PPAPI may be abused to bypass Site Isolation enforcement for FileSystem storage |
||||
Issue descriptionFrom mek@: Because of PPAPI's usage in https://cs.chromium.org/chromium/src/content/renderer/pepper/pepper_file_system_host.cc?sq=package:chromium&g=0&l=110 compromised renders can still access filesystem storage of any origin afaik. Missing is figuring out some way to avoid having to pass (and trust) the origin from renderer to browser in that code path. Note - since Site Isolation enforcements are is still mostly work-in-progress, we are treating new Site Isolation enforcements as *new* security features (rather than as security bugs in existing code). Therefore, no Restrict-View-SecurityTeam or similar labels have been applied to this bug.
,
Jan 10
The storage team doesn't currently have anyone who understands the Pepper codebase. I don't think we're the best people to tackle this bug, sorry. Removing the FileSystem component so the bug goes away from our queues & dashboard.
,
Jan 10
+adithyas@ who has been working on issue 873661 which is one way to address this vulnerability I think that to reach out M73 goals, it might be safest to just add a CanAccessDataForOrigin check to FileSystemManagerImpl::Open - I've put together a WIP CLs at: - https://crrev.com/c/1406171 - s/GURL origin_url/url::Origin origin/ - https://crrev.com/c/1406173 - CanAccessDataForOrigin (no tests - no idea how to inject a test implementation of the mojo interface here; I hope this is okay: - CanAccessDataForOrigin is valuable for M73 where we target Site Isolation enforcements - the test would become obsolete once we make progress on issue 873661 Feedback is welcomed [here or on the CL itself])
,
Jan 10
+adithyas@ for real this time...
,
Jan 10
Isn't this actually what is blocking issue 873661 from being fully implemented? I.e. that bug is pretty much done, FileSystemManagerImpl mostly has a separate instance for each frame, and could be using that fact to not have to trust the origin it gets from the renderer. Except for the issue this bug describes, namely that for PPAPI there isn't a frame afaict, and it is unclear to at least me what the similar solution (if any) is for PPAPI specifically.
,
Jan 11
RE: #c5: mek@: Right - I meant CanAccessDataForOrigin as a stop-gap workaround for the fact that it isn't obvious how the PepperFileSystemHost::OnHostMsgOpen method should get a frame-bound mojo interface to the filesystem. OTOH, I am not sure now if the CanAccessDataForOrigin is the right thing to do - is it possible to have the following scenario: - foo.com/page.html in renderer A has an <embed src=https://bar.com/...> tag - plugin from bar.com is hosted in plugin process B - process B sends PpapiHostMsg_FileSystem_Open to process A and process A forwards the request to FileSystemManagerImpl::Open with origin_url=https://bar.com/ If so, then such origin_url would be clearly incompatible with the process lock of process A (https://foo.com) and cause CanAccessDataForOrigin to incorrectly terminate a renderer :-(
,
Jan 12
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45 commit 43be2d668342e8b1dd83cb1a2b9ebfa86474ba45 Author: Lukasz Anforowicz <lukasza@chromium.org> Date: Sat Jan 12 00:37:27 2019 s/GURL origin_url/url::Origin origin/ in FileSystemManagerImpl::Open. This CL makes small improvements in type safety: - url::Origin should be used instead of GURL for representing an origin. - url::Origin::Create(gurl) should be used instead of GURL::GetOrigin() (the latter will return "physical/syntactical" origin which would be incorrect in case of blob: and filesystem: URLs) Bug: 917457 Change-Id: I97a0fe063461ea340476914502f31581ff676688 Reviewed-on: https://chromium-review.googlesource.com/c/1406171 Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Commit-Queue: Ćukasz Anforowicz <lukasza@chromium.org> Cr-Commit-Position: refs/heads/master@{#622236} [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/content/browser/fileapi/file_system_manager_impl.cc [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/content/browser/fileapi/file_system_manager_impl.h [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/content/renderer/pepper/pepper_file_system_host.cc [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/third_party/blink/public/mojom/filesystem/file_system.mojom [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.cc [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/third_party/blink/renderer/modules/filesystem/file_system_dispatcher.h [modify] https://crrev.com/43be2d668342e8b1dd83cb1a2b9ebfa86474ba45/third_party/blink/renderer/modules/filesystem/local_file_system.cc |
||||
►
Sign in to add a comment |
||||
Comment 1 by lukasza@chromium.org
, Dec 21