Status Update
Comments
am...@gmail.com <am...@gmail.com> #2
[Deleted User] <[Deleted User]> #3
da...@chromium.org <da...@chromium.org> #4
=> UX folks, do you have thoughts? Please assign to dtrainor/qinmin after.
[Monorail components: UI>Browser>Downloads]
am...@gmail.com <am...@gmail.com> #5
am...@gmail.com <am...@gmail.com> #6
am...@gmail.com <am...@gmail.com> #7
am...@gmail.com <am...@gmail.com> #8
es...@chromium.org <es...@chromium.org> #9
[Monorail components: Blink>Storage>FileSystem]
es...@chromium.org <es...@chromium.org> #10
The keyboard-jacking (holding down Enter to accept all the dialogs) also needs some clarification, in the video it looks like Cancel is the default action so holding down Enter wouldn't result in the user accepting the dialogs.
as...@chromium.org <as...@chromium.org> #11
Correct - the permission dialogs default to "Cancel" so holding down Enter will abort the flow
If the site were to show a file picker and attempt to save a file (with showSaveFilePicker()), we would show a dialog asking the user if they're sure they want to save a file with a potentially dangerous extension (and we limit the extension length to 16 characters (
In this case, the directory picker is shown instead. Once the user grants write access to a directory, there's not as many restrictions in place (see
What could be useful, perhaps, would be to show a dialog when a site tries to edit/save a file with a dangerous extension. However, once the site gets write access to a directory, no user interaction is required to make these writes. So the prompt could feel like it's coming out of nowhere from the user's perspective... but probably better than having an unexpected executable in a local directory
That being said, every saved/edited file is subject to Safe Browsing checks (and has the Mark-of-the Web added), so if Safe Browsing thinks it's okay... ¯\_(ツ)_/¯
THAT being said, the showSaveFilePicker() dialog for dangerous files will become bypassable for bad actors by our upcoming (M111) launch of the move() method for local files. For example:
```js
// No "dangerous file extension" dialog shown
let handle = await window.showSaveFilePicker({ suggestedName: 'innocuous.txt' });
// Safe Browsing checks will be run on this rename, but, as this bug report shows, that likely won't prevent the file from being renamed
await handle.move('bad.exe');
```
So... I'm not sure where that leaves us. Happy to hear thoughts from security / SB folks about whether we should supplement SB checks with another dialog
as...@chromium.org <as...@chromium.org> #12
aj...@google.com <aj...@google.com> #13
is...@google.com <is...@google.com> #14
[Multiple monorail components: Blink>Storage>FileSystem, UI>Browser>Downloads]
[Monorail components added to Component Tags custom field.]
ch...@chromium.org <ch...@chromium.org> #15
es...@chromium.org <es...@chromium.org> #16
Otherwise, I think drubery or chlily might be able to comment on whether we should be concerned about being able to bypass the "potentially dangerous extension" dialog -- any thoughts?
dr...@chromium.org <dr...@chromium.org> #17
The "potentially dangerous extension" prompt is determined by
If so, I do feel like being able to bypass it for DANGEROUS file types is pretty dangerous. We currently only have three file types in that category: dll, scf, and ini. They're classified as DANGEROUS because they can negatively impact the user without the user ever opening the file (e.g. DLL hijacking attacks). I would definitely support restrictions on this very small set of file types, even if the UX is a little surprising.
I'm not convinced it's much of a security bug to be able to bypass it for ALLOW_ON_USER_GESTURE file types. That's a much broader category of file types, and in practice, users tend to bypass these warnings fairly often for regular downloads. I don't know that the value of a warning outweighs the cost of this prompt coming out of nowhere.
ch...@chromium.org <ch...@chromium.org> #18
Current restrictions on extensions of files selected from the file picker:
I'm planning on add on exe and bat (and ini due to being DANGEROUS even if not directly called out in the original report) file extensions after I do some digging to figure out if there's a reason that these extension types aren't restricted from being shown in the picker currently.
If anyone on CC has objections / thinks that there's some context that I'm missing please let me know!
ch...@chromium.org <ch...@chromium.org> #19
Going to put this on hold temporarily until further offline / security-related discussions are completed and will followup afterwards.
am...@gmail.com <am...@gmail.com> #20
ch...@chromium.org <ch...@chromium.org> #21
dslee@ and I discussed this offline, and agree that completely blocking *writes* of .exe files would be unexpected behavior (e.g. the user is writing a .exe file on the web in a text editor or something like VSCode - they should be able to download that file without being blocked entirely).
Re-raising this question for estark@ / drubery@: since it seems like blocking is not a viable solution here, should there be a warning prompt shown upon write operations of .exe / .bat files? It feels like the two options are either warning the user, or marking this as expected behavior if (as previously mentioned) this prompt would not add value and be readily dismissed by the user + increase prompt fatigue. Please let me know if there's something that I'm missing here, or if there's a third path forward that I'm not aware of!
dr...@chromium.org <dr...@chromium.org> #22
estark@ and I chatted and I'm talking this through with my team.
My general feeling is still well represented by
The only remaining thing is that I'm a little torn on things like DLL/INI. The considerations are:
- DLL hijacking means the user could be harmed without every opening the file.
- INI (if I recall correctly) can leak an NTLM hash just by being shown in Explorer.
- On regular downloads, we show a soft warning about these downloads so they aren't on disk without explicit user consent
- For FSA, we do have the directory permission prompt, but that's far less explicit about it being a DLL/INI written to disk
- FSA does protect against directory write permission to a "sensitive" directory, which mitigates DLL a lot.
If anyone has thoughts on the balance of these, feel free to chime in. Otherwise my team's security UX folks can try to figure it out.
am...@gmail.com <am...@gmail.com> #23
pe...@google.com <pe...@google.com> #24
am...@gmail.com <am...@gmail.com> #25
ap...@google.com <ap...@google.com> #26
Branch: main
commit 153ab68741786276ee86ff25e07d020c3aee43e6
Author: Nathan Memmott <memmott@chromium.org>
Date: Fri Sep 20 21:31:34 2024
FSA: Move IsSafePathComponent to FSA Manager
Moves IsSafePathComponent to FSA Manager and makes it non-static.
This is a refactor in preparation to make IsSafePathComponent check the
Danger type. We will need access to the
ChromeFileSystemAccessPermissionContext which will mean this function
can no longer be static. And keeping it in
FileSystemAccessDirectoryHandleImpl would mean always needing to call
IsSafePathComponent on an instance of it. Which both doesn't make sense
and isn't always possible. So this moves it to the FSA Manager.
Bug: 40062534
Change-Id: I41bf3902bb6e05ab04343c8f5435e56e612dc772
Reviewed-on:
Commit-Queue: Nathan Memmott <memmott@chromium.org>
Reviewed-by: Christine Hollingsworth <christinesm@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1358389}
M content/browser/file_system_access/file_system_access_directory_handle_impl.cc
M content/browser/file_system_access/file_system_access_directory_handle_impl.h
M content/browser/file_system_access/file_system_access_directory_handle_impl_unittest.cc
M content/browser/file_system_access/file_system_access_handle_base.cc
M content/browser/file_system_access/file_system_access_manager_impl.cc
M content/browser/file_system_access/file_system_access_manager_impl.h
M content/browser/file_system_access/file_system_access_manager_impl_unittest.cc
ap...@google.com <ap...@google.com> #27
Project: chromium/src
Branch: main
Author: Nathan Memmott <
Link:
[FSA] Check for DANGEROUS extension types when creating a new file.
Expand for full commit details
[FSA] Check for DANGEROUS extension types when creating a new file.
FSA API already checks for safe_browsing::DownloadFileType::DangerLevel
on showSaveFilePicker(), but not on handle.getFileHandle().
This change aligns these two cases, with an exception of ".local" files,
per the existing comment on local files affecting its own directory,
and that the directory already has permission, hence okay to allow.
Bug: 40062534
Change-Id: I695dce1dfc68cf5f2518172d4e63aada074588fe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5875189
Commit-Queue: Nathan Memmott <memmott@chromium.org>
Reviewed-by: Nate Fischer <ntfschr@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1363763}
Files:
- M
android_webview/browser/file_system_access/aw_file_system_access_permission_context.cc
- M
android_webview/browser/file_system_access/aw_file_system_access_permission_context.h
- M
chrome/browser/file_system_access/chrome_file_system_access_permission_context.cc
- M
chrome/browser/file_system_access/chrome_file_system_access_permission_context.h
- M
content/browser/file_system_access/file_system_access_directory_handle_impl.cc
- M
content/browser/file_system_access/file_system_access_directory_handle_impl_unittest.cc
- M
content/browser/file_system_access/file_system_access_file_handle_impl_unittest.cc
- M
content/browser/file_system_access/file_system_access_handle_base.cc
- M
content/browser/file_system_access/file_system_access_manager_impl.cc
- M
content/browser/file_system_access/file_system_access_manager_impl.h
- M
content/browser/file_system_access/file_system_access_manager_impl_unittest.cc
- M
content/browser/file_system_access/mock_file_system_access_permission_context.cc
- M
content/browser/file_system_access/mock_file_system_access_permission_context.h
- M
content/public/browser/file_system_access_permission_context.h
- M
content/public/test/fake_file_system_access_permission_context.cc
- M
content/public/test/fake_file_system_access_permission_context.h
Hash: e401c21f259351d1eee212d6c04b306f018f1973
Date: Thu Oct 03 18:37:55 2024
am...@gmail.com <am...@gmail.com> #28
me...@chromium.org <me...@chromium.org>
pe...@google.com <pe...@google.com> #29
Dear owner, thanks for fixing this bug. We've reopened it because security bugs need the Severity (S0-S3) and the Found In set, which will enable the bots to request merges to the correct branches ( as well as helping out our vulnerability reward and CVE processes). Please consult with any Chrome security contact (
me...@chromium.org <me...@chromium.org>
am...@gmail.com <am...@gmail.com> #30
am...@chromium.org <am...@chromium.org> #31
Hello, as always, reward decisions will be updated on the bug after a VRP decision panel has been made. This is in the queue for a reward decision. As rewards are decided in order of severity, it may be a bit more time before we get to this one.
CVEs are issued when a fix for a security bug ships in a Stable channel update of Chrome. This fix landed in 131, so this fix should ship in the M131 Stable channel release of Chrome.
am...@gmail.com <am...@gmail.com> #32
am...@chromium.org <am...@chromium.org> #33
We did not meet last week due to many of us being out of office. Additionally, bugs are assessed in order of severity so it may be some more weeks until we get to this issue. As always bugs will be updated directly with the reward decision once that has occurred. Thank you for your patience.
sp...@google.com <sp...@google.com> #34
Hello,
Congratulations! The Chrome Vulnerability Rewards Program (VRP) Panel has decided to award you $1000.00 for this report.
Rationale for this decision:
report of lower impact web platform privilege escalation || exploitation mitigation bypass
Important: If you aren't already registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to repeat the process – you can sit back and relax, and we will process the payment soon.
If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from.
Thank you for your efforts and helping us make Chrome more secure for all users!
Cheers,
Chrome VRP Panel Bot
P.S. One other thing we'd like to mention:
* Please do NOT publicly disclose details until a fix has been released to all our users. Early public disclosure may cancel the provisional reward. Also, please be considerate about disclosure when the bug affects a core library that may be used by other products. Please do NOT share this information with third parties who are not directly involved in fixing the bug. Doing so may cancel the provisional reward. Please be honest if you have already disclosed anything publicly or to third parties. Lastly, we understand that some of you are not interested in money. We offer the option to donate your reward to an eligible charity. If you prefer this option, let us know and we will also match your donation - subject to our discretion. Any rewards that are unclaimed after 12 months will be donated to a charity of our choosing.
Please contact security-vrp@chromium.org with any questions.
am...@chromium.org <am...@chromium.org> #35
Congratulations Ameen! Thank you for your efforts and reporting this issue to us.
am...@gmail.com <am...@gmail.com> #36
Can i get to know what are all the places my name is acknowledged.(kindly share the links too)
also is this included in google hall of fame too?
inaddition to this, should i have to wait for a mail from p2p-vrp(how long will it take) or I have to sent mail?
am...@chromium.org <am...@chromium.org> #37
Hello,
Can i get to know what are all the places my name is acknowledged.(kindly share the links too)
You are acknowledged in the Chrome Stable release notes in the release version the fix for the issue you reported ships.
In this case, it's:
also is this included in google hall of fame too?
The Google HoF no longer exists.
There is the Bughunters (
inaddition to this, should i have to wait for a mail from p2p-vrp(how long will it take) or I have to sent mail?
As explained above in c#34, p2p-vrp will process your payment or reach out to you, if needed. It will not be immediately however, and may a day or two.
am...@gmail.com <am...@gmail.com> #38
regarding the hall of fame, i have the bughunters profile but my name is not listed in any of the leaderboard. i tried with search also but my name is not listed, Kindly help on this
am...@chromium.org <am...@chromium.org> #39
Your profile must be public. Please check the status of your profile.
If this issue persists, please reach out to
pe...@google.com <pe...@google.com> #40
This bug has been closed for more than 14 weeks. Removing issue access restrictions.
Description
VULNERABILITY DETAILS
As stated in my another issue Reference added in next line when we download a extension say .exe/.bat it will show pop up for cross confirmation. but by using showDirectoryPicker() Method we can save the .bat file without any popup's
VERSION
Chrome Version: Version 108.0.5359.125 (Official Build) (64-bit)
Operating System: Windows 10 Updated to latest Patch
REPRODUCTION CASE
Poc
If we can specify the exact folder to open via showDirectoryPicker Method Then This will have a higher impact which of similar to my above report
We can trick the user to hold enter for 2 Sec this will Accept all the dialogs and save the file.
I have tried open the direct sub folder but it is not possible so it needs User interaction to download a file
CREDIT INFORMATION
Externally reported security bugs may appear in Chrome release notes. If
this bug is included, how would you like to be credited?
Reporter credit: Ameen Basha M K (Acknowledge my name with my profile/ mail id)