Network Error Logging: Limit JSON size and depth.

This makes it less likely that origins will be able to exploit base::JSONReader using NEL headers. Bug: 810142 Change-Id: I26967667cb1cb644549e48ac8d3bff3a2d6a5ace Reviewed-on: https://chromium-review.googlesource.com/944021Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Julia Tuttle <juliatuttle@chromium.org> Cr-Commit-Position: refs/heads/master@{#540392}

Network Error Logging: Limit JSON size and depth.
This makes it less likely that origins will be able to exploit base::JSONReader using NEL headers. Bug: 810142 Change-Id: I26967667cb1cb644549e48ac8d3bff3a2d6a5ace Reviewed-on: https://chromium-review.googlesource.com/944021Reviewed-by: John Abd-El-Malek <jam@chromium.org> Commit-Queue: Julia Tuttle <juliatuttle@chromium.org> Cr-Commit-Position: refs/heads/master@{#540392}
7f713569 · Julia Tuttle · Commit Bot · d68a05a9 · 7f713569 · 7f713569
Commit 7f713569 authored Mar 02, 2018 by Julia Tuttle Committed by Commit Bot Mar 02, 2018
2 changed files
--- a/net/network_error_logging/network_error_logging_service.cc
+++ b/net/network_error_logging/network_error_logging_service.cc
@@ -28,6 +28,9 @@ namespace net {
 namespace {
+const int kMaxJsonSize = 16 * 1024;
+const int kMaxJsonDepth = 4;
 const char kReportToKey[] = "report-to";
 const char kMaxAgeKey[] = "max-age";
 const char kIncludeSubdomainsKey[] = "includeSubdomains";
@@ -257,7 +260,11 @@ class NetworkErrorLoggingServiceImpl : public NetworkErrorLoggingService {
                   OriginPolicy* policy_out) const {
    DCHECK(policy_out);
-    std::unique_ptr<base::Value> value = base::JSONReader::Read(json_value);
+    if (json_value.size() > kMaxJsonSize)
+      return false;
+    std::unique_ptr<base::Value> value =
+        base::JSONReader::Read(json_value, base::JSON_PARSE_RFC, kMaxJsonDepth);
    if (!value)
      return false;

--- a/net/network_error_logging/network_error_logging_service_unittest.cc
+++ b/net/network_error_logging/network_error_logging_service_unittest.cc
@@ -156,6 +156,12 @@ class NetworkErrorLoggingServiceTest : public ::testing::Test {
  const std::string kHeaderIncludeSubdomains_ =
      "{\"report-to\":\"group\",\"max-age\":86400,\"includeSubdomains\":true}";
  const std::string kHeaderMaxAge0_ = "{\"max-age\":0}";
+  const std::string kHeaderTooLong_ =
+      "{\"report-to\":\"group\",\"max-age\":86400,\"junk\":\"" +
+      std::string(32 * 1024, 'a') + "\"}";
+  const std::string kHeaderTooDeep_ =
+      "{\"report-to\":\"group\",\"max-age\":86400,\"junk\":[[[[[[[[[[]]]]]]]]]]"
+      "}";
  const std::string kGroup_ = "group";
@@ -207,6 +213,22 @@ TEST_F(NetworkErrorLoggingServiceTest, NoPolicyForOrigin) {
  EXPECT_TRUE(reports().empty());
 }
+TEST_F(NetworkErrorLoggingServiceTest, JsonTooLong) {
+  service()->OnHeader(kOrigin_, kHeaderTooLong_);
+  service()->OnRequest(MakeRequestDetails(kUrl_, ERR_CONNECTION_REFUSED));
+  EXPECT_TRUE(reports().empty());
+}
+TEST_F(NetworkErrorLoggingServiceTest, JsonTooDeep) {
+  service()->OnHeader(kOrigin_, kHeaderTooDeep_);
+  service()->OnRequest(MakeRequestDetails(kUrl_, ERR_CONNECTION_REFUSED));
+  EXPECT_TRUE(reports().empty());
+}
 TEST_F(NetworkErrorLoggingServiceTest, SuccessReportQueued) {
  static const std::string kHeaderSuccessFraction1 =
      "{\"report-to\":\"group\",\"max-age\":86400,\"success-fraction\":1.0}";