diff --git a/BUILD.gn b/BUILD.gn index a369924a970..6377bfe92c5 100644 --- a/BUILD.gn +++ b/BUILD.gn @@ -1024,6 +1024,12 @@ if (is_mac) { outputs = [ "{{bundle_resources_dir}}/{{source_file_part}}" ] } + asar_hashed_info_plist("electron_app_plist") { + keys = [ "DEFAULT_APP_ASAR_HEADER_SHA" ] + hash_targets = [ ":default_app_asar_header_hash" ] + plist_file = "shell/browser/resources/mac/Info.plist" + } + mac_app_bundle("electron_app") { output_name = electron_product_name sources = filenames.app_sources @@ -1031,6 +1037,7 @@ if (is_mac) { include_dirs = [ "." ] deps = [ ":electron_app_framework_bundle_data", + ":electron_app_plist", ":electron_app_resources", ":electron_fuses", "//base", @@ -1039,7 +1046,7 @@ if (is_mac) { if (is_mas_build) { deps += [ ":electron_login_helper_app" ] } - info_plist = "shell/browser/resources/mac/Info.plist" + info_plist_target = ":electron_app_plist" extra_substitutions = [ "ELECTRON_BUNDLE_ID=$electron_mac_bundle_id", "ELECTRON_VERSION=$electron_version", diff --git a/build/asar.gni b/build/asar.gni index 4df8ea34dd9..3e11845bd59 100644 --- a/build/asar.gni +++ b/build/asar.gni @@ -57,4 +57,42 @@ template("asar") { rebase_path(outputs[0]), ] } + + node_action(target_name + "_header_hash") { + invoker_out = invoker.outputs + + deps = [ ":" + invoker.target_name ] + sources = invoker.outputs + + script = "//electron/script/gn-asar-hash.js" + outputs = [ "$target_gen_dir/asar_hashes/$target_name.hash" ] + + args = [ + rebase_path(invoker_out[0]), + rebase_path(outputs[0]), + ] + } +} + +template("asar_hashed_info_plist") { + node_action(target_name) { + assert(defined(invoker.plist_file), + "Need plist_file to add hashed assets to") + assert(defined(invoker.keys), "Need keys to replace with asset hash") + assert(defined(invoker.hash_targets), "Need hash_targets to read hash from") + + deps = invoker.hash_targets + + script = "//electron/script/gn-plist-but-with-hashes.js" + inputs = [ invoker.plist_file ] + outputs = [ "$target_gen_dir/hashed_plists/$target_name.plist" ] + hash_files = [] + foreach(hash_target, invoker.hash_targets) { + hash_files += get_target_outputs(hash_target) + } + args = [ + rebase_path(invoker.plist_file), + rebase_path(outputs[0]), + ] + invoker.keys + rebase_path(hash_files) + } } diff --git a/build/fuses/fuses.json5 b/build/fuses/fuses.json5 index bb5ec6c1f21..f4984aa2a17 100644 --- a/build/fuses/fuses.json5 +++ b/build/fuses/fuses.json5 @@ -5,5 +5,7 @@ "run_as_node": "1", "cookie_encryption": "0", "node_options": "1", - "node_cli_inspect": "1" + "node_cli_inspect": "1", + "embedded_asar_integrity_validation": "0", + "only_load_app_from_asar": "0" } diff --git a/filenames.gni b/filenames.gni index 7ac65a09034..3d06281ddde 100644 --- a/filenames.gni +++ b/filenames.gni @@ -191,6 +191,7 @@ filenames = { "shell/browser/ui/tray_icon_cocoa.mm", "shell/common/api/electron_api_clipboard_mac.mm", "shell/common/api/electron_api_native_image_mac.mm", + "shell/common/asar/archive_mac.mm", "shell/common/application_info_mac.mm", "shell/common/language_util_mac.mm", "shell/common/mac/main_application_bundle.h", @@ -403,6 +404,8 @@ filenames = { "shell/browser/native_window.cc", "shell/browser/native_window.h", "shell/browser/native_window_observer.h", + "shell/browser/net/asar/asar_file_validator.cc", + "shell/browser/net/asar/asar_file_validator.h", "shell/browser/net/asar/asar_url_loader.cc", "shell/browser/net/asar/asar_url_loader.h", "shell/browser/net/asar/asar_url_loader_factory.cc", diff --git a/lib/asar/fs-wrapper.ts b/lib/asar/fs-wrapper.ts index c500b4fda63..87e03b73664 100644 --- a/lib/asar/fs-wrapper.ts +++ b/lib/asar/fs-wrapper.ts @@ -1,6 +1,7 @@ import { Buffer } from 'buffer'; import * as path from 'path'; import * as util from 'util'; +import type * as Crypto from 'crypto'; const asar = process._linkedBinding('electron_common_asar'); @@ -194,6 +195,20 @@ const overrideAPI = function (module: Record, name: string, pathArg } }; +let crypto: typeof Crypto; +function validateBufferIntegrity (buffer: Buffer, integrity: NodeJS.AsarFileInfo['integrity']) { + if (!integrity) return; + + // Delay load crypto to improve app boot performance + // when integrity protection is not enabled + crypto = crypto || require('crypto'); + const actual = crypto.createHash(integrity.algorithm).update(buffer).digest('hex'); + if (actual !== integrity.hash) { + console.error(`ASAR Integrity Violation: got a hash mismatch (${actual} vs ${integrity.hash})`); + process.exit(1); + } +} + const makePromiseFunction = function (orig: Function, pathArgumentIndex: number) { return function (this: any, ...args: any[]) { const pathArgument = args[pathArgumentIndex]; @@ -531,7 +546,7 @@ export const wrapFsWithAsar = (fs: Record) => { } const buffer = Buffer.alloc(info.size); - const fd = archive.getFd(); + const fd = archive.getFdAndValidateIntegrityLater(); if (!(fd >= 0)) { const error = createError(AsarError.NOT_FOUND, { asarPath, filePath }); nextTick(callback, [error]); @@ -540,6 +555,7 @@ export const wrapFsWithAsar = (fs: Record) => { logASARAccess(asarPath, filePath, info.offset); fs.read(fd, buffer, 0, info.size, info.offset, (error: Error) => { + validateBufferIntegrity(buffer, info.integrity); callback(error, encoding ? buffer.toString(encoding) : buffer); }); } @@ -595,11 +611,12 @@ export const wrapFsWithAsar = (fs: Record) => { const { encoding } = options; const buffer = Buffer.alloc(info.size); - const fd = archive.getFd(); + const fd = archive.getFdAndValidateIntegrityLater(); if (!(fd >= 0)) throw createError(AsarError.NOT_FOUND, { asarPath, filePath }); logASARAccess(asarPath, filePath, info.offset); fs.readSync(fd, buffer, 0, info.size, info.offset); + validateBufferIntegrity(buffer, info.integrity); return (encoding) ? buffer.toString(encoding) : buffer; }; @@ -713,11 +730,12 @@ export const wrapFsWithAsar = (fs: Record) => { } const buffer = Buffer.alloc(info.size); - const fd = archive.getFd(); + const fd = archive.getFdAndValidateIntegrityLater(); if (!(fd >= 0)) return []; logASARAccess(asarPath, filePath, info.offset); fs.readSync(fd, buffer, 0, info.size, info.offset); + validateBufferIntegrity(buffer, info.integrity); const str = buffer.toString('utf8'); return [str, str.length > 0]; }; diff --git a/lib/browser/init.ts b/lib/browser/init.ts index 487506bcc5c..5740af1a840 100644 --- a/lib/browser/init.ts +++ b/lib/browser/init.ts @@ -81,9 +81,10 @@ require('@electron/internal/browser/guest-view-manager'); require('@electron/internal/browser/guest-window-proxy'); // Now we try to load app's package.json. +const v8Util = process._linkedBinding('electron_common_v8_util'); let packagePath = null; let packageJson = null; -const searchPaths = ['app', 'app.asar', 'default_app.asar']; +const searchPaths: string[] = v8Util.getHiddenValue(global, 'appSearchPaths'); if (process.resourcesPath) { for (packagePath of searchPaths) { diff --git a/package.json b/package.json index 189117e0ef7..c47e3add083 100644 --- a/package.json +++ b/package.json @@ -30,7 +30,7 @@ "@types/webpack-env": "^1.15.2", "@typescript-eslint/eslint-plugin": "^4.4.1", "@typescript-eslint/parser": "^4.4.1", - "asar": "^3.0.3", + "asar": "^3.1.0", "aws-sdk": "^2.727.1", "check-for-leaks": "^1.2.1", "colors": "^1.4.0", diff --git a/script/gn-asar-hash.js b/script/gn-asar-hash.js new file mode 100644 index 00000000000..e9801838e53 --- /dev/null +++ b/script/gn-asar-hash.js @@ -0,0 +1,9 @@ +const asar = require('asar'); +const crypto = require('crypto'); +const fs = require('fs'); + +const archive = process.argv[2]; +const hashFile = process.argv[3]; + +const { headerString } = asar.getRawHeader(archive); +fs.writeFileSync(hashFile, crypto.createHash('SHA256').update(headerString).digest('hex')); diff --git a/script/gn-plist-but-with-hashes.js b/script/gn-plist-but-with-hashes.js new file mode 100644 index 00000000000..16ee734ef96 --- /dev/null +++ b/script/gn-plist-but-with-hashes.js @@ -0,0 +1,16 @@ +const fs = require('fs'); + +const [,, plistPath, outputPath, ...keySet] = process.argv; + +const keyPairs = {}; +for (let i = 0; i * 2 < keySet.length; i++) { + keyPairs[keySet[i]] = fs.readFileSync(keySet[(keySet.length / 2) + i], 'utf8'); +} + +let plistContents = fs.readFileSync(plistPath, 'utf8'); + +for (const key of Object.keys(keyPairs)) { + plistContents = plistContents.replace(`$\{${key}}`, keyPairs[key]); +} + +fs.writeFileSync(outputPath, plistContents); diff --git a/shell/browser/net/asar/asar_file_validator.cc b/shell/browser/net/asar/asar_file_validator.cc new file mode 100644 index 00000000000..34e114dea25 --- /dev/null +++ b/shell/browser/net/asar/asar_file_validator.cc @@ -0,0 +1,150 @@ +// Copyright (c) 2021 Slack Technologies, Inc. +// Use of this source code is governed by the MIT license that can be +// found in the LICENSE file. + +#include "shell/browser/net/asar/asar_file_validator.h" + +#include +#include +#include +#include + +#include "base/logging.h" +#include "base/notreached.h" +#include "base/strings/string_number_conversions.h" +#include "base/strings/string_util.h" +#include "crypto/sha2.h" + +namespace asar { + +AsarFileValidator::AsarFileValidator(IntegrityPayload integrity, + base::File file) + : file_(std::move(file)), integrity_(std::move(integrity)) { + current_block_ = 0; + max_block_ = integrity_.blocks.size() - 1; +} + +void AsarFileValidator::OnRead(base::span buffer, + mojo::FileDataSource::ReadResult* result) { + DCHECK(!done_reading_); + + uint64_t buffer_size = result->bytes_read; + + // Compute how many bytes we should hash, and add them to the current hash. + uint32_t block_size = integrity_.block_size; + uint64_t bytes_added = 0; + while (bytes_added < buffer_size) { + if (current_block_ > max_block_) { + LOG(FATAL) + << "Unexpected number of blocks while validating ASAR file stream"; + return; + } + + // Create a hash if we don't have one yet + if (!current_hash_) { + current_hash_byte_count_ = 0; + switch (integrity_.algorithm) { + case HashAlgorithm::SHA256: + current_hash_ = + crypto::SecureHash::Create(crypto::SecureHash::SHA256); + break; + case HashAlgorithm::NONE: + CHECK(false); + break; + } + } + + // Compute how many bytes we should hash, and add them to the current hash. + // We need to either add just enough bytes to fill up a block (block_size - + // current_bytes) or use every remaining byte (buffer_size - bytes_added) + int bytes_to_hash = std::min(block_size - current_hash_byte_count_, + buffer_size - bytes_added); + DCHECK_GT(bytes_to_hash, 0); + current_hash_->Update(buffer.data() + bytes_added, bytes_to_hash); + bytes_added += bytes_to_hash; + current_hash_byte_count_ += bytes_to_hash; + total_hash_byte_count_ += bytes_to_hash; + + if (current_hash_byte_count_ == block_size && !FinishBlock()) { + LOG(FATAL) << "Failed to validate block while streaming ASAR file: " + << current_block_; + return; + } + } +} + +bool AsarFileValidator::FinishBlock() { + if (current_hash_byte_count_ == 0) { + if (!done_reading_ || current_block_ > max_block_) { + return true; + } + } + + if (!current_hash_) { + // This happens when we fail to read the resource. Compute empty content's + // hash in this case. + current_hash_ = crypto::SecureHash::Create(crypto::SecureHash::SHA256); + } + + uint8_t actual[crypto::kSHA256Length]; + + // If the file reader is done we need to make sure we've either read up to the + // end of the file (the check below) or up to the end of a block_size byte + // boundary. If the below check fails we compute the next block boundary, how + // many bytes are needed to get there and then we manually read those bytes + // from our own file handle ensuring the data producer is unaware but we can + // validate the hash still. + if (done_reading_ && + total_hash_byte_count_ - extra_read_ != read_max_ - read_start_) { + uint64_t bytes_needed = std::min( + integrity_.block_size - current_hash_byte_count_, + read_max_ - read_start_ - total_hash_byte_count_ + extra_read_); + uint64_t offset = read_start_ + total_hash_byte_count_ - extra_read_; + std::vector abandoned_buffer(bytes_needed); + if (!file_.ReadAndCheck(offset, abandoned_buffer)) { + LOG(FATAL) << "Failed to read required portion of streamed ASAR archive"; + return false; + } + + current_hash_->Update(&abandoned_buffer.front(), bytes_needed); + } + + current_hash_->Finish(actual, sizeof(actual)); + current_hash_.reset(); + current_hash_byte_count_ = 0; + + const std::string expected_hash = integrity_.blocks[current_block_]; + const std::string actual_hex_hash = + base::ToLowerASCII(base::HexEncode(actual, sizeof(actual))); + + if (expected_hash != actual_hex_hash) { + return false; + } + + current_block_++; + + return true; +} + +void AsarFileValidator::OnDone() { + DCHECK(!done_reading_); + done_reading_ = true; + if (!FinishBlock()) { + LOG(FATAL) << "Failed to validate block while ending ASAR file stream: " + << current_block_; + } +} + +void AsarFileValidator::SetRange(uint64_t read_start, + uint64_t extra_read, + uint64_t read_max) { + read_start_ = read_start; + extra_read_ = extra_read; + read_max_ = read_max; +} + +void AsarFileValidator::SetCurrentBlock(int current_block) { + current_block_ = current_block; +} + +} // namespace asar diff --git a/shell/browser/net/asar/asar_file_validator.h b/shell/browser/net/asar/asar_file_validator.h new file mode 100644 index 00000000000..e082d76cc01 --- /dev/null +++ b/shell/browser/net/asar/asar_file_validator.h @@ -0,0 +1,60 @@ +// Copyright (c) 2021 Slack Technologies, Inc. +// Use of this source code is governed by the MIT license that can be +// found in the LICENSE file. + +#ifndef SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_ +#define SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_ + +#include +#include + +#include "crypto/secure_hash.h" +#include "mojo/public/cpp/system/file_data_source.h" +#include "mojo/public/cpp/system/filtered_data_source.h" +#include "shell/common/asar/archive.h" +#include "third_party/abseil-cpp/absl/types/optional.h" + +namespace asar { + +class AsarFileValidator : public mojo::FilteredDataSource::Filter { + public: + AsarFileValidator(IntegrityPayload integrity, base::File file); + + void OnRead(base::span buffer, + mojo::FileDataSource::ReadResult* result); + + void OnDone(); + + void SetRange(uint64_t read_start, uint64_t extra_read, uint64_t read_max); + void SetCurrentBlock(int current_block); + + protected: + bool FinishBlock(); + + private: + base::File file_; + IntegrityPayload integrity_; + + // The offset in the file_ that the underlying file reader is starting at + uint64_t read_start_ = 0; + // The number of bytes this DataSourceFilter will have seen that aren't used + // by the DataProducer. These extra bytes are exclusively for hash validation + // but we need to know how many we've used so we know when we're done. + uint64_t extra_read_ = 0; + // The maximum offset in the file_ that we should read to, used to determine + // which bytes we're missing or if we need to read up to a block boundary in + // OnDone + uint64_t read_max_ = 0; + bool done_reading_ = false; + int current_block_; + int max_block_; + uint64_t current_hash_byte_count_ = 0; + uint64_t total_hash_byte_count_ = 0; + std::unique_ptr current_hash_; + + DISALLOW_COPY_AND_ASSIGN(AsarFileValidator); +}; + +} // namespace asar + +#endif // SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_ diff --git a/shell/browser/net/asar/asar_url_loader.cc b/shell/browser/net/asar/asar_url_loader.cc index e976ec816bc..98731d9a559 100644 --- a/shell/browser/net/asar/asar_url_loader.cc +++ b/shell/browser/net/asar/asar_url_loader.cc @@ -4,6 +4,7 @@ #include "shell/browser/net/asar/asar_url_loader.h" +#include #include #include #include @@ -13,6 +14,7 @@ #include "base/task/post_task.h" #include "base/task/thread_pool.h" #include "content/public/browser/file_url_loader.h" +#include "electron/fuses.h" #include "mojo/public/cpp/bindings/receiver.h" #include "mojo/public/cpp/bindings/remote.h" #include "mojo/public/cpp/system/data_pipe_producer.h" @@ -23,6 +25,7 @@ #include "net/http/http_byte_range.h" #include "net/http/http_util.h" #include "services/network/public/mojom/url_response_head.mojom.h" +#include "shell/browser/net/asar/asar_file_validator.h" #include "shell/common/asar/archive.h" #include "shell/common/asar/asar_util.h" @@ -127,6 +130,7 @@ class AsarURLLoader : public network::mojom::URLLoader { OnClientComplete(net::ERR_FILE_NOT_FOUND); return; } + bool is_verifying_file = info.integrity.has_value(); // For unpacked path, read like normal file. base::FilePath real_path; @@ -149,12 +153,24 @@ class AsarURLLoader : public network::mojom::URLLoader { base::File file(info.unpacked ? real_path : archive->path(), base::File::FLAG_OPEN | base::File::FLAG_READ); auto file_data_source = - std::make_unique(std::move(file)); - mojo::DataPipeProducer::DataSource* data_source = file_data_source.get(); + std::make_unique(file.Duplicate()); + std::unique_ptr readable_data_source; + mojo::FileDataSource* file_data_source_raw = file_data_source.get(); + AsarFileValidator* file_validator_raw = nullptr; + if (info.integrity.has_value()) { + auto asar_validator = std::make_unique( + std::move(info.integrity.value()), std::move(file)); + file_validator_raw = asar_validator.get(); + readable_data_source.reset(new mojo::FilteredDataSource( + std::move(file_data_source), std::move(asar_validator))); + } else { + readable_data_source = std::move(file_data_source); + } - std::vector initial_read_buffer(net::kMaxBytesToSniff); - auto read_result = - data_source->Read(info.offset, base::span(initial_read_buffer)); + std::vector initial_read_buffer( + std::min(static_cast(net::kMaxBytesToSniff), info.size)); + auto read_result = readable_data_source.get()->Read( + info.offset, base::span(initial_read_buffer)); if (read_result.result != MOJO_RESULT_OK) { OnClientComplete(ConvertMojoResultToNetError(read_result.result)); return; @@ -183,6 +199,7 @@ class AsarURLLoader : public network::mojom::URLLoader { } uint64_t first_byte_to_send = 0; + uint64_t total_bytes_dropped_from_head = initial_read_buffer.size(); uint64_t total_bytes_to_send = info.size; if (byte_range.IsValid()) { @@ -214,6 +231,26 @@ class AsarURLLoader : public network::mojom::URLLoader { // Discount the bytes we just sent from the total range. first_byte_to_send = read_result.bytes_read; total_bytes_to_send -= write_size; + } else if (is_verifying_file && + first_byte_to_send >= + static_cast(info.integrity.value().block_size)) { + // If validation is active and the range of bytes the request wants starts + // beyond the first block we need to read the next 4MB-1KB to validate + // that block. Then we can skip ahead to the target block in the SetRange + // call below If we hit this case it is assumed that none of the data read + // will be needed by the producer + uint64_t bytes_to_drop = + info.integrity.value().block_size - net::kMaxBytesToSniff; + total_bytes_dropped_from_head += bytes_to_drop; + std::vector abandoned_buffer(bytes_to_drop); + auto abandon_read_result = + readable_data_source.get()->Read(info.offset + net::kMaxBytesToSniff, + base::span(abandoned_buffer)); + if (abandon_read_result.result != MOJO_RESULT_OK) { + OnClientComplete( + ConvertMojoResultToNetError(abandon_read_result.result)); + return; + } } if (!net::GetMimeTypeFromFile(path, &head->mime_type)) { @@ -234,23 +271,68 @@ class AsarURLLoader : public network::mojom::URLLoader { if (total_bytes_to_send == 0) { // There's definitely no more data, so we're already done. + // We provide the range data to the file validator so that + // it can validate the tiny amount of data we did send + if (file_validator_raw) + file_validator_raw->SetRange(info.offset + first_byte_to_send, + total_bytes_dropped_from_head, + info.offset + info.size); OnFileWritten(MOJO_RESULT_OK); return; } + if (is_verifying_file) { + uint32_t block_size = info.integrity.value().block_size; + int start_block = first_byte_to_send / block_size; + + // If we're starting from the first block, we might not be starting from + // where we sniffed. We might be a few KB into a file so we need to read + // the data in the middle so it gets hashed. + // + // If we're starting from a later block we might be starting half-way + // through the block regardless of what was sniffed. We need to read the + // data from the start of our initial block up to the start of our actual + // read point so it gets hashed. + uint64_t bytes_to_drop = + start_block == 0 ? first_byte_to_send - net::kMaxBytesToSniff + : first_byte_to_send - (start_block * block_size); + if (file_validator_raw) + file_validator_raw->SetCurrentBlock(start_block); + + if (bytes_to_drop > 0) { + uint64_t dropped_bytes_offset = + info.offset + (start_block * block_size); + if (start_block == 0) + dropped_bytes_offset += net::kMaxBytesToSniff; + total_bytes_dropped_from_head += bytes_to_drop; + std::vector abandoned_buffer(bytes_to_drop); + auto abandon_read_result = readable_data_source.get()->Read( + dropped_bytes_offset, base::span(abandoned_buffer)); + if (abandon_read_result.result != MOJO_RESULT_OK) { + OnClientComplete( + ConvertMojoResultToNetError(abandon_read_result.result)); + return; + } + } + } + // In case of a range request, seek to the appropriate position before // sending the remaining bytes asynchronously. Under normal conditions // (i.e., no range request) this Seek is effectively a no-op. // // Note that in Electron we also need to add file offset. - file_data_source->SetRange( + file_data_source_raw->SetRange( first_byte_to_send + info.offset, first_byte_to_send + info.offset + total_bytes_to_send); + if (file_validator_raw) + file_validator_raw->SetRange(info.offset + first_byte_to_send, + total_bytes_dropped_from_head, + info.offset + info.size); data_producer_ = std::make_unique(std::move(producer_handle)); data_producer_->Write( - std::move(file_data_source), + std::move(readable_data_source), base::BindOnce(&AsarURLLoader::OnFileWritten, base::Unretained(this))); } diff --git a/shell/browser/resources/mac/Info.plist b/shell/browser/resources/mac/Info.plist index 8c388a7cbd1..29a0823c150 100644 --- a/shell/browser/resources/mac/Info.plist +++ b/shell/browser/resources/mac/Info.plist @@ -49,5 +49,15 @@ This app needs access to Bluetooth NSBluetoothPeripheralUsageDescription This app needs access to Bluetooth + ElectronAsarIntegrity + + Resources/default_app.asar + + algorithm + SHA256 + hash + ${DEFAULT_APP_ASAR_HEADER_SHA} + + diff --git a/shell/common/api/electron_api_asar.cc b/shell/common/api/electron_api_asar.cc index d449e29db79..e04a6717b86 100644 --- a/shell/common/api/electron_api_asar.cc +++ b/shell/common/api/electron_api_asar.cc @@ -32,13 +32,12 @@ class Archive : public gin::Wrappable { gin::ObjectTemplateBuilder GetObjectTemplateBuilder( v8::Isolate* isolate) override { return gin::ObjectTemplateBuilder(isolate) - .SetProperty("path", &Archive::GetPath) .SetMethod("getFileInfo", &Archive::GetFileInfo) .SetMethod("stat", &Archive::Stat) .SetMethod("readdir", &Archive::Readdir) .SetMethod("realpath", &Archive::Realpath) .SetMethod("copyFileOut", &Archive::CopyFileOut) - .SetMethod("getFd", &Archive::GetFD); + .SetMethod("getFdAndValidateIntegrityLater", &Archive::GetFD); } const char* GetTypeName() override { return "Archive"; } @@ -47,9 +46,6 @@ class Archive : public gin::Wrappable { Archive(v8::Isolate* isolate, std::unique_ptr archive) : archive_(std::move(archive)) {} - // Returns the path of the file. - base::FilePath GetPath() { return archive_->path(); } - // Reads the offset and size of file. v8::Local GetFileInfo(v8::Isolate* isolate, const base::FilePath& path) { @@ -60,6 +56,20 @@ class Archive : public gin::Wrappable { dict.Set("size", info.size); dict.Set("unpacked", info.unpacked); dict.Set("offset", info.offset); + if (info.integrity.has_value()) { + gin_helper::Dictionary integrity(isolate, v8::Object::New(isolate)); + asar::HashAlgorithm algorithm = info.integrity.value().algorithm; + switch (algorithm) { + case asar::HashAlgorithm::SHA256: + integrity.Set("algorithm", "SHA256"); + break; + case asar::HashAlgorithm::NONE: + CHECK(false); + break; + } + integrity.Set("hash", info.integrity.value().hash); + dict.Set("integrity", integrity); + } return dict.GetHandle(); } @@ -108,7 +118,7 @@ class Archive : public gin::Wrappable { int GetFD() const { if (!archive_) return -1; - return archive_->GetFD(); + return archive_->GetUnsafeFD(); } private: diff --git a/shell/common/asar/archive.cc b/shell/common/asar/archive.cc index b3a8a7d1b0a..bc86ac77b0e 100644 --- a/shell/common/asar/archive.cc +++ b/shell/common/asar/archive.cc @@ -18,6 +18,8 @@ #include "base/task/post_task.h" #include "base/threading/thread_restrictions.h" #include "base/values.h" +#include "electron/fuses.h" +#include "shell/common/asar/asar_util.h" #include "shell/common/asar/scoped_temporary_file.h" #if defined(OS_WIN) @@ -95,6 +97,7 @@ bool GetNodeFromPath(std::string path, bool FillFileInfoWithNode(Archive::FileInfo* info, uint32_t header_size, + bool load_integrity, const base::DictionaryValue* node) { int size; if (!node->GetInteger("size", &size)) @@ -113,6 +116,42 @@ bool FillFileInfoWithNode(Archive::FileInfo* info, node->GetBoolean("executable", &info->executable); +#if defined(OS_MAC) + if (load_integrity && + electron::fuses::IsEmbeddedAsarIntegrityValidationEnabled()) { + const base::DictionaryValue* integrity; + if (node->GetDictionary("integrity", &integrity)) { + IntegrityPayload integrity_payload; + std::string algorithm; + const base::ListValue* blocks; + int block_size; + if (integrity->GetString("algorithm", &algorithm) && + integrity->GetString("hash", &integrity_payload.hash) && + integrity->GetInteger("blockSize", &block_size) && + integrity->GetList("blocks", &blocks) && block_size > 0) { + integrity_payload.block_size = static_cast(block_size); + for (size_t i = 0; i < blocks->GetSize(); i++) { + std::string block; + if (!blocks->GetString(i, &block)) { + LOG(FATAL) + << "Invalid block integrity value for file in ASAR archive"; + } + integrity_payload.blocks.push_back(block); + } + if (algorithm == "SHA256") { + integrity_payload.algorithm = HashAlgorithm::SHA256; + info->integrity = std::move(integrity_payload); + } + } + } + + if (!info->integrity.has_value()) { + LOG(FATAL) << "Failed to read integrity for file in ASAR archive"; + return false; + } + } +#endif + return true; } @@ -191,6 +230,32 @@ bool Archive::Init() { return false; } +#if defined(OS_MAC) + // Validate header signature if required and possible + if (electron::fuses::IsEmbeddedAsarIntegrityValidationEnabled() && + RelativePath().has_value()) { + absl::optional integrity = HeaderIntegrity(); + if (!integrity.has_value()) { + LOG(FATAL) << "Failed to get integrity for validatable asar archive: " + << RelativePath().value(); + return false; + } + + // Currently we only support the sha256 algorithm, we can add support for + // more below ensure we read them in preference order from most secure to + // least + if (integrity.value().algorithm != HashAlgorithm::NONE) { + ValidateIntegrityOrDie(header.c_str(), header.length(), + integrity.value()); + } else { + LOG(FATAL) << "No eligible hash for validatable asar archive: " + << RelativePath().value(); + } + + header_validated_ = true; + } +#endif + absl::optional value = base::JSONReader::Read(header); if (!value || !value->is_dict()) { LOG(ERROR) << "Failed to parse header"; @@ -203,6 +268,16 @@ bool Archive::Init() { return true; } +#if !defined(OS_MAC) +absl::optional Archive::HeaderIntegrity() const { + return absl::optional(); +} + +absl::optional Archive::RelativePath() const { + return absl::optional(); +} +#endif + bool Archive::GetFileInfo(const base::FilePath& path, FileInfo* info) const { if (!header_) return false; @@ -215,7 +290,7 @@ bool Archive::GetFileInfo(const base::FilePath& path, FileInfo* info) const { if (node->GetString("link", &link)) return GetFileInfo(base::FilePath::FromUTF8Unsafe(link), info); - return FillFileInfoWithNode(info, header_size_, node); + return FillFileInfoWithNode(info, header_size_, header_validated_, node); } bool Archive::Stat(const base::FilePath& path, Stats* stats) const { @@ -238,7 +313,7 @@ bool Archive::Stat(const base::FilePath& path, Stats* stats) const { return true; } - return FillFileInfoWithNode(stats, header_size_, node); + return FillFileInfoWithNode(stats, header_size_, header_validated_, node); } bool Archive::Readdir(const base::FilePath& path, @@ -304,7 +379,8 @@ bool Archive::CopyFileOut(const base::FilePath& path, base::FilePath* out) { auto temp_file = std::make_unique(); base::FilePath::StringType ext = path.Extension(); - if (!temp_file->InitFromFile(&file_, ext, info.offset, info.size)) + if (!temp_file->InitFromFile(&file_, ext, info.offset, info.size, + info.integrity)) return false; #if defined(OS_POSIX) @@ -319,7 +395,7 @@ bool Archive::CopyFileOut(const base::FilePath& path, base::FilePath* out) { return true; } -int Archive::GetFD() const { +int Archive::GetUnsafeFD() const { return fd_; } diff --git a/shell/common/asar/archive.h b/shell/common/asar/archive.h index a25ae4d4de3..352b36cdf64 100644 --- a/shell/common/asar/archive.h +++ b/shell/common/asar/archive.h @@ -6,12 +6,14 @@ #define SHELL_COMMON_ASAR_ARCHIVE_H_ #include +#include #include #include #include "base/files/file.h" #include "base/files/file_path.h" #include "base/synchronization/lock.h" +#include "third_party/abseil-cpp/absl/types/optional.h" namespace base { class DictionaryValue; @@ -21,6 +23,19 @@ namespace asar { class ScopedTemporaryFile; +enum HashAlgorithm { + SHA256, + NONE, +}; + +struct IntegrityPayload { + IntegrityPayload() : algorithm(HashAlgorithm::NONE), block_size(0) {} + HashAlgorithm algorithm; + std::string hash; + uint32_t block_size; + std::vector blocks; +}; + // This class represents an asar package, and provides methods to read // information from it. It is thread-safe after |Init| has been called. class Archive { @@ -31,6 +46,7 @@ class Archive { bool executable; uint32_t size; uint64_t offset; + absl::optional integrity; }; struct Stats : public FileInfo { @@ -46,6 +62,9 @@ class Archive { // Read and parse the header. bool Init(); + absl::optional HeaderIntegrity() const; + absl::optional RelativePath() const; + // Get the info of a file. bool GetFileInfo(const base::FilePath& path, FileInfo* info) const; @@ -64,12 +83,16 @@ class Archive { bool CopyFileOut(const base::FilePath& path, base::FilePath* out); // Returns the file's fd. - int GetFD() const; + // Using this fd will not validate the integrity of any files + // you read out of the ASAR manually. Callers are responsible + // for integrity validation after this fd is handed over. + int GetUnsafeFD() const; base::FilePath path() const { return path_; } private: bool initialized_; + bool header_validated_ = false; const base::FilePath path_; base::File file_; int fd_ = -1; diff --git a/shell/common/asar/archive_mac.mm b/shell/common/asar/archive_mac.mm new file mode 100644 index 00000000000..3ad60faf24c --- /dev/null +++ b/shell/common/asar/archive_mac.mm @@ -0,0 +1,65 @@ +// Copyright (c) 2021 Slack Technologies, Inc. +// Use of this source code is governed by the MIT license that can be +// found in the LICENSE file. + +#include "shell/common/asar/archive.h" + +#include +#include +#include + +#include +#include + +#include "base/logging.h" +#include "base/mac/bundle_locations.h" +#include "base/mac/foundation_util.h" +#include "base/mac/scoped_cftyperef.h" +#include "base/strings/sys_string_conversions.h" +#include "shell/common/asar/asar_util.h" + +namespace asar { + +absl::optional Archive::RelativePath() const { + base::FilePath bundle_path = base::mac::MainBundlePath().Append("Contents"); + + base::FilePath relative_path; + if (!bundle_path.AppendRelativePath(path_, &relative_path)) + return absl::nullopt; + + return relative_path; +} + +absl::optional Archive::HeaderIntegrity() const { + absl::optional relative_path = RelativePath(); + // Callers should have already asserted this + CHECK(relative_path.has_value()); + + NSDictionary* integrity = [[NSBundle mainBundle] + objectForInfoDictionaryKey:@"ElectronAsarIntegrity"]; + + // Integrity not provided + if (!integrity) + return absl::nullopt; + + NSString* ns_relative_path = + base::mac::FilePathToNSString(relative_path.value()); + + NSDictionary* integrity_payload = [integrity objectForKey:ns_relative_path]; + + if (!integrity_payload) + return absl::nullopt; + + NSString* algorithm = [integrity_payload objectForKey:@"algorithm"]; + NSString* hash = [integrity_payload objectForKey:@"hash"]; + if (algorithm && hash && [algorithm isEqualToString:@"SHA256"]) { + IntegrityPayload header_integrity; + header_integrity.algorithm = HashAlgorithm::SHA256; + header_integrity.hash = base::SysNSStringToUTF8(hash); + return header_integrity; + } + + return absl::nullopt; +} + +} // namespace asar diff --git a/shell/common/asar/asar_util.cc b/shell/common/asar/asar_util.cc index 4800fb13421..1eaf8f88063 100644 --- a/shell/common/asar/asar_util.cc +++ b/shell/common/asar/asar_util.cc @@ -11,11 +11,16 @@ #include "base/files/file_path.h" #include "base/files/file_util.h" #include "base/lazy_instance.h" +#include "base/logging.h" #include "base/no_destructor.h" #include "base/stl_util.h" +#include "base/strings/string_number_conversions.h" +#include "base/strings/string_util.h" #include "base/synchronization/lock.h" #include "base/threading/thread_local.h" #include "base/threading/thread_restrictions.h" +#include "crypto/secure_hash.h" +#include "crypto/sha2.h" #include "shell/common/asar/archive.h" namespace asar { @@ -130,9 +135,38 @@ bool ReadFileToString(const base::FilePath& path, std::string* contents) { return false; contents->resize(info.size); - return static_cast(info.size) == - src.Read(info.offset, const_cast(contents->data()), - contents->size()); + if (static_cast(info.size) != + src.Read(info.offset, const_cast(contents->data()), + contents->size())) { + return false; + } + + if (info.integrity.has_value()) { + ValidateIntegrityOrDie(contents->data(), contents->size(), + info.integrity.value()); + } + + return true; +} + +void ValidateIntegrityOrDie(const char* data, + size_t size, + const IntegrityPayload& integrity) { + if (integrity.algorithm == HashAlgorithm::SHA256) { + uint8_t hash[crypto::kSHA256Length]; + auto hasher = crypto::SecureHash::Create(crypto::SecureHash::SHA256); + hasher->Update(data, size); + hasher->Finish(hash, sizeof(hash)); + const std::string hex_hash = + base::ToLowerASCII(base::HexEncode(hash, sizeof(hash))); + + if (integrity.hash != hex_hash) { + LOG(FATAL) << "Integrity check failed for asar archive (" + << integrity.hash << " vs " << hex_hash << ")"; + } + } else { + LOG(FATAL) << "Unsupported hashing algorithm in ValidateIntegrityOrDie"; + } } } // namespace asar diff --git a/shell/common/asar/asar_util.h b/shell/common/asar/asar_util.h index efeaf59a16b..228a752b086 100644 --- a/shell/common/asar/asar_util.h +++ b/shell/common/asar/asar_util.h @@ -15,6 +15,7 @@ class FilePath; namespace asar { class Archive; +struct IntegrityPayload; // Gets or creates and caches a new Archive from the path. std::shared_ptr GetOrCreateAsarArchive(const base::FilePath& path); @@ -31,6 +32,10 @@ bool GetAsarArchivePath(const base::FilePath& full_path, // Same with base::ReadFileToString but supports asar Archive. bool ReadFileToString(const base::FilePath& path, std::string* contents); +void ValidateIntegrityOrDie(const char* data, + size_t size, + const IntegrityPayload& integrity); + } // namespace asar #endif // SHELL_COMMON_ASAR_ASAR_UTIL_H_ diff --git a/shell/common/asar/scoped_temporary_file.cc b/shell/common/asar/scoped_temporary_file.cc index b9bc500f04f..283a534e855 100644 --- a/shell/common/asar/scoped_temporary_file.cc +++ b/shell/common/asar/scoped_temporary_file.cc @@ -7,7 +7,9 @@ #include #include "base/files/file_util.h" +#include "base/logging.h" #include "base/threading/thread_restrictions.h" +#include "shell/common/asar/asar_util.h" namespace asar { @@ -48,21 +50,28 @@ bool ScopedTemporaryFile::Init(const base::FilePath::StringType& ext) { return true; } -bool ScopedTemporaryFile::InitFromFile(base::File* src, - const base::FilePath::StringType& ext, - uint64_t offset, - uint64_t size) { +bool ScopedTemporaryFile::InitFromFile( + base::File* src, + const base::FilePath::StringType& ext, + uint64_t offset, + uint64_t size, + const absl::optional& integrity) { if (!src->IsValid()) return false; if (!Init(ext)) return false; + base::ThreadRestrictions::ScopedAllowIO allow_io; std::vector buf(size); int len = src->Read(offset, buf.data(), buf.size()); if (len != static_cast(size)) return false; + if (integrity.has_value()) { + ValidateIntegrityOrDie(buf.data(), buf.size(), integrity.value()); + } + base::File dest(path_, base::File::FLAG_OPEN | base::File::FLAG_WRITE); if (!dest.IsValid()) return false; diff --git a/shell/common/asar/scoped_temporary_file.h b/shell/common/asar/scoped_temporary_file.h index e42a244e122..3651ec5a6a9 100644 --- a/shell/common/asar/scoped_temporary_file.h +++ b/shell/common/asar/scoped_temporary_file.h @@ -6,6 +6,8 @@ #define SHELL_COMMON_ASAR_SCOPED_TEMPORARY_FILE_H_ #include "base/files/file_path.h" +#include "shell/common/asar/archive.h" +#include "third_party/abseil-cpp/absl/types/optional.h" namespace base { class File; @@ -31,7 +33,8 @@ class ScopedTemporaryFile { bool InitFromFile(base::File* src, const base::FilePath::StringType& ext, uint64_t offset, - uint64_t size); + uint64_t size, + const absl::optional& integrity); base::FilePath path() const { return path_; } diff --git a/shell/common/node_bindings.cc b/shell/common/node_bindings.cc index b5796649a77..ccf92b74b84 100644 --- a/shell/common/node_bindings.cc +++ b/shell/common/node_bindings.cc @@ -433,13 +433,29 @@ node::Environment* NodeBindings::CreateEnvironment( break; } - gin_helper::Dictionary global(context->GetIsolate(), context->Global()); + v8::Isolate* isolate = context->GetIsolate(); + gin_helper::Dictionary global(isolate, context->Global()); // Do not set DOM globals for renderer process. // We must set this before the node bootstrapper which is run inside // CreateEnvironment if (browser_env_ != BrowserEnvironment::kBrowser) global.Set("_noBrowserGlobals", true); + if (browser_env_ == BrowserEnvironment::kBrowser) { + const std::vector search_paths = {"app.asar", "app", + "default_app.asar"}; + const std::vector app_asar_search_paths = {"app.asar"}; + context->Global()->SetPrivate( + context, + v8::Private::ForApi( + isolate, + gin::ConvertToV8(isolate, "appSearchPaths").As()), + gin::ConvertToV8(isolate, + electron::fuses::IsOnlyLoadAppFromAsarEnabled() + ? app_asar_search_paths + : search_paths)); + } + std::vector exec_args; base::FilePath resources_path = GetResourcesPath(); std::string init_script = "electron/js2c/" + process_type + "_init"; diff --git a/spec-main/node-spec.ts b/spec-main/node-spec.ts index c667603e3b4..41fc0e2369d 100644 --- a/spec-main/node-spec.ts +++ b/spec-main/node-spec.ts @@ -350,7 +350,7 @@ describe('node feature', () => { }); it('Can find a module using a package.json main field', () => { - const result = childProcess.spawnSync(process.execPath, [path.resolve(fixtures, 'api', 'electron-main-module', 'app.asar')]); + const result = childProcess.spawnSync(process.execPath, [path.resolve(fixtures, 'api', 'electron-main-module', 'app.asar')], { stdio: 'inherit' }); expect(result.status).to.equal(0); }); diff --git a/spec/asar-spec.js b/spec/asar-spec.js index f8e830c4c7d..0a432d6bdfb 100644 --- a/spec/asar-spec.js +++ b/spec/asar-spec.js @@ -1564,7 +1564,7 @@ describe('asar package', function () { forked.on('message', function (stats) { try { expect(stats.isFile).to.be.true(); - expect(stats.size).to.equal(778); + expect(stats.size).to.equal(3458); done(); } catch (e) { done(e); @@ -1588,7 +1588,7 @@ describe('asar package', function () { try { const stats = JSON.parse(output); expect(stats.isFile).to.be.true(); - expect(stats.size).to.equal(778); + expect(stats.size).to.equal(3458); done(); } catch (e) { done(e); diff --git a/spec/fixtures/test.asar/a.asar b/spec/fixtures/test.asar/a.asar index 0b74f5639cd..852f460b6d5 100644 Binary files a/spec/fixtures/test.asar/a.asar and b/spec/fixtures/test.asar/a.asar differ diff --git a/spec/fixtures/test.asar/echo.asar b/spec/fixtures/test.asar/echo.asar index 4d72f7a92a7..b7caacca179 100644 Binary files a/spec/fixtures/test.asar/echo.asar and b/spec/fixtures/test.asar/echo.asar differ diff --git a/spec/fixtures/test.asar/empty.asar b/spec/fixtures/test.asar/empty.asar index 10cddfb6765..2c4be954d30 100644 Binary files a/spec/fixtures/test.asar/empty.asar and b/spec/fixtures/test.asar/empty.asar differ diff --git a/spec/fixtures/test.asar/logo.asar b/spec/fixtures/test.asar/logo.asar index fe21fd9ab7b..4c2c9f6020b 100644 Binary files a/spec/fixtures/test.asar/logo.asar and b/spec/fixtures/test.asar/logo.asar differ diff --git a/spec/fixtures/test.asar/repack.js b/spec/fixtures/test.asar/repack.js new file mode 100644 index 00000000000..1220b595a8e --- /dev/null +++ b/spec/fixtures/test.asar/repack.js @@ -0,0 +1,22 @@ +// Use this script to regenerate these fixture files +// using a new version of the asar package + +const asar = require('asar'); +const fs = require('fs'); +const os = require('os'); +const path = require('path'); + +const archives = []; +for (const child of fs.readdirSync(__dirname)) { + if (child.endsWith('.asar')) { + archives.push(path.resolve(__dirname, child)); + } +} + +for (const archive of archives) { + const tmp = fs.mkdtempSync(path.resolve(os.tmpdir(), 'asar-spec-')); + asar.extractAll(archive, tmp); + asar.createPackageWithOptions(tmp, archive, { + unpack: fs.existsSync(archive + '.unpacked') ? '*' : undefined + }); +} diff --git a/spec/fixtures/test.asar/script.asar b/spec/fixtures/test.asar/script.asar index 7239786ec90..1b7f3e23fb7 100755 Binary files a/spec/fixtures/test.asar/script.asar and b/spec/fixtures/test.asar/script.asar differ diff --git a/spec/fixtures/test.asar/unpack.asar b/spec/fixtures/test.asar/unpack.asar index 8c1231c1b23..de64d63853a 100644 Binary files a/spec/fixtures/test.asar/unpack.asar and b/spec/fixtures/test.asar/unpack.asar differ diff --git a/spec/fixtures/test.asar/video.asar b/spec/fixtures/test.asar/video.asar index 3d31a6e5895..d73dee7b84f 100644 Binary files a/spec/fixtures/test.asar/video.asar and b/spec/fixtures/test.asar/video.asar differ diff --git a/spec/fixtures/test.asar/web.asar b/spec/fixtures/test.asar/web.asar index 1e9db65b812..3057de38030 100644 Binary files a/spec/fixtures/test.asar/web.asar and b/spec/fixtures/test.asar/web.asar differ diff --git a/typings/internal-ambient.d.ts b/typings/internal-ambient.d.ts index 4f695936653..b8540dc1197 100644 --- a/typings/internal-ambient.d.ts +++ b/typings/internal-ambient.d.ts @@ -63,6 +63,10 @@ declare namespace NodeJS { size: number; unpacked: boolean; offset: number; + integrity?: { + algorithm: 'SHA256'; + hash: string; + } }; type AsarFileStat = { @@ -74,13 +78,12 @@ declare namespace NodeJS { } interface AsarArchive { - readonly path: string; getFileInfo(path: string): AsarFileInfo | false; stat(path: string): AsarFileStat | false; readdir(path: string): string[] | false; realpath(path: string): string | false; copyFileOut(path: string): string | false; - getFd(): number | -1; + getFdAndValidateIntegrityLater(): number | -1; } interface AsarBinding { diff --git a/yarn.lock b/yarn.lock index 9cf7591329d..402daf14e84 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1079,10 +1079,10 @@ arrify@^1.0.0: resolved "https://registry.yarnpkg.com/arrify/-/arrify-1.0.1.tgz#898508da2226f380df904728456849c1501a4b0d" integrity sha1-iYUI2iIm84DfkEcoRWhJwVAaSw0= -asar@^3.0.3: - version "3.0.3" - resolved "https://registry.yarnpkg.com/asar/-/asar-3.0.3.tgz#1fef03c2d6d2de0cbad138788e4f7ae03b129c7b" - integrity sha512-k7zd+KoR+n8pl71PvgElcoKHrVNiSXtw7odKbyNpmgKe7EGRF9Pnu3uLOukD37EvavKwVFxOUpqXTIZC5B5Pmw== +asar@^3.1.0: + version "3.1.0" + resolved "https://registry.yarnpkg.com/asar/-/asar-3.1.0.tgz#70b0509449fe3daccc63beb4d3c7d2e24d3c6473" + integrity sha512-vyxPxP5arcAqN4F/ebHd/HhwnAiZtwhglvdmc7BR2f0ywbVNTOpSeyhLDbGXtE/y58hv1oC75TaNIXutnsOZsQ== dependencies: chromium-pickle-js "^0.2.0" commander "^5.0.0"