[dart:io] Introduce per-domain policy for strict secure connections.

The default behavior is controlled via a private configuration variable
settable by embedders (#_mayUseInsecureSocket). It is, by default,
configured to allow insecure connections. The domain configuration
itself is sent as a JSON encoded string which gets parsed once.

Embedders are expected to set these configurations before they run any
user code.

This is a re-work of https://dart-review.googlesource.com/c/sdk/+/142446
[dart:_http] Allow the embedder to prohibit HTTP traffic.

Change-Id: I4ccbd35da9ce25bf5f81ad4468111018d6af2f03
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/154180
Commit-Queue: Mehmet Fidanboylu <[email protected]>
Reviewed-by: Jonas Termansen <[email protected]>

Author: mehmetf

sdk/lib/_http/embedder_config.dart

@@ -7,5 +7,9 @@ part of dart._http;
 /// Embedder-specific `dart:_http` configuration.
 
 /// [HttpClient] will disallow HTTP URLs if this value is set to `false`.
+///
+/// TODO(https://github.com/dart-lang/sdk/issues/41796): This setting will be
+/// removed in favor of explicit domain settings.
+@deprecated
 @pragma("vm:entry-point")
 bool _embedderAllowsHttp = true;

sdk/lib/_http/http_impl.dart

@@ -2271,32 +2271,6 @@ class _HttpClient implements HttpClient {
     });
   }
 
-  /// Whether HTTP requests are currently allowed.
-  ///
-  /// If the [Zone] variable `#dart.library.io.allow_http` is set to a boolean,
-  /// it determines whether the HTTP protocol is allowed. If the zone variable
-  /// is set to any other non-null value, HTTP is not allowed.
-  /// Otherwise, if the `dart.library.io.allow_http` environment flag
-  /// is set to `false`, HTTP is not allowed.
-  /// Otherwise, [_embedderAllowsHttp] determines the result.
-  bool get _isHttpAllowed {
-    final zoneOverride = Zone.current[#dart.library.io.allow_http];
-    if (zoneOverride != null) return true == zoneOverride;
-    bool envOverride =
-        bool.fromEnvironment("dart.library.io.allow_http", defaultValue: true);
-    return envOverride && _embedderAllowsHttp;
-  }
-
-  bool _isLoopback(String host) {
-    if (host.isEmpty) return false;
-    if ("localhost" == host) return true;
-    try {
-      return InternetAddress(host).isLoopback;
-    } on ArgumentError {
-      return false;
-    }
-  }
-
   Future<_HttpClientRequest> _openUrl(String method, Uri uri) {
     if (_closing) {
       throw new StateError("Client is closed");
@@ -2318,11 +2292,6 @@ class _HttpClient implements HttpClient {
     }
 
     bool isSecure = uri.isScheme("https");
-    if (!_isHttpAllowed && !isSecure && !_isLoopback(uri.host)) {
-      throw new StateError(
-          "Insecure HTTP is not allowed by the current platform: $uri");
-    }
-
     int port = uri.port;
     if (port == 0) {
       port =

sdk/lib/io/embedder_config.dart

@@ -32,6 +32,18 @@ abstract class _EmbedderConfig {
   @pragma('vm:entry-point')
   static bool _maySleep = true;
 
+  /// The Isolate may establish insecure socket connections to all domains.
+  ///
+  /// This setting can be overridden by per-domain policies.
+  @pragma('vm:entry-point')
+  static bool _mayInsecurelyConnectToAllDomains = true;
+
+  /// Domain network policies set by embedder.
+  @pragma('vm:entry-point')
+  static void _setDomainPolicies(String domainNetworkPolicyJson) {
+    _domainPolicies = _constructDomainPolicies(domainNetworkPolicyJson);
+  }
+
   // TODO(zra): Consider adding:
   // - an option to disallow modifying SecurityContext.defaultContext
   // - an option to disallow closing stdout and stderr.

sdk/lib/io/io.dart

@@ -215,6 +215,7 @@ part 'io_sink.dart';
 part 'io_service.dart';
 part 'link.dart';
 part 'namespace_impl.dart';
+part 'network_policy.dart';
 part 'network_profiling.dart';
 part 'overrides.dart';
 part 'platform.dart';

sdk/lib/io/network_policy.dart

@@ -0,0 +1,192 @@
+// Copyright (c) 2020, the Dart project authors.  Please see the AUTHORS file
+// for details. All rights reserved. Use of this source code is governed by a
+// BSD-style license that can be found in the LICENSE file.
+
+part of dart.io;
+
+/// Whether insecure connections to [host] are allowed.
+///
+/// [host] must be a [String] or [InternetAddress].
+///
+/// If any of the domain policies match [host], the matching policy will make
+/// the decision. If multiple policies apply, the top matching policy makes the
+/// decision. If none of the domain policies match, the embedder default is
+/// used.
+///
+/// Loopback addresses are always allowed.
+bool isInsecureConnectionAllowed(dynamic host) {
+  String hostString;
+  if (host is String) {
+    try {
+      if ("localhost" == host || InternetAddress(host).isLoopback) return true;
+    } on ArgumentError {
+      // Assume not loopback.
+    }
+    hostString = host;
+  } else if (host is InternetAddress) {
+    if (host.isLoopback) return true;
+    hostString = host.host;
+  } else {
+    throw ArgumentError.value(
+        host, "host", "Must be a String or InternetAddress");
+  }
+  final topMatchedPolicy = _findBestDomainNetworkPolicy(hostString);
+  final envOverride = bool.fromEnvironment(
+      "dart.library.io.may_insecurely_connect_to_all_domains",
+      defaultValue: true);
+  return topMatchedPolicy?.allowInsecureConnections ??
+      (envOverride && _EmbedderConfig._mayInsecurelyConnectToAllDomains);
+}
+
+/// Policy for a specific domain.
+///
+/// [_DomainNetworkPolicy] can be used to create exceptions to the global
+/// network policy.
+class _DomainNetworkPolicy {
+  /// https://tools.ietf.org/html/rfc1034#:~:text=Name%20space%20specifications
+  ///
+  /// We specifically do not allow IP addresses.
+  static final _domainMatcher = RegExp(
+      r"^(?:[a-z\d-]{1,63}\.)+[a-z][a-z\d-]{0,62}$",
+      caseSensitive: false);
+
+  /// The domain on which the policy is being set.
+  ///
+  /// This cannot be a numeric IP address.
+  ///
+  /// For example: `example.com`.
+  final String domain;
+
+  /// Whether to allow insecure socket connections for this domain.
+  final bool allowInsecureConnections;
+
+  /// Whether this domain policy covers sub-domains as well.
+  ///
+  /// If this is true, all subdomains inherit the same policy. For instance,
+  /// a policy set on `example.com` would apply to `*.example.com` such as
+  /// `subdomain.example.com` or `www.example.com`.
+  final bool includesSubDomains;
+
+  /// Creates a new domain exception in the network policy.
+  ///
+  /// [domain] is the domain on which the policy is being set.
+  ///
+  /// [includesSubDomains] determines whether the policy applies to
+  /// all sub domains. If this is set to true, all subdomains inherit the
+  /// same policy. For instance, a policy set on `example.com` would apply to
+  /// `*.example.com` such as `subdomain.example.com` or `www.example.com`.
+  ///
+  /// [allowInsecureConnections] determines whether to allow insecure socket
+  /// connections for this [domain].
+  _DomainNetworkPolicy(this.domain,
+      {this.includesSubDomains = false,
+      this.allowInsecureConnections = false}) {
+    if (domain.length > 255 || !_domainMatcher.hasMatch(domain)) {
+      throw ArgumentError.value(domain, "domain", "Invalid domain name");
+    }
+  }
+
+  /// Calculates how well the policy matches to a given host string.
+  ///
+  /// A host matches a [policy] if it ends with its [domain].
+  ///
+  /// A score is given to such a match depending on the specificity of the
+  /// [domain]:
+  ///
+  /// * A longer domain receives a higher score.
+  /// * A domain that does not allow sub domains receives a higher score.
+  ///
+  /// Returns -1 if the policy does not match.
+  int matchScore(String host) {
+    final domainLength = domain.length;
+    final hostLength = host.length;
+    final lengthDelta = hostLength - domainLength;
+    if (host.endsWith(domain) &&
+        (lengthDelta == 0 ||
+            includesSubDomains && host.codeUnitAt(lengthDelta - 1) == 0x2e)) {
+      return domainLength * 2 + (includesSubDomains ? 0 : 1);
+    }
+    return -1;
+  }
+
+  /// Checks whether the [policy] to be added conflicts with existing policies.
+  ///
+  /// Returns [true] if policy is safe to add to existing policy set and [false]
+  ///     if policy can safely be ignored.
+  ///
+  /// Throws [ArgumentError] if a conflict is detected.
+  bool checkConflict(List<_DomainNetworkPolicy> existingPolicies) {
+    for (final existingPolicy in existingPolicies) {
+      if (includesSubDomains == existingPolicy.includesSubDomains &&
+          domain == existingPolicy.domain) {
+        if (allowInsecureConnections ==
+            existingPolicy.allowInsecureConnections) {
+          // This is a duplicate policy
+          return false;
+        }
+        throw StateError("Contradiction in the domain security policies: "
+            "'$this' contradicts '$existingPolicy'");
+      }
+    }
+    return true;
+  }
+
+  /// This is used for encoding information about the policy in user visible
+  /// errors.
+  @override
+  String toString() {
+    final subDomainPrefix = includesSubDomains ? '*.' : '';
+    final insecureConnectionPermission =
+        allowInsecureConnections ? 'Allows' : 'Disallows';
+    return "$subDomainPrefix$domain: "
+        "$insecureConnectionPermission insecure connections";
+  }
+}
+
+/// Finds the top [DomainNetworkPolicy] instance that match given a single
+/// [domain].
+///
+/// We order the policies according to how specific they are. The final policy
+/// for a given [domain] is determined by the top matching
+/// [DomainNetworkPolicy].
+///
+/// Returns null if there's no matching policy.
+_DomainNetworkPolicy? _findBestDomainNetworkPolicy(String domain) {
+  var topScore = 0;
+  _DomainNetworkPolicy? topPolicy;
+  for (final _DomainNetworkPolicy policy in _domainPolicies) {
+    final score = policy.matchScore(domain);
+    if (score > topScore) {
+      topScore = score;
+      topPolicy = policy;
+    }
+  }
+  return topPolicy;
+}
+
+/// Domain level policies that dart:io is enforcing.
+late List<_DomainNetworkPolicy> _domainPolicies =
+    _constructDomainPolicies(null);
+
+List<_DomainNetworkPolicy> _constructDomainPolicies(
+    String? domainPoliciesString) {
+  final domainPolicies = <_DomainNetworkPolicy>[];
+  domainPoliciesString ??= String.fromEnvironment(
+      "dart.library.io.domain_network_policies",
+      defaultValue: "");
+  if (domainPoliciesString.isNotEmpty) {
+    final List<dynamic> policiesJson = json.decode(domainPoliciesString);
+    for (final List<dynamic> policyJson in policiesJson) {
+      assert(policyJson.length == 3);
+      final policy = _DomainNetworkPolicy(
+        policyJson[0],
+        includesSubDomains: policyJson[1],
+        allowInsecureConnections: policyJson[2],
+      );
+      if (policy.checkConflict(domainPolicies)) {
+        domainPolicies.add(policy);
+      }
+    }
+  }
+  return domainPolicies;
+}

sdk/lib/io/socket.dart

@@ -801,6 +801,10 @@ abstract class Socket implements Stream<Uint8List>, IOSink {
       {sourceAddress, Duration? timeout}) {
     final IOOverrides? overrides = IOOverrides.current;
     if (overrides == null) {
+      if (!isInsecureConnectionAllowed(host)) {
+        throw new SocketException(
+            "Insecure socket connections are disallowed by platform: $host");
+      }
       return Socket._connect(host, port,
           sourceAddress: sourceAddress, timeout: timeout);
     }
@@ -815,6 +819,10 @@ abstract class Socket implements Stream<Uint8List>, IOSink {
       {sourceAddress}) {
     final IOOverrides? overrides = IOOverrides.current;
     if (overrides == null) {
+      if (!isInsecureConnectionAllowed(host)) {
+        throw new SocketException(
+            "Insecure socket connections are disallowed by platform: $host");
+      }
       return Socket._startConnect(host, port, sourceAddress: sourceAddress);
     }
     return overrides.socketStartConnect(host, port,