Bug 1331139 - Enable download protection for V4 lists draft
authorThomas Nguyen <tnguyen@mozilla.com>
Tue, 14 Feb 2017 17:15:00 +0800
changeset 483377 71deec77db72d1f0e8e520a91c9b91417d80554e
parent 483291 195049fabb7ac5709e5f75614ba630ba3d1b5a9b
child 545646 2a413d158bb51f013a94ae038c53cb3fce85a460
push id45319
push usertnguyen@mozilla.com
push dateTue, 14 Feb 2017 09:54:25 +0000
bugs1331139
milestone54.0a1
Bug 1331139 - Enable download protection for V4 lists MozReview-Commit-ID: 4m26LmjuB29
modules/libpref/init/all.js
toolkit/components/url-classifier/chromium/README.txt
toolkit/components/url-classifier/chromium/safebrowsing.proto
toolkit/components/url-classifier/nsUrlClassifierUtils.cpp
toolkit/components/url-classifier/protobuf/safebrowsing.pb.cc
toolkit/components/url-classifier/protobuf/safebrowsing.pb.h
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -5090,23 +5090,23 @@ pref("urlclassifier.malwareTable", "goog
 // In the official build, we are allowed to use google's private
 // phishing list "goog-phish-shavar". See Bug 1288840.
 pref("urlclassifier.phishTable", "goog-phish-shavar,test-phish-simple");
 #else
 pref("urlclassifier.phishTable", "googpub-phish-shavar,test-phish-simple");
 #endif
 
 // Tables for application reputation.
-pref("urlclassifier.downloadBlockTable", "goog-badbinurl-shavar");
+pref("urlclassifier.downloadBlockTable", "goog-badbinurl-shavar,goog-badbinurl-proto");
 
 #ifdef XP_WIN
  // Only download the whitelist on Windows, since the whitelist is
  // only useful for suppressing remote lookups for signed binaries which we can
  // only verify on Windows (Bug 974579). Other platforms always do remote lookups.
-pref("urlclassifier.downloadAllowTable", "goog-downloadwhite-digest256");
+pref("urlclassifier.downloadAllowTable", "goog-downloadwhite-digest256,goog-downloadwhite-proto");
 #else
 pref("urlclassifier.downloadAllowTable", "");
 #endif
 
 pref("urlclassifier.disallow_completions", "test-malware-simple,test-phish-simple,test-unwanted-simple,test-track-simple,test-trackwhite-simple,test-block-simple,test-flashallow-simple,testexcept-flashallow-simple,test-flash-simple,testexcept-flash-simple,test-flashsubdoc-simple,testexcept-flashsubdoc-simple,goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256");
 
 // The table and update/gethash URLs for Safebrowsing phishing and malware
 // checks.
@@ -5148,17 +5148,17 @@ pref("browser.safebrowsing.debug", false
 pref("browser.safebrowsing.provider.google.pver", "2.2");
 pref("browser.safebrowsing.provider.google.lists", "goog-badbinurl-shavar,goog-downloadwhite-digest256,goog-phish-shavar,googpub-phish-shavar,goog-malware-shavar,goog-unwanted-shavar");
 pref("browser.safebrowsing.provider.google.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2&key=%GOOGLE_API_KEY%");
 pref("browser.safebrowsing.provider.google.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2");
 pref("browser.safebrowsing.provider.google.reportURL", "https://safebrowsing.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=");
 
 // Prefs for v4.
 pref("browser.safebrowsing.provider.google4.pver", "4");
-pref("browser.safebrowsing.provider.google4.lists", "goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto");
+pref("browser.safebrowsing.provider.google4.lists", "goog-badbinurl-proto,goog-downloadwhite-proto,goog-phish-proto,googpub-phish-proto,goog-malware-proto,goog-unwanted-proto");
 pref("browser.safebrowsing.provider.google4.updateURL", "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGLE_API_KEY%");
 // Leave it empty until we roll out v4 hash completion feature. See Bug 1323856.
 pref("browser.safebrowsing.provider.google4.gethashURL", "");
 pref("browser.safebrowsing.provider.google4.reportURL", "https://safebrowsing.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=");
 
 pref("browser.safebrowsing.reportPhishMistakeURL", "https://%LOCALE%.phish-error.mozilla.com/?hl=%LOCALE%&url=");
 pref("browser.safebrowsing.reportPhishURL", "https://%LOCALE%.phish-report.mozilla.com/?hl=%LOCALE%&url=");
 pref("browser.safebrowsing.reportMalwareMistakeURL", "https://%LOCALE%.malware-error.mozilla.com/?hl=%LOCALE%&url=");
--- a/toolkit/components/url-classifier/chromium/README.txt
+++ b/toolkit/components/url-classifier/chromium/README.txt
@@ -1,16 +1,16 @@
 # Overview
 
-'safebrowsing.proto' is modified from [1] with the following line added:
+'safebrowsing.proto' is modified from [1] with the following changes:
 
-"package mozilla.safebrowsing;"
-
+1. Add "package mozilla.safebrowsing;"
 to avoid naming pollution. We use this source file along with protobuf compiler (protoc) to generate safebrowsing.pb.h/cc for safebrowsing v4 update and hash completion. The current generated files are compiled by protoc 2.6.1 since the protobuf library in gecko is not upgraded to 3.0 yet.
 
+2. Remove Chrome specific element
 # Update
 
 If you want to update to the latest upstream version,
 
 1. Checkout the latest one in [2]
 2. Use protoc to generate safebrowsing.pb.h and safebrowsing.pb.cc. For example,
 
 $ protoc -I=. --cpp_out="../protobuf/" safebrowsing.proto
--- a/toolkit/components/url-classifier/chromium/safebrowsing.proto
+++ b/toolkit/components/url-classifier/chromium/safebrowsing.proto
@@ -144,18 +144,18 @@ message FetchThreatListUpdatesResponse {
     // client when the response is received.
     optional ResponseType response_type = 4;
 
     // A set of entries to add to a local threat type's list. Repeated to allow
     // for a combination of compressed and raw data to be sent in a single
     // response.
     repeated ThreatEntrySet additions = 5;
 
-    // A set of entries to remove from a local threat type's list. Repeated for
-    // the same reason as above.
+    // A set of entries to remove from a local threat type's list. In practice,
+    // this field is empty or contains exactly one ThreatEntrySet.
     repeated ThreatEntrySet removals = 6;
 
     // The new client state, in encrypted format. Opaque to clients.
     optional bytes new_client_state = 7;
 
     // The expected SHA256 hash of the client state; that is, of the sorted list
     // of all hashes present in the database after applying the provided update.
     // If the client state doesn't match the expected state, the client must
@@ -262,16 +262,32 @@ enum ThreatType {
   // Potentially harmful application threat type.
   POTENTIALLY_HARMFUL_APPLICATION = 4;
 
   // Social engineering threat type for internal use.
   SOCIAL_ENGINEERING = 5;
 
   // API abuse threat type.
   API_ABUSE = 6;
+
+  // Malicious binary threat type.
+  MALICIOUS_BINARY = 7;
+
+  // Client side detection whitelist threat type.
+  CSD_WHITELIST = 8;
+
+  // Client side download detection whitelist threat type.
+  CSD_DOWNLOAD_WHITELIST = 9;
+
+  // Client incident threat type.
+  CLIENT_INCIDENT = 10;
+
+  // Patterns to be used for activating the subresource filter. Interstitial
+  // will not be shown for patterns from this list.
+  SUBRESOURCE_FILTER = 13;
 }
 
 // Types of platforms.
 enum PlatformType {
   // Unknown platform.
   PLATFORM_TYPE_UNSPECIFIED = 0;
 
   // Threat posed to Windows.
@@ -349,16 +365,25 @@ enum ThreatEntryType {
   // A host-suffix/path-prefix URL expression; for example, "foo.bar.com/baz/".
   URL = 1;
 
   // An executable program.
   EXECUTABLE = 2;
 
   // An IP range.
   IP_RANGE = 3;
+
+  // Chrome extension.
+  CHROME_EXTENSION = 4;
+
+  // Filename.
+  FILENAME = 5;
+
+  // CERT.
+  CERT = 6;
 }
 
 // A set of threats that should be added or removed from a client's local
 // database.
 message ThreatEntrySet {
   // The compression type for the entries in this set.
   optional CompressionType compression_type = 1;
 
--- a/toolkit/components/url-classifier/nsUrlClassifierUtils.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierUtils.cpp
@@ -233,16 +233,20 @@ static const struct {
   const char* mListName;
   uint32_t mThreatType;
 } THREAT_TYPE_CONV_TABLE[] = {
   { "goog-malware-proto",  MALWARE_THREAT},            // 1
   { "googpub-phish-proto", SOCIAL_ENGINEERING_PUBLIC}, // 2
   { "goog-unwanted-proto", UNWANTED_SOFTWARE},         // 3
   { "goog-phish-proto", SOCIAL_ENGINEERING},           // 5
 
+  // For application reputation
+  { "goog-badbinurl-proto", MALICIOUS_BINARY},         // 7
+  { "goog-downloadwhite-proto", CSD_DOWNLOAD_WHITELIST},  // 9
+
   // For testing purpose.
   { "test-phish-proto",    SOCIAL_ENGINEERING_PUBLIC}, // 2
   { "test-unwanted-proto", UNWANTED_SOFTWARE}, // 3
 };
 
 NS_IMETHODIMP
 nsUrlClassifierUtils::ConvertThreatTypeToListNames(uint32_t aThreatType,
                                                    nsACString& aListNames)
--- a/toolkit/components/url-classifier/protobuf/safebrowsing.pb.cc
+++ b/toolkit/components/url-classifier/protobuf/safebrowsing.pb.cc
@@ -127,16 +127,21 @@ bool ThreatType_IsValid(int value) {
   switch(value) {
     case 0:
     case 1:
     case 2:
     case 3:
     case 4:
     case 5:
     case 6:
+    case 7:
+    case 8:
+    case 9:
+    case 10:
+    case 13:
       return true;
     default:
       return false;
   }
 }
 
 bool PlatformType_IsValid(int value) {
   switch(value) {
@@ -167,16 +172,19 @@ bool CompressionType_IsValid(int value) 
 }
 
 bool ThreatEntryType_IsValid(int value) {
   switch(value) {
     case 0:
     case 1:
     case 2:
     case 3:
+    case 4:
+    case 5:
+    case 6:
       return true;
     default:
       return false;
   }
 }
 
 
 // ===================================================================
--- a/toolkit/components/url-classifier/protobuf/safebrowsing.pb.h
+++ b/toolkit/components/url-classifier/protobuf/safebrowsing.pb.h
@@ -82,21 +82,26 @@ const int ThreatHit_ThreatSourceType_Thr
 
 enum ThreatType {
   THREAT_TYPE_UNSPECIFIED = 0,
   MALWARE_THREAT = 1,
   SOCIAL_ENGINEERING_PUBLIC = 2,
   UNWANTED_SOFTWARE = 3,
   POTENTIALLY_HARMFUL_APPLICATION = 4,
   SOCIAL_ENGINEERING = 5,
-  API_ABUSE = 6
+  API_ABUSE = 6,
+  MALICIOUS_BINARY = 7,
+  CSD_WHITELIST = 8,
+  CSD_DOWNLOAD_WHITELIST = 9,
+  CLIENT_INCIDENT = 10,
+  SUBRESOURCE_FILTER = 13
 };
 bool ThreatType_IsValid(int value);
 const ThreatType ThreatType_MIN = THREAT_TYPE_UNSPECIFIED;
-const ThreatType ThreatType_MAX = API_ABUSE;
+const ThreatType ThreatType_MAX = SUBRESOURCE_FILTER;
 const int ThreatType_ARRAYSIZE = ThreatType_MAX + 1;
 
 enum PlatformType {
   PLATFORM_TYPE_UNSPECIFIED = 0,
   WINDOWS_PLATFORM = 1,
   LINUX_PLATFORM = 2,
   ANDROID_PLATFORM = 3,
   OSX_PLATFORM = 4,
@@ -119,21 +124,24 @@ bool CompressionType_IsValid(int value);
 const CompressionType CompressionType_MIN = COMPRESSION_TYPE_UNSPECIFIED;
 const CompressionType CompressionType_MAX = RICE;
 const int CompressionType_ARRAYSIZE = CompressionType_MAX + 1;
 
 enum ThreatEntryType {
   THREAT_ENTRY_TYPE_UNSPECIFIED = 0,
   URL = 1,
   EXECUTABLE = 2,
-  IP_RANGE = 3
+  IP_RANGE = 3,
+  CHROME_EXTENSION = 4,
+  FILENAME = 5,
+  CERT = 6
 };
 bool ThreatEntryType_IsValid(int value);
 const ThreatEntryType ThreatEntryType_MIN = THREAT_ENTRY_TYPE_UNSPECIFIED;
-const ThreatEntryType ThreatEntryType_MAX = IP_RANGE;
+const ThreatEntryType ThreatEntryType_MAX = CERT;
 const int ThreatEntryType_ARRAYSIZE = ThreatEntryType_MAX + 1;
 
 // ===================================================================
 
 class ThreatInfo : public ::google::protobuf::MessageLite {
  public:
   ThreatInfo();
   virtual ~ThreatInfo();