Add extra check for CRX validity.

We now check the input file for CRX and signature validity before copying to the secure location. This is to prevent us from copying unintended files, including files that may be private to a particular user or group.

Bug: 991125
Change-Id: I9f3092c9fa32b822c4d7249598b0753b4c4a1fd0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1742302
Commit-Queue: S. Ganesh <ganesh@chromium.org>
Reviewed-by: Sorin Jianu <sorin@chromium.org>
Reviewed-by: Will Harris <wfh@chromium.org>
Cr-Commit-Position: refs/heads/master@{#685051}

chrome/elevation_service/elevated_recovery_impl.cc

@@ -95,6 +95,14 @@ HRESULT ValidateAndUnpackCRX(const base::FilePath& from_crx_path,
   const base::FilePath to_crx_path =
       to_dir.GetPath().Append(from_crx_path.BaseName());
 
+  // We check the input file for CRX and signature validity before copying to
+  // the secure location. This is to prevent us from copying unintended files,
+  // including files that may be private to a particular user or group.
+  if (crx_file::Verify(from_crx_path, crx_format, {crx_hash}, {}, nullptr,
+                       nullptr) != crx_file::VerifierResult::OK_FULL) {
+    return CRYPT_E_NO_MATCH;
+  }
+
   if (!base::CopyFile(from_crx_path, to_crx_path))
     return HRESULTFromLastError();
 

chrome/elevation_service/elevated_recovery_unittest.cc

@@ -113,7 +113,7 @@ TEST(ElevatedRecoveryTest, Do_RunCRX_InvalidArgs) {
                 base::FilePath(kManifestJSONFileName), 0, &proc_handle));
 
   // Non-existent CRX file.
-  EXPECT_EQ(HRESULT_FROM_WIN32(ERROR_FILE_NOT_FOUND),
+  EXPECT_EQ(CRYPT_E_NO_MATCH,
             elevation_service::RunCRX(
                 TestFile("nonexistent.crx3"),
                 base::CommandLine(base::CommandLine::NO_PROGRAM),