[NativeFileSystem] must reject in sandboxed windows

Updates FileSystemDirectoryHandle.getSystemDirectory() and chooseFileSystemEntries() to reject with a SecurityError when called by a sandboxed window. This change also adds a WPT test that accesses the NativeFileSystem from opaque origins. The test includes a data URI iframe, sandboxed iframe and a sandboxed opened window. Unlike sandboxed iframes, for data URI iframes, the NativeFileSystem API is undefined because data URI iframes do not provide a secure context. This change gives the NativeFileSystem the same behavior as other web platform storage with write operations. LocalStorage, indexedDB, and cacheStorage all fail with SecurityErrors when accessed from a sandbox. However, sandboxes can read files using <input type=file> and drag&drop. In the future, if a read-only sandbox scenario emerges, we can consider loosening this policy for the NativeFileSystem. Bug: 1014248 Change-Id: Ibeafcdbf102275f2cd45f3cd7dbd8ed592c850c6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1907278Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Reviewed-by: Olivier Yiptong <oyiptong@chromium.org> Reviewed-by: Dave Tapuska <dtapuska@chromium.org> Commit-Queue: Steve Becker <stevebe@microsoft.com> Cr-Commit-Position: refs/heads/master@{#715119}

[NativeFileSystem] must reject in sandboxed windows
Updates FileSystemDirectoryHandle.getSystemDirectory() and chooseFileSystemEntries() to reject with a SecurityError when called by a sandboxed window. This change also adds a WPT test that accesses the NativeFileSystem from opaque origins. The test includes a data URI iframe, sandboxed iframe and a sandboxed opened window. Unlike sandboxed iframes, for data URI iframes, the NativeFileSystem API is undefined because data URI iframes do not provide a secure context. This change gives the NativeFileSystem the same behavior as other web platform storage with write operations. LocalStorage, indexedDB, and cacheStorage all fail with SecurityErrors when accessed from a sandbox. However, sandboxes can read files using <input type=file> and drag&drop. In the future, if a read-only sandbox scenario emerges, we can consider loosening this policy for the NativeFileSystem. Bug: 1014248 Change-Id: Ibeafcdbf102275f2cd45f3cd7dbd8ed592c850c6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1907278Reviewed-by: Marijn Kruisselbrink <mek@chromium.org> Reviewed-by: Olivier Yiptong <oyiptong@chromium.org> Reviewed-by: Dave Tapuska <dtapuska@chromium.org> Commit-Queue: Steve Becker <stevebe@microsoft.com> Cr-Commit-Position: refs/heads/master@{#715119}
471e5833 · Steve Becker · Commit Bot · 13b4a4ad · 471e5833 · 471e5833
Commit 471e5833 authored Nov 14, 2019 by Steve Becker Committed by Commit Bot Nov 14, 2019
6 changed files
--- a/third_party/blink/renderer/modules/native_file_system/native_file_system_directory_handle.cc
+++ b/third_party/blink/renderer/modules/native_file_system/native_file_system_directory_handle.cc
@@ -12,6 +12,7 @@
 #include "third_party/blink/public/platform/task_type.h"
 #include "third_party/blink/renderer/bindings/core/v8/script_promise_resolver.h"
 #include "third_party/blink/renderer/core/dom/dom_exception.h"
+#include "third_party/blink/renderer/core/execution_context/security_context.h"
 #include "third_party/blink/renderer/core/fileapi/file_error.h"
 #include "third_party/blink/renderer/modules/native_file_system/file_system_get_directory_options.h"
 #include "third_party/blink/renderer/modules/native_file_system/file_system_get_file_options.h"
@@ -19,6 +20,7 @@
 #include "third_party/blink/renderer/modules/native_file_system/native_file_system_directory_iterator.h"
 #include "third_party/blink/renderer/modules/native_file_system/native_file_system_error.h"
 #include "third_party/blink/renderer/modules/native_file_system/native_file_system_file_handle.h"
+#include "third_party/blink/renderer/platform/weborigin/security_origin.h"
 #include "third_party/blink/renderer/platform/wtf/functional.h"
 namespace blink {
@@ -158,6 +160,23 @@ ScriptPromise NativeFileSystemDirectoryHandle::removeEntry(
 ScriptPromise NativeFileSystemDirectoryHandle::getSystemDirectory(
    ScriptState* script_state,
    const GetSystemDirectoryOptions* options) {
+  ExecutionContext* context = ExecutionContext::From(script_state);
+  if (!context->GetSecurityOrigin()->CanAccessNativeFileSystem()) {
+    if (context->GetSecurityContext().IsSandboxed(WebSandboxFlags::kOrigin)) {
+      return ScriptPromise::RejectWithDOMException(
+          script_state,
+          MakeGarbageCollected<DOMException>(
+              DOMExceptionCode::kSecurityError,
+              "System directory access is denied because the context is "
+              "sandboxed and lacks the 'allow-same-origin' flag."));
+    } else {
+      return ScriptPromise::RejectWithDOMException(
+          script_state, MakeGarbageCollected<DOMException>(
+                            DOMExceptionCode::kSecurityError,
+                            "System directory access is denied."));
+    }
+  }
  auto* resolver = MakeGarbageCollected<ScriptPromiseResolver>(script_state);
  ScriptPromise result = resolver->Promise();
@@ -166,7 +185,7 @@ ScriptPromise NativeFileSystemDirectoryHandle::getSystemDirectory(
  // for each operation, and can avoid code duplication between here and other
  // uses.
  mojo::Remote<mojom::blink::NativeFileSystemManager> manager;
-  auto* provider = ExecutionContext::From(script_state)->GetInterfaceProvider();
+  auto* provider = context->GetInterfaceProvider();
  if (!provider) {
    resolver->Reject(file_error::CreateDOMException(
        base::File::FILE_ERROR_INVALID_OPERATION));

--- a/third_party/blink/renderer/modules/native_file_system/window_native_file_system.cc
+++ b/third_party/blink/renderer/modules/native_file_system/window_native_file_system.cc
@@ -77,6 +77,22 @@ ScriptPromise WindowNativeFileSystem::chooseFileSystemEntries(
        MakeGarbageCollected<DOMException>(DOMExceptionCode::kAbortError));
  }
+  if (!document->GetSecurityOrigin()->CanAccessNativeFileSystem()) {
+    if (document->IsSandboxed(WebSandboxFlags::kOrigin)) {
+      return ScriptPromise::RejectWithDOMException(
+          script_state,
+          MakeGarbageCollected<DOMException>(
+              DOMExceptionCode::kSecurityError,
+              "Sandboxed documents aren't allowed to show a file picker."));
+    } else {
+      return ScriptPromise::RejectWithDOMException(
+          script_state,
+          MakeGarbageCollected<DOMException>(
+              DOMExceptionCode::kSecurityError,
+              "This document isn't allowed to show a file picker."));
+    }
+  }
  LocalFrame* local_frame = window.GetFrame();
  if (!local_frame || local_frame->IsCrossOriginSubframe()) {
    return ScriptPromise::RejectWithDOMException(

--- a/third_party/blink/renderer/platform/weborigin/security_origin.h
+++ b/third_party/blink/renderer/platform/weborigin/security_origin.h
@@ -222,6 +222,7 @@ class PLATFORM_EXPORT SecurityOrigin : public RefCounted<SecurityOrigin> {
  bool CanAccessCookies() const { return !IsOpaque(); }
  bool CanAccessPasswordManager() const { return !IsOpaque(); }
  bool CanAccessFileSystem() const { return !IsOpaque(); }
+  bool CanAccessNativeFileSystem() const { return !IsOpaque(); }
  bool CanAccessCacheStorage() const { return !IsOpaque(); }
  bool CanAccessLocks() const { return !IsOpaque(); }

--- a/third_party/blink/web_tests/external/wpt/native-file-system/opaque-origin.https.window.js
+++ b/third_party/blink/web_tests/external/wpt/native-file-system/opaque-origin.https.window.js
+'use strict';
+const kSandboxWindowUrl = 'resources/opaque-origin-sandbox.html';
+function add_iframe(test, src, sandbox) {
+  const iframe = document.createElement('iframe');
+  iframe.src = src;
+  if (sandbox !== undefined) {
+    iframe.sandbox = sandbox;
+  }
+  document.body.appendChild(iframe);
+  test.add_cleanup(() => {
+    iframe.remove();
+  });
+}
+// Creates a data URI iframe that uses postMessage() to provide its parent
+// with the test result. The iframe checks for the existence of
+// |property_name| on the window.
+async function verify_does_not_exist_in_data_uri_iframe(
+  test, property_name) {
+  const iframe_content =
+    '<script>' +
+    '  const is_property_name_defined = ' +
+    `    (self.${property_name} !== undefined);` +
+    '  parent.postMessage({is_property_name_defined}, "*")' +
+    '</script>';
+  const data_uri = `data:text/html,${encodeURIComponent(iframe_content)}`;
+  add_iframe(test, data_uri);
+  const event_watcher = new EventWatcher(test, self, 'message');
+  const message_event = await event_watcher.wait_for('message')
+  assert_false(message_event.data.is_property_name_defined,
+    `Data URI iframes must not define '${property_name}'.`);
+}
+// |kSandboxWindowUrl| sends two messages to this window. The first is the
+// result of chooseFileSystemEntries(). The second is the result of
+// getSystemDirectory(). For windows using sandbox='allow-scripts',
+// both results must produce rejected promises.
+async function verify_results_from_sandboxed_child_window(test) {
+  const event_watcher = new EventWatcher(test, self, 'message');
+  const first_message_event = await event_watcher.wait_for('message');
+  assert_equals(first_message_event.data,
+    'chooseFileSystemEntries(): REJECTED: SecurityError');
+  const second_message_event = await event_watcher.wait_for('message');
+  assert_equals(second_message_event.data,
+    'getSystemDirectory(): REJECTED: SecurityError');
+}
+promise_test(async test => {
+  await verify_does_not_exist_in_data_uri_iframe(
+    test, 'chooseFileSystemEntries');
+}, 'chooseFileSystemEntries() must be undefined for data URI iframes.');
+promise_test(async test => {
+  await verify_does_not_exist_in_data_uri_iframe(
+    test, 'FileSystemDirectoryHandle');
+}, 'FileSystemDirectoryHandle must be undefined for data URI iframes.');
+promise_test(async test => {
+  add_iframe(test, kSandboxWindowUrl, /*sandbox=*/'allow-scripts');
+  await verify_results_from_sandboxed_child_window(test);
+}, 'FileSystemDirectoryHandle.getSystemDirectory() and ' +
+'chooseFileSystemEntries() must reject in a sandboxed iframe.');
+promise_test(async test => {
+  const child_window_url = kSandboxWindowUrl +
+    '?pipe=header(Content-Security-Policy, sandbox allow-scripts)';
+  const child_window = window.open(child_window_url);
+  test.add_cleanup(() => {
+    child_window.close();
+  });
+  await verify_results_from_sandboxed_child_window(test);
+}, 'FileSystemDirectoryHandle.getSystemDirectory() and '
+ 'chooseFileSystemEntries() must reject in a sandboxed opened window.');
--- a/third_party/blink/web_tests/external/wpt/native-file-system/resources/opaque-origin-sandbox.html
+++ b/third_party/blink/web_tests/external/wpt/native-file-system/resources/opaque-origin-sandbox.html
+<!DOCTYPE html>
+<script>
+  'use strict'
+  // Sends two messages to its creator:
+  // (1) The result of chooseFileSystemEntries().
+  // (2) The result of FileSystemDirectoryHandle.getSystemDirectory().
+  function post_message(data) {
+    if (window.parent !== null) {
+      window.parent.postMessage(data, { targetOrigin: '*' });
+    }
+    if (window.opener !== null) {
+      window.opener.postMessage(data, { targetOrigin: '*' });
+    }
+  }
+  try {
+    window.chooseFileSystemEntries({ type: 'openDirectory' })
+      .then(() => {
+        post_message('chooseFileSystemEntries(): FULFILLED');
+      }).catch(error => {
+        post_message(`chooseFileSystemEntries(): REJECTED: ${error.name}`);
+      });
+  } catch (error) {
+    post_message(`chooseFileSystemEntries(): EXCEPTION: ${error.name}`);
+  }
+  try {
+    window.FileSystemDirectoryHandle.getSystemDirectory({ type: 'sandbox' })
+      .then(() => {
+        post_message('getSystemDirectory(): FULFILLED');
+      }).catch(error => {
+        post_message(`getSystemDirectory(): REJECTED: ${error.name}`);
+      });
+  } catch (error) {
+    post_message(`getSystemDirectory(): EXCEPTION: ${error.name}`);
+  }
+</script>
--- a/third_party/blink/web_tests/external/wpt/native-file-system/script-tests/FileSystemBaseHandle-postMessage-Error.js
+++ b/third_party/blink/web_tests/external/wpt/native-file-system/script-tests/FileSystemBaseHandle-postMessage-Error.js
@@ -182,28 +182,14 @@ directory_test(async (t, root_dir) => {
    t, root_dir, /*receiver=*/self, /*target=*/iframe.contentWindow,
    /*target_origin=*/'*', /*expected_has_source*/true,
    /*expected_origin=*/location.origin);
+}, 'Fail to send to a sandboxed iframe.');
-  // https://crbug.com/1014248 Should sandboxed iframes expose the
-  // NativeFileSystem?
-  //
-  // await do_receive_message_error_test(
-  //   t, /*receiver=*/self, /*target=*/iframe.contentWindow,
-  //   /*target_origin=*/'*', /*expected_has_source=*/true,
-  //   /*expected_origin=*/kRemoteOrigin);
-}, 'Fail to send and receive messages using a sandboxed iframe.');
 directory_test(async (t, root_dir) => {
  const iframe = await add_iframe(
    t, { src: kDocumentMessageTarget, sandbox: 'allow-scripts' });
  await do_send_message_port_error_test(
    t, root_dir, /*target=*/iframe.contentWindow, /*target_origin=*/'*');
+}, 'Fail to send messages using a message port to a sandboxed ' +
-  // https://crbug.com/1014248 Should sandboxed iframes expose the
-  // NativeFileSystem?
-  //
-  // await do_receive_message_port_error_test(
-  //   t, /*target=*/iframe.contentWindow, /*target_origin=*/'*');
-}, 'Fail to send and receive messages using a message port in a sandboxed ' +
 'iframe.');
 directory_test(async (t, root_dir) => {
@@ -246,15 +232,7 @@ directory_test(async (t, root_dir) => {
    t, root_dir, /*receiver=*/self, /*target=*/child_window,
    /*target_origin=*/'*', /*expected_has_source*/true,
    /*expected_origin=*/location.origin);
+}, 'Fail to send messages to  a sandboxed window.');
-  // https://crbug.com/1014248 Should sandboxed windows expose the
-  // NativeFileSystem?
-  //
-  // await do_receive_message_error_test(
-  //   t, /*receiver=*/self, /*target=*/child_window,
-  //   /*target_origin=*/'*', /*expected_has_source=*/true,
-  //   /*expected_origin=*/kRemoteOrigin);
-}, 'Fail to send and receive messages using a sandboxed window.');
 directory_test(async (t, root_dir) => {
  const url = `${kDocumentMessageTarget}?pipe=header(Content-Security-Policy` +
@@ -262,11 +240,5 @@ directory_test(async (t, root_dir) => {
  const child_window = await open_window(t, url);
  await do_send_message_port_error_test(
    t, root_dir, /*target=*/child_window, /*target_origin=*/'*');
+}, 'Fail to send messages using a message port to a sandboxed ' +
-  // https://crbug.com/1014248 Should sandboxed windows expose the
-  // NativeFileSystem?
-  //
-  // await do_receive_message_port_error_test(
-  //   t, /*target=*/child_window, /*target_origin=*/'*');
-}, 'Fail to send and receive messages using a message port in a sandboxed ' +
 'window.');