Skip to content

Latest commit

 

History

History
96 lines (73 loc) · 5.73 KB

permissions.md

File metadata and controls

96 lines (73 loc) · 5.73 KB

Permissions

This page analyzes the Chromium permissions component and potential security vulnerabilities.

Component Focus:

The focus of this page is on the Chromium permissions component, specifically how permissions are granted, stored, and enforced. The primary file of interest is content/browser/permissions/permission_controller_impl.cc.

Potential Logic Flaws:

  • Inconsistent Permission Checks: Potential inconsistencies in how permissions are checked across different parts of the codebase could lead to bypasses.
  • Incorrect Permission Scope: Incorrectly scoped permissions could allow a component to access resources it should not have access to.
  • Race Conditions: Race conditions in permission handling could lead to unexpected behavior and potential vulnerabilities.
  • Permission Downgrade: A vulnerability could allow a malicious actor to downgrade permissions.
  • Bypassing Permissions Policy: Incorrectly implemented permissions policy checks could allow a malicious actor to bypass the intended restrictions.
  • Incorrect Context Checks: Incorrectly implemented context checks could allow a malicious actor to gain access to resources they should not have access to.

Further Analysis and Potential Issues:

The permission model in Chromium is complex, involving multiple layers of checks and balances. It is important to analyze how permissions are granted, stored, and enforced. The permission_controller_impl.cc file is a key area to investigate. This file manages the core logic for permission requests and status checks.

  • File: content/browser/permissions/permission_controller_impl.cc
    • This file manages the core logic for permission requests and status checks.
    • Key functions to analyze include: RequestPermissions, GetPermissionStatusForCurrentDocumentInternal, SetPermissionOverride, GetPermissionResultForCurrentDocument, GetPermissionStatusForWorker, SubscribeToPermissionStatusChange, UnsubscribeFromPermissionStatusChange.
    • The VerifyContextOfCurrentDocument function is used to check if the current document is allowed to request a permission.
    • The OverridePermissions function is used to apply DevTools overrides to permissions.
    • The NotifySchedulerAboutPermissionRequest function is used to notify the scheduler about permission requests.

Code Analysis:

// Example code snippet from permission_controller_impl.cc
void PermissionControllerImpl::RequestPermissions(
    RenderFrameHost* render_frame_host,
    PermissionRequestDescription request_description,
    base::OnceCallback<void(const std::vector<PermissionStatus>&)> callback) {
  // ... permission request logic ...
  if (!IsRequestAllowed(request_description.permissions, render_frame_host,
                        callback)) {
    return;
  }

  for (PermissionType permission : request_description.permissions) {
    NotifySchedulerAboutPermissionRequest(render_frame_host, permission);
  }

  std::vector<std::optional<blink::mojom::PermissionStatus>> override_results =
      OverridePermissions(request_description, render_frame_host,
                          permission_overrides_);

  auto wrapper = base::BindOnce(&MergeOverriddenAndDelegatedResults,
                                std::move(callback), override_results);
  if (request_description.permissions.empty()) {
    std::move(wrapper).Run({});
    return;
  }

  // Use delegate to find statuses of other permissions that have been requested
  // but do not have overrides.
  PermissionControllerDelegate* delegate =
      browser_context_->GetPermissionControllerDelegate();
  if (!delegate) {
    std::move(wrapper).Run(std::vector<PermissionStatus>(
        request_description.permissions.size(), PermissionStatus::DENIED));
    return;
  }

  delegate->RequestPermissions(render_frame_host, request_description,
                               std::move(wrapper));
}

Areas Requiring Further Investigation:

  • How are permissions stored and retrieved by the PermissionControllerDelegate?
  • How are permissions revoked?
  • How are permissions handled in different contexts (e.g., incognito mode, extensions)?
  • How are permissions handled across different processes?
  • How are permissions handled for cross-origin requests?
  • How does the PermissionOverrides class work and how are overrides stored?
  • How does the NotifySchedulerAboutPermissionRequest function interact with the scheduler?
  • How does the VerifyContextOfCurrentDocument function interact with the permissions policy?

Secure Contexts and Permissions:

Secure contexts play a crucial role in mitigating vulnerabilities related to permissions. Permissions granted in a secure context should not be transferable to an insecure context. The VerifyContextOfCurrentDocument function enforces some of these checks, but further analysis is needed to ensure that all secure context requirements are met.

Privacy Implications:

The permissions system has significant privacy implications. Incorrectly handled permissions could allow websites to access sensitive user data without proper consent. It is important to ensure that the permission system is implemented in a way that protects user privacy.

Additional Notes:

  • The permission system is constantly evolving, so it is important to stay up-to-date with the latest changes.
  • The permission system is closely tied to the security model of Chromium, so it is important to understand the overall security architecture.
  • The PermissionControllerImpl relies on a PermissionControllerDelegate to perform the actual permission checks and storage. The implementation of this delegate is important to understand.