Sanitize VPN label to prevent HTML injection

    default_applicable_licenses: ["frameworks_base_license"],

}

android_library {

    name: "VpnDialogsLib",

    srcs: ["src/**/*.java"],

}

android_app {

    name: "VpnDialogs",

    certificate: "platform",

    privileged: true,

    srcs: ["src/**/*.java"],

    static_libs: ["VpnDialogsLib"],

    platform_apis: true,

}

         without any consequences. [CHAR LIMIT=20] -->

    <string name="dismiss">Dismiss</string>

    <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs

         into displaying what they want. The system will attempt to sanitize the label, and if the

         label is deemed dangerous, then this string is used instead. The first argument is the

         first 30 characters of the label, and the second argument is the package name of the app.

         Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read

         "My VPN app wants to set up a VPN connection...". If the label is very long, then, this

         will be used to show "VerylongVPNlabel… (com.my.vpn.app) wants to set up a VPN

         connection...". For this case, the code will refer to sanitized_vpn_label_with_ellipsis.

    -->

    <string name="sanitized_vpn_label_with_ellipsis">

        <xliff:g id="sanitized_vpn_label_with_ellipsis" example="My VPN app">%1$s</xliff:g>… (

        <xliff:g id="sanitized_vpn_label_with_ellipsis" example="com.my.vpn.app">%2$s</xliff:g>)

    </string>

    <!-- Malicious VPN apps may provide very long labels or cunning HTML to trick the system dialogs

         into displaying what they want. The system will attempt to sanitize the label, and if the

         label is deemed dangerous, then this string is used instead. The first argument is the

         label, and the second argument is the package name of the app.

         Example : Normally a VPN app may be called "My VPN app" in which case the dialog will read

         "My VPN app wants to set up a VPN connection...". If the VPN label contains HTML tag but

         the length is not very long, the dialog will show "VpnLabelWith<br>HtmlTag

         (com.my.vpn.app) wants to set up a VPN connection...". For this case, the code will refer

         to sanitized_vpn_label.

    -->

    <string name="sanitized_vpn_label">

        <xliff:g id="sanitized_vpn_label" example="My VPN app">%1$s</xliff:g> (

        <xliff:g id="sanitized_vpn_label" example="com.my.vpn.app">%2$s</xliff:g>)

    </string>

</resources>

import android.widget.Button;

import android.widget.TextView;

import com.android.internal.annotations.VisibleForTesting;

import com.android.internal.app.AlertActivity;

import com.android.internal.net.VpnConfig;

        implements DialogInterface.OnClickListener, ImageGetter {

    private static final String TAG = "VpnConfirm";

    // Usually the label represents the app name, 150 code points might be enough to display the app

    // name, and 150 code points won't cover the warning message from VpnDialog.

    @VisibleForTesting

    static final int MAX_VPN_LABEL_LENGTH = 150;

    @VpnManager.VpnType private final int mVpnType;

    private String mPackage;

    private VpnManager mVm;

    private View mView;

    public ConfirmDialog() {

        this(VpnManager.TYPE_VPN_SERVICE);

    }

        mVpnType = vpnType;

    }

    /**

     * This function will use the string resource to combine the VPN label and the package name.

     *

     * If the VPN label violates the length restriction, the first 30 code points of VPN label and

     * the package name will be returned. Or return the VPN label and the package name directly if

     * the VPN label doesn't violate the length restriction.

     *

     * The result will be something like,

     * - ThisIsAVeryLongVpnAppNameWhich... (com.vpn.app)

     *   if the VPN label violates the length restriction.

     * or

     * - VpnLabelWith<br>HtmlTag (com.vpn.app)

     *   if the VPN label doesn't violate the length restriction.

     *

     */

    private String getSimplifiedLabel(String vpnLabel, String packageName) {

        if (vpnLabel.codePointCount(0, vpnLabel.length()) > 30) {

            return getString(R.string.sanitized_vpn_label_with_ellipsis,

                    vpnLabel.substring(0, vpnLabel.offsetByCodePoints(0, 30)),

                            packageName);

        }

        return getString(R.string.sanitized_vpn_label, vpnLabel, packageName);

    }

    @VisibleForTesting

    protected String getSanitizedVpnLabel(String vpnLabel, String packageName) {

        final String sanitizedVpnLabel = Html.escapeHtml(vpnLabel);

        final boolean exceedMaxVpnLabelLength = sanitizedVpnLabel.codePointCount(0,

                sanitizedVpnLabel.length()) > MAX_VPN_LABEL_LENGTH;

        if (exceedMaxVpnLabelLength || !vpnLabel.equals(sanitizedVpnLabel)) {

            return getSimplifiedLabel(sanitizedVpnLabel, packageName);

        }

        return sanitizedVpnLabel;

    }

    @Override

    protected void onCreate(Bundle savedInstanceState) {

        super.onCreate(savedInstanceState);

            finish();

            return;

        }

        View view = View.inflate(this, R.layout.confirm, null);

        ((TextView) view.findViewById(R.id.warning)).setText(

                Html.fromHtml(getString(R.string.warning, getVpnLabel()),

                        this, null /* tagHandler */));

        mView = View.inflate(this, R.layout.confirm, null);

        ((TextView) mView.findViewById(R.id.warning)).setText(

                Html.fromHtml(getString(R.string.warning, getSanitizedVpnLabel(

                        getVpnLabel().toString(), mPackage)),

                        this /* imageGetter */, null /* tagHandler */));

        mAlertParams.mTitle = getText(R.string.prompt);

        mAlertParams.mPositiveButtonText = getText(android.R.string.ok);

        mAlertParams.mPositiveButtonListener = this;

        mAlertParams.mNegativeButtonText = getText(android.R.string.cancel);

        mAlertParams.mView = view;

        mAlertParams.mView = mView;

        setupAlert();

        getWindow().setCloseOnTouchOutside(false);

        button.setFilterTouchesWhenObscured(true);

    }

    @VisibleForTesting

    public CharSequence getWarningText() {

        return ((TextView) mView.findViewById(R.id.warning)).getText();

    }

    private CharSequence getVpnLabel() {

        try {

            return VpnConfig.getVpnLabel(this, mPackage);

// Copyright 2022, The Android Open Source Project

//

// Licensed under the Apache License, Version 2.0 (the "License");

// you may not use this file except in compliance with the License.

// You may obtain a copy of the License at

//

//     http://www.apache.org/licenses/LICENSE-2.0

//

// Unless required by applicable law or agreed to in writing, software

// distributed under the License is distributed on an "AS IS" BASIS,

// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

// See the License for the specific language governing permissions and

// limitations under the License.

package {

    default_applicable_licenses: ["frameworks_base_license"],

}

android_test {

    name: "VpnDialogsTests",

    // Use platform certificate because the test will invoke a hidden API.

    // (e.g. VpnManager#prepareVpn()).

    certificate: "platform",

    libs: [

        "android.test.runner",

        "android.test.base",

    ],

    static_libs: [

        "androidx.test.core",

        "androidx.test.rules",

        "androidx.test.ext.junit",

        "mockito-target-minus-junit4",

        "VpnDialogsLib",

    ],

    srcs: ["src/**/*.java"],

}

<?xml version="1.0" encoding="utf-8"?>

<!--

/*

 * Copyright (C) 2022 The Android Open Source Project

 *

 * Licensed under the Apache License, Version 2.0 (the "License");

 * you may not use this file except in compliance with the License.

 * You may obtain a copy of the License at

 *

 *      http://www.apache.org/licenses/LICENSE-2.0

 *

 * Unless required by applicable law or agreed to in writing, software

 * distributed under the License is distributed on an "AS IS" BASIS,

 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

-->

<manifest xmlns:android="http://schemas.android.com/apk/res/android"

          xmlns:tools="http://schemas.android.com/tools"

          package="com.android.vpndialogs.tests">

    <application android:debuggable="true">

        <uses-library android:name="android.test.runner" />

        <activity android:name="com.android.vpndialogs.VpnDialogTest$InstrumentedConfirmDialog"/>

    </application>

    <instrumentation android:name="androidx.test.runner.AndroidJUnitRunner"

                     android:targetPackage="com.android.vpndialogs.tests"

                     android:label="Vpn dialog tests">

    </instrumentation>

</manifest>