1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
|
// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/policy/core/common/policy_loader_common.h"
#include <string>
#include "base/metrics/histogram_functions.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/string_util.h"
#include "components/policy/core/common/policy_map.h"
#include "components/policy/policy_constants.h"
#include "components/strings/grit/components_strings.h"
namespace policy {
namespace {
#if !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_IOS)
// Duplicate the extension constants in order to avoid extension dependency.
// However, those values below must be synced with files in extension folders.
// In long term, we can refactor the code and create an interface for sensitive
// policy filtering so that each policy component users can have their own
// implementation. And the Chrome one can be moved to c/b/policy.
// From extensions/common/extension_urls.cc
const char kChromeWebstoreUpdateURL[] =
"https://clients2.google.com/service/update2/crx";
const char16_t kChromeWebstoreUpdateURL16[] =
u"https://clients2.google.com/service/update2/crx";
// From chrome/browser/extensions/extension_management_constants.cc
const char kWildcard[] = "*";
const char kInstallationMode[] = "installation_mode";
const char kForceInstalled[] = "force_installed";
const char kNormalInstalled[] = "normal_installed";
const char kUpdateUrl[] = "update_url";
// String to be prepended to each blocked entry.
const char kBlockedExtensionPrefix[] = "[BLOCKED]";
#endif
// List of policies that are considered only if the user is part of a AD domain
// on Windows or managed on the Mac. Please document any new additions in the
// policy definition file.
// Please keep the list in alphabetical order!
const char* kSensitivePolicies[] = {
key::kDefaultSearchProviderEnabled,
key::kSafeBrowsingEnabled,
#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_LINUX) || \
BUILDFLAG(IS_CHROMEOS)
key::kAutoOpenFileTypes,
key::kEnterpriseSearchAggregatorSettings,
key::kHomepageIsNewTabPage,
key::kPasswordProtectionChangePasswordURL,
key::kPasswordProtectionLoginURLs,
key::kRestoreOnStartup,
key::kRestoreOnStartupURLs,
key::kSafeBrowsingAllowlistDomains,
key::kSiteSearchSettings,
#endif
#if BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_LINUX)
key::kCommandLineFlagSecurityWarningsEnabled,
key::kEnterpriseCustomLabelForBrowser,
key::kEnterpriseLogoUrlForBrowser,
key::kNTPFooterManagementNoticeEnabled,
#endif
#if !BUILDFLAG(IS_IOS)
key::kFirstPartySetsOverrides,
key::kHomepageLocation,
#endif
#if !BUILDFLAG(IS_ANDROID)
key::kNewTabPageLocation,
#endif
#if !BUILDFLAG(IS_CHROMEOS)
key::kMetricsReportingEnabled,
#endif
#if BUILDFLAG(IS_WIN)
key::kSafeBrowsingForTrustedSourcesEnabled,
#endif
};
void RecordInvalidPolicies(const std::string& policy_name) {
const PolicyDetails* details = GetChromePolicyDetails(policy_name);
base::UmaHistogramSparse("EnterpriseCheck.InvalidPolicies", details->id);
}
#if !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_IOS)
// Marks the sensitive ExtensionInstallForceList policy entries, returns true if
// there is any sensitive entries in the policy.
bool FilterSensitiveExtensionsInstallForcelist(PolicyMap::Entry* map_entry) {
bool has_invalid_policies = false;
if (!map_entry)
return false;
base::Value* policy_list_value = map_entry->value(base::Value::Type::LIST);
if (!policy_list_value)
return false;
// Using index for loop to update the list in place.
for (size_t i = 0; i < policy_list_value->GetList().size(); i++) {
const auto& list_entry = policy_list_value->GetList()[i];
if (!list_entry.is_string())
continue;
const std::string& entry = list_entry.GetString();
size_t pos = entry.find(';');
if (pos == std::string::npos)
continue;
// Only allow custom update urls in enterprise environments.
if (!base::EqualsCaseInsensitiveASCII(entry.substr(pos + 1),
kChromeWebstoreUpdateURL)) {
policy_list_value->GetList()[i] =
base::Value(kBlockedExtensionPrefix + entry);
has_invalid_policies = true;
}
}
if (has_invalid_policies) {
map_entry->AddMessage(PolicyMap::MessageType::kWarning,
IDS_POLICY_OFF_CWS_URL_ERROR,
{kChromeWebstoreUpdateURL16});
RecordInvalidPolicies(key::kExtensionInstallForcelist);
}
return has_invalid_policies;
}
// Marks the sensitive ExtensionSettings policy entries, returns the number of
// sensitive entries in the policy.
bool FilterSensitiveExtensionSettings(PolicyMap::Entry* map_entry) {
if (!map_entry)
return false;
base::Value* policy_dict_value = map_entry->value(base::Value::Type::DICT);
if (!policy_dict_value) {
return false;
}
base::Value::Dict& policy_dict = policy_dict_value->GetDict();
// Note that we only search for sensitive entries, all other validations will
// be handled by ExtensionSettingsPolicyHandler.
std::vector<std::string> filtered_extensions;
for (auto entry : policy_dict) {
if (entry.first == kWildcard)
continue;
if (!entry.second.is_dict())
continue;
base::Value::Dict& entry_dict = entry.second.GetDict();
std::string* installation_mode = entry_dict.FindString(kInstallationMode);
if (!installation_mode || (*installation_mode != kForceInstalled &&
*installation_mode != kNormalInstalled)) {
continue;
}
std::string* update_url = entry_dict.FindString(kUpdateUrl);
if (!update_url || base::EqualsCaseInsensitiveASCII(
*update_url, kChromeWebstoreUpdateURL)) {
continue;
}
filtered_extensions.push_back(entry.first);
}
// Marking the blocked extension by adding the "[BLOCKED]" prefix. This is an
// invalid extension id and will be removed by PolicyHandler later.
if (!filtered_extensions.empty()) {
for (const auto& extension : filtered_extensions) {
auto setting = policy_dict.Extract(extension);
if (!setting)
continue;
policy_dict.Set(kBlockedExtensionPrefix + extension,
std::move(setting.value()));
}
map_entry->AddMessage(PolicyMap::MessageType::kWarning,
IDS_POLICY_OFF_CWS_URL_ERROR,
{kChromeWebstoreUpdateURL16});
RecordInvalidPolicies(key::kExtensionSettings);
}
return !filtered_extensions.empty();
}
#endif
} // namespace
void FilterSensitivePolicies(PolicyMap* policy) {
int invalid_policies = 0;
#if !BUILDFLAG(IS_ANDROID) && !BUILDFLAG(IS_IOS)
if (FilterSensitiveExtensionsInstallForcelist(
policy->GetMutable(key::kExtensionInstallForcelist))) {
invalid_policies++;
}
if (FilterSensitiveExtensionSettings(
policy->GetMutable(key::kExtensionSettings))) {
invalid_policies++;
}
#endif
for (const char* sensitive_policy : kSensitivePolicies) {
if (policy->Get(sensitive_policy)) {
policy->GetMutable(sensitive_policy)->SetBlocked();
invalid_policies++;
RecordInvalidPolicies(sensitive_policy);
}
}
UMA_HISTOGRAM_COUNTS_1M("EnterpriseCheck.InvalidPoliciesDetected",
invalid_policies);
}
bool IsPolicyNameSensitive(const std::string& policy_name) {
for (const char* sensitive_policy : kSensitivePolicies) {
if (sensitive_policy == policy_name) {
return true;
}
}
return false;
}
} // namespace policy
|
