Use the BinaryUploadService to check downloads

This CL adds the code to manage BinaryUploadService instances
per-profile, and upload files to them. This is currently behind an
off-by-default Feature, since the enterprise policy isn't landed yet.

Bug: 980784
Change-Id: Ie3454cd653311bbdc2d009aa5237c32046d38f1d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1742776
Commit-Queue: Daniel Rubery <drubery@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#689596}

chrome/browser/safe_browsing/BUILD.gn

@@ -99,6 +99,12 @@ jumbo_static_library("safe_browsing") {
       "//chrome/common/safe_browsing:proto",
       "//components/safe_browsing:csd_proto",
       "//components/safe_browsing:safe_browsing",
+
+      # TODO(crbug/996380): This is needed because the DownloadProtectionService
+      # is being built on Android. Since we don't actually use any
+      # DownloadProtectionService features on Android, we should fix that
+      # dependency and move this to the 'safe_browsing_mode == 1' section.
+      "//components/safe_browsing:webprotect_proto",
       "//components/safe_browsing/browser",
       "//components/safe_browsing/common",
       "//components/safe_browsing/common:safe_browsing_prefs",
@@ -140,6 +146,8 @@ jumbo_static_library("safe_browsing") {
         "download_protection/download_feedback.h",
         "download_protection/download_feedback_service.cc",
         "download_protection/download_feedback_service.h",
+        "download_protection/download_item_request.cc",
+        "download_protection/download_item_request.h",
         "download_protection/download_protection_service.cc",
         "download_protection/download_protection_service.h",
         "download_protection/download_protection_util.cc",
@@ -218,7 +226,6 @@ jumbo_static_library("safe_browsing") {
         "//components/content_settings/core/browser",
         "//components/language/core/common",
         "//components/prefs",
-        "//components/safe_browsing:webprotect_proto",
         "//components/safe_browsing/db",
         "//components/security_interstitials/content:security_interstitial_page",
         "//content/public/browser",

chrome/browser/safe_browsing/android/services_delegate_android.cc

@@ -155,6 +155,14 @@ VerdictCacheManager* ServicesDelegateAndroid::GetVerdictCacheManager(
   return nullptr;
 }
 
+void ServicesDelegateAndroid::CreateBinaryUploadService(Profile* profile) {}
+void ServicesDelegateAndroid::RemoveBinaryUploadService(Profile* profile) {}
+BinaryUploadService* ServicesDelegateAndroid::GetBinaryUploadService(
+    Profile* profile) const {
+  NOTIMPLEMENTED();
+  return nullptr;
+}
+
 std::string ServicesDelegateAndroid::GetSafetyNetId() const {
   return database_manager_->GetSafetyNetId();
 }

chrome/browser/safe_browsing/android/services_delegate_android.h

@@ -58,6 +58,10 @@ class ServicesDelegateAndroid : public ServicesDelegate {
   void RemoveVerdictCacheManager(Profile* profile) override;
   VerdictCacheManager* GetVerdictCacheManager(Profile* profile) const override;
 
+  void CreateBinaryUploadService(Profile* profile) override;
+  void RemoveBinaryUploadService(Profile* profile) override;
+  BinaryUploadService* GetBinaryUploadService(Profile* profile) const override;
+
   std::string GetSafetyNetId() const override;
 
   // Reports the current extended reporting level. Note that this is an

chrome/browser/safe_browsing/download_protection/binary_fcm_service.cc

@@ -12,6 +12,7 @@
 #include "chrome/browser/profiles/profile.h"
 #include "components/gcm_driver/gcm_driver.h"
 #include "components/gcm_driver/gcm_profile_service.h"
+#include "components/gcm_driver/instance_id/instance_id.h"
 #include "components/gcm_driver/instance_id/instance_id_driver.h"
 #include "components/gcm_driver/instance_id/instance_id_profile_service.h"
 #include "components/safe_browsing/proto/webprotect.pb.h"
@@ -57,18 +58,16 @@ std::unique_ptr<BinaryFCMService> BinaryFCMService::Create(Profile* profile) {
 BinaryFCMService::BinaryFCMService(
     gcm::GCMDriver* gcm_driver,
     instance_id::InstanceIDDriver* instance_id_driver)
-    : gcm_driver_(gcm_driver), instance_id_(kInvalidId) {
+    : gcm_driver_(gcm_driver),
+      instance_id_driver_(instance_id_driver),
+      weakptr_factory_(this) {
   gcm_driver->AddAppHandler(kBinaryFCMServiceAppId, this);
-  instance_id_driver->GetInstanceID(kBinaryFCMServiceAppId)
-      ->GetToken(kBinaryFCMServiceSenderId, instance_id::kGCMScope,
-                 /*options=*/{},
-                 /*flags=*/{},
-                 base::BindOnce(&BinaryFCMService::OnGetInstanceID,
-                                weakptr_factory_.GetWeakPtr()));
 }
 
 BinaryFCMService::BinaryFCMService()
-    : gcm_driver_(nullptr), instance_id_(kInvalidId), weakptr_factory_(this) {}
+    : gcm_driver_(nullptr),
+      instance_id_driver_(nullptr),
+      weakptr_factory_(this) {}
 
 BinaryFCMService::~BinaryFCMService() {
   if (gcm_driver_ != nullptr)
@@ -76,7 +75,13 @@ BinaryFCMService::~BinaryFCMService() {
 }
 
 void BinaryFCMService::GetInstanceID(GetInstanceIDCallback callback) {
-  std::move(callback).Run(instance_id_);
+  instance_id_driver_->GetInstanceID(kBinaryFCMServiceAppId)
+      ->GetToken(
+          kBinaryFCMServiceSenderId, instance_id::kGCMScope,
+          /*options=*/{},
+          /*flags=*/{},
+          base::BindOnce(&BinaryFCMService::OnGetInstanceID,
+                         weakptr_factory_.GetWeakPtr(), std::move(callback)));
 }
 
 void BinaryFCMService::SetCallbackForToken(
@@ -89,15 +94,15 @@ void BinaryFCMService::ClearCallbackForToken(const std::string& token) {
   message_token_map_.erase(token);
 }
 
-void BinaryFCMService::OnGetInstanceID(const std::string& instance_id,
+void BinaryFCMService::OnGetInstanceID(GetInstanceIDCallback callback,
+                                       const std::string& instance_id,
                                        instance_id::InstanceID::Result result) {
-  if (result == instance_id::InstanceID::Result::SUCCESS) {
-    instance_id_ = instance_id;
-  }
+  std::move(callback).Run(
+      result == instance_id::InstanceID::SUCCESS ? instance_id : kInvalidId);
 }
 
 void BinaryFCMService::ShutdownHandler() {
-  NOTIMPLEMENTED();
+  gcm_driver_ = nullptr;
 }
 
 void BinaryFCMService::OnStoreReset() {

chrome/browser/safe_browsing/download_protection/binary_fcm_service.h

@@ -69,11 +69,15 @@ class BinaryFCMService : public gcm::GCMAppHandler {
   BinaryFCMService();
 
  private:
-  void OnGetInstanceID(const std::string& instance_id,
+  void OnGetInstanceID(GetInstanceIDCallback callback,
+                       const std::string& instance_id,
                        instance_id::InstanceID::Result result);
 
+  // References to the profile's GCMDriver and InstanceIDDriver. Both are
+  // unowned.
   gcm::GCMDriver* gcm_driver_;
-  std::string instance_id_;
+  instance_id::InstanceIDDriver* instance_id_driver_;
+
   std::unordered_map<std::string, OnMessageCallback> message_token_map_;
 
   base::WeakPtrFactory<BinaryFCMService> weakptr_factory_{this};

chrome/browser/safe_browsing/download_protection/binary_upload_service.cc

@@ -66,7 +66,8 @@ void BinaryUploadService::UploadForDeepScanning(
   binary_fcm_service_->GetInstanceID(
       base::BindOnce(&BinaryUploadService::OnGetInstanceID,
                      weakptr_factory_.GetWeakPtr(), raw_request));
-  active_timers_[raw_request].Start(
+  active_timers_[raw_request] = std::make_unique<base::OneShotTimer>();
+  active_timers_[raw_request]->Start(
       FROM_HERE, base::TimeDelta::FromSeconds(kScanningTimeoutSeconds),
       base::BindOnce(&BinaryUploadService::OnTimeout,
                      weakptr_factory_.GetWeakPtr(), raw_request));
@@ -83,9 +84,16 @@ void BinaryUploadService::OnGetInstanceID(Request* request,
     return;
   }
 
-  std::string metadata;
-  request->set_download_token(instance_id);
-  request->deep_scanning_request().SerializeToString(&metadata);
+  request->set_fcm_token(instance_id);
+  request->GetFileContents(
+      base::BindOnce(&BinaryUploadService::OnGetFileContents,
+                     weakptr_factory_.GetWeakPtr(), request));
+}
+
+void BinaryUploadService::OnGetFileContents(Request* request,
+                                            const std::string& file_contents) {
+  if (!IsActive(request))
+    return;
 
   net::NetworkTrafficAnnotationTag traffic_annotation =
       net::DefineNetworkTrafficAnnotation("safe_browsing_binary_upload", R"(
@@ -122,9 +130,12 @@ void BinaryUploadService::OnGetInstanceID(Request* request,
           }
         })");
 
+  std::string metadata;
+  request->deep_scanning_request().SerializeToString(&metadata);
+
   auto upload_request = MultipartUploadRequest::Create(
-      url_loader_factory_, GURL(kSbBinaryUploadUrl), metadata,
-      request->GetFileContents(), traffic_annotation,
+      url_loader_factory_, GURL(kSbBinaryUploadUrl), metadata, file_contents,
+      traffic_annotation,
       base::BindOnce(&BinaryUploadService::OnUploadComplete,
                      weakptr_factory_.GetWeakPtr(), request));
   upload_request->Start();
@@ -246,8 +257,7 @@ void BinaryUploadService::Request::set_request_malware_scan(
       std::move(malware_request);
 }
 
-void BinaryUploadService::Request::set_download_token(
-    const std::string& token) {
+void BinaryUploadService::Request::set_fcm_token(const std::string& token) {
   deep_scanning_request_.set_fcm_notification_token(token);
 }
 

chrome/browser/safe_browsing/download_protection/binary_upload_service.h

@@ -26,6 +26,9 @@ class BinaryUploadService {
   BinaryUploadService(
       scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
       Profile* profile);
+
+  // This constructor is useful in tests, if you want to keep a reference to the
+  // service's |binary_fcm_service_|.
   BinaryUploadService(
       scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
       std::unique_ptr<BinaryFCMService> binary_fcm_service);
@@ -66,13 +69,16 @@ class BinaryUploadService {
     virtual ~Request();
     Request(const Request&) = delete;
     Request& operator=(const Request&) = delete;
+    Request(Request&&) = delete;
+    Request& operator=(Request&&) = delete;
 
-    // Returns the file contents to upload.
+    // Asynchronously returns the file contents to upload.
     // TODO(drubery): This could allocate up to 50MB of memory for a large file
     // upload. We should see how often that causes errors, and possibly
     // implement some sort of streaming interface so we don't use so much
     // memory.
-    virtual std::string GetFileContents() = 0;
+    virtual void GetFileContents(
+        base::OnceCallback<void(const std::string&)> callback) = 0;
 
     // Returns the content size.
     virtual size_t GetFileSize() = 0;
@@ -86,7 +92,7 @@ class BinaryUploadService {
     void set_request_dlp_scan(DlpDeepScanningClientRequest dlp_request);
     void set_request_malware_scan(
         MalwareDeepScanningClientRequest malware_request);
-    void set_download_token(const std::string& token);
+    void set_fcm_token(const std::string& token);
 
     // Finish the request, with the given |result| and |response| from the
     // server.
@@ -107,6 +113,8 @@ class BinaryUploadService {
 
   void OnGetInstanceID(Request* request, const std::string& token);
 
+  void OnGetFileContents(Request* request, const std::string& file_contents);
+
   void OnUploadComplete(Request* request,
                         bool success,
                         const std::string& response_data);
@@ -127,14 +135,14 @@ class BinaryUploadService {
   std::unique_ptr<BinaryFCMService> binary_fcm_service_;
 
   // Resources associated with an in-progress request.
-  std::unordered_map<Request*, std::unique_ptr<Request>> active_requests_;
-  std::unordered_map<Request*, base::OneShotTimer> active_timers_;
-  std::unordered_map<Request*, std::unique_ptr<MultipartUploadRequest>>
+  base::flat_map<Request*, std::unique_ptr<Request>> active_requests_;
+  base::flat_map<Request*, std::unique_ptr<base::OneShotTimer>> active_timers_;
+  base::flat_map<Request*, std::unique_ptr<MultipartUploadRequest>>
       active_uploads_;
-  std::unordered_map<Request*, std::string> active_tokens_;
-  std::unordered_map<Request*, std::unique_ptr<MalwareDeepScanningVerdict>>
+  base::flat_map<Request*, std::string> active_tokens_;
+  base::flat_map<Request*, std::unique_ptr<MalwareDeepScanningVerdict>>
       received_malware_verdicts_;
-  std::unordered_map<Request*, std::unique_ptr<DlpDeepScanningVerdict>>
+  base::flat_map<Request*, std::unique_ptr<DlpDeepScanningVerdict>>
       received_dlp_verdicts_;
 
   base::WeakPtrFactory<BinaryUploadService> weakptr_factory_;

chrome/browser/safe_browsing/download_protection/binary_upload_service_unittest.cc

@@ -7,6 +7,7 @@
 #include <memory>
 
 #include "base/bind.h"
+#include "base/callback_forward.h"
 #include "chrome/browser/safe_browsing/download_protection/binary_fcm_service.h"
 #include "chrome/browser/safe_browsing/download_protection/multipart_uploader.h"
 #include "components/safe_browsing/proto/webprotect.pb.h"
@@ -27,7 +28,8 @@ class MockRequest : public BinaryUploadService::Request {
  public:
   explicit MockRequest(BinaryUploadService::Callback callback)
       : BinaryUploadService::Request(std::move(callback)) {}
-  MOCK_METHOD0(GetFileContents, std::string());
+  MOCK_METHOD1(GetFileContents,
+               void(base::OnceCallback<void(const std::string&)>));
   MOCK_METHOD0(GetFileSize, size_t());
 };
 
@@ -133,7 +135,7 @@ class BinaryUploadServiceTest : public testing::Test {
   std::unique_ptr<MockRequest> MakeRequest(
       BinaryUploadService::Result* scanning_result,
       DeepScanningClientResponse* scanning_response) {
-    return std::make_unique<MockRequest>(base::BindOnce(
+    auto request = std::make_unique<MockRequest>(base::BindOnce(
         [](BinaryUploadService::Result* target_result,
            DeepScanningClientResponse* target_response,
            BinaryUploadService::Result result,
@@ -142,6 +144,13 @@ class BinaryUploadServiceTest : public testing::Test {
           *target_response = response;
         },
         scanning_result, scanning_response));
+    ON_CALL(*request, GetFileSize()).WillByDefault(Return(strlen("contents")));
+    ON_CALL(*request, GetFileContents(_))
+        .WillByDefault(
+            Invoke([](base::OnceCallback<void(const std::string&)> callback) {
+              std::move(callback).Run("contents");
+            }));
+    return request;
   }
 
  protected:

chrome/browser/safe_browsing/download_protection/check_client_download_request.cc

@@ -20,6 +20,7 @@
 #include "chrome/browser/safe_browsing/advanced_protection_status_manager.h"
 #include "chrome/browser/safe_browsing/advanced_protection_status_manager_factory.h"
 #include "chrome/browser/safe_browsing/download_protection/download_feedback_service.h"
+#include "chrome/browser/safe_browsing/download_protection/download_item_request.h"
 #include "chrome/browser/safe_browsing/download_protection/download_protection_service.h"
 #include "chrome/browser/safe_browsing/download_protection/download_protection_util.h"
 #include "chrome/browser/safe_browsing/download_protection/ppapi_download_request.h"
@@ -30,6 +31,7 @@
 #include "components/safe_browsing/common/utils.h"
 #include "components/safe_browsing/features.h"
 #include "components/safe_browsing/proto/csd.pb.h"
+#include "components/safe_browsing/proto/webprotect.pb.h"
 #include "components/safe_browsing/web_ui/safe_browsing_ui.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_task_traits.h"
@@ -312,6 +314,28 @@ void CheckClientDownloadRequest::OnURLLoaderComplete(
         result, upload_requested, item_, client_download_request_data_,
         *response_body.get());
   }
+
+  if (ShouldUploadBinary(result)) {
+    auto request =
+        std::make_unique<DownloadItemRequest>(item_, base::DoNothing());
+
+    DlpDeepScanningClientRequest dlp_request;
+    request->set_request_dlp_scan(std::move(dlp_request));
+
+    MalwareDeepScanningClientRequest malware_request;
+    malware_request.set_population(
+        MalwareDeepScanningClientRequest::POPULATION_ENTERPRISE);
+    malware_request.set_download_token(token);
+    request->set_request_malware_scan(std::move(malware_request));
+
+    content::BrowserContext* browser_context =
+        content::DownloadItemUtils::GetBrowserContext(item_);
+    if (browser_context) {
+      Profile* profile = Profile::FromBrowserContext(browser_context);
+      service_->UploadForDeepScanning(profile, std::move(request));
+    }
+  }
+
   // We don't need the loader anymore.
   loader_.reset();
   UMA_HISTOGRAM_TIMES("SBClientDownload.DownloadRequestDuration",
@@ -818,4 +842,20 @@ void CheckClientDownloadRequest::FinishRequest(
   // DownloadProtectionService::RequestFinished may delete us.
 }
 
+bool CheckClientDownloadRequest::ShouldUploadBinary(
+    DownloadCheckResult result) {
+  if (!base::FeatureList::IsEnabled(kUploadForMalwareCheck))
+    return false;
+
+  if (result != DownloadCheckResult::SAFE &&
+      result != DownloadCheckResult::UNCOMMON &&
+      result != DownloadCheckResult::UNKNOWN)
+    return false;
+
+  // TODO(drubery): Add the appropriate checks against the enterprise policy
+  // here.
+
+  return true;
+}
+
 }  // namespace safe_browsing

chrome/browser/safe_browsing/download_protection/check_client_download_request.h

@@ -88,6 +88,7 @@ class CheckClientDownloadRequest : public download::DownloadItem::Observer {
                      DownloadCheckResultReason reason);
   bool CertificateChainIsWhitelisted(
       const ClientDownloadRequest_CertificateChain& chain);
+  bool ShouldUploadBinary(DownloadCheckResult result);
 
   // The DownloadItem we are checking. Will be NULL if the request has been
   // canceled. Must be accessed only on UI thread.

chrome/browser/safe_browsing/download_protection/download_item_request.cc

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/safe_browsing/download_protection/download_item_request.h"
+
+#include "base/task/post_task.h"
+#include "base/task/task_traits.h"
+#include "chrome/browser/safe_browsing/download_protection/binary_upload_service.h"
+#include "components/download/public/common/download_item.h"
+#include "content/public/browser/browser_task_traits.h"
+#include "content/public/browser/browser_thread.h"
+
+namespace safe_browsing {
+
+namespace {
+
+std::string GetFileContentsBlocking(base::FilePath path) {
+  base::File file(path, base::File::FLAG_OPEN | base::File::FLAG_READ);
+  int64_t file_size = file.GetLength();
+  std::string contents;
+  contents.resize(file_size);
+
+  int64_t bytes_read = 0;
+  while (bytes_read < file_size) {
+    int64_t bytes_currently_read =
+        file.ReadAtCurrentPos(&contents[bytes_read], file_size - bytes_read);
+    if (bytes_currently_read == -1)
+      return "";
+
+    bytes_read += bytes_currently_read;
+  }
+
+  return contents;
+}
+
+}  // namespace
+
+DownloadItemRequest::DownloadItemRequest(download::DownloadItem* item,
+                                         BinaryUploadService::Callback callback)
+    : Request(std::move(callback)), item_(item), weakptr_factory_(this) {
+  item_->AddObserver(this);
+}
+
+DownloadItemRequest::~DownloadItemRequest() {
+  if (item_ != nullptr)
+    item_->RemoveObserver(this);
+}
+
+void DownloadItemRequest::GetFileContents(
+    base::OnceCallback<void(const std::string&)> callback) {
+  if (item_ == nullptr) {
+    std::move(callback).Run("");
+    return;
+  }
+
+  base::PostTaskAndReplyWithResult(
+      FROM_HERE,
+      {base::ThreadPool(), base::TaskPriority::USER_VISIBLE, base::MayBlock()},
+      base::BindOnce(&GetFileContentsBlocking, item_->GetFullPath()),
+      base::BindOnce(&DownloadItemRequest::OnGotFileContents,
+                     weakptr_factory_.GetWeakPtr(), std::move(callback)));
+}
+
+size_t DownloadItemRequest::GetFileSize() {
+  return item_ == nullptr ? 0 : item_->GetTotalBytes();
+}
+
+void DownloadItemRequest::OnDownloadDestroyed(
+    download::DownloadItem* download) {
+  if (download == item_)
+    item_ = nullptr;
+}
+
+void DownloadItemRequest::OnGotFileContents(
+    base::OnceCallback<void(const std::string&)> callback,
+    const std::string& contents) {
+  std::move(callback).Run(contents);
+}
+
+}  // namespace safe_browsing

chrome/browser/safe_browsing/download_protection/download_item_request.h

+// Copyright 2019 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_SAFE_BROWSING_DOWNLOAD_PROTECTION_DOWNLOAD_ITEM_REQUEST_H_
+#define CHROME_BROWSER_SAFE_BROWSING_DOWNLOAD_PROTECTION_DOWNLOAD_ITEM_REQUEST_H_
+
+#include "base/callback.h"
+#include "base/memory/weak_ptr.h"
+#include "chrome/browser/safe_browsing/download_protection/binary_upload_service.h"
+#include "components/download/public/common/download_item.h"
+
+namespace safe_browsing {
+
+// This class implements the BinaryUploadService::Request interface for a
+// particular DownloadItem. It is neither moveable nor copyable.
+class DownloadItemRequest : public BinaryUploadService::Request,
+                            download::DownloadItem::Observer {
+ public:
+  DownloadItemRequest(download::DownloadItem* item,
+                      BinaryUploadService::Callback callback);
+  ~DownloadItemRequest() override;
+
+  DownloadItemRequest(const DownloadItemRequest&) = delete;
+  DownloadItemRequest& operator=(const DownloadItemRequest&) = delete;
+  DownloadItemRequest(DownloadItemRequest&&) = delete;
+  DownloadItemRequest& operator=(DownloadItemRequest&&) = delete;
+
+  // BinaryUploadService::Request implementation.
+  void GetFileContents(
+      base::OnceCallback<void(const std::string&)> callback) override;
+  size_t GetFileSize() override;
+
+  // download::DownloadItem::Observer implementation.
+  void OnDownloadDestroyed(download::DownloadItem* download) override;
+
+ private:
+  void OnGotFileContents(base::OnceCallback<void(const std::string&)> callback,
+                         const std::string& contents);
+
+  // Pointer the download item for upload. This must be accessed only the UI
+  // thread.
+  download::DownloadItem* item_;
+
+  base::WeakPtrFactory<DownloadItemRequest> weakptr_factory_;
+};
+}  // namespace safe_browsing
+
+#endif  // CHROME_BROWSER_SAFE_BROWSING_DOWNLOAD_PROTECTION_DOWNLOAD_ITEM_REQUEST_H_

chrome/browser/safe_browsing/download_protection/download_protection_service.cc

@@ -19,6 +19,7 @@
 #include "chrome/browser/safe_browsing/download_protection/download_feedback_service.h"
 #include "chrome/browser/safe_browsing/download_protection/download_url_sb_client.h"
 #include "chrome/browser/safe_browsing/download_protection/ppapi_download_request.h"
+#include "chrome/browser/safe_browsing/services_delegate.h"
 #include "chrome/browser/sessions/session_tab_helper.h"
 #include "chrome/common/safe_browsing/binary_feature_extractor.h"
 #include "chrome/common/url_constants.h"
@@ -465,4 +466,12 @@ bool DownloadProtectionService::MaybeBeginFeedbackForDownload(
   return false;
 }
 
+void DownloadProtectionService::UploadForDeepScanning(
+    Profile* profile,
+    std::unique_ptr<BinaryUploadService::Request> request) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+  sb_service_->GetBinaryUploadService(profile)->UploadForDeepScanning(
+      std::move(request));
+}
+
 }  // namespace safe_browsing

chrome/browser/safe_browsing/download_protection/download_protection_service.h

@@ -24,8 +24,10 @@
 #include "base/memory/ref_counted.h"
 #include "base/supports_user_data.h"
 #include "chrome/browser/download/download_commands.h"
+#include "chrome/browser/safe_browsing/download_protection/binary_upload_service.h"
 #include "chrome/browser/safe_browsing/download_protection/download_protection_util.h"
 #include "chrome/browser/safe_browsing/safe_browsing_navigation_observer_manager.h"
+#include "chrome/browser/safe_browsing/services_delegate.h"
 #include "chrome/browser/safe_browsing/ui_manager.h"
 #include "components/safe_browsing/db/database_manager.h"
 #include "components/sessions/core/session_id.h"
@@ -156,6 +158,14 @@ class DownloadProtectionService {
       const download::DownloadItem* item,
       bool show_download_in_folder);
 
+  // Uploads |request| to Safe Browsing for deep scanning, using the upload
+  // service attached to the given |profile|. This is non-blocking, and the
+  // result we be provided through the callback in |request|. This must be
+  // called on the UI thread.
+  void UploadForDeepScanning(
+      Profile* profile,
+      std::unique_ptr<BinaryUploadService::Request> request);
+
  private:
   friend class PPAPIDownloadRequest;
   friend class DownloadUrlSBClient;

chrome/browser/safe_browsing/safe_browsing_service.cc

@@ -30,6 +30,7 @@
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/safe_browsing/safe_browsing_navigation_observer_manager.h"
+#include "chrome/browser/safe_browsing/services_delegate.h"
 #include "chrome/browser/safe_browsing/ui_manager.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
@@ -246,6 +247,13 @@ VerdictCacheManager* SafeBrowsingService::GetVerdictCacheManager(
   return nullptr;
 }
 
+BinaryUploadService* SafeBrowsingService::GetBinaryUploadService(
+    Profile* profile) const {
+  if (profile->GetPrefs()->GetBoolean(prefs::kSafeBrowsingEnabled))
+    return services_delegate_->GetBinaryUploadService(profile);
+  return nullptr;
+}
+
 std::string SafeBrowsingService::GetProtocolConfigClientName() const {
   std::string client_name;
   // On Windows, get the safe browsing client name from the browser
@@ -335,6 +343,7 @@ void SafeBrowsingService::Observe(int type,
       services_delegate_->CreateTelemetryService(profile);
       if (!profile->IsOffTheRecord())
         AddPrefService(profile->GetPrefs());
+      services_delegate_->CreateBinaryUploadService(profile);
       break;
     }
     case chrome::NOTIFICATION_PROFILE_DESTROYED: {
@@ -345,6 +354,7 @@ void SafeBrowsingService::Observe(int type,
       services_delegate_->RemoveTelemetryService();
       if (!profile->IsOffTheRecord())
         RemovePrefService(profile->GetPrefs());
+      services_delegate_->RemoveBinaryUploadService(profile);
       break;
     }
     default:

chrome/browser/safe_browsing/safe_browsing_service.h

@@ -180,6 +180,9 @@ class SafeBrowsingService : public SafeBrowsingServiceInterface,
   // Get the cache manager by profile.
   VerdictCacheManager* GetVerdictCacheManager(Profile* profile) const;
 
+  // Get the binary upload service by profile.
+  BinaryUploadService* GetBinaryUploadService(Profile* profile) const;
+
  protected:
   // Creates the safe browsing service.  Need to initialize before using.
   SafeBrowsingService();

chrome/browser/safe_browsing/services_delegate.h

@@ -29,7 +29,7 @@ class TrackedPreferenceValidationDelegate;
 
 namespace safe_browsing {
 
-class VerdictCacheManager;
+class BinaryUploadService;
 class ClientSideDetectionService;
 class DownloadProtectionService;
 class IncidentReportingService;
@@ -40,6 +40,7 @@ class SafeBrowsingService;
 class SafeBrowsingDatabaseManager;
 class TelemetryService;
 struct V4ProtocolConfig;
+class VerdictCacheManager;
 
 // Abstraction to help organize code for mobile vs full safe browsing modes.
 // This helper class should be owned by a SafeBrowsingService, and it handles
@@ -130,6 +131,11 @@ class ServicesDelegate {
   virtual VerdictCacheManager* GetVerdictCacheManager(
       Profile* profile) const = 0;
 
+  virtual void CreateBinaryUploadService(Profile* profile) = 0;
+  virtual void RemoveBinaryUploadService(Profile* profile) = 0;
+  virtual BinaryUploadService* GetBinaryUploadService(
+      Profile* profile) const = 0;
+
   virtual std::string GetSafetyNetId() const = 0;
 };
 

chrome/browser/safe_browsing/services_delegate_desktop.cc

@@ -12,6 +12,7 @@
 #include "base/strings/string_util.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/history/history_service_factory.h"
+#include "chrome/browser/safe_browsing/download_protection/binary_upload_service.h"
 #include "chrome/browser/safe_browsing/safe_browsing_service.h"
 #include "chrome/browser/safe_browsing/telemetry/telemetry_service.h"
 #include "chrome/common/chrome_switches.h"
@@ -273,6 +274,32 @@ VerdictCacheManager* ServicesDelegateDesktop::GetVerdictCacheManager(
   return it->second.get();
 }
 
+void ServicesDelegateDesktop::CreateBinaryUploadService(Profile* profile) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  DCHECK(profile);
+  auto it = binary_upload_service_map_.find(profile);
+  DCHECK(it == binary_upload_service_map_.end());
+  auto service = std::make_unique<BinaryUploadService>(
+      safe_browsing_service_->GetURLLoaderFactory(), profile);
+  binary_upload_service_map_[profile] = std::move(service);
+}
+
+void ServicesDelegateDesktop::RemoveBinaryUploadService(Profile* profile) {
+  DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
+  DCHECK(profile);
+  auto it = binary_upload_service_map_.find(profile);
+  if (it != binary_upload_service_map_.end())
+    binary_upload_service_map_.erase(it);
+}
+
+BinaryUploadService* ServicesDelegateDesktop::GetBinaryUploadService(
+    Profile* profile) const {
+  DCHECK(profile);
+  auto it = binary_upload_service_map_.find(profile);
+  DCHECK(it != binary_upload_service_map_.end());
+  return it->second.get();
+}
+
 std::string ServicesDelegateDesktop::GetSafetyNetId() const {
   NOTREACHED() << "Only implemented on Android";
   return "";

chrome/browser/safe_browsing/services_delegate_desktop.h

@@ -80,6 +80,10 @@ class ServicesDelegateDesktop : public ServicesDelegate {
   void RemoveVerdictCacheManager(Profile* profile) override;
   VerdictCacheManager* GetVerdictCacheManager(Profile* profile) const override;
 
+  void CreateBinaryUploadService(Profile* profile) override;
+  void RemoveBinaryUploadService(Profile* profile) override;
+  BinaryUploadService* GetBinaryUploadService(Profile* profile) const override;
+
   std::string GetSafetyNetId() const override;
 
   std::unique_ptr<ClientSideDetectionService> csd_service_;
@@ -107,6 +111,11 @@ class ServicesDelegateDesktop : public ServicesDelegate {
   // instances. Accessed on UI thread.
   std::map<Profile*, std::unique_ptr<VerdictCacheManager>> cache_manager_map_;
 
+  // Tracks existing Profiles, and their corresponding BinaryUploadService
+  // instances. Accessed on UI thread.
+  std::map<Profile*, std::unique_ptr<BinaryUploadService>>
+      binary_upload_service_map_;
+
   DISALLOW_COPY_AND_ASSIGN(ServicesDelegateDesktop);
 };
 

components/safe_browsing/features.cc

@@ -67,6 +67,9 @@ const base::Feature kUseAPDownloadProtection{"UseAPDownloadProtection",
 const base::Feature kUseLocalBlacklistsV2{"SafeBrowsingUseLocalBlacklistsV2",
                                           base::FEATURE_DISABLED_BY_DEFAULT};
 
+const base::Feature kUploadForMalwareCheck{"SafeBrowsingUploadForMalwareCheck",
+                                           base::FEATURE_DISABLED_BY_DEFAULT};
+
 constexpr base::FeatureParam<bool> kShouldFillOldPhishGuardProto{
     &kPasswordProtectionForSignedInUsers, "DeprecateOldProto", false};
 

components/safe_browsing/features.h

@@ -85,6 +85,10 @@ extern const base::Feature kUseAPDownloadProtection;
 // Controls whether Chrome on Android uses locally cached blacklists.
 extern const base::Feature kUseLocalBlacklistsV2;
 
+// Controls whether we are uploading files to Safe Browsing for malware
+// scanning.
+extern const base::Feature kUploadForMalwareCheck;
+
 base::ListValue GetFeatureStatusList();
 
 // Returns whether or not to stop filling in the SyncAccountType and