Reject referral promo header names unless whitelisted

Fix brave/brave-browser#3301 Currently the only whitelisted header is 'X-Brave-Partner'.
brave · Feb 11, 2019 · 2d54f91 · 2d54f91
1 parent c3b61b0
commit 2d54f91
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 2 deletions.
diff --git a/browser/net/brave_referrals_network_delegate_helper.cc b/browser/net/brave_referrals_network_delegate_helper.cc
@@ -6,6 +6,7 @@
 
 #include "base/values.h"
 #include "brave/components/brave_referrals/browser/brave_referrals_service.h"
+#include "brave/common/network_constants.h"
 #include "chrome/browser/browser_process.h"
 #include "content/public/browser/browser_thread.h"
 #include "extensions/common/url_pattern.h"
@@ -27,7 +28,9 @@ int OnBeforeStartTransaction_ReferralsWork(
           *ctx->referral_headers_list, &request_headers_dict, request->url()))
     return net::OK;
   for (const auto& it : request_headers_dict->DictItems()) {
-    headers->SetHeader(it.first, it.second.GetString());
+    if (it.first == kBravePartnerHeader) {
+      headers->SetHeader(it.first, it.second.GetString());
+    }
   }
   return net::OK;
 }

diff --git a/browser/net/brave_referrals_network_delegate_helper_unittest.cc b/browser/net/brave_referrals_network_delegate_helper_unittest.cc
@@ -21,7 +21,8 @@ const char kTestReferralHeaders[] = R"(
          "barrons.com"
       ],
       "headers": {
-         "X-Brave-Partner":"dowjones"
+         "X-Brave-Partner":"dowjones",
+         "X-Invalid": "test"
       },
       "cookieNames": [
       ],
@@ -89,6 +90,10 @@ TEST_F(BraveReferralsNetworkDelegateHelperTest, ReplaceHeadersForMatchingDomain)
   headers.GetHeader("X-Brave-Partner", &partner_header);
   EXPECT_EQ(partner_header, "dowjones");
 
+  std::string invalid_partner_header;
+  EXPECT_EQ(headers.GetHeader("X-Invalid", &invalid_partner_header), false);
+  EXPECT_EQ(invalid_partner_header, "");
+
   EXPECT_EQ(ret, net::OK);
 }
 

diff --git a/common/network_constants.cc b/common/network_constants.cc
@@ -26,6 +26,7 @@ const char kCookieHeader[] = "Cookie";
 // Intentional misspelling on referrer to match HTTP spec
 const char kRefererHeader[] = "Referer";
 const char kUserAgentHeader[] = "User-Agent";
+const char kBravePartnerHeader[] = "X-Brave-Partner";
 
 const char kBittorrentMimeType[] = "application/x-bittorrent";
 const char kOctetStreamMimeType[] = "application/octet-stream";
diff --git a/common/network_constants.h b/common/network_constants.h
@@ -24,6 +24,7 @@ extern const char kTwitterRedirectURL[];
 extern const char kCookieHeader[];
 extern const char kRefererHeader[];
 extern const char kUserAgentHeader[];
+extern const char kBravePartnerHeader[];
 
 extern const char kBittorrentMimeType[];
 extern const char kOctetStreamMimeType[];