sandboxed_extension_unpacker.cc revision 3345a6884c488ff3a535c2c9acdd33d74b37e311 
1// Copyright (c) 2010 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/extensions/sandboxed_extension_unpacker.h"
6
7#include <set>
8
9#include "base/base64.h"
10#include "base/crypto/signature_verifier.h"
11#include "base/file_util.h"
12#include "base/message_loop.h"
13#include "base/scoped_handle.h"
14#include "base/task.h"
15#include "base/utf_string_conversions.h"  // TODO(viettrungluu): delete me.
16#include "chrome/browser/chrome_thread.h"
17#include "chrome/browser/extensions/extensions_service.h"
18#include "chrome/browser/renderer_host/resource_dispatcher_host.h"
19#include "chrome/common/chrome_switches.h"
20#include "chrome/common/extensions/extension.h"
21#include "chrome/common/extensions/extension_constants.h"
22#include "chrome/common/extensions/extension_file_util.h"
23#include "chrome/common/extensions/extension_l10n_util.h"
24#include "chrome/common/extensions/extension_unpacker.h"
25#include "chrome/common/json_value_serializer.h"
26#include "gfx/codec/png_codec.h"
27#include "third_party/skia/include/core/SkBitmap.h"
28
29const char SandboxedExtensionUnpacker::kExtensionHeaderMagic[] = "Cr24";
30
31SandboxedExtensionUnpacker::SandboxedExtensionUnpacker(
32    const FilePath& crx_path,
33    const FilePath& temp_path,
34    ResourceDispatcherHost* rdh,
35    SandboxedExtensionUnpackerClient* client)
36    : crx_path_(crx_path), temp_path_(temp_path),
37      thread_identifier_(ChromeThread::ID_COUNT),
38      rdh_(rdh), client_(client), got_response_(false) {
39}
40
41void SandboxedExtensionUnpacker::Start() {
42  // We assume that we are started on the thread that the client wants us to do
43  // file IO on.
44  CHECK(ChromeThread::GetCurrentThreadIdentifier(&thread_identifier_));
45
46  // Create a temporary directory to work in.
47  if (!temp_dir_.CreateUniqueTempDirUnderPath(temp_path_)) {
48    ReportFailure("Could not create temporary directory.");
49    return;
50  }
51
52  // Initialize the path that will eventually contain the unpacked extension.
53  extension_root_ = temp_dir_.path().AppendASCII(
54      extension_filenames::kTempExtensionName);
55
56  // Extract the public key and validate the package.
57  if (!ValidateSignature())
58    return;  // ValidateSignature() already reported the error.
59
60  // Copy the crx file into our working directory.
61  FilePath temp_crx_path = temp_dir_.path().Append(crx_path_.BaseName());
62  if (!file_util::CopyFile(crx_path_, temp_crx_path)) {
63    ReportFailure("Failed to copy extension file to temporary directory.");
64    return;
65  }
66
67  // If we are supposed to use a subprocess, kick off the subprocess.
68  //
69  // TODO(asargent) we shouldn't need to do this branch here - instead
70  // UtilityProcessHost should handle it for us. (http://crbug.com/19192)
71  bool use_utility_process = rdh_ &&
72      !CommandLine::ForCurrentProcess()->HasSwitch(switches::kSingleProcess);
73  if (use_utility_process) {
74    // The utility process will have access to the directory passed to
75    // SandboxedExtensionUnpacker.  That directory should not contain a
76    // symlink or NTFS reparse point.  When the path is used, following
77    // the link/reparse point will cause file system access outside the
78    // sandbox path, and the sandbox will deny the operation.
79    FilePath link_free_crx_path;
80    if (!file_util::NormalizeFilePath(temp_crx_path, &link_free_crx_path)) {
81      LOG(ERROR) << "Could not get the normalized path of "
82                 << temp_crx_path.value();
83#if defined (OS_WIN)
84      // On windows, it is possible to mount a disk without the root of that
85      // disk having a drive letter.  The sandbox does not support this.
86      // See crbug/49530 .
87      ReportFailure(
88          "Can not unpack extension.  To safely unpack an extension, "
89          "there must be a path to your profile directory that starts "
90          "with a drive letter and does not contain a junction, mount "
91          "point, or symlink.  No such path exists for your profile.");
92#else
93      ReportFailure(
94          "Can not unpack extension.  To safely unpack an extension, "
95          "there must be a path to your profile directory that does "
96          "not contain a symlink.  No such path exists for your profile.");
97#endif
98      return;
99    }
100
101    ChromeThread::PostTask(
102        ChromeThread::IO, FROM_HERE,
103        NewRunnableMethod(
104            this,
105            &SandboxedExtensionUnpacker::StartProcessOnIOThread,
106            link_free_crx_path));
107  } else {
108    // Otherwise, unpack the extension in this process.
109    ExtensionUnpacker unpacker(temp_crx_path);
110    if (unpacker.Run() && unpacker.DumpImagesToFile() &&
111        unpacker.DumpMessageCatalogsToFile()) {
112      OnUnpackExtensionSucceeded(*unpacker.parsed_manifest());
113    } else {
114      OnUnpackExtensionFailed(unpacker.error_message());
115    }
116  }
117}
118
119void SandboxedExtensionUnpacker::StartProcessOnIOThread(
120    const FilePath& temp_crx_path) {
121  UtilityProcessHost* host = new UtilityProcessHost(
122      rdh_, this, thread_identifier_);
123  host->StartExtensionUnpacker(temp_crx_path);
124}
125
126void SandboxedExtensionUnpacker::OnUnpackExtensionSucceeded(
127    const DictionaryValue& manifest) {
128  // Skip check for unittests.
129  if (thread_identifier_ != ChromeThread::ID_COUNT)
130    DCHECK(ChromeThread::CurrentlyOn(thread_identifier_));
131  got_response_ = true;
132
133  scoped_ptr<DictionaryValue> final_manifest(RewriteManifestFile(manifest));
134  if (!final_manifest.get())
135    return;
136
137  // Create an extension object that refers to the temporary location the
138  // extension was unpacked to. We use this until the extension is finally
139  // installed. For example, the install UI shows images from inside the
140  // extension.
141  extension_.reset(new Extension(extension_root_));
142
143  // Localize manifest now, so confirm UI gets correct extension name.
144  std::string error;
145  if (!extension_l10n_util::LocalizeExtension(extension_.get(),
146                                              final_manifest.get(),
147                                              &error)) {
148    ReportFailure(error);
149    return;
150  }
151
152  if (!extension_->InitFromValue(*final_manifest, true, &error)) {
153    ReportFailure(std::string("Manifest is invalid: ") + error);
154    return;
155  }
156
157  if (!RewriteImageFiles())
158    return;
159
160  if (!RewriteCatalogFiles())
161    return;
162
163  ReportSuccess();
164}
165
166void SandboxedExtensionUnpacker::OnUnpackExtensionFailed(
167    const std::string& error) {
168  DCHECK(ChromeThread::CurrentlyOn(thread_identifier_));
169  got_response_ = true;
170  ReportFailure(error);
171}
172
173void SandboxedExtensionUnpacker::OnProcessCrashed() {
174  // Don't report crashes if they happen after we got a response.
175  if (got_response_)
176    return;
177
178  ReportFailure("Utility process crashed while trying to install.");
179}
180
181bool SandboxedExtensionUnpacker::ValidateSignature() {
182  ScopedStdioHandle file(file_util::OpenFile(crx_path_, "rb"));
183  if (!file.get()) {
184    ReportFailure("Could not open crx file for reading");
185    return false;
186  }
187
188  // Read and verify the header.
189  ExtensionHeader header;
190  size_t len;
191
192  // TODO(erikkay): Yuck.  I'm not a big fan of this kind of code, but it
193  // appears that we don't have any endian/alignment aware serialization
194  // code in the code base.  So for now, this assumes that we're running
195  // on a little endian machine with 4 byte alignment.
196  len = fread(&header, 1, sizeof(ExtensionHeader),
197      file.get());
198  if (len < sizeof(ExtensionHeader)) {
199    ReportFailure("Invalid crx header");
200    return false;
201  }
202  if (strncmp(kExtensionHeaderMagic, header.magic,
203      sizeof(header.magic))) {
204    ReportFailure("Bad magic number");
205    return false;
206  }
207  if (header.version != kCurrentVersion) {
208    ReportFailure("Bad version number");
209    return false;
210  }
211  if (header.key_size > kMaxPublicKeySize ||
212      header.signature_size > kMaxSignatureSize) {
213    ReportFailure("Excessively large key or signature");
214    return false;
215  }
216  if (header.key_size == 0) {
217    ReportFailure("Key length is zero");
218    return false;
219  }
220
221  std::vector<uint8> key;
222  key.resize(header.key_size);
223  len = fread(&key.front(), sizeof(uint8), header.key_size, file.get());
224  if (len < header.key_size) {
225    ReportFailure("Invalid public key");
226    return false;
227  }
228
229  std::vector<uint8> signature;
230  signature.resize(header.signature_size);
231  len = fread(&signature.front(), sizeof(uint8), header.signature_size,
232      file.get());
233  if (len < header.signature_size) {
234    ReportFailure("Invalid signature");
235    return false;
236  }
237
238  base::SignatureVerifier verifier;
239  if (!verifier.VerifyInit(extension_misc::kSignatureAlgorithm,
240                           sizeof(extension_misc::kSignatureAlgorithm),
241                           &signature.front(),
242                           signature.size(),
243                           &key.front(),
244                           key.size())) {
245    ReportFailure("Signature verification initialization failed. "
246                  "This is most likely caused by a public key in "
247                  "the wrong format (should encode algorithm).");
248    return false;
249  }
250
251  unsigned char buf[1 << 12];
252  while ((len = fread(buf, 1, sizeof(buf), file.get())) > 0)
253    verifier.VerifyUpdate(buf, len);
254
255  if (!verifier.VerifyFinal()) {
256    ReportFailure("Signature verification failed");
257    return false;
258  }
259
260  base::Base64Encode(std::string(reinterpret_cast<char*>(&key.front()),
261      key.size()), &public_key_);
262  return true;
263}
264
265void SandboxedExtensionUnpacker::ReportFailure(const std::string& error) {
266  client_->OnUnpackFailure(error);
267}
268
269void SandboxedExtensionUnpacker::ReportSuccess() {
270  // Client takes ownership of temporary directory and extension.
271  client_->OnUnpackSuccess(temp_dir_.Take(), extension_root_,
272                           extension_.release());
273}
274
275DictionaryValue* SandboxedExtensionUnpacker::RewriteManifestFile(
276    const DictionaryValue& manifest) {
277  // Add the public key extracted earlier to the parsed manifest and overwrite
278  // the original manifest. We do this to ensure the manifest doesn't contain an
279  // exploitable bug that could be used to compromise the browser.
280  scoped_ptr<DictionaryValue> final_manifest(
281      static_cast<DictionaryValue*>(manifest.DeepCopy()));
282  final_manifest->SetString(extension_manifest_keys::kPublicKey, public_key_);
283
284  std::string manifest_json;
285  JSONStringValueSerializer serializer(&manifest_json);
286  serializer.set_pretty_print(true);
287  if (!serializer.Serialize(*final_manifest)) {
288    ReportFailure("Error serializing manifest.json.");
289    return NULL;
290  }
291
292  FilePath manifest_path =
293      extension_root_.Append(Extension::kManifestFilename);
294  if (!file_util::WriteFile(manifest_path,
295                            manifest_json.data(), manifest_json.size())) {
296    ReportFailure("Error saving manifest.json.");
297    return NULL;
298  }
299
300  return final_manifest.release();
301}
302
303bool SandboxedExtensionUnpacker::RewriteImageFiles() {
304  ExtensionUnpacker::DecodedImages images;
305  if (!ExtensionUnpacker::ReadImagesFromFile(temp_dir_.path(), &images)) {
306    ReportFailure("Couldn't read image data from disk.");
307    return false;
308  }
309
310  // Delete any images that may be used by the browser.  We're going to write
311  // out our own versions of the parsed images, and we want to make sure the
312  // originals are gone for good.
313  std::set<FilePath> image_paths = extension_->GetBrowserImages();
314  if (image_paths.size() != images.size()) {
315    ReportFailure("Decoded images don't match what's in the manifest.");
316    return false;
317  }
318
319  for (std::set<FilePath>::iterator it = image_paths.begin();
320       it != image_paths.end(); ++it) {
321    FilePath path = *it;
322    if (path.IsAbsolute() || path.ReferencesParent()) {
323      ReportFailure("Invalid path for browser image.");
324      return false;
325    }
326    if (!file_util::Delete(extension_root_.Append(path), false)) {
327      ReportFailure("Error removing old image file.");
328      return false;
329    }
330  }
331
332  // Write our parsed images back to disk as well.
333  for (size_t i = 0; i < images.size(); ++i) {
334    const SkBitmap& image = images[i].a;
335    FilePath path_suffix = images[i].b;
336    if (path_suffix.IsAbsolute() || path_suffix.ReferencesParent()) {
337      ReportFailure("Invalid path for bitmap image.");
338      return false;
339    }
340    FilePath path = extension_root_.Append(path_suffix);
341
342    std::vector<unsigned char> image_data;
343    // TODO(mpcomplete): It's lame that we're encoding all images as PNG, even
344    // though they may originally be .jpg, etc.  Figure something out.
345    // http://code.google.com/p/chromium/issues/detail?id=12459
346    if (!gfx::PNGCodec::EncodeBGRASkBitmap(image, false, &image_data)) {
347      ReportFailure("Error re-encoding theme image.");
348      return false;
349    }
350
351    // Note: we're overwriting existing files that the utility process wrote,
352    // so we can be sure the directory exists.
353    const char* image_data_ptr = reinterpret_cast<const char*>(&image_data[0]);
354    if (!file_util::WriteFile(path, image_data_ptr, image_data.size())) {
355      ReportFailure("Error saving theme image.");
356      return false;
357    }
358  }
359
360  return true;
361}
362
363bool SandboxedExtensionUnpacker::RewriteCatalogFiles() {
364  DictionaryValue catalogs;
365  if (!ExtensionUnpacker::ReadMessageCatalogsFromFile(temp_dir_.path(),
366                                                      &catalogs)) {
367    ReportFailure("Could not read catalog data from disk.");
368    return false;
369  }
370
371  // Write our parsed catalogs back to disk.
372  for (DictionaryValue::key_iterator key_it = catalogs.begin_keys();
373       key_it != catalogs.end_keys(); ++key_it) {
374    DictionaryValue* catalog;
375    if (!catalogs.GetDictionaryWithoutPathExpansion(*key_it, &catalog)) {
376      ReportFailure("Invalid catalog data.");
377      return false;
378    }
379
380    // TODO(viettrungluu): Fix the |FilePath::FromWStringHack(UTF8ToWide())|
381    // hack and remove the corresponding #include.
382    FilePath relative_path = FilePath::FromWStringHack(UTF8ToWide(*key_it));
383    relative_path = relative_path.Append(Extension::kMessagesFilename);
384    if (relative_path.IsAbsolute() || relative_path.ReferencesParent()) {
385      ReportFailure("Invalid path for catalog.");
386      return false;
387    }
388    FilePath path = extension_root_.Append(relative_path);
389
390    std::string catalog_json;
391    JSONStringValueSerializer serializer(&catalog_json);
392    serializer.set_pretty_print(true);
393    if (!serializer.Serialize(*catalog)) {
394      ReportFailure("Error serializing catalog.");
395      return false;
396    }
397
398    // Note: we're overwriting existing files that the utility process read,
399    // so we can be sure the directory exists.
400    if (!file_util::WriteFile(path,
401                              catalog_json.c_str(),
402                              catalog_json.size())) {
403      ReportFailure("Error saving catalog.");
404      return false;
405    }
406  }
407
408  return true;
409}
410