Add hidden renderer for fetching backup search results

[DJAndries]

Resolves brave/brave-browser#43399

Submitter Checklist:

• I confirm that no security/privacy review is needed and no other type of reviews are needed, or that I have requested them
• There is a ticket for my issue
• Used Github auto-closing keywords in the PR description above
• Wrote a good PR/commit description
• Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
• Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
• Checked the PR locally:
  • npm run test -- brave_browser_tests, npm run test -- brave_unit_tests wiki
  • npm run presubmit wiki, npm run gn_check, npm run tslint
• Ran git rebase master (if needed)

Reviewer Checklist:

• A security review is not needed, or a link to one is included in the PR description
• New files have MPL-2.0 license header
• Adequate test coverage exists to prevent regressions
• Major classes, functions and non-trivial code blocks are well-commented
• Changes in component dependencies are properly reflected in gn
• Code follows the style guide
• Test plan is specified in PR before merging

After-merge Checklist:

• The associated issue milestone is set to the smallest version that the
  changes has landed on
• All relevant documentation has been updated, for instance:
  • https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
  • https://github.com/brave/brave-browser/wiki/Proxy-redirected-URLs
  • https://github.com/brave/brave-browser/wiki/Fingerprinting-Protections
  • https://github.com/brave/brave-browser/wiki/Brave%E2%80%99s-Use-of-Referral-Codes
  • https://github.com/brave/brave-browser/wiki/Web-Compatibility-Exceptions-in-Brave
  • https://github.com/brave/brave-browser/wiki/QA-Guide
  • https://github.com/brave/brave-browser/wiki/P3A

Test Plan:

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] BindOnce/BindRepeating may allow callers to access objects which may already be freed in the C++ lifecycle.
Verify the occurrences manually.


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[diracdeltas]

can limit to only HTTPS here?

[diracdeltas]

actually we can limit it to only google? the API should not be able to initiate a load to any other origin.

[DJAndries]

can limit to only HTTPS here?

done

actually we can limit it to only google? the API should not be able to initiate a load to any other origin.

We may invoke requests using various TLDs depending on the user's locale, which makes this less straightforward. In HandleWebContentsStartRequest, we do ensure that the redirected requests have the same origin as the original URL.

[ShivanKaul]

Shouldn't we do the same thing as WDP extension here?

[diracdeltas]

@DJAndries can you point to the logic that decides on the TLD based on locale? it would be really bad if we assumed google.$TLD was owned by google and allowed that to go through but it actually wasn't. i think we need to be stricter than the original WDP logic @ShivanKaul given the risks are higher here.

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] BindOnce/BindRepeating may allow callers to access objects which may already be freed in the C++ lifecycle.
Verify the occurrences manually.


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

_{reported by reviewdog 🐶}
[semgrep] base::Unretained is most of the time unrequited, and a weak reference is better suited for secure coding.
Consider swapping Unretained for a weak reference.
base::Unretained usage may be acceptable when a callback owner is guaranteed
to be destroyed with the object base::Unretained is pointing to, for example:

- PrefChangeRegistrar
- base::*Timer
- mojo::Receiver
- any other class member destroyed when the class is deallocated


Source: https://github.com/brave/security-action/blob/main/assets/semgrep_rules/client/chromium-uaf.yaml


Cc @thypon @goodov @iefremov

[github-actions]

[puLL-Merge] - brave/brave-core@27285

Description

This PR implements a backup results service for Brave Search, allowing it to fetch and process search results from backup providers. It includes functionality for both direct URL fetching and full page rendering modes, with support for cookie handling and request throttling. This is used to support features like fallback mixing (GMix) and Web Discovery Project.

Security Hotspots

1. Cookie Handling: The service processes cookies from backup search providers in an OTR profile to isolate cookie storage. The service needs to ensure cookies are not leaked between sessions.

   • Location: backup_results_service_impl.cc, backup_results_navigation_throttle.cc

2. URL Loading: The service makes HTTP requests to external search providers. User input validation and URL sanitization are critical.

   • Location: brave_search_fallback_host.cc

3. Resource Limits: The service limits request size and timeout periods to prevent resource exhaustion attacks.

   • Location: backup_results_service_impl.cc

Changes

Changes

1. Browser Service

• Added BackupResultsService interface and implementation
• Created factory for service instantiation
• Implemented URL loading and page rendering functionality

2. Navigation Control

• Added BackupResultsNavigationThrottle to control navigation in backup result web contents
• Implemented request filtering and validation

3. Extension API

• Added webDiscovery extension API endpoint
• Implemented retrieveBackupResults function for extension access

4. Tests

• Added browser tests for backup results service
• Added render and navigation tests
• Updated existing search tests

sequenceDiagram
    participant Extension
    participant BackupResultsService
    participant OTRProfile
    participant WebContents
    participant BackupProvider

    Extension->>BackupResultsService: retrieveBackupResults(url)
    BackupResultsService->>OTRProfile: Create
    
    alt Full Render Mode
        BackupResultsService->>WebContents: Create
        WebContents->>BackupProvider: Initial Request
        BackupProvider->>WebContents: Response with Redirect
        WebContents->>BackupProvider: Follow Redirect
        BackupProvider->>WebContents: Final Results
        WebContents->>BackupResultsService: Extract HTML
    else Direct Mode
        BackupResultsService->>BackupProvider: Direct Request
        BackupProvider->>BackupResultsService: Results
    end
    
    BackupResultsService->>Extension: Return Results
    BackupResultsService->>OTRProfile: Cleanup

Loading