From e46514fcd87d69d1ca60d8160b485c29abc384a2 Mon Sep 17 00:00:00 2001
From: Francois Marier <francois@brave.com>
Date: Wed, 19 Jun 2019 15:24:09 -0700
Subject: [PATCH] Prevent extensions from tampering with Uphold linking flow
 (brave/brave-browser#4928)

---
 browser/extensions/BUILD.gn                   |  1 +
 extensions/common/BUILD.gn                    | 11 ++++++++++
 extensions/common/brave_extension_urls.cc     | 22 +++++++++++++++++++
 extensions/common/brave_extension_urls.h      | 18 +++++++++++++++
 ...b_request-web_request_permissions.cc.patch | 21 ++++++++++++++++++
 5 files changed, 73 insertions(+)
 create mode 100644 extensions/common/BUILD.gn
 create mode 100644 extensions/common/brave_extension_urls.cc
 create mode 100644 extensions/common/brave_extension_urls.h
 create mode 100644 patches/extensions-browser-api-web_request-web_request_permissions.cc.patch

diff --git a/browser/extensions/BUILD.gn b/browser/extensions/BUILD.gn
index 458fb23096f1..bfc0401559d4 100644
--- a/browser/extensions/BUILD.gn
+++ b/browser/extensions/BUILD.gn
@@ -51,6 +51,7 @@ source_set("extensions") {
     "//brave/components/brave_sync",
     "//brave/components/brave_sync:generated_resources",
     "//brave/components/brave_sync:static_resources",
+    "//brave/extensions/common",
     "//components/prefs",
     "//components/update_client:patch_impl",
     "//components/update_client:unzip_impl",
diff --git a/extensions/common/BUILD.gn b/extensions/common/BUILD.gn
new file mode 100644
index 000000000000..63df74e4d947
--- /dev/null
+++ b/extensions/common/BUILD.gn
@@ -0,0 +1,11 @@
+source_set("common") {
+  sources = [
+    "brave_extension_urls.cc",
+    "brave_extension_urls.h",
+  ]
+
+  deps = [
+    "//base",
+    "//extensions/common",
+  ]
+}
diff --git a/extensions/common/brave_extension_urls.cc b/extensions/common/brave_extension_urls.cc
new file mode 100644
index 000000000000..4e7134fe77cf
--- /dev/null
+++ b/extensions/common/brave_extension_urls.cc
@@ -0,0 +1,22 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#include "brave/extensions/common/brave_extension_urls.h"
+
+#include "base/strings/string_util.h"
+#include "url/origin.h"
+
+namespace extension_urls {
+
+bool IsBraveProtectedUrl(const url::Origin& origin, base::StringPiece path) {
+  return (origin.DomainIs("sandbox.uphold.com") &&
+          base::StartsWith(path, "/authorize/",
+                           base::CompareCase::SENSITIVE)) ||
+      (origin.DomainIs("api.uphold.com") &&
+       base::StartsWith(path, "/oauth2/token",
+                        base::CompareCase::SENSITIVE));
+}
+
+}  // namespace extension_urls
diff --git a/extensions/common/brave_extension_urls.h b/extensions/common/brave_extension_urls.h
new file mode 100644
index 000000000000..dd50c92fbbc2
--- /dev/null
+++ b/extensions/common/brave_extension_urls.h
@@ -0,0 +1,18 @@
+/* Copyright (c) 2019 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at https://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_EXTENSIONS_COMMON_EXTENSION_URLS_H_
+#define BRAVE_EXTENSIONS_COMMON_EXTENSION_URLS_H_
+
+#include "extensions/common/extension_urls.h"
+
+namespace extension_urls {
+
+// Returns true if the URL points to a security-critical service.
+bool IsBraveProtectedUrl(const url::Origin& origin, base::StringPiece path);
+
+}  // namespace extension_urls
+
+#endif  // BRAVE_EXTENSIONS_COMMON_EXTENSION_URLS_H_
diff --git a/patches/extensions-browser-api-web_request-web_request_permissions.cc.patch b/patches/extensions-browser-api-web_request-web_request_permissions.cc.patch
new file mode 100644
index 000000000000..96ea6e47ffd4
--- /dev/null
+++ b/patches/extensions-browser-api-web_request-web_request_permissions.cc.patch
@@ -0,0 +1,21 @@
+diff --git a/extensions/browser/api/web_request/web_request_permissions.cc b/extensions/browser/api/web_request/web_request_permissions.cc
+index bf321bd13711feaf4f7889f71d876ed6d71ebd7c..d6d66bd52170db2e7d4f11c8f8e59af40abe1936 100644
+--- a/extensions/browser/api/web_request/web_request_permissions.cc
++++ b/extensions/browser/api/web_request/web_request_permissions.cc
+@@ -9,6 +9,7 @@
+ #include "base/strings/string_piece.h"
+ #include "base/strings/string_util.h"
+ #include "base/strings/stringprintf.h"
++#include "brave/extensions/common/brave_extension_urls.h"
+ #include "content/public/browser/child_process_security_policy.h"
+ #include "content/public/browser/resource_request_info.h"
+ #include "extensions/browser/api/extensions_api_client.h"
+@@ -320,6 +321,8 @@ bool WebRequestPermissions::HideRequest(
+   // for requests from common renderers.
+   if (extension_urls::IsWebstoreUpdateUrl(url) ||
+       extension_urls::IsBlacklistUpdateUrl(url) ||
++      extension_urls::IsBraveProtectedUrl(url::Origin::Create(url),
++                                          url.path_piece()) ||
+       extension_urls::IsSafeBrowsingUrl(url::Origin::Create(url),
+                                         url.path_piece()) ||
+       (url.DomainIs("chrome.google.com") &&