src/extensions/browser/extension_function_dispatcher.cc

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "extensions/browser/extension_function_dispatcher.h"
   6
   7 #include "base/bind.h"
   8 #include "base/json/json_string_value_serializer.h"
   9 #include "base/lazy_instance.h"
  10 #include "base/logging.h"
  11 #include "base/memory/ref_counted.h"
  12 #include "base/metrics/sparse_histogram.h"
  13 #include "base/process/process.h"
  14 #include "base/values.h"
  15 #include "build/build_config.h"
  16 #include "content/public/browser/browser_thread.h"
  17 #include "content/public/browser/render_frame_host.h"
  18 #include "content/public/browser/render_process_host.h"
  19 #include "content/public/browser/render_view_host.h"
  20 #include "content/public/browser/user_metrics.h"
  21 #include "content/public/browser/web_contents.h"
  22 #include "content/public/browser/web_contents_observer.h"
  23 #include "content/public/common/result_codes.h"
  24 #include "extensions/browser/api_activity_monitor.h"
  25 #include "extensions/browser/extension_function_registry.h"
  26 #include "extensions/browser/extension_message_filter.h"
  27 #include "extensions/browser/extension_registry.h"
  28 #include "extensions/browser/extension_system.h"
  29 #include "extensions/browser/extensions_browser_client.h"
  30 #include "extensions/browser/process_manager.h"
  31 #include "extensions/browser/process_map.h"
  32 #include "extensions/browser/quota_service.h"
  33 #include "extensions/common/extension_api.h"
  34 #include "extensions/common/extension_messages.h"
  35 #include "extensions/common/extension_set.h"
  36 #include "ipc/ipc_message.h"
  37 #include "ipc/ipc_message_macros.h"
  38
  39 using content::BrowserThread;
  40 using content::RenderViewHost;
  41
  42 namespace extensions {
  43 namespace {
  44
  45 // Notifies the ApiActivityMonitor that an extension API function has been
  46 // called. May be called from any thread.
  47 void NotifyApiFunctionCalled(const std::string& extension_id,
  48                              const std::string& api_name,
  49                              scoped_ptr<base::ListValue> args,
  50                              content::BrowserContext* browser_context) {
  51   // The ApiActivityMonitor can only be accessed from the main (UI) thread. If
  52   // we're running on the wrong thread, re-dispatch from the main thread.
  53   if (!BrowserThread::CurrentlyOn(BrowserThread::UI)) {
  54     BrowserThread::PostTask(BrowserThread::UI,
  55                             FROM_HERE,
  56                             base::Bind(&NotifyApiFunctionCalled,
  57                                        extension_id,
  58                                        api_name,
  59                                        base::Passed(&args),
  60                                        browser_context));
  61     return;
  62   }
  63   // The BrowserContext may become invalid after the task above is posted.
  64   if (!ExtensionsBrowserClient::Get()->IsValidContext(browser_context))
  65     return;
  66
  67   ApiActivityMonitor* monitor =
  68       ExtensionsBrowserClient::Get()->GetApiActivityMonitor(browser_context);
  69   if (monitor)
  70     monitor->OnApiFunctionCalled(extension_id, api_name, args.Pass());
  71 }
  72
  73 // Separate copy of ExtensionAPI used for IO thread extension functions. We need
  74 // this because ExtensionAPI has mutable data. It should be possible to remove
  75 // this once all the extension APIs are updated to the feature system.
  76 struct Static {
  77   Static() : api(ExtensionAPI::CreateWithDefaultConfiguration()) {}
  78   scoped_ptr<ExtensionAPI> api;
  79 };
  80 base::LazyInstance<Static> g_global_io_data = LAZY_INSTANCE_INITIALIZER;
  81
  82 // Kills the specified process because it sends us a malformed message.
  83 void KillBadMessageSender(base::ProcessHandle process) {
  84   NOTREACHED();
  85   content::RecordAction(base::UserMetricsAction("BadMessageTerminate_EFD"));
  86   if (process)
  87     base::KillProcess(process, content::RESULT_CODE_KILLED_BAD_MESSAGE, false);
  88 }
  89
  90 void CommonResponseCallback(IPC::Sender* ipc_sender,
  91                             int routing_id,
  92                             base::ProcessHandle peer_process,
  93                             int request_id,
  94                             ExtensionFunction::ResponseType type,
  95                             const base::ListValue& results,
  96                             const std::string& error) {
  97   DCHECK(ipc_sender);
  98
  99   if (type == ExtensionFunction::BAD_MESSAGE) {
 100     // The renderer has done validation before sending extension api requests.
 101     // Therefore, we should never receive a request that is invalid in a way
 102     // that JSON validation in the renderer should have caught. It could be an
 103     // attacker trying to exploit the browser, so we crash the renderer instead.
 104     LOG(ERROR) <<
 105         "Terminating renderer because of malformed extension message.";
 106     if (content::RenderProcessHost::run_renderer_in_process()) {
 107       // In single process mode it is better if we don't suicide but just crash.
 108       CHECK(false);
 109     } else {
 110       KillBadMessageSender(peer_process);
 111     }
 112
 113     return;
 114   }
 115
 116   ipc_sender->Send(new ExtensionMsg_Response(
 117       routing_id, request_id, type == ExtensionFunction::SUCCEEDED, results,
 118       error));
 119 }
 120
 121 void IOThreadResponseCallback(
 122     const base::WeakPtr<ExtensionMessageFilter>& ipc_sender,
 123     int routing_id,
 124     int request_id,
 125     ExtensionFunction::ResponseType type,
 126     const base::ListValue& results,
 127     const std::string& error) {
 128   if (!ipc_sender.get())
 129     return;
 130
 131   CommonResponseCallback(ipc_sender.get(),
 132                          routing_id,
 133                          ipc_sender->PeerHandle(),
 134                          request_id,
 135                          type,
 136                          results,
 137                          error);
 138 }
 139
 140 }  // namespace
 141
 142 class ExtensionFunctionDispatcher::UIThreadResponseCallbackWrapper
 143     : public content::WebContentsObserver {
 144  public:
 145   UIThreadResponseCallbackWrapper(
 146       const base::WeakPtr<ExtensionFunctionDispatcher>& dispatcher,
 147       RenderViewHost* render_view_host)
 148       : content::WebContentsObserver(
 149             content::WebContents::FromRenderViewHost(render_view_host)),
 150         dispatcher_(dispatcher),
 151         render_view_host_(render_view_host),
 152         weak_ptr_factory_(this) {
 153   }
 154
 155   virtual ~UIThreadResponseCallbackWrapper() {
 156   }
 157
 158   // content::WebContentsObserver overrides.
 159   virtual void RenderViewDeleted(
 160       RenderViewHost* render_view_host) OVERRIDE {
 161     DCHECK_CURRENTLY_ON(BrowserThread::UI);
 162     if (render_view_host != render_view_host_)
 163       return;
 164
 165     if (dispatcher_.get()) {
 166       dispatcher_->ui_thread_response_callback_wrappers_
 167           .erase(render_view_host);
 168     }
 169
 170     delete this;
 171   }
 172
 173   ExtensionFunction::ResponseCallback CreateCallback(int request_id) {
 174     return base::Bind(
 175         &UIThreadResponseCallbackWrapper::OnExtensionFunctionCompleted,
 176         weak_ptr_factory_.GetWeakPtr(),
 177         request_id);
 178   }
 179
 180  private:
 181   void OnExtensionFunctionCompleted(int request_id,
 182                                     ExtensionFunction::ResponseType type,
 183                                     const base::ListValue& results,
 184                                     const std::string& error) {
 185     CommonResponseCallback(
 186         render_view_host_, render_view_host_->GetRoutingID(),
 187         render_view_host_->GetProcess()->GetHandle(), request_id, type,
 188         results, error);
 189   }
 190
 191   base::WeakPtr<ExtensionFunctionDispatcher> dispatcher_;
 192   content::RenderViewHost* render_view_host_;
 193   base::WeakPtrFactory<UIThreadResponseCallbackWrapper> weak_ptr_factory_;
 194
 195   DISALLOW_COPY_AND_ASSIGN(UIThreadResponseCallbackWrapper);
 196 };
 197
 198 WindowController*
 199 ExtensionFunctionDispatcher::Delegate::GetExtensionWindowController() const {
 200   return NULL;
 201 }
 202
 203 content::WebContents*
 204 ExtensionFunctionDispatcher::Delegate::GetAssociatedWebContents() const {
 205   return NULL;
 206 }
 207
 208 content::WebContents*
 209 ExtensionFunctionDispatcher::Delegate::GetVisibleWebContents() const {
 210   return GetAssociatedWebContents();
 211 }
 212
 213 void ExtensionFunctionDispatcher::GetAllFunctionNames(
 214     std::vector<std::string>* names) {
 215   ExtensionFunctionRegistry::GetInstance()->GetAllNames(names);
 216 }
 217
 218 bool ExtensionFunctionDispatcher::OverrideFunction(
 219     const std::string& name, ExtensionFunctionFactory factory) {
 220   return ExtensionFunctionRegistry::GetInstance()->OverrideFunction(name,
 221                                                                     factory);
 222 }
 223
 224 // static
 225 void ExtensionFunctionDispatcher::DispatchOnIOThread(
 226     InfoMap* extension_info_map,
 227     void* profile_id,
 228     int render_process_id,
 229     base::WeakPtr<ExtensionMessageFilter> ipc_sender,
 230     int routing_id,
 231     const ExtensionHostMsg_Request_Params& params) {
 232   const Extension* extension =
 233       extension_info_map->extensions().GetByID(params.extension_id);
 234   if (!extension)
 235     return;
 236
 237   ExtensionFunction::ResponseCallback callback(
 238       base::Bind(&IOThreadResponseCallback, ipc_sender, routing_id,
 239                  params.request_id));
 240
 241   scoped_refptr<ExtensionFunction> function(
 242       CreateExtensionFunction(params,
 243                               extension,
 244                               render_process_id,
 245                               extension_info_map->process_map(),
 246                               g_global_io_data.Get().api.get(),
 247                               profile_id,
 248                               callback));
 249   if (!function.get())
 250     return;
 251
 252   IOThreadExtensionFunction* function_io =
 253       function->AsIOThreadExtensionFunction();
 254   if (!function_io) {
 255     NOTREACHED();
 256     return;
 257   }
 258   function_io->set_ipc_sender(ipc_sender, routing_id);
 259   function_io->set_extension_info_map(extension_info_map);
 260   function->set_include_incognito(
 261       extension_info_map->IsIncognitoEnabled(extension->id()));
 262
 263   if (!CheckPermissions(function.get(), params, callback))
 264     return;
 265
 266   QuotaService* quota = extension_info_map->GetQuotaService();
 267   std::string violation_error = quota->Assess(extension->id(),
 268                                               function.get(),
 269                                               &params.arguments,
 270                                               base::TimeTicks::Now());
 271   if (violation_error.empty()) {
 272     scoped_ptr<base::ListValue> args(params.arguments.DeepCopy());
 273     NotifyApiFunctionCalled(extension->id(),
 274                             params.name,
 275                             args.Pass(),
 276                             static_cast<content::BrowserContext*>(profile_id));
 277     UMA_HISTOGRAM_SPARSE_SLOWLY("Extensions.FunctionCalls",
 278                                 function->histogram_value());
 279     function->Run()->Execute();
 280   } else {
 281     function->OnQuotaExceeded(violation_error);
 282   }
 283 }
 284
 285 ExtensionFunctionDispatcher::ExtensionFunctionDispatcher(
 286     content::BrowserContext* browser_context,
 287     Delegate* delegate)
 288     : browser_context_(browser_context),
 289       delegate_(delegate) {
 290 }
 291
 292 ExtensionFunctionDispatcher::~ExtensionFunctionDispatcher() {
 293 }
 294
 295 void ExtensionFunctionDispatcher::Dispatch(
 296     const ExtensionHostMsg_Request_Params& params,
 297     RenderViewHost* render_view_host) {
 298   UIThreadResponseCallbackWrapperMap::const_iterator
 299       iter = ui_thread_response_callback_wrappers_.find(render_view_host);
 300   UIThreadResponseCallbackWrapper* callback_wrapper = NULL;
 301   if (iter == ui_thread_response_callback_wrappers_.end()) {
 302     callback_wrapper = new UIThreadResponseCallbackWrapper(AsWeakPtr(),
 303                                                            render_view_host);
 304     ui_thread_response_callback_wrappers_[render_view_host] = callback_wrapper;
 305   } else {
 306     callback_wrapper = iter->second;
 307   }
 308
 309   DispatchWithCallbackInternal(
 310       params, render_view_host, NULL,
 311       callback_wrapper->CreateCallback(params.request_id));
 312 }
 313
 314 void ExtensionFunctionDispatcher::DispatchWithCallbackInternal(
 315     const ExtensionHostMsg_Request_Params& params,
 316     RenderViewHost* render_view_host,
 317     content::RenderFrameHost* render_frame_host,
 318     const ExtensionFunction::ResponseCallback& callback) {
 319   DCHECK(render_view_host || render_frame_host);
 320   // TODO(yzshen): There is some shared logic between this method and
 321   // DispatchOnIOThread(). It is nice to deduplicate.
 322   ProcessMap* process_map = ProcessMap::Get(browser_context_);
 323   if (!process_map)
 324     return;
 325
 326   ExtensionRegistry* registry = ExtensionRegistry::Get(browser_context_);
 327   const Extension* extension =
 328       registry->enabled_extensions().GetByID(params.extension_id);
 329   if (!extension) {
 330     extension =
 331         registry->enabled_extensions().GetHostedAppByURL(params.source_url);
 332   }
 333
 334   int process_id = render_view_host ? render_view_host->GetProcess()->GetID() :
 335                                       render_frame_host->GetProcess()->GetID();
 336   scoped_refptr<ExtensionFunction> function(
 337       CreateExtensionFunction(params,
 338                               extension,
 339                               process_id,
 340                               *process_map,
 341                               ExtensionAPI::GetSharedInstance(),
 342                               browser_context_,
 343                               callback));
 344   if (!function.get())
 345     return;
 346
 347   UIThreadExtensionFunction* function_ui =
 348       function->AsUIThreadExtensionFunction();
 349   if (!function_ui) {
 350     NOTREACHED();
 351     return;
 352   }
 353   if (render_view_host) {
 354     function_ui->SetRenderViewHost(render_view_host);
 355   } else {
 356     function_ui->SetRenderFrameHost(render_frame_host);
 357   }
 358   function_ui->set_dispatcher(AsWeakPtr());
 359   function_ui->set_browser_context(browser_context_);
 360   if (extension &&
 361       ExtensionsBrowserClient::Get()->CanExtensionCrossIncognito(
 362           extension, browser_context_)) {
 363     function->set_include_incognito(true);
 364   }
 365
 366   if (!CheckPermissions(function.get(), params, callback))
 367     return;
 368
 369   if (!extension) {
 370     // Skip all of the UMA, quota, event page, activity logging stuff if there
 371     // isn't an extension, e.g. if the function call was from WebUI.
 372     function->Run()->Execute();
 373     return;
 374   }
 375
 376   ExtensionSystem* extension_system = ExtensionSystem::Get(browser_context_);
 377   QuotaService* quota = extension_system->quota_service();
 378   std::string violation_error = quota->Assess(extension->id(),
 379                                               function.get(),
 380                                               &params.arguments,
 381                                               base::TimeTicks::Now());
 382
 383   if (violation_error.empty()) {
 384     scoped_ptr<base::ListValue> args(params.arguments.DeepCopy());
 385
 386     // See crbug.com/39178.
 387     ExtensionsBrowserClient::Get()->PermitExternalProtocolHandler();
 388     NotifyApiFunctionCalled(
 389         extension->id(), params.name, args.Pass(), browser_context_);
 390     UMA_HISTOGRAM_SPARSE_SLOWLY("Extensions.FunctionCalls",
 391                                 function->histogram_value());
 392     function->Run()->Execute();
 393   } else {
 394     function->OnQuotaExceeded(violation_error);
 395   }
 396
 397   // Note: do not access |this| after this point. We may have been deleted
 398   // if function->Run() ended up closing the tab that owns us.
 399
 400   // Check if extension was uninstalled by management.uninstall.
 401   if (!registry->enabled_extensions().GetByID(params.extension_id))
 402     return;
 403
 404   // We only adjust the keepalive count for UIThreadExtensionFunction for
 405   // now, largely for simplicity's sake. This is OK because currently, only
 406   // the webRequest API uses IOThreadExtensionFunction, and that API is not
 407   // compatible with lazy background pages.
 408   extension_system->process_manager()->IncrementLazyKeepaliveCount(extension);
 409 }
 410
 411 void ExtensionFunctionDispatcher::OnExtensionFunctionCompleted(
 412     const Extension* extension) {
 413   if (extension) {
 414     ExtensionSystem::Get(browser_context_)
 415         ->process_manager()
 416         ->DecrementLazyKeepaliveCount(extension);
 417   }
 418 }
 419
 420 // static
 421 bool ExtensionFunctionDispatcher::CheckPermissions(
 422     ExtensionFunction* function,
 423     const ExtensionHostMsg_Request_Params& params,
 424     const ExtensionFunction::ResponseCallback& callback) {
 425   if (!function->HasPermission()) {
 426     LOG(ERROR) << "Permission denied for " << params.name;
 427     SendAccessDenied(callback);
 428     return false;
 429   }
 430   return true;
 431 }
 432
 433 // static
 434 ExtensionFunction* ExtensionFunctionDispatcher::CreateExtensionFunction(
 435     const ExtensionHostMsg_Request_Params& params,
 436     const Extension* extension,
 437     int requesting_process_id,
 438     const ProcessMap& process_map,
 439     ExtensionAPI* api,
 440     void* profile_id,
 441     const ExtensionFunction::ResponseCallback& callback) {
 442   ExtensionFunction* function =
 443       ExtensionFunctionRegistry::GetInstance()->NewFunction(params.name);
 444   if (!function) {
 445     LOG(ERROR) << "Unknown Extension API - " << params.name;
 446     SendAccessDenied(callback);
 447     return NULL;
 448   }
 449
 450   function->SetArgs(&params.arguments);
 451   function->set_source_url(params.source_url);
 452   function->set_request_id(params.request_id);
 453   function->set_has_callback(params.has_callback);
 454   function->set_user_gesture(params.user_gesture);
 455   function->set_extension(extension);
 456   function->set_profile_id(profile_id);
 457   function->set_response_callback(callback);
 458   function->set_source_tab_id(params.source_tab_id);
 459   function->set_source_context_type(
 460       process_map.GetMostLikelyContextType(extension, requesting_process_id));
 461
 462   return function;
 463 }
 464
 465 // static
 466 void ExtensionFunctionDispatcher::SendAccessDenied(
 467     const ExtensionFunction::ResponseCallback& callback) {
 468   base::ListValue empty_list;
 469   callback.Run(ExtensionFunction::FAILED, empty_list,
 470                "Access to extension API denied.");
 471 }
 472
 473 }  // namespace extensions