DevTools: only allow inspectWorker if client can attach to browser

Bug: 1059577, 1064852 Change-Id: I2994be49f53aa8fc52fbd7cee543fa65521670f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2121434 Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Cr-Commit-Position: refs/heads/master@{#754408}

DevTools: only allow inspectWorker if client can attach to browser
Bug: 1059577, 1064852 Change-Id: I2994be49f53aa8fc52fbd7cee543fa65521670f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2121434 Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Devlin <rdevlin.cronin@chromium.org> Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Cr-Commit-Position: refs/heads/master@{#754408}
4d33ef97 · Andrey Kosyakov · Commit Bot · 328e69bc · 4d33ef97 · 4d33ef97
Commit 4d33ef97 authored Mar 30, 2020 by Andrey Kosyakov Committed by Commit Bot Mar 30, 2020
8 changed files
--- a/chrome/browser/extensions/api/debugger/debugger_apitest.cc
+++ b/chrome/browser/extensions/api/debugger/debugger_apitest.cc
@@ -338,6 +338,19 @@ IN_PROC_BROWSER_TEST_F(DebuggerExtensionApiTest, Debugger) {
  ASSERT_TRUE(RunExtensionTest("debugger")) << message_;
 }

+// Tests that an extension is not allowed to inspect a worker through the
+// inspectWorker debugger command.
+// Regression test for https://crbug.com/1059577.
+IN_PROC_BROWSER_TEST_F(DebuggerExtensionApiTest,
+                       DebuggerNotAllowedToInvokeInspectWorker) {
+  GURL url(embedded_test_server()->GetURL(
+      "/extensions/api_test/debugger_inspect_worker/inspected_page.html"));
+
+  EXPECT_TRUE(
+      RunExtensionTestWithArg("debugger_inspect_worker", url.spec().c_str()))
+      << message_;
+}
+
 class SitePerProcessDebuggerExtensionApiTest : public DebuggerExtensionApiTest {
 public:
  void SetUpCommandLine(base::CommandLine* command_line) override {

--- a/chrome/test/data/extensions/api_test/debugger_inspect_worker/background.js
+++ b/chrome/test/data/extensions/api_test/debugger_inspect_worker/background.js
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const protocolVersion = '1.3';
+
+chrome.test.getConfig(config => chrome.test.runTests([
+  async function testInspectWorkerForbidden() {
+    const tab = await new Promise(resolve =>
+        chrome.tabs.create({url: config.customArg}, resolve));
+    const debuggee = {tabId: tab.id};
+    await new Promise(resolve =>
+        chrome.debugger.attach(debuggee, protocolVersion, resolve));
+    chrome.debugger.sendCommand(debuggee, 'ServiceWorker.enable', null);
+    let workerReadyCallback;
+    chrome.debugger.onEvent.addListener((source, method, params) => {
+      if (method !== 'ServiceWorker.workerVersionUpdated')
+        return;
+      const versions = params.versions;
+      if (!versions.length || versions[0].runningStatus !== 'running')
+        return;
+      workerReadyCallback(versions[0].versionId);
+    });
+    const versionId = await new Promise(resolve =>
+        workerReadyCallback = resolve);
+    await new Promise(resolve =>
+        chrome.debugger.sendCommand(debuggee, 'ServiceWorker.inspectWorker',
+            {versionId}, resolve))
+    chrome.test.assertTrue(!!chrome.runtime.lastError,
+                           'Expected ServiceWorker.inspectWorker to fail');
+    chrome.test.assertEq('Permission denied',
+                         JSON.parse(chrome.runtime.lastError.message).message);
+    chrome.test.succeed();
+  }
+]));
--- a/chrome/test/data/extensions/api_test/debugger_inspect_worker/inspected_page.html
+++ b/chrome/test/data/extensions/api_test/debugger_inspect_worker/inspected_page.html
+<html>
+<script>
+navigator.serviceWorker.register("./service_worker.js");
+</script>
+</html>
\ No newline at end of file
--- a/chrome/test/data/extensions/api_test/debugger_inspect_worker/manifest.json
+++ b/chrome/test/data/extensions/api_test/debugger_inspect_worker/manifest.json
+{
+  "name": "Debugger API test for inpectWorker CDP command",
+  "version": "1.0",
+  "manifest_version": 2,
+  "background": {
+    "scripts": ["background.js"]
+  },
+  "permissions": [
+    "debugger"
+  ]
+}
--- a/chrome/test/data/extensions/api_test/debugger_inspect_worker/service_worker.js
+++ b/chrome/test/data/extensions/api_test/debugger_inspect_worker/service_worker.js
+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// It's empty, yes.
--- a/content/browser/devtools/protocol/service_worker_handler.cc
+++ b/content/browser/devtools/protocol/service_worker_handler.cc
@@ -179,8 +179,9 @@ void DispatchPeriodicSyncEventOnCoreThread(

 }  // namespace

-ServiceWorkerHandler::ServiceWorkerHandler()
+ServiceWorkerHandler::ServiceWorkerHandler(bool allow_inspect_worker)
    : DevToolsDomainHandler(ServiceWorker::Metainfo::domainName),
+      allow_inspect_worker_(allow_inspect_worker),
      enabled_(false),
      browser_context_(nullptr),
      storage_partition_(nullptr) {}
@@ -313,7 +314,8 @@ Response ServiceWorkerHandler::InspectWorker(const std::string& version_id) {
    return CreateDomainNotEnabledErrorResponse();
  if (!context_)
    return CreateContextErrorResponse();
-
+  if (!allow_inspect_worker_)
+    return Response::ServerError("Permission denied");
  int64_t id = blink::mojom::kInvalidServiceWorkerVersionId;
  if (!base::StringToInt64(version_id, &id))
    return CreateInvalidVersionIdErrorResponse();

--- a/content/browser/devtools/protocol/service_worker_handler.h
+++ b/content/browser/devtools/protocol/service_worker_handler.h
@@ -31,7 +31,7 @@ namespace protocol {
 class ServiceWorkerHandler : public DevToolsDomainHandler,
                             public ServiceWorker::Backend {
 public:
-  ServiceWorkerHandler();
+  explicit ServiceWorkerHandler(bool allow_inspect_worker);
  ~ServiceWorkerHandler() override;

  void Wire(UberDispatcher* dispatcher) override;
@@ -72,6 +72,7 @@ class ServiceWorkerHandler : public DevToolsDomainHandler,
  void OpenNewDevToolsWindow(int process_id, int devtools_agent_route_id);
  void ClearForceUpdate();

+  const bool allow_inspect_worker_;
  scoped_refptr<ServiceWorkerContextWrapper> context_;
  std::unique_ptr<ServiceWorker::Frontend> frontend_;
  bool enabled_;

--- a/content/browser/devtools/render_frame_devtools_agent_host.cc
+++ b/content/browser/devtools/render_frame_devtools_agent_host.cc
@@ -318,10 +318,12 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session) {
                          },
                          base::Unretained(this))));
  session->AddHandler(std::make_unique<protocol::SchemaHandler>());
-  session->AddHandler(std::make_unique<protocol::ServiceWorkerHandler>());
+  const bool may_attach_to_brower = session->GetClient()->MayAttachToBrowser();
+  session->AddHandler(std::make_unique<protocol::ServiceWorkerHandler>(
+      /* allow_inspect_worker= */ may_attach_to_brower));
  session->AddHandler(std::make_unique<protocol::StorageHandler>());
  session->AddHandler(std::make_unique<protocol::TargetHandler>(
-      session->GetClient()->MayAttachToBrowser()
+      may_attach_to_brower
          ? protocol::TargetHandler::AccessMode::kRegular
          : protocol::TargetHandler::AccessMode::kAutoAttachOnly,
      GetId(), GetRendererChannel(), session->GetRootSession()));