content/browser/web_contents/file_chooser_impl.cc

// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "content/browser/web_contents/file_chooser_impl.h"

#include <algorithm>

#include "base/files/file_util.h"
#include "base/logging.h"
#include "base/memory/ptr_util.h"
#include "base/task/thread_pool.h"
#include "content/browser/child_process_security_policy_impl.h"
#include "content/browser/renderer_host/back_forward_cache_disable.h"
#include "content/browser/renderer_host/render_frame_host_delegate.h"
#include "content/browser/renderer_host/render_frame_host_impl.h"
#include "content/browser/web_contents/web_contents_impl.h"
#include "content/public/browser/browser_context.h"
#include "content/public/browser/storage_partition.h"
#include "content/public/browser/web_contents.h"
#include "mojo/public/cpp/bindings/self_owned_receiver.h"

namespace content {

namespace {

// Removes any file that is a symlink or is inside a directory symlink.
// For |kUploadFolder| mode only. |base_dir| is the folder being uploaded.
std::vector<blink::mojom::FileChooserFileInfoPtr> RemoveSymlinks(
    std::vector<blink::mojom::FileChooserFileInfoPtr> files,
    base::FilePath base_dir) {
  DCHECK(!base_dir.empty());
  auto to_remove = std::ranges::remove_if(
      files,
      [&base_dir](const base::FilePath& file_path) {
        if (base::IsLink(file_path))
          return true;
        for (base::FilePath path = file_path.DirName(); base_dir.IsParent(path);
             path = path.DirName()) {
          if (base::IsLink(path))
            return true;
        }
        return false;
      },
      [](const auto& file) { return file->get_native_file()->file_path; });
  files.erase(to_remove.begin(), to_remove.end());
  return files;
}

}  // namespace

FileChooserImpl::FileSelectListenerImpl::FileSelectListenerImpl(
    FileChooserImpl* owner)
    : owner_(owner ? owner->GetWeakPtr() : nullptr) {}

FileChooserImpl::FileSelectListenerImpl::~FileSelectListenerImpl() {
#if DCHECK_IS_ON()
  if (!was_file_select_listener_function_called_) {
    LOG(ERROR) << "Must call either FileSelectListener::FileSelected() or "
                  "FileSelectListener::FileSelectionCanceled()";
  }
  // TODO(avi): Turn on the DCHECK on the following line. This cannot yet be
  // done because I can't say for sure that I know who all the callers who bind
  // blink::mojom::FileChooser are. https://crbug.com/1054811
  /* DCHECK(was_fullscreen_block_set_) << "The fullscreen block was not set"; */
#endif
}

void FileChooserImpl::FileSelectListenerImpl::SetFullscreenBlock(
    base::ScopedClosureRunner fullscreen_block) {
#if DCHECK_IS_ON()
  DCHECK(!was_fullscreen_block_set_)
      << "Fullscreen block must only be set once";
  was_fullscreen_block_set_ = true;
#endif
  fullscreen_block_ = std::move(fullscreen_block);
}

void FileChooserImpl::FileSelectListenerImpl::FileSelected(
    std::vector<blink::mojom::FileChooserFileInfoPtr> files,
    const base::FilePath& base_dir,
    blink::mojom::FileChooserParams::Mode mode) {
#if DCHECK_IS_ON()
  DCHECK(!was_file_select_listener_function_called_)
      << "Must not call both of FileSelectListener::FileSelected() and "
         "FileSelectListener::FileSelectionCanceled()";
  was_file_select_listener_function_called_ = true;
#endif
  if (!owner_)
    return;

  if (mode != blink::mojom::FileChooserParams::Mode::kUploadFolder) {
    owner_->FileSelected(base_dir, mode, std::move(files));
    return;
  }

  base::ThreadPool::PostTaskAndReplyWithResult(
      FROM_HERE,
      {base::MayBlock(), base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN},
      base::BindOnce(&RemoveSymlinks, std::move(files), base_dir),
      base::BindOnce(&FileChooserImpl::FileSelected, owner_, base_dir, mode));
}

void FileChooserImpl::FileSelectListenerImpl::FileSelectionCanceled() {
#if DCHECK_IS_ON()
  DCHECK(!was_file_select_listener_function_called_)
      << "Should not call both of FileSelectListener::FileSelected() and "
         "FileSelectListener::FileSelectionCanceled()";
  was_file_select_listener_function_called_ = true;
#endif
  if (owner_)
    owner_->FileSelectionCanceled();
}

void FileChooserImpl::FileSelectListenerImpl::
    SetListenerFunctionCalledTrueForTesting() {
#if DCHECK_IS_ON()
  was_file_select_listener_function_called_ = true;
#endif
}

// static
void FileChooserImpl::Create(
    RenderFrameHostImpl* render_frame_host,
    mojo::PendingReceiver<blink::mojom::FileChooser> receiver) {
  mojo::MakeSelfOwnedReceiver(
      base::WrapUnique(new FileChooserImpl(render_frame_host)),
      std::move(receiver));
}

// static
mojo::Remote<blink::mojom::FileChooser> FileChooserImpl::CreateBoundForTesting(
    RenderFrameHostImpl* render_frame_host) {
  mojo::Remote<blink::mojom::FileChooser> chooser;
  Create(render_frame_host, chooser.BindNewPipeAndPassReceiver());
  return chooser;
}

// static
std::pair<FileChooserImpl*, mojo::Remote<blink::mojom::FileChooser>>
FileChooserImpl::CreateForTesting(RenderFrameHostImpl* render_frame_host) {
  mojo::Remote<blink::mojom::FileChooser> chooser;
  FileChooserImpl* impl = new FileChooserImpl(render_frame_host);
  mojo::MakeSelfOwnedReceiver(base::WrapUnique(impl),
                              chooser.BindNewPipeAndPassReceiver());
  return std::make_pair(impl, std::move(chooser));
}

FileChooserImpl::FileChooserImpl(RenderFrameHostImpl* render_frame_host)
    : render_frame_host_id_(render_frame_host->GetGlobalId()) {}

FileChooserImpl::~FileChooserImpl() = default;

void FileChooserImpl::OpenFileChooser(blink::mojom::FileChooserParamsPtr params,
                                      OpenFileChooserCallback callback) {
  if (listener_impl_ || !render_frame_host()) {
    std::move(callback).Run(nullptr);
    return;
  }
  callback_ = std::move(callback);
  auto listener = base::MakeRefCounted<FileSelectListenerImpl>(this);
  listener_impl_ = listener.get();
  // Do not allow messages with absolute paths in them as this can permit a
  // renderer to coerce the browser to perform I/O on a renderer controlled
  // path.
  if (params->default_file_name != params->default_file_name.BaseName()) {
    mojo::ReportBadMessage(
        "FileChooser: The default file name must not be an absolute path.");
    listener->FileSelectionCanceled();
    return;
  }

  // Do not allow open dialogs to have renderer-controlled default_file_name.
  // See https://crbug.com/433800617 for context.
  if (params->mode != blink::mojom::FileChooserParams::Mode::kSave) {
    params->default_file_name = base::FilePath();
  }

  // Don't allow page with open FileChooser to enter BackForwardCache to avoid
  // any unexpected behaviour from BackForwardCache.
  BackForwardCache::DisableForRenderFrameHost(
      render_frame_host(),
      BackForwardCacheDisable::DisabledReason(
          BackForwardCacheDisable::DisabledReasonId::kFileChooser));

  WebContentsImpl::FromRenderFrameHostImpl(render_frame_host())
      ->RunFileChooser(GetWeakPtr(), render_frame_host(), std::move(listener),
                       *params);
}

void FileChooserImpl::EnumerateChosenDirectory(
    const base::FilePath& directory_path,
    EnumerateChosenDirectoryCallback callback) {
  if (listener_impl_ || !render_frame_host()) {
    std::move(callback).Run(nullptr);
    return;
  }
  callback_ = std::move(callback);
  auto listener = base::MakeRefCounted<FileSelectListenerImpl>(this);
  listener_impl_ = listener.get();
  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
  if (policy->CanReadFile(render_frame_host()->GetProcess()->GetDeprecatedID(),
                          directory_path)) {
    WebContentsImpl::FromRenderFrameHostImpl(render_frame_host())
        ->EnumerateDirectory(GetWeakPtr(), render_frame_host(),
                             std::move(listener), directory_path);
  } else {
    listener->FileSelectionCanceled();
  }
}

void FileChooserImpl::FileSelected(
    const base::FilePath& base_dir,
    blink::mojom::FileChooserParams::Mode mode,
    std::vector<blink::mojom::FileChooserFileInfoPtr> files) {
  listener_impl_ = nullptr;
  if (!render_frame_host()) {
    std::move(callback_).Run(nullptr);
    return;
  }
  storage::FileSystemContext* file_system_context = nullptr;
  const int pid = render_frame_host()->GetProcess()->GetDeprecatedID();
  auto* policy = ChildProcessSecurityPolicyImpl::GetInstance();
  // Grant the security access requested to the given files.
  for (const auto& file : files) {
    if (mode == blink::mojom::FileChooserParams::Mode::kSave) {
      policy->GrantCreateReadWriteFile(pid, file->get_native_file()->file_path);
      continue;
    }

    if (file->is_file_system()) {
      if (!file_system_context) {
        file_system_context =
            render_frame_host()->GetStoragePartition()->GetFileSystemContext();
      }
      policy->GrantReadFileSystem(
          pid, file_system_context
                   ->CrackURLInFirstPartyContext(file->get_file_system()->url)
                   .mount_filesystem_id());
    } else {
      policy->GrantReadFile(pid, file->get_native_file()->file_path);
    }
  }
  std::move(callback_).Run(FileChooserResult::New(std::move(files), base_dir));
}

void FileChooserImpl::FileSelectionCanceled() {
  listener_impl_ = nullptr;
  std::move(callback_).Run(nullptr);
}

RenderFrameHostImpl* FileChooserImpl::render_frame_host() {
  RenderFrameHostImpl* rfh = RenderFrameHostImpl::FromID(render_frame_host_id_);
  return (rfh && rfh->IsRenderFrameLive()) ? rfh : nullptr;
}

}  // namespace content