Skip to content

Add mojo-security-validation opengrep rule for Chromium#865

Open
thypon wants to merge 1 commit intomainfrom
chromium/mojo-security-validation
Open

Add mojo-security-validation opengrep rule for Chromium#865
thypon wants to merge 1 commit intomainfrom
chromium/mojo-security-validation

Conversation

@thypon
Copy link
Member

@thypon thypon commented Nov 4, 2025

Supersedes: #855

@thypon thypon requested a review from a team as a code owner November 4, 2025 14:31
github-actions[bot]
github-actions bot reviewed Nov 4, 2025
View reviewed changes
assets/opengrep_rules/client/mojo-security-validation.cpp
public:
// SHOULD TRIGGER: File path without validation (dangerous)
// ruleid: chromium-mojo-privilege-validation
void ReadFile(const base::FilePath& file_path) override {
Copy link
Contributor

@github-actions github-actions bot Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[opengrep] Mojo interface methods that receive privilege-presuming data (like file paths,
origins, or URLs) should validate this data using ChildProcessSecurityPolicy
before use. Untrusted processes can send arbitrary data over IPC.
Use methods like CanAccessDataForOrigin(), CanReadFile(), etc.


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/mojo-security-validation.yaml


Cc @thypon @cdesouza-chromium

assets/opengrep_rules/client/mojo-security-validation.cpp

// SHOULD TRIGGER: URL without origin validation (dangerous)
// ruleid: chromium-mojo-privilege-validation
void FetchResource(const GURL& url, int render_process_id) override {
Copy link
Contributor

@github-actions github-actions bot Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[opengrep] Mojo interface methods that receive privilege-presuming data (like file paths,
origins, or URLs) should validate this data using ChildProcessSecurityPolicy
before use. Untrusted processes can send arbitrary data over IPC.
Use methods like CanAccessDataForOrigin(), CanReadFile(), etc.


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/mojo-security-validation.yaml


Cc @thypon @cdesouza-chromium

assets/opengrep_rules/client/mojo-security-validation.cpp

// SHOULD TRIGGER: Origin without validation (dangerous)
// ruleid: chromium-mojo-privilege-validation
void AccessOriginData(const url::Origin& origin, int pid) override {
Copy link
Contributor

@github-actions github-actions bot Nov 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

reported by reviewdog 🐶
[opengrep] Mojo interface methods that receive privilege-presuming data (like file paths,
origins, or URLs) should validate this data using ChildProcessSecurityPolicy
before use. Untrusted processes can send arbitrary data over IPC.
Use methods like CanAccessDataForOrigin(), CanReadFile(), etc.


Source: https://github.com/brave/security-action/blob/main/assets/opengrep_rules/client/mojo-security-validation.yaml


Cc @thypon @cdesouza-chromium

@thypon thypon force-pushed the chromium/mojo-security-validation branch 2 times, most recently from badd7f7 to f12c92c Compare November 11, 2025 07:25
@thypon
Add mojo-security-validation opengrep rule for Chromium
7301cca 
Enforce privilege validation in Mojo IPC handlers to prevent privilege
escalation through IPC message spoofing.
@thypon thypon force-pushed the chromium/mojo-security-validation branch from f12c92c to 7301cca Compare November 11, 2025 08:04
@github-actions
Copy link
Contributor

github-actions bot commented Nov 11, 2025

Opengrep Findings

📈 Comparison Results

  • Base branch findings: 0
  • Current branch findings: 12
  • Net change: +12 (100%)
  • New findings from rule changes: 12
  • New rules introduced: 1

Summary by Rule

Rule ID Findings Severity Change
client.chromium-mojo-privilege-validation 12 WARNING 🆕 New

Detailed Findings

client.chromium-mojo-privilege-validation (12 findings)

  • browser/ai_chat/full_screenshotter_unittest.cc
  • browser/brave_news/brave_news_tab_helper_browsertest.cc
  • browser/brave_search/backup_results_service_impl.cc
  • browser/brave_wallet/brave_wallet_ethereum_chain_browsertest.cc
  • browser/brave_wallet/send_or_sign_transaction_browsertest.cc
  • browser/extensions/brave_crx_generation_browsertest.cc
  • browser/ui/webui/ai_chat/ai_chat_untrusted_conversation_ui.cc
  • browser/ui/webui/brave_education/brave_education_page_handler_unittest.cc
  • components/brave_wayback_machine/wayback_machine_url_fetcher_unittest.cc
  • components/content_settings/renderer/brave_content_settings_agent_impl_autoplay_browsertest.cc

... and 2 more files

bridiver
bridiver reviewed Nov 17, 2025
View reviewed changes
assets/opengrep_rules/client/mojo-security-validation.yaml
patterns:
- patterns:
- pattern-either:
- pattern-regex: void\s+\w+\([^)]*base::FilePath[^)]*\)\s*override\s*\{
Copy link
Collaborator

@bridiver bridiver Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as mentioned in the original PR I think this is far too broad and it would be better to target the mojom files directly instead of the cpp unless you can filter on classes that subclass mojom::*?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bridiver bridiver bridiver left review comments

@github-actions github-actions[bot] github-actions[bot] left review comments

@cdesouza-chromium cdesouza-chromium Awaiting requested review from cdesouza-chromium

Assignees

@thypon thypon

@cdesouza-chromium cdesouza-chromium

Labels

needs-security-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@thypon @bridiver @cdesouza-chromium