1380325 - Malicious downloads are allowed on the first download from a fresh profile

Status: NEW

(Toolkit :: Safe Browsing, defect, P5)

Description

[Cristian Comorasu, QA [:ccomorasu], Release Desktop QA]

[Affected versions]:
 Fx 54.0.1
 Fx 55.0b8
 Fx 56.0a1

[Affected platforms]:
 Windows 10 x64
 macOS X 10.12.3
 Ubuntu 14.04 LTS 

[Steps to reproduce]:
 1. Launch Firefox on a clean profile.
 2. Go to http://testsafebrowsing.appspot.com/.
 3. Click on the link from "1.Should show a "malicious" warning, based on URL" from "Desktop Download Warnings".

[Expected result]:
 The download is not started and the user is warned about the malicious download by displaying the red dot warning from the download panel icon.

[Actual result]:
 The download is finished.

[Regression range]:
 Last good build ID: 20170205030206
 First bad build ID: 20170206030211
 Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3e555770a90a41e04bbb4ac41b65fa2f1db6977d&tochange=20a8536b0bfac74389d3a57bd8dd957d98779ce1

[Additional notes]:
 a. Screen record with the issue: http://imgur.com/a/x0z0S
 b. This issue occurs only on the first download from a clean profile.

Comment 1

[:Paolo Amadini]

(In reply to Cristian Comorasu [:CristiComo] from comment #0)
>  b. This issue occurs only on the first download from a clean profile.

I have sometimes observed this on an existing profile as well, so it may be worth investigating, see related bug 1146976 which happened some time ago. This might not depend on us but on the Safe Browsing service, though.

The issue with new profiles is well-known, and it happens because the full Safe Browsing lists haven't been updated yet. Since our QA is often stumbling on this issue, see bug 1299170 as example, is there a way to set up our own test URIs that are hardcoded in the client? In fact for the Downloads Panel we just need to test the verdicts, in particular malware, potentially unwanted, and uncommon downloads.

Comment 2

[Thomas Nguyen (:tnguyen)]

(In reply to :Paolo Amadini from comment #1)
> The issue with new profiles is well-known, and it happens because the full
> Safe Browsing lists haven't been updated yet. Since our QA is often
> stumbling on this issue, see bug 1299170 as example

Indeed, for the new profile, the Safe Browsing lists updating will be kicked off after a random time between 0 - 1 mins, so we probably have to wait for about 3-5 minutes to get the lists.
We wrote a support page to let users manually update Safe Browsing list in about:url-classifier. You will see some update button, if you want to test malicious warning page, just click update before your test.

Comment 3

[François Marier [:francois]]

(In reply to Thomas Nguyen[:tnguyen] ni plz from comment #2)
> Indeed, for the new profile, the Safe Browsing lists updating will be kicked
> off after a random time between 0 - 1 mins, so we probably have to wait for
> about 3-5 minutes to get the lists.
> We wrote a support page to let users manually update Safe Browsing list in
> about:url-classifier. You will see some update button, if you want to test
> malicious warning page, just click update before your test.

What Thomas said is true in general (and for V4 that's all we'll care about), but for V2 (Fx <= 55), there is an extra complication: it takes up to 14 hours for the entire list to be downloaded.

So because the first test of the "Download Warnings" section is based on URL blocking (as opposed to the contents of the download), then if you're using a new profile, you need to first leave it running for 14 hours before running through the tests.

After that, it should work fine. All of the tests should pass.

Comment 4

[:Paolo Amadini]

Thanks for the explanation, the 14 hours running time is probably the reason for the issues with the first download I observed in existing profiles.

Since this is not an issue anymore in Firefox 56, the most common reason for which QA thinks something is broken in the client could be gone. Maybe we should just leave this bug open as reference for QA until 56 is released.