Security/Reviews/Gaia/DownloadManager

Download Manager API

Review Details

Overview

Download Manager API handles downloads on Firefox OS. The settings and system applications are the only applications that have the certified 'downloads' permission and they are responsible for managing downloads. The system application handles the download event and the settings application has a "Download" section that allows a user to view, delete, stop, and restart current downloads. When a download is initiated, a notification is created in the notifications pull down menu.

Any HTTP response with a Content-Type of "application/octet-stream" causes the file to be downloaded. The files are saved to /sdcard/downloads/ on the filesystem.

The main file responsible for Download Manager API is:

Notes from Gregor:

 There is still a missing piece in the implementation: Bug 957592. We want to remove all the download related objects if the process doesn't have the 'download' permission.
 If we access the download api from the system app we don't have the child/parent separation because the system app runs in the parent. The system app is chrome code so this should be fine.
 

Notes from Aus about how activities open file after it is downloaded:

 By default with B2G we will always Save To Disk *first*. After the file is downloaded and saved to disk we will then route it to the appropriate application when it's "pressed" (either from the notifications or the downloads list in the Settings).
 
 You can see where we default to save to disk here:
 https://mxr.mozilla.org/mozilla-central/source/b2g/components/HelperAppDialog.js
 
 Once the content is downloaded and the user opts to open it, it will go through this:
 https://mxr.mozilla.org/mozilla-central/source/b2g/components/ContentHandler.js
 
 Which in turn, will call this:
 https://github.com/mozilla-b2g/gaia/blob/5ffb0c1dbe1d4af68713c681baff6698665bbf5a/shared/js/mime_mapper.js
 
 Which will actually help launch the right activity (based on the application's registered types, in the application web manifest).

Gaia

Code

System App

Settings App

Shared Code

Permissions

Settings and System are the only apps with the certified 'downloads' permission.

"downloads": {
  app: DENY_ACTION,
  privileged: DENY_ACTION,
  certified: ALLOW_ACTION
},

Gecko

Code

WebIDL File for mozDownloadManager

Parent Process

Child Process

Downloads.jsm

Downloads.jsm deprecates nsIDownloadManager and is used by the Download Manager on FxOS. Downloads.jsm provides a single point of entry for everything relating to downloading.


Features

  • 906255 - ability to view status of downloads
  • 906256 - ability to cancel downloads
  • 906257 - ability to view list of previously downloaded files
  • 906265 - ability to open downloaded files with supported MIME types
  • 848371 - ability to download any content through Browser to the SD Card (including HTTP downloading)
  • 957592 - ability to cancel downloads from processes that do not have 'downloads' permission

How is a download initiated?

  • A simple <a> tag with a href pointing to a server that returns a Content-Type of "application/octet-stream"
  • mozDownloadManager.ondownloadstart (download_manager.js) creates download start notification

How does the phone know to download the file instead of try to do something with it?

Once the file has downloaded, how does phone open file?

Conclusion

The attack surface is greatly reduced by the combination of using WebIDL, the 'downloads' permission being restricted to certified apps, and the fact that the Download Manager API uses the new Downloads.jsm.

Code Review Notes

XSS & HTML Injection Attacks

User controlled values are pretty much limited to filename. The filename is displayed in the notifications pull-down as well as the Settings Downloads list. 960749 prevented us from being able to completely check for HTML injections. (See Future Work below)

Based on source code inspection, there are no dangerous coding practices (like misuse of innerHTML) that will result in HTML/JS injections.

The characters ', ", >, \, & and < were tested in filenames. We could not directly test > or < because the filesystem disallows those characters in filenames; however, we used App Manager to break into the JS and insert those characters to verify that filenames were rendered safely in the Notifications pull-down as well as the Settings->Downloads menu.
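The check described above, expressed as an added example (this is illustrative code, not Gaia's own): the server-supplied filename is the one attacker-influenced value rendered in the notification and the Downloads list, so it must never reach innerHTML unescaped. The probe filename, the escaper and the two renderers are constructed here for illustration.

```javascript
// Added example (not Gaia code): the HTML-injection check this review applied
// to download filenames, in code. The characters the review tested: ' " > \ & <
const PROBE_CHARS = ["'", '"', '>', '\\', '&', '<'];

// Minimal escaper for the five HTML-significant characters.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// UNSAFE pattern the review looked for: the raw filename concatenated into
// markup that is later assigned to innerHTML.
function renderDownloadItemUnsafe(filename) {
  return '<li class="download"><span class="name">' + filename + '</span></li>';
}

// Hardened equivalent: escape the untrusted filename before it enters markup.
// In the app itself the same result comes from creating the span and
// assigning filename to .textContent instead of building HTML strings.
function renderDownloadItemSafe(filename) {
  return '<li class="download"><span class="name">' + escapeHtml(filename) + '</span></li>';
}

// The review's check: after rendering a filename that carries every probe
// character, does any of them survive as raw markup inside the name span?
// Returns the list of leaked characters (empty means rendered safely).
function leakedProbeChars(renderFn) {
  const filename = 'report' + PROBE_CHARS.join('') + '.pdf';   // constructed probe
  const html = renderFn(filename);
  const open = '<span class="name">';
  const inner = html.slice(html.indexOf(open) + open.length, html.lastIndexOf('</span>'));
  // Backslash is not HTML-significant; '&' is checked separately so that
  // legitimate entities such as &amp; do not count as leaks.
  const leaked = PROBE_CHARS.filter((c) => c !== '\\' && c !== '&' && inner.includes(c));
  if (/&(?!(amp|lt|gt|quot);|#\d+;)/.test(inner)) leaked.push('&');
  return leaked;
}

console.log('unsafe renderer leaks:', leakedProbeChars(renderDownloadItemUnsafe));
console.log('safe renderer leaks:  ', leakedProbeChars(renderDownloadItemSafe));
```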

Secure Communications

There are no instances of sensitive communications over HTTP. Nor are there any leaks via XHR requests.

Secure Data Storage

No issues relating to insecure data storage.

Denial of Service

960739 was identified as a potential DoS attack.

Interfaces with other Apps/Content

The Download Manager API is used within the System and Settings applications.

There is still a feature to develop that would allow FxOS to remove all download objects initiated by applications that do not have the 'downloads' permission.

Permissions

The 'downloads' permission is checked in the parent here.

Future Work

960749 prevented us from being able to look for HTML injections via filenames. This will need to be checked once that bug is resolved. However, it appears to be an issue with the filesystem disallowing those characters, so most likely even after an error message is added, there will be no avenue to have those characters in the filename.

Issues