Reporting: Limit JSON size and depth.

is makes it less likely that origins will be able to exploit base::JSONReader using Report-To headers. Bug: 810142 Change-Id: Ie27d98efe2afbfbeec2e4767e2a64b546e4483d9 Reviewed-on: https://chromium-review.googlesource.com/942231Reviewed-by: Julia Tuttle <juliatuttle@chromium.org> Commit-Queue: John Abd-El-Malek <jam@chromium.org> Cr-Commit-Position: refs/heads/master@{#540395}

Reporting: Limit JSON size and depth.
is makes it less likely that origins will be able to exploit base::JSONReader using Report-To headers. Bug: 810142 Change-Id: Ie27d98efe2afbfbeec2e4767e2a64b546e4483d9 Reviewed-on: https://chromium-review.googlesource.com/942231Reviewed-by: Julia Tuttle <juliatuttle@chromium.org> Commit-Queue: John Abd-El-Malek <jam@chromium.org> Cr-Commit-Position: refs/heads/master@{#540395}
7d87494c · Julia Tuttle · Commit Bot · cbd2ab58 · 7d87494c · 7d87494c
Commit 7d87494c authored Mar 02, 2018 by Julia Tuttle Committed by Commit Bot Mar 02, 2018
4 changed files
--- a/net/reporting/reporting_delegate.cc
+++ b/net/reporting/reporting_delegate.cc
@@ -12,6 +12,9 @@ namespace net {
 namespace {
+const int kMaxJsonSize = 16 * 1024;
+const int kMaxJsonDepth = 5;
 class ReportingDelegateImpl : public ReportingDelegate {
 public:
  ReportingDelegateImpl(URLRequestContext* request_context)
@@ -53,7 +56,13 @@ class ReportingDelegateImpl : public ReportingDelegate {
  void ParseJson(const std::string& unsafe_json,
                 const JsonSuccessCallback& success_callback,
                 const JsonFailureCallback& failure_callback) const override {
-    std::unique_ptr<base::Value> value = base::JSONReader::Read(unsafe_json);
+    if (unsafe_json.size() > kMaxJsonSize) {
+      failure_callback.Run();
+      return;
+    }
+    std::unique_ptr<base::Value> value = base::JSONReader::Read(
+        unsafe_json, base::JSON_PARSE_RFC, kMaxJsonDepth);
    if (value)
      success_callback.Run(std::move(value));
    else

--- a/net/reporting/reporting_service_unittest.cc
+++ b/net/reporting/reporting_service_unittest.cc
@@ -78,5 +78,37 @@ TEST_F(ReportingServiceTest, ProcessHeader) {
            client->expires);
 }
+TEST_F(ReportingServiceTest, ProcessHeader_TooLong) {
+  const std::string header_too_long =
+      "{\"endpoints\":[{\"url\":\"" + kEndpoint_.spec() +
+      "\"}],"
+      "\"group\":\"" +
+      kGroup_ +
+      "\","
+      "\"max-age\":86400," +
+      "\"junk\":\"" + std::string(32 * 1024, 'a') + "\"}";
+  service()->ProcessHeader(kUrl_, header_too_long);
+  const ReportingClient* client =
+      FindClientInCache(context()->cache(), kOrigin_, kEndpoint_);
+  EXPECT_FALSE(client);
+}
+TEST_F(ReportingServiceTest, ProcessHeader_TooDeep) {
+  const std::string header_too_deep = "{\"endpoints\":[{\"url\":\"" +
+                                      kEndpoint_.spec() +
+                                      "\"}],"
+                                      "\"group\":\"" +
+                                      kGroup_ +
+                                      "\","
+                                      "\"max-age\":86400," +
+                                      "\"junk\":[[[[[[[[[[]]]]]]]]]]}";
+  service()->ProcessHeader(kUrl_, header_too_deep);
+  const ReportingClient* client =
+      FindClientInCache(context()->cache(), kOrigin_, kEndpoint_);
+  EXPECT_FALSE(client);
+}
 }  // namespace
 }  // namespace net
--- a/net/reporting/reporting_test_util.cc
+++ b/net/reporting/reporting_test_util.cc
@@ -24,6 +24,7 @@
 #include "net/reporting/reporting_garbage_collector.h"
 #include "net/reporting/reporting_policy.h"
 #include "net/reporting/reporting_uploader.h"
+#include "net/url_request/url_request_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 #include "url/origin.h"
@@ -110,7 +111,9 @@ bool TestReportingUploader::RequestIsUpload(const URLRequest& request) {
  return true;
 }
-TestReportingDelegate::TestReportingDelegate() = default;
+TestReportingDelegate::TestReportingDelegate()
+    : test_request_context_(std::make_unique<TestURLRequestContext>()),
+      real_delegate_(ReportingDelegate::Create(test_request_context_.get())) {}
 TestReportingDelegate::~TestReportingDelegate() = default;
@@ -140,11 +143,7 @@ void TestReportingDelegate::ParseJson(
    const std::string& unsafe_json,
    const JsonSuccessCallback& success_callback,
    const JsonFailureCallback& failure_callback) const {
-  std::unique_ptr<base::Value> value = base::JSONReader::Read(unsafe_json);
+  real_delegate_->ParseJson(unsafe_json, success_callback, failure_callback);
-  if (value)
-    success_callback.Run(std::move(value));
-  else
-    failure_callback.Run();
 }
 TestReportingContext::TestReportingContext(base::Clock* clock,

--- a/net/reporting/reporting_test_util.h
+++ b/net/reporting/reporting_test_util.h
@@ -36,6 +36,7 @@ namespace net {
 class ReportingCache;
 struct ReportingClient;
 class ReportingGarbageCollector;
+class TestURLRequestContext;
 // Finds a particular client (by origin and endpoint) in the cache and returns
 // it (or nullptr if not found).
@@ -82,6 +83,9 @@ class TestReportingUploader : public ReportingUploader {
  DISALLOW_COPY_AND_ASSIGN(TestReportingUploader);
 };
+// Allows all permissions unless set_disallow_report_uploads is called; uses
+// the real ReportingDelegate for JSON parsing to exercise depth and size
+// limits.
 class TestReportingDelegate : public ReportingDelegate {
 public:
  TestReportingDelegate();
@@ -111,6 +115,8 @@ class TestReportingDelegate : public ReportingDelegate {
                 const JsonFailureCallback& failure_callback) const override;
 private:
+  std::unique_ptr<TestURLRequestContext> test_request_context_;
+  std::unique_ptr<ReportingDelegate> real_delegate_;
  bool disallow_report_uploads_ = false;
  DISALLOW_COPY_AND_ASSIGN(TestReportingDelegate);