Add pyo and pyd as tracked file types

Extensions can download and execute a pyo or pyd with no user gestures, allowing for remote code execution. By marking pyo and pyd as ALLOW_ON_USER_GESTURE and DANGEROUS, respectively, we prevent this behavior. Bug: 902234 Change-Id: I295cdd2906ebe779670afb55196cea7715dc88f4 Reviewed-on: https://chromium-review.googlesource.com/c/1324419 Commit-Queue: Daniel Rubery <drubery@chromium.org> Reviewed-by: Nathan Parker <nparker@chromium.org> Cr-Commit-Position: refs/heads/master@{#606309}

Add pyo and pyd as tracked file types
Extensions can download and execute a pyo or pyd with no user gestures, allowing for remote code execution. By marking pyo and pyd as ALLOW_ON_USER_GESTURE and DANGEROUS, respectively, we prevent this behavior. Bug: 902234 Change-Id: I295cdd2906ebe779670afb55196cea7715dc88f4 Reviewed-on: https://chromium-review.googlesource.com/c/1324419 Commit-Queue: Daniel Rubery <drubery@chromium.org> Reviewed-by: Nathan Parker <nparker@chromium.org> Cr-Commit-Position: refs/heads/master@{#606309}
c162a12d · Daniel Rubery · Commit Bot · c9720564 · c162a12d · c162a12d
Commit c162a12d authored Nov 08, 2018 by Daniel Rubery Committed by Commit Bot Nov 08, 2018
3 changed files
--- a/chrome/browser/resources/safe_browsing/download_file_types.asciipb
+++ b/chrome/browser/resources/safe_browsing/download_file_types.asciipb
@@ -8,7 +8,7 @@
 ##
 ## Top level settings
 ##
-version_id: 21
+version_id: 22
 sampled_ping_probability: 0.01
 max_archived_binaries_to_report: 10
 default_file_type {
@@ -719,6 +719,50 @@ file_types {
    auto_open_hint: DISALLOW_AUTO_OPEN
  }
 }
+file_types {
+  # Equivalent of a DLL, for python libraries
+  # Added with crbug.com/902234
+  extension: "pyd"
+  uma_value: 318
+  ping_setting: FULL_PING
+  platform_settings {
+    platform: PLATFORM_LINUX
+    danger_level: DANGEROUS
+    auto_open_hint: DISALLOW_AUTO_OPEN
+  }
+  platform_settings {
+    platform: PLATFORM_MAC
+    danger_level: DANGEROUS
+    auto_open_hint: DISALLOW_AUTO_OPEN
+  }
+  platform_settings {
+    platform: PLATFORM_WINDOWS
+    danger_level: DANGEROUS
+    auto_open_hint: DISALLOW_AUTO_OPEN
+  }
+}
+file_types {
+  # Compiled python code
+  # Added with crbug.com/902234
+  extension: "pyo"
+  uma_value: 319
+  ping_setting: FULL_PING
+  platform_settings {
+    platform: PLATFORM_LINUX
+    danger_level: ALLOW_ON_USER_GESTURE
+    auto_open_hint: DISALLOW_AUTO_OPEN
+  }
+  platform_settings {
+    platform: PLATFORM_MAC
+    danger_level: ALLOW_ON_USER_GESTURE
+    auto_open_hint: DISALLOW_AUTO_OPEN
+  }
+  platform_settings {
+    platform: PLATFORM_WINDOWS
+    danger_level: ALLOW_ON_USER_GESTURE
+    auto_open_hint: DISALLOW_AUTO_OPEN
+  }
+}
 file_types {
  extension: "pyw"
  uma_value: 132

--- a/components/download/internal/common/download_stats.cc
+++ b/components/download/internal/common/download_stats.cc
--- a/tools/metrics/histograms/enums.xml
+++ b/tools/metrics/histograms/enums.xml
@@ -12266,6 +12266,8 @@ Called by update_net_error_codes.py.-->
  <int value="315" label="osax"/>
  <int value="316" label="settingcontent-ms"/>
  <int value="317" label="oxt"/>
+  <int value="318" label="pyd"/>
+  <int value="319" label="pyo"/>
 </enum>

 <enum name="DownloadItem.DangerType">
@@ -44538,6 +44540,8 @@ Called by update_net_trust_anchors.py.-->
  <int value="315" label="OSAX"/>
  <int value="316" label="SETTINGCONTENT-MS"/>
  <int value="317" label="OXT"/>
+  <int value="318" label="PYD"/>
+  <int value="319" label="PYO"/>
 </enum>

 <enum name="SBClientDownloadIsSignedBinary">