Security/Reviews/Gaia/DownloadManager: Difference between revisions

From MozillaWiki

Revision as of 22:30, 16 January 2014

Download Manager API

Review Details

Overview

The Download Manager API handles downloads on Firefox OS. The Settings and System applications are the only applications that have the certified 'downloads' permission, and they are responsible for managing downloads. The System application handles the download event, and the Settings application has a "Download" section that allows a user to view, delete, stop, and restart current downloads. When a download is initiated, a notification is created in the notifications pull-down menu.

Any HTTP response with content type of "application/octet-stream" will cause the file to be downloaded. The files are saved to /sdcard/downloads/ on the filesystem.

The main file responsible for the Download Manager API is:

[Image: Dl-manager.jpg]

Gaia

Code

  • System App
  • Settings App
  • Shared Code

Permissions

Settings and System are the only apps with the certified 'downloads' permission.

"downloads": {
  app: DENY_ACTION,
  privileged: DENY_ACTION,
  certified: ALLOW_ACTION
},

Gecko

Code

  • WebIDL File for mozDownloadManager
  • Parent Process
  • Child Process

Downloads.jsm

Downloads.jsm deprecates nsIDownloadManager and is used by the Download Manager on FxOS. Downloads.jsm provides a single point of entry for everything relating to downloading.

[Image: Downloads-jsm.jpeg]

Features

  • 906255 - ability to view status of downloads
  • 906256 - ability to cancel downloads
  • 906257 - ability to view list of previously downloaded files
  • 906265 - ability to open downloaded files with supported MIME types
  • 848371 - ability to download any content through Browser to the SD Card (including HTTP downloading)
  • 957592 - ability to cancel downloads from processes that do not have 'downloads' permission

Conclusion

The attack surface is greatly reduced by the combination of using WebIDL, restricting the 'downloads' permission to certified apps, and the fact that the Download Manager API uses the new Downloads.jsm.

Code Review Notes

XSS & HTML Injection Attacks

User-controlled values are essentially limited to the filename. The filename is displayed in the notifications pull-down as well as in the Settings Downloads list. 960749 prevented us from being able to completely check for HTML injection. (See Future Work below.)

Based on source code inspection, there are no dangerous coding practices (such as misuse of innerHTML) that would result in HTML/JS injection.

Secure Communications

There are no instances of sensitive communications over HTTP. Nor are there any leaks via XHR requests.

Secure Data Storage

No issues relating to insecure data storage.

Denial of Service

960739 was identified as a potential DoS attack.

Interfaces with other Apps/Content

The Download Manager API is used within the System and Settings applications.

There is still a feature to be developed that would allow FxOS to remove all download objects initiated by applications that do not have the 'downloads' permission.

Future Work

960749 prevented us from being able to look for HTML injection via filenames. This will need to be checked once that bug is resolved. However, it appears to be an issue of the filesystem disallowing those characters, so most likely even after an error message is added there will be no avenue for those characters to appear in a filename.

Issues