&
201           object_src_status.seen_in_policy;
202  }
203
204  return default_src_status.seen_in_policy ||
205      (script_src_status.seen_in_policy && object_src_status.seen_in_policy);
206}
207
208bool ContentSecurityPolicyIsSandboxed(
209    const std::string& policy, Manifest::Type type) {
210  // See http://www.w3.org/TR/CSP/#parse-a-csp-policy for parsing algorithm.
211  std::vector<std::string> directives;
212  base::SplitString(policy, ';', &directives);
213
214  bool seen_sandbox = false;
215
216  for (size_t i = 0; i < directives.size(); ++i) {
217    std::string& input = directives[i];
218    base::StringTokenizer tokenizer(input, " \t\r\n");
219    if (!tokenizer.GetNext())
220      continue;
221
222    std::string directive_name = tokenizer.token();
223    base::StringToLowerASCII(&directive_name);
224
225    if (directive_name != kSandboxDirectiveName)
226      continue;
227
228    seen_sandbox = true;
229
230    while (tokenizer.GetNext()) {
231      std::string token = tokenizer.token();
232      base::StringToLowerASCII(&token);
233
234      // The same origin token negates the sandboxing.
235      if (token == kAllowSameOriginToken)
236        return false;
237
238      // Platform apps don't allow navigation.
239      if (type == Manifest::TYPE_PLATFORM_APP) {
240        if (token == kAllowTopNavigation)
241          return false;
242      }
243    }
244  }
245
246  return seen_sandbox;
247}
248
249}  // namespace csp_validator
250
251}  // namespace extensions
252