Add real time check as a new threat source.

Server-side CL: http://cl/337577068.

Bug: 1138689
Change-Id: Id73358981c6f70afc4977ee86805d2e2a2a3fc57
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2482046Reviewed-by: Weilun Shi <sweilun@chromium.org>
Reviewed-by: Ilya Sherman <isherman@chromium.org>
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Commit-Queue: Xinghui Lu <xinghuilu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#819948}

components/safe_browsing/content/base_blocking_page.cc

@@ -195,6 +195,8 @@ std::string BaseBlockingPage::GetExtraMetricsSuffix(
       return "from_client_side_detection";
     case safe_browsing::ThreatSource::PASSWORD_PROTECTION_SERVICE:
       return "from_password_protection_service";
+    case safe_browsing::ThreatSource::REAL_TIME_CHECK:
+      return "from_real_time_check";
     case safe_browsing::ThreatSource::UNKNOWN:
       break;
   }

components/safe_browsing/content/browser/threat_details.cc

@@ -189,6 +189,8 @@ CSBRR::SafeBrowsingUrlApiType GetUrlApiTypeForThreatSource(
       return CSBRR::PVER4_NATIVE;
     case safe_browsing::ThreatSource::REMOTE:
       return CSBRR::ANDROID_SAFETYNET;
+    case safe_browsing::ThreatSource::REAL_TIME_CHECK:
+      return CSBRR::REAL_TIME;
     case safe_browsing::ThreatSource::UNKNOWN:
     case safe_browsing::ThreatSource::CLIENT_SIDE_DETECTION:
     case safe_browsing::ThreatSource::PASSWORD_PROTECTION_SERVICE:

components/safe_browsing/core/browser/safe_browsing_url_checker_impl.cc

@@ -170,7 +170,8 @@ void SafeBrowsingUrlCheckerImpl::CheckUrl(const GURL& url,
 security_interstitials::UnsafeResource
 SafeBrowsingUrlCheckerImpl::MakeUnsafeResource(const GURL& url,
                                                SBThreatType threat_type,
-                                               const ThreatMetadata& metadata) {
+                                               const ThreatMetadata& metadata,
+                                               bool is_from_real_time_check) {
   security_interstitials::UnsafeResource resource;
   resource.url = url;
   resource.original_url = urls_[0].url;
@@ -191,7 +192,9 @@ SafeBrowsingUrlCheckerImpl::MakeUnsafeResource(const GURL& url,
       base::CreateSingleThreadTaskRunner(CreateTaskTraits(ThreadID::IO));
   resource.web_contents_getter = web_contents_getter_;
   resource.web_state_getter = web_state_getter_;
-  resource.threat_source = database_manager_->GetThreatSource();
+  resource.threat_source = is_from_real_time_check
+                               ? ThreatSource::REAL_TIME_CHECK
+                               : database_manager_->GetThreatSource();
   return resource;
 }
 
@@ -199,12 +202,13 @@ void SafeBrowsingUrlCheckerImpl::OnCheckBrowseUrlResult(
     const GURL& url,
     SBThreatType threat_type,
     const ThreatMetadata& metadata) {
-  OnUrlResult(url, threat_type, metadata);
+  OnUrlResult(url, threat_type, metadata, /*is_from_real_time_check=*/false);
 }
 
 void SafeBrowsingUrlCheckerImpl::OnUrlResult(const GURL& url,
                                              SBThreatType threat_type,
-                                             const ThreatMetadata& metadata) {
+                                             const ThreatMetadata& metadata,
+                                             bool is_from_real_time_check) {
   DCHECK_EQ(STATE_CHECKING_URL, state_);
   DCHECK_LT(next_index_, urls_.size());
   DCHECK_EQ(urls_[next_index_].url, url);
@@ -225,7 +229,8 @@ void SafeBrowsingUrlCheckerImpl::OnUrlResult(const GURL& url,
       // happens. Create an interaction observer and continue like there wasn't
       // a warning. The observer will create the interstitial when necessary.
       security_interstitials::UnsafeResource unsafe_resource =
-          MakeUnsafeResource(url, threat_type, metadata);
+          MakeUnsafeResource(url, threat_type, metadata,
+                             is_from_real_time_check);
       unsafe_resource.is_delayed_warning = true;
       url_checker_delegate_
           ->StartObservingInteractionsForDelayedBlockingPageHelper(
@@ -271,7 +276,7 @@ void SafeBrowsingUrlCheckerImpl::OnUrlResult(const GURL& url,
   UMA_HISTOGRAM_ENUMERATION("SB2.ResourceTypes2.Unsafe", resource_type_);
 
   security_interstitials::UnsafeResource resource =
-      MakeUnsafeResource(url, threat_type, metadata);
+      MakeUnsafeResource(url, threat_type, metadata, is_from_real_time_check);
 
   state_ = STATE_DISPLAYING_BLOCKING_PAGE;
   url_checker_delegate_->StartDisplayingBlockingPageHelper(
@@ -290,7 +295,7 @@ void SafeBrowsingUrlCheckerImpl::OnTimeout() {
   weak_factory_.InvalidateWeakPtrs();
 
   OnUrlResult(urls_[next_index_].url, safe_browsing::SB_THREAT_TYPE_SAFE,
-              ThreatMetadata());
+              ThreatMetadata(), /*is_from_real_time_check=*/false);
 }
 
 void SafeBrowsingUrlCheckerImpl::CheckUrlImpl(const GURL& url,
@@ -567,7 +572,8 @@ void SafeBrowsingUrlCheckerImpl::PerformHashBasedCheck(const GURL& url) {
           url, url_checker_delegate_->GetThreatTypes(), this)) {
     // No match found in the local database. Safe to call |OnUrlResult| here
     // directly.
-    OnUrlResult(url, SB_THREAT_TYPE_SAFE, ThreatMetadata());
+    OnUrlResult(url, SB_THREAT_TYPE_SAFE, ThreatMetadata(),
+                /*is_from_real_time_check=*/false);
   }
 }
 
@@ -618,10 +624,10 @@ void SafeBrowsingUrlCheckerImpl::OnRTLookupResponse(
             response->threat_info(0).threat_type());
   }
   if (is_cached_response && sb_threat_type == SB_THREAT_TYPE_SAFE) {
-    // TODO(vakh): Add a UMA metric.
     PerformHashBasedCheck(url);
   } else {
-    OnUrlResult(url, sb_threat_type, ThreatMetadata());
+    OnUrlResult(url, sb_threat_type, ThreatMetadata(),
+                /*is_from_real_time_check=*/true);
   }
 }
 

components/safe_browsing/core/browser/safe_browsing_url_checker_impl.h

@@ -149,7 +149,8 @@ class SafeBrowsingUrlCheckerImpl : public mojom::SafeBrowsingUrlChecker,
 
   void OnUrlResult(const GURL& url,
                    SBThreatType threat_type,
-                   const ThreatMetadata& metadata);
+                   const ThreatMetadata& metadata,
+                   bool is_from_real_time_check);
 
   void CheckUrlImpl(const GURL& url,
                     const std::string& method,
@@ -211,7 +212,8 @@ class SafeBrowsingUrlCheckerImpl : public mojom::SafeBrowsingUrlChecker,
   security_interstitials::UnsafeResource MakeUnsafeResource(
       const GURL& url,
       SBThreatType threat_type,
-      const ThreatMetadata& metadata);
+      const ThreatMetadata& metadata,
+      bool is_from_real_time_check);
 
   enum State {
     // Haven't started checking or checking is complete.

components/safe_browsing/core/browser/safe_browsing_url_checker_impl_unittest.cc

@@ -24,6 +24,15 @@ using ::testing::_;
 
 namespace safe_browsing {
 
+namespace {
+
+// A matcher for threat source in UnsafeResource.
+MATCHER_P(IsSameThreatSource, threatSource, "") {
+  return arg.threat_source == threatSource;
+}
+
+}  // namespace
+
 class MockSafeBrowsingDatabaseManager : public TestSafeBrowsingDatabaseManager {
  public:
   MockSafeBrowsingDatabaseManager() = default;
@@ -274,7 +283,8 @@ TEST_F(SafeBrowsingUrlCheckerTest, CheckUrl_DangerousUrl) {
   EXPECT_CALL(callback,
               Run(_, /*proceed=*/false, /*showed_interstitial=*/false));
   EXPECT_CALL(*url_checker_delegate_,
-              StartDisplayingBlockingPageHelper(_, _, _, _, _))
+              StartDisplayingBlockingPageHelper(
+                  IsSameThreatSource(ThreatSource::UNKNOWN), _, _, _, _))
       .Times(1);
   safe_browsing_url_checker->CheckUrl(url, "GET", callback.Get());
   task_environment_->RunUntilIdle();
@@ -365,7 +375,8 @@ TEST_F(SafeBrowsingUrlCheckerTest, CheckUrl_RealTimeEnabledAllowlistMatch) {
   // while we perform a real time URL check.
   EXPECT_CALL(callback, Run(_, _, _)).Times(0);
   EXPECT_CALL(*url_checker_delegate_,
-              StartDisplayingBlockingPageHelper(_, _, _, _, _))
+              StartDisplayingBlockingPageHelper(
+                  IsSameThreatSource(ThreatSource::UNKNOWN), _, _, _, _))
       .Times(1);
   safe_browsing_url_checker->CheckUrl(url, "GET", callback.Get());
 
@@ -403,8 +414,10 @@ TEST_F(SafeBrowsingUrlCheckerTest,
   base::MockCallback<SafeBrowsingUrlCheckerImpl::NativeCheckUrlCallback>
       callback;
   // Should still show blocking page because real time lookup is enabled.
-  EXPECT_CALL(*url_checker_delegate_,
-              StartDisplayingBlockingPageHelper(_, _, _, _, _))
+  EXPECT_CALL(
+      *url_checker_delegate_,
+      StartDisplayingBlockingPageHelper(
+          IsSameThreatSource(ThreatSource::REAL_TIME_CHECK), _, _, _, _))
       .Times(1);
   safe_browsing_url_checker->CheckUrl(url, "GET", callback.Get());
 

components/safe_browsing/core/db/hit_report.h

@@ -22,6 +22,7 @@ enum class ThreatSource {
   REMOTE,                 // From RemoteSafeBrowsingDatabaseManager
   CLIENT_SIDE_DETECTION,  // From ClientSideDetectionHost
   PASSWORD_PROTECTION_SERVICE,  // From PasswordProtectionService
+  REAL_TIME_CHECK,              // From RealTimeUrlLookupService
 };
 
 // Data to report about the contents of a particular threat (malware, phishing,

components/safe_browsing/core/ping_manager.cc

@@ -186,6 +186,9 @@ GURL PingManager::SafeBrowsingHitUrl(
     case safe_browsing::ThreatSource::PASSWORD_PROTECTION_SERVICE:
       threat_source = "pps";
       break;
+    case safe_browsing::ThreatSource::REAL_TIME_CHECK:
+      threat_source = "rt";
+      break;
     case safe_browsing::ThreatSource::UNKNOWN:
       NOTREACHED();
   }

components/safe_browsing/core/ping_manager_unittest.cc

@@ -183,6 +183,26 @@ TEST_F(PingManagerTest, TestSafeBrowsingHitUrl) {
             "url.com%2F&evtb=1&src=l4&m=0&up=foo+bar",
         ping_manager()->SafeBrowsingHitUrl(hp).spec());
   }
+
+  // Threat source is real time check.
+  {
+    HitReport hp(base_hp);
+    hp.threat_type = SB_THREAT_TYPE_URL_PHISHING;
+    hp.threat_source = ThreatSource::REAL_TIME_CHECK;
+    hp.is_subresource = false;
+    hp.extended_reporting_level = SBER_LEVEL_SCOUT;
+    hp.is_metrics_reporting_active = true;
+    hp.is_enhanced_protection = true;
+    EXPECT_EQ(
+        "https://safebrowsing.google.com/safebrowsing/report?client=unittest&"
+        "appver=1.0&pver=4.0" +
+            key_param_ +
+            "&ext=2&enh=1&evts=phishblhit&"
+            "evtd=http%3A%2F%2Fmalicious.url.com%2F&"
+            "evtr=http%3A%2F%2Fpage.url.com%2F&evhr=http%3A%2F%2Freferrer."
+            "url.com%2F&evtb=0&src=rt&m=1",
+        ping_manager()->SafeBrowsingHitUrl(hp).spec());
+  }
 }
 
 TEST_F(PingManagerTest, TestThreatDetailsUrl) {

components/safe_browsing/core/proto/csd.proto

@@ -1312,6 +1312,8 @@ message ClientSafeBrowsingReportRequest {
     ANDROID_SAFETYNET = 3;
     // Flywheel (data compression service).
     FLYWHEEL = 4;
+    // Safe Browsing real time API.
+    REAL_TIME = 5;
   }
 
   // The information propagated from the client about various environment

tools/metrics/histograms/histograms_xml/histogram_suffixes_list.xml

@@ -16322,6 +16322,9 @@ reviews. Googlers can read more about this at go/gwsq-gerrit.
       label="Interstitial for a resource classified as unsafe by the Safe
              Browsing database version 4 via either
              {Local,Remote}SafeBrowsingDatabaseManager."/>
+  <suffix name="from_real_time_check"
+      label="Interstitial for a resource classified as unsafe by the Safe
+             Browsing real time API."/>
   <affected-histogram name="interstitial.harmful.decision"/>
   <affected-histogram name="interstitial.harmful.decision.repeat_visit"/>
   <affected-histogram name="interstitial.harmful.interaction"/>