authorAlex Rudenko <alexrudenko@chromium.org>2022-12-21 07:54:07 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-04-04 10:07:00 +0000
commit0717211ca9d7ee2dcc17a7964170d633aafcfb98 (patch)
tree9e1fc4c58a58d313143b307341f86ce7839e4180
parenta2a695e382ec345f1f5da6380b262f04a6e7d295 (diff)
[Backport] CVE-2023-0704: Insufficient policy enforcement in DevTools
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4106102: DevTools: reject debugging web socket connections with a defined Origin header Unless the browser is started with a new flag `--remote-allow-origins=<origin>[,<origin>, ...]`. The star origin `*` allows all origins. This CL should not affect non-browser clients such as Puppeteer and WebDriver. It affects DevTools e2e tests in the hosted mode which is fixed in [1]. It should not affect features like remote debugging that don't use web sockets. [1]: https://crrev.com/c/4112007 Bug: chromium:1385982 Change-Id: I721f7db3167ebab63416c8a1f48281735f063e48 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4106102 Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Alex Rudenko <alexrudenko@chromium.org> Reviewed-by: Andrey Kosyakov <caseq@chromium.org> Reviewed-by: Danil Somsikov <dsv@chromium.org> Cr-Commit-Position: refs/heads/main@{#1085812} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/461071 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/devtools/devtools_http_handler.cc29
-rw-r--r--chromium/content/browser/devtools/devtools_http_handler.h3
-rw-r--r--chromium/content/public/common/content_switches.cc4
-rw-r--r--chromium/content/public/common/content_switches.h1
4 files changed, 37 insertions, 0 deletions
diff --git a/chromium/content/browser/devtools/devtools_http_handler.cc b/chromium/content/browser/devtools/devtools_http_handler.cc
index 78e4d0a6b13..6da55042282 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.cc
+++ b/chromium/content/browser/devtools/devtools_http_handler.cc
@@ -10,6 +10,7 @@
#include <utility>
#include "base/bind.h"
+#include "base/command_line.h"
#include "base/compiler_specific.h"
#include "base/files/file_util.h"
#include "base/guid.h"
@@ -38,6 +39,7 @@
#include "content/public/browser/devtools_manager_delegate.h"
#include "content/public/browser/devtools_socket_factory.h"
#include "content/public/common/content_client.h"
+#include "content/public/common/content_switches.h"
#include "content/public/common/url_constants.h"
#include "content/public/common/user_agent.h"
#include "net/base/io_buffer.h"
@@ -752,6 +754,13 @@ void DevToolsHttpHandler::OnWebSocketRequest(
if (!thread_)
return;
+ if (request.headers.count("origin") &&
+ !remote_allow_origins_.count(request.headers.at("origin")) &&
+ !remote_allow_origins_.count("*")) {
+ Send403(connection_id);
+ return;
+ }
+
if (base::StartsWith(request.path, browser_guid_,
base::CompareCase::SENSITIVE)) {
scoped_refptr<DevToolsAgentHost> browser_agent =
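Review bot: The lookup `remote_allow_origins_.count(request.headers.at("origin"))` compares the header value exactly as received, while the constructor populates `remote_allow_origins_` after `base::ToLowerASCII`; unless the HTTP server already normalizes header values, a mixed-case Origin that is on the list would be refused. That is fail-closed, so it is not a security regression, but either normalize in the lookup with `base::ToLowerASCII(request.headers.at("origin"))` or state the expectation with `// Allow-list entries are lower-cased; header values are compared as received.` above the `if`. Requests that carry no Origin header skip the check entirely, which per the description is intended for non-browser clients and deserves a one-line comment so the next reader does not take it for an oversight. OnWebSocketRequest's signature and the remainder of its body lie outside the hunk.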
@@ -823,6 +832,14 @@ DevToolsHttpHandler::DevToolsHttpHandler(
output_directory, debug_frontend_dir, browser_guid_,
delegate_->HasBundledFrontendResources()));
}
+ std::string remote_allow_origins = base::ToLowerASCII(
+ base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+ switches::kRemoteAllowOrigins));
+
+ auto origins =
+ base::SplitString(remote_allow_origins, ",", base::TRIM_WHITESPACE,
+ base::SPLIT_WANT_NONEMPTY);
+ remote_allow_origins_.insert(origins.begin(), origins.end());
}
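Review bot: The allow-list setup appended to the constructor has no comment, and the behaviour it implies is not obvious from the three statements: an absent or empty `--remote-allow-origins` leaves the set empty, so every web socket request carrying an Origin header is answered with 403, and a `*` entry disables the check. Suggest `// Origins allowed to open the debugging web socket (lower-cased, comma-separated). Empty rejects any request with an Origin header; "*" allows all.` above the `std::string remote_allow_origins` line. Entries are split and lower-cased but not otherwise validated or normalized as origins, so a value with a trailing slash or path would presumably never match a serialized Origin header; if that is acceptable, say so in the same comment. The constructor's signature and earlier body are outside the hunk.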
void DevToolsHttpHandler::ServerStarted(
@@ -882,6 +899,18 @@ void DevToolsHttpHandler::Send404(int connection_id) {
base::Unretained(server_wrapper_.get()), connection_id));
}
+void DevToolsHttpHandler::Send403(int connection_id) {
+ if (!thread_) {
+ return;
+ }
+ net::HttpServerResponseInfo response(net::HTTP_FORBIDDEN);
+ response.SetBody(std::string(), "text/html");
+ thread_->task_runner()->PostTask(
+ FROM_HERE, base::BindOnce(&ServerWrapper::SendResponse,
+ base::Unretained(server_wrapper_.get()),
+ connection_id, response));
+}
+
void DevToolsHttpHandler::Send500(int connection_id,
const std::string& message) {
if (!thread_)
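Review bot: Send403 writes its guard as `if (!thread_) { return; }` with braces, while the neighbouring Send404 and Send500 use the brace-less `if (!thread_)` / `return;` form visible at the bottom of the hunk; for consistency within the file, change the guard to `if (!thread_)` followed by `return;` on its own line. The PostTask dispatch in Send403 looks identical to the one in Send404 apart from the status and body, so a small private helper taking the status code would remove the duplication, though that refactor is arguably out of scope for a security backport. Send404 and Send500 are only partially visible in the hunk.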
diff --git a/chromium/content/browser/devtools/devtools_http_handler.h b/chromium/content/browser/devtools/devtools_http_handler.h
index 04a4905eb43..088e6c6c065 100644
--- a/chromium/content/browser/devtools/devtools_http_handler.h
+++ b/chromium/content/browser/devtools/devtools_http_handler.h
@@ -7,6 +7,7 @@
#include <map>
#include <memory>
+#include <set>
#include <string>
#include "base/files/file_path.h"
@@ -90,6 +91,7 @@ class DevToolsHttpHandler {
const std::string& data,
const std::string& mime_type);
void Send404(int connection_id);
+ void Send403(int connection_id);
void Send500(int connection_id,
const std::string& message);
void AcceptWebSocket(int connection_id,
@@ -106,6 +108,7 @@ class DevToolsHttpHandler {
base::Value SerializeDescriptor(scoped_refptr<DevToolsAgentHost> agent_host,
const std::string& host);
+ std::set<std::string> remote_allow_origins_;
// The thread used by the devtools handler to run server socket.
std::unique_ptr<base::Thread> thread_;
std::string browser_guid_;
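Review bot: The new member `remote_allow_origins_` is the only field in this group without a comment, while `thread_` directly below it carries one. Suggest `// Lower-cased origins allowed to open the debugging web socket, taken from --remote-allow-origins; "*" matches any origin.` above the declaration, so the header alone explains why the set exists and how it is populated. The class declaration continues outside the hunk.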
diff --git a/chromium/content/public/common/content_switches.cc b/chromium/content/public/common/content_switches.cc
index 663327f0bae..9ed247ee1f4 100644
--- a/chromium/content/public/common/content_switches.cc
+++ b/chromium/content/public/common/content_switches.cc
@@ -673,6 +673,10 @@ const char kRemoteDebuggingPipe[] = "remote-debugging-pipe";
// Enables remote debug over HTTP on the specified port.
const char kRemoteDebuggingPort[] = "remote-debugging-port";
+// Enables web socket connections from the specified origins only. '*' allows
+// any origin.
+const char kRemoteAllowOrigins[] = "remote-allow-origins";
+
const char kRendererClientId[] = "renderer-client-id";
// The contents of this flag are prepended to the renderer command line.
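Review bot: The comment on `kRemoteAllowOrigins` does not say which web socket it governs or how values are matched; from the handler changes in this commit it is the DevTools remote-debugging web socket, the list is comma-separated and compared after lower-casing, and an Origin header not on the list is answered with 403. Suggest `// Comma-separated list of origins allowed to open the remote debugging web socket. Matching is case-insensitive; '*' allows any origin. Requests without an Origin header are not affected.` The constant is also placed after kRemoteDebuggingPort although the surrounding switches are kept in alphabetical order (kRemoteAllowOrigins sorts before kRemoteDebuggingPipe); the same ordering point applies to the declaration added in content_switches.h.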
diff --git a/chromium/content/public/common/content_switches.h b/chromium/content/public/common/content_switches.h
index f520e6f25de..f28b45ab83f 100644
--- a/chromium/content/public/common/content_switches.h
+++ b/chromium/content/public/common/content_switches.h
@@ -195,6 +195,7 @@ CONTENT_EXPORT extern const char kReduceUserAgentPlatformOsCpu[];
CONTENT_EXPORT extern const char kRegisterPepperPlugins[];
CONTENT_EXPORT extern const char kRemoteDebuggingPipe[];
CONTENT_EXPORT extern const char kRemoteDebuggingPort[];
+CONTENT_EXPORT extern const char kRemoteAllowOrigins[];
CONTENT_EXPORT extern const char kRendererClientId[];
extern const char kRendererCmdPrefix[];
CONTENT_EXPORT extern const char kRendererProcess[];