feat: add support for validating asar archives on macOS (#30667)

* feat: add support for validating asar archives on macOS

* chore: fix lint

* chore: update as per feedback

* feat: switch implementation to asar integrity hash checks

* feat: make ranged requests work with the asar file validator DataSourceFilter

* chore: fix lint

* chore: fix missing log include on non-darwin

* fix: do not pull block size out of missing optional

* fix: match ValidateOrDie symbol on non-darwin

* chore: fix up asar specs by repacking archives

* fix: maintain integrity chain, do not load file integrity if header integrity was not loaded

* debug test

* Update node-spec.ts

* fix: initialize header_validated_

* chore: update PR per feedback

* chore: update per feedback

* build: use final asar module

* Update fuses.json5

shell/browser/net/asar/asar_file_validator.cc

@@ -0,0 +1,150 @@
+// Copyright (c) 2021 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#include "shell/browser/net/asar/asar_file_validator.h"
+
+#include <algorithm>
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/logging.h"
+#include "base/notreached.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "crypto/sha2.h"
+
+namespace asar {
+
+AsarFileValidator::AsarFileValidator(IntegrityPayload integrity,
+                                     base::File file)
+    : file_(std::move(file)), integrity_(std::move(integrity)) {
+  current_block_ = 0;
+  max_block_ = integrity_.blocks.size() - 1;
+}
+
+void AsarFileValidator::OnRead(base::span<char> buffer,
+                               mojo::FileDataSource::ReadResult* result) {
+  DCHECK(!done_reading_);
+
+  uint64_t buffer_size = result->bytes_read;
+
+  // Compute how many bytes we should hash, and add them to the current hash.
+  uint32_t block_size = integrity_.block_size;
+  uint64_t bytes_added = 0;
+  while (bytes_added < buffer_size) {
+    if (current_block_ > max_block_) {
+      LOG(FATAL)
+          << "Unexpected number of blocks while validating ASAR file stream";
+      return;
+    }
+
+    // Create a hash if we don't have one yet
+    if (!current_hash_) {
+      current_hash_byte_count_ = 0;
+      switch (integrity_.algorithm) {
+        case HashAlgorithm::SHA256:
+          current_hash_ =
+              crypto::SecureHash::Create(crypto::SecureHash::SHA256);
+          break;
+        case HashAlgorithm::NONE:
+          CHECK(false);
+          break;
+      }
+    }
+
+    // Compute how many bytes we should hash, and add them to the current hash.
+    // We need to either add just enough bytes to fill up a block (block_size -
+    // current_bytes) or use every remaining byte (buffer_size - bytes_added)
+    int bytes_to_hash = std::min(block_size - current_hash_byte_count_,
+                                 buffer_size - bytes_added);
+    DCHECK_GT(bytes_to_hash, 0);
+    current_hash_->Update(buffer.data() + bytes_added, bytes_to_hash);
+    bytes_added += bytes_to_hash;
+    current_hash_byte_count_ += bytes_to_hash;
+    total_hash_byte_count_ += bytes_to_hash;
+
+    if (current_hash_byte_count_ == block_size && !FinishBlock()) {
+      LOG(FATAL) << "Failed to validate block while streaming ASAR file: "
+                 << current_block_;
+      return;
+    }
+  }
+}
+
+bool AsarFileValidator::FinishBlock() {
+  if (current_hash_byte_count_ == 0) {
+    if (!done_reading_ || current_block_ > max_block_) {
+      return true;
+    }
+  }
+
+  if (!current_hash_) {
+    // This happens when we fail to read the resource. Compute empty content's
+    // hash in this case.
+    current_hash_ = crypto::SecureHash::Create(crypto::SecureHash::SHA256);
+  }
+
+  uint8_t actual[crypto::kSHA256Length];
+
+  // If the file reader is done we need to make sure we've either read up to the
+  // end of the file (the check below) or up to the end of a block_size byte
+  // boundary. If the below check fails we compute the next block boundary, how
+  // many bytes are needed to get there and then we manually read those bytes
+  // from our own file handle ensuring the data producer is unaware but we can
+  // validate the hash still.
+  if (done_reading_ &&
+      total_hash_byte_count_ - extra_read_ != read_max_ - read_start_) {
+    uint64_t bytes_needed = std::min(
+        integrity_.block_size - current_hash_byte_count_,
+        read_max_ - read_start_ - total_hash_byte_count_ + extra_read_);
+    uint64_t offset = read_start_ + total_hash_byte_count_ - extra_read_;
+    std::vector<uint8_t> abandoned_buffer(bytes_needed);
+    if (!file_.ReadAndCheck(offset, abandoned_buffer)) {
+      LOG(FATAL) << "Failed to read required portion of streamed ASAR archive";
+      return false;
+    }
+
+    current_hash_->Update(&abandoned_buffer.front(), bytes_needed);
+  }
+
+  current_hash_->Finish(actual, sizeof(actual));
+  current_hash_.reset();
+  current_hash_byte_count_ = 0;
+
+  const std::string expected_hash = integrity_.blocks[current_block_];
+  const std::string actual_hex_hash =
+      base::ToLowerASCII(base::HexEncode(actual, sizeof(actual)));
+
+  if (expected_hash != actual_hex_hash) {
+    return false;
+  }
+
+  current_block_++;
+
+  return true;
+}
+
+void AsarFileValidator::OnDone() {
+  DCHECK(!done_reading_);
+  done_reading_ = true;
+  if (!FinishBlock()) {
+    LOG(FATAL) << "Failed to validate block while ending ASAR file stream: "
+               << current_block_;
+  }
+}
+
+void AsarFileValidator::SetRange(uint64_t read_start,
+                                 uint64_t extra_read,
+                                 uint64_t read_max) {
+  read_start_ = read_start;
+  extra_read_ = extra_read;
+  read_max_ = read_max;
+}
+
+void AsarFileValidator::SetCurrentBlock(int current_block) {
+  current_block_ = current_block;
+}
+
+}  // namespace asar

shell/browser/net/asar/asar_file_validator.h

@@ -0,0 +1,60 @@
+// Copyright (c) 2021 Slack Technologies, Inc.
+// Use of this source code is governed by the MIT license that can be
+// found in the LICENSE file.
+
+#ifndef SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
+#define SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_
+
+#include <algorithm>
+#include <memory>
+
+#include "crypto/secure_hash.h"
+#include "mojo/public/cpp/system/file_data_source.h"
+#include "mojo/public/cpp/system/filtered_data_source.h"
+#include "shell/common/asar/archive.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
+
+namespace asar {
+
+class AsarFileValidator : public mojo::FilteredDataSource::Filter {
+ public:
+  AsarFileValidator(IntegrityPayload integrity, base::File file);
+
+  void OnRead(base::span<char> buffer,
+              mojo::FileDataSource::ReadResult* result);
+
+  void OnDone();
+
+  void SetRange(uint64_t read_start, uint64_t extra_read, uint64_t read_max);
+  void SetCurrentBlock(int current_block);
+
+ protected:
+  bool FinishBlock();
+
+ private:
+  base::File file_;
+  IntegrityPayload integrity_;
+
+  // The offset in the file_ that the underlying file reader is starting at
+  uint64_t read_start_ = 0;
+  // The number of bytes this DataSourceFilter will have seen that aren't used
+  // by the DataProducer.  These extra bytes are exclusively for hash validation
+  // but we need to know how many we've used so we know when we're done.
+  uint64_t extra_read_ = 0;
+  // The maximum offset in the file_ that we should read to, used to determine
+  // which bytes we're missing or if we need to read up to a block boundary in
+  // OnDone
+  uint64_t read_max_ = 0;
+  bool done_reading_ = false;
+  int current_block_;
+  int max_block_;
+  uint64_t current_hash_byte_count_ = 0;
+  uint64_t total_hash_byte_count_ = 0;
+  std::unique_ptr<crypto::SecureHash> current_hash_;
+
+  DISALLOW_COPY_AND_ASSIGN(AsarFileValidator);
+};
+
+}  // namespace asar
+
+#endif  // SHELL_BROWSER_NET_ASAR_ASAR_FILE_VALIDATOR_H_

shell/browser/net/asar/asar_url_loader.cc

@@ -4,6 +4,7 @@
 
 #include "shell/browser/net/asar/asar_url_loader.h"
 
+#include <algorithm>
 #include <memory>
 #include <string>
 #include <utility>
@@ -13,6 +14,7 @@
 #include "base/task/post_task.h"
 #include "base/task/thread_pool.h"
 #include "content/public/browser/file_url_loader.h"
+#include "electron/fuses.h"
 #include "mojo/public/cpp/bindings/receiver.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "mojo/public/cpp/system/data_pipe_producer.h"
@@ -23,6 +25,7 @@
 #include "net/http/http_byte_range.h"
 #include "net/http/http_util.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
+#include "shell/browser/net/asar/asar_file_validator.h"
 #include "shell/common/asar/archive.h"
 #include "shell/common/asar/asar_util.h"
 
@@ -127,6 +130,7 @@ class AsarURLLoader : public network::mojom::URLLoader {
       OnClientComplete(net::ERR_FILE_NOT_FOUND);
       return;
     }
+    bool is_verifying_file = info.integrity.has_value();
 
     // For unpacked path, read like normal file.
     base::FilePath real_path;
@@ -149,12 +153,24 @@ class AsarURLLoader : public network::mojom::URLLoader {
     base::File file(info.unpacked ? real_path : archive->path(),
                     base::File::FLAG_OPEN | base::File::FLAG_READ);
     auto file_data_source =
-        std::make_unique<mojo::FileDataSource>(std::move(file));
-    mojo::DataPipeProducer::DataSource* data_source = file_data_source.get();
+        std::make_unique<mojo::FileDataSource>(file.Duplicate());
+    std::unique_ptr<mojo::DataPipeProducer::DataSource> readable_data_source;
+    mojo::FileDataSource* file_data_source_raw = file_data_source.get();
+    AsarFileValidator* file_validator_raw = nullptr;
+    if (info.integrity.has_value()) {
+      auto asar_validator = std::make_unique<AsarFileValidator>(
+          std::move(info.integrity.value()), std::move(file));
+      file_validator_raw = asar_validator.get();
+      readable_data_source.reset(new mojo::FilteredDataSource(
+          std::move(file_data_source), std::move(asar_validator)));
+    } else {
+      readable_data_source = std::move(file_data_source);
+    }
 
-    std::vector<char> initial_read_buffer(net::kMaxBytesToSniff);
-    auto read_result =
-        data_source->Read(info.offset, base::span<char>(initial_read_buffer));
+    std::vector<char> initial_read_buffer(
+        std::min(static_cast<uint32_t>(net::kMaxBytesToSniff), info.size));
+    auto read_result = readable_data_source.get()->Read(
+        info.offset, base::span<char>(initial_read_buffer));
     if (read_result.result != MOJO_RESULT_OK) {
       OnClientComplete(ConvertMojoResultToNetError(read_result.result));
       return;
@@ -183,6 +199,7 @@ class AsarURLLoader : public network::mojom::URLLoader {
     }
 
     uint64_t first_byte_to_send = 0;
+    uint64_t total_bytes_dropped_from_head = initial_read_buffer.size();
     uint64_t total_bytes_to_send = info.size;
 
     if (byte_range.IsValid()) {
@@ -214,6 +231,26 @@ class AsarURLLoader : public network::mojom::URLLoader {
       // Discount the bytes we just sent from the total range.
       first_byte_to_send = read_result.bytes_read;
       total_bytes_to_send -= write_size;
+    } else if (is_verifying_file &&
+               first_byte_to_send >=
+                   static_cast<uint64_t>(info.integrity.value().block_size)) {
+      // If validation is active and the range of bytes the request wants starts
+      // beyond the first block we need to read the next 4MB-1KB to validate
+      // that block. Then we can skip ahead to the target block in the SetRange
+      // call below If we hit this case it is assumed that none of the data read
+      // will be needed by the producer
+      uint64_t bytes_to_drop =
+          info.integrity.value().block_size - net::kMaxBytesToSniff;
+      total_bytes_dropped_from_head += bytes_to_drop;
+      std::vector<char> abandoned_buffer(bytes_to_drop);
+      auto abandon_read_result =
+          readable_data_source.get()->Read(info.offset + net::kMaxBytesToSniff,
+                                           base::span<char>(abandoned_buffer));
+      if (abandon_read_result.result != MOJO_RESULT_OK) {
+        OnClientComplete(
+            ConvertMojoResultToNetError(abandon_read_result.result));
+        return;
+      }
     }
 
     if (!net::GetMimeTypeFromFile(path, &head->mime_type)) {
@@ -234,23 +271,68 @@ class AsarURLLoader : public network::mojom::URLLoader {
 
     if (total_bytes_to_send == 0) {
       // There's definitely no more data, so we're already done.
+      // We provide the range data to the file validator so that
+      // it can validate the tiny amount of data we did send
+      if (file_validator_raw)
+        file_validator_raw->SetRange(info.offset + first_byte_to_send,
+                                     total_bytes_dropped_from_head,
+                                     info.offset + info.size);
       OnFileWritten(MOJO_RESULT_OK);
       return;
     }
 
+    if (is_verifying_file) {
+      uint32_t block_size = info.integrity.value().block_size;
+      int start_block = first_byte_to_send / block_size;
+
+      // If we're starting from the first block, we might not be starting from
+      // where we sniffed. We might be a few KB into a file so we need to read
+      // the data in the middle so it gets hashed.
+      //
+      // If we're starting from a later block we might be starting half-way
+      // through the block regardless of what was sniffed.  We need to read the
+      // data from the start of our initial block up to the start of our actual
+      // read point so it gets hashed.
+      uint64_t bytes_to_drop =
+          start_block == 0 ? first_byte_to_send - net::kMaxBytesToSniff
+                           : first_byte_to_send - (start_block * block_size);
+      if (file_validator_raw)
+        file_validator_raw->SetCurrentBlock(start_block);
+
+      if (bytes_to_drop > 0) {
+        uint64_t dropped_bytes_offset =
+            info.offset + (start_block * block_size);
+        if (start_block == 0)
+          dropped_bytes_offset += net::kMaxBytesToSniff;
+        total_bytes_dropped_from_head += bytes_to_drop;
+        std::vector<char> abandoned_buffer(bytes_to_drop);
+        auto abandon_read_result = readable_data_source.get()->Read(
+            dropped_bytes_offset, base::span<char>(abandoned_buffer));
+        if (abandon_read_result.result != MOJO_RESULT_OK) {
+          OnClientComplete(
+              ConvertMojoResultToNetError(abandon_read_result.result));
+          return;
+        }
+      }
+    }
+
     // In case of a range request, seek to the appropriate position before
     // sending the remaining bytes asynchronously. Under normal conditions
     // (i.e., no range request) this Seek is effectively a no-op.
     //
     // Note that in Electron we also need to add file offset.
-    file_data_source->SetRange(
+    file_data_source_raw->SetRange(
         first_byte_to_send + info.offset,
         first_byte_to_send + info.offset + total_bytes_to_send);
+    if (file_validator_raw)
+      file_validator_raw->SetRange(info.offset + first_byte_to_send,
+                                   total_bytes_dropped_from_head,
+                                   info.offset + info.size);
 
     data_producer_ =
         std::make_unique<mojo::DataPipeProducer>(std::move(producer_handle));
     data_producer_->Write(
-        std::move(file_data_source),
+        std::move(readable_data_source),
         base::BindOnce(&AsarURLLoader::OnFileWritten, base::Unretained(this)));
   }
 

shell/browser/resources/mac/Info.plist

@@ -49,5 +49,15 @@
     <string>This app needs access to Bluetooth</string>
     <key>NSBluetoothPeripheralUsageDescription</key>
     <string>This app needs access to Bluetooth</string>
+    <key>ElectronAsarIntegrity</key>
+    <dict>
+      <key>Resources/default_app.asar</key>
+      <dict>
+        <key>algorithm</key>
+        <string>SHA256</string>
+        <key>hash</key>
+        <string>${DEFAULT_APP_ASAR_HEADER_SHA}</string>
+      </dict>
+    </dict>
   </dict>
 </plist>