1 // Copyright 2012 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_FILE_SELECT_HELPER_H_
6 #define CHROME_BROWSER_FILE_SELECT_HELPER_H_
12 #include "base/gtest_prod_util.h"
13 #include "base/memory/raw_ptr.h"
14 #include "base/memory/weak_ptr.h"
15 #include "build/build_config.h"
16 #include "components/enterprise/buildflags/buildflags.h"
17 #include "components/enterprise/common/files_scan_data.h"
18 #include "components/safe_browsing/buildflags.h"
19 #include "content/public/browser/browser_thread.h"
20 #include "content/public/browser/web_contents_observer.h"
21 #include "net/base/directory_lister.h"
22 #include "third_party/blink/public/mojom/choosers/file_chooser.mojom.h"
23 #include "ui/shell_dialogs/select_file_dialog.h"
25 #if BUILDFLAG(ENTERPRISE_CLOUD_CONTENT_ANALYSIS)
26 #include "chrome/browser/enterprise/connectors/analysis/content_analysis_delegate.h"
32 class FileSelectListener;
37 struct SelectedFileInfo;
41 FORWARD_DECLARE_TEST(DlpFilesControllerAshBrowserTest, FilesUploadCallerPassed);
44 // This class handles file-selection requests coming from renderer processes.
45 // It implements both the initialisation and listener functions for
46 // file-selection dialogs.
48 // Since FileSelectHelper listens to WebContentsObserver, it needs to live on
49 // and be destroyed on the UI thread. References to FileSelectHelper may be
50 // passed on to other threads.
51 class FileSelectHelper : public base::RefCountedThreadSafe<
53 content::BrowserThread::DeleteOnUIThread>,
54 public ui::SelectFileDialog::Listener,
55 public content::WebContentsObserver,
56 private net::DirectoryLister::DirectoryListerDelegate {
58 FileSelectHelper(const FileSelectHelper&) = delete;
59 FileSelectHelper& operator=(const FileSelectHelper&) = delete;
61 // Show the file chooser dialog.
62 static void RunFileChooser(
63 content::RenderFrameHost* render_frame_host,
64 scoped_refptr<content::FileSelectListener> listener,
65 const blink::mojom::FileChooserParams& params);
67 // Enumerates all the files in directory.
68 static void EnumerateDirectory(
69 content::WebContents* tab,
70 scoped_refptr<content::FileSelectListener> listener,
71 const base::FilePath& path);
74 friend class base::RefCountedThreadSafe<FileSelectHelper>;
75 friend class base::DeleteHelper<FileSelectHelper>;
76 friend class FileSelectHelperContactsAndroid;
77 friend struct content::BrowserThread::DeleteOnThread<
78 content::BrowserThread::UI>;
80 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest, IsAcceptTypeValid);
81 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest, ZipPackage);
82 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest, GetSanitizedFileName);
83 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest, LastSelectedDirectory);
84 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
85 ContentAnalysisCompletionCallback_NoFiles);
86 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
87 ContentAnalysisCompletionCallback_OneOKFile);
88 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
89 ContentAnalysisCompletionCallback_TwoOKFiles);
90 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
91 ContentAnalysisCompletionCallback_TwoBadFiles);
92 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
93 ContentAnalysisCompletionCallback_OKBadFiles);
94 FRIEND_TEST_ALL_PREFIXES(
96 ContentAnalysisCompletionCallback_SystemFilesSkipped);
97 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
98 ContentAnalysisCompletionCallback_SystemOKBadFiles);
99 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
100 ContentAnalysisCompletionCallback_FolderUpload_OK);
101 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest,
102 ContentAnalysisCompletionCallback_FolderUpload_Bad);
103 FRIEND_TEST_ALL_PREFIXES(
104 FileSelectHelperTest,
105 ContentAnalysisCompletionCallback_FolderUploadBlockedThenAllowed);
106 FRIEND_TEST_ALL_PREFIXES(
107 FileSelectHelperTest,
108 ContentAnalysisCompletionCallback_FolderUpload_OKBad);
109 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest, GetFileTypesFromAcceptType);
110 FRIEND_TEST_ALL_PREFIXES(FileSelectHelperTest, MultipleFileExtensionsForMime);
111 FRIEND_TEST_ALL_PREFIXES(policy::DlpFilesControllerAshBrowserTest,
112 FilesUploadCallerPassed);
114 explicit FileSelectHelper(Profile* profile);
115 ~FileSelectHelper() override;
117 void RunFileChooser(content::RenderFrameHost* render_frame_host,
118 scoped_refptr<content::FileSelectListener> listener,
119 blink::mojom::FileChooserParamsPtr params);
120 void GetFileTypesInThreadPool(blink::mojom::FileChooserParamsPtr params);
121 void GetSanitizedFilenameOnUIThread(
122 blink::mojom::FileChooserParamsPtr params);
123 #if BUILDFLAG(FULL_SAFE_BROWSING)
124 void CheckDownloadRequestWithSafeBrowsing(
125 const base::FilePath& default_path,
126 blink::mojom::FileChooserParamsPtr params);
127 void ProceedWithSafeBrowsingVerdict(const base::FilePath& default_path,
128 blink::mojom::FileChooserParamsPtr params,
129 bool allowed_by_safe_browsing);
131 void RunFileChooserOnUIThread(const base::FilePath& default_path,
132 blink::mojom::FileChooserParamsPtr params);
134 // Cleans up and releases this instance. This must be called after the last
135 // callback is received from the file chooser dialog.
136 void RunFileChooserEnd();
138 // SelectFileDialog::Listener overrides.
139 void FileSelected(const base::FilePath& path,
141 void* params) override;
142 void FileSelectedWithExtraInfo(const ui::SelectedFileInfo& file,
144 void* params) override;
145 void MultiFilesSelected(const std::vector<base::FilePath>& files,
146 void* params) override;
147 void MultiFilesSelectedWithExtraInfo(
148 const std::vector<ui::SelectedFileInfo>& files,
149 void* params) override;
150 void FileSelectionCanceled(void* params) override;
152 // content::WebContentsObserver overrides.
153 void RenderFrameHostChanged(content::RenderFrameHost* old_host,
154 content::RenderFrameHost* new_host) override;
155 void RenderFrameDeleted(content::RenderFrameHost* render_frame_host) override;
156 void WebContentsDestroyed() override;
158 void EnumerateDirectoryImpl(
159 content::WebContents* tab,
160 scoped_refptr<content::FileSelectListener> listener,
161 const base::FilePath& path);
163 // Kicks off a new directory enumeration.
164 void StartNewEnumeration(const base::FilePath& path);
166 // net::DirectoryLister::DirectoryListerDelegate overrides.
168 const net::DirectoryLister::DirectoryListerData& data) override;
169 void OnListDone(int error) override;
171 void LaunchConfirmationDialog(
172 const base::FilePath& path,
173 std::vector<ui::SelectedFileInfo> selected_files);
175 // Cleans up and releases this instance. This must be called after the last
176 // callback is received from the enumeration code.
177 void EnumerateDirectoryEnd();
179 #if BUILDFLAG(IS_MAC)
180 // Must be called from a MayBlock() task. Each selected file that is a package
181 // will be zipped, and the zip will be passed to the render view host in place
183 void ProcessSelectedFilesMac(const std::vector<ui::SelectedFileInfo>& files);
185 // Saves the paths of |zipped_files| for later deletion. Passes |files| to the
187 void ProcessSelectedFilesMacOnUIThread(
188 const std::vector<ui::SelectedFileInfo>& files,
189 const std::vector<base::FilePath>& zipped_files);
191 // Zips the package at |path| into a temporary destination. Returns the
192 // temporary destination, if the zip was successful. Otherwise returns an
194 static base::FilePath ZipPackage(const base::FilePath& path);
195 #endif // BUILDFLAG(IS_MAC)
197 // This function is the start of a call chain that may or may not be async
198 // depending on the platform and features enabled. The call to this method
199 // is made after the user has chosen the file(s) in the UI in order to
200 // process and filter the list before returning the final result to the
201 // caller. The call chain is as follows:
203 // ConvertToFileChooserFileInfoList: converts a vector of SelectedFileInfo
204 // into a vector of FileChooserFileInfoPtr and then calls
205 // PerformContentAnalysisIfNeeded(). On chromeos, the conversion is
206 // performed asynchronously.
208 // PerformContentAnalysisIfNeeded: if the deep scanning feature is
209 // enabled and it is determined by enterprise policy that scans are required,
210 // starts the scans and sets ContentAnalysisCompletionCallback() as the async
211 // callback. If deep scanning is not enabled or is not supported on the
212 // platform, this function calls NotifyListenerAndEnd() directly.
214 // ContentAnalysisCompletionCallback: processes the results of the deep scan.
215 // For folder upload, any files not passing the scan result in the entire
216 // folder being blocked (the list cleared). For multiple-file upload, any
217 // files that did not pass the scan are removed from the list. Ends by calling
218 // NotifyListenerAndEnd().
220 // NotifyListenerAndEnd: Informs the listener of the final list of files to
221 // use and performs any required cleanup.
223 // Because the state of the web contents may change at each asynchronous
224 // step, calls are make to AbortIfWebContentsDestroyed() to check if, for
225 // example, the tab has been closed or the contents navigated. In these
226 // cases the file selection is aborted and the state cleaned up.
227 void ConvertToFileChooserFileInfoList(
228 const std::vector<ui::SelectedFileInfo>& files);
230 // Checks to see if scans are required for the specified files.
231 void PerformContentAnalysisIfNeeded(
232 std::vector<blink::mojom::FileChooserFileInfoPtr> list);
234 #if BUILDFLAG(ENTERPRISE_CLOUD_CONTENT_ANALYSIS)
235 // Callback used to receive the results of a content analysis scan.
236 void ContentAnalysisCompletionCallback(
237 std::vector<blink::mojom::FileChooserFileInfoPtr> list,
238 const enterprise_connectors::ContentAnalysisDelegate::Data& data,
239 enterprise_connectors::ContentAnalysisDelegate::Result& result);
242 // Finish the PerformContentAnalysisIfNeeded() handling after the
243 // deep scanning checks have been performed. Deep scanning may change the
244 // list of files chosen by the user, so the list of files passed here may be
245 // a subset of of the files passed to PerformContentAnalysisIfNeeded().
246 void NotifyListenerAndEnd(
247 std::vector<blink::mojom::FileChooserFileInfoPtr> list);
249 // Schedules the deletion of the files in |temporary_files_| and clears the
251 void DeleteTemporaryFiles();
253 // Cleans up when the initiator of the file chooser is no longer valid.
256 // Calls RunFileChooserEnd() if the webcontents was destroyed. Returns true
257 // if the file chooser operation shouldn't proceed.
258 bool AbortIfWebContentsDestroyed();
260 void SetFileSelectListenerForTesting(
261 scoped_refptr<content::FileSelectListener> listener);
263 void DontAbortOnMissingWebContentsForTesting();
265 // Helper method to get allowed extensions for select file dialog from
266 // the specified accept types as defined in the spec:
267 // http://whatwg.org/html/number-state.html#attr-input-accept
268 // |accept_types| contains only valid lowercased MIME types or file extensions
269 // beginning with a period (.).
270 static std::unique_ptr<ui::SelectFileDialog::FileTypeInfo>
271 GetFileTypesFromAcceptType(const std::vector<std::u16string>& accept_types);
273 // Check the accept type is valid. It is expected to be all lower case with
275 static bool IsAcceptTypeValid(const std::string& accept_type);
277 // Get a sanitized filename suitable for use as a default filename. The
278 // suggested filename coming over the IPC may contain invalid characters or
279 // may result in a filename that's reserved on the current platform.
281 // If |suggested_path| is empty, the return value is also empty.
283 // If |suggested_path| is non-empty, but can't be safely converted to UTF-8,
284 // or is entirely lost during the sanitization process (e.g. because it
285 // consists entirely of invalid characters), it's replaced with a default
288 // Otherwise, returns |suggested_path| with any invalid characters will be
289 // replaced with a suitable replacement character.
290 static base::FilePath GetSanitizedFileName(
291 const base::FilePath& suggested_path);
293 // Profile used to set/retrieve the last used directory.
294 raw_ptr<Profile> profile_;
296 // The RenderFrameHost and WebContents for the page showing a file dialog
297 // (may only be one such dialog).
298 raw_ptr<content::RenderFrameHost> render_frame_host_;
299 raw_ptr<content::WebContents> web_contents_;
301 // |listener_| receives the result of the FileSelectHelper.
302 scoped_refptr<content::FileSelectListener> listener_;
304 // Dialog box used for choosing files to upload from file form fields.
305 scoped_refptr<ui::SelectFileDialog> select_file_dialog_;
306 std::unique_ptr<ui::SelectFileDialog::FileTypeInfo> select_file_types_;
308 // The type of file dialog last shown. This is SELECT_NONE if an
309 // instance is created through the public EnumerateDirectory().
310 ui::SelectFileDialog::Type dialog_type_;
312 // The mode of file dialog last shown.
313 blink::mojom::FileChooserParams::Mode dialog_mode_;
315 // The enumeration root directory for EnumerateDirectory() and
316 // RunFileChooser with kUploadFolder.
317 base::FilePath base_dir_;
319 // Maintain an active directory enumeration. These could come from the file
320 // select dialog or from drag-and-drop of directories. There could not be
321 // more than one going on at a time.
322 struct ActiveDirectoryEnumeration;
323 std::unique_ptr<ActiveDirectoryEnumeration> directory_enumeration_;
325 // Temporary files only used on OSX. This class is responsible for deleting
326 // these files when they are no longer needed.
327 std::vector<base::FilePath> temporary_files_;
329 // Set to false in unit tests since there is no WebContents.
330 bool abort_on_missing_web_contents_in_tests_ = true;
332 #if BUILDFLAG(IS_CHROMEOS_ASH)
333 base::WeakPtrFactory<FileSelectHelper> weak_ptr_factory_{this};
334 #endif // BUILDFLAG(IS_CHROMEOS_ASH)
337 #endif // CHROME_BROWSER_FILE_SELECT_HELPER_H_