Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f79ea861 authored by Tony Huang's avatar Tony Huang
Browse files

Remove grant flags before forward to other activity 

DocsUI which have Documenter permission can read / write many files.
For security concern, we should remove grant flags before forward to
other activity.

Bug: 144286721
Test: atest DocumentsUIGoogleTests
Change-Id: Icdb47a03d5ed5347248e3e19c99356d0fdb6d850
parent 77cae99c

src/com/android/documentsui/picker/ActionHandler.java

+6 −1
Original line number Diff line number Diff line
@@ -298,7 +298,12 @@ class ActionHandler<T extends FragmentActivity & Addons> extends AbstractActionH 
        Metrics.logAppVisited(info);

        mInjector.pickResult.increaseActionCount();

        final Intent intent = new Intent(mActivity.getIntent());

        intent.setFlags(intent.getFlags() & ~Intent.FLAG_ACTIVITY_FORWARD_RESULT);

        final int flagsRemoved = Intent.FLAG_ACTIVITY_FORWARD_RESULT

                | Intent.FLAG_GRANT_READ_URI_PERMISSION

                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION

                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION

                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

        intent.setFlags(intent.getFlags() & ~flagsRemoved);

        intent.setComponent(new ComponentName(

                info.activityInfo.applicationInfo.packageName, info.activityInfo.name));

        try {

tests/unit/com/android/documentsui/picker/ActionHandlerTest.java

+20 −0
Original line number Diff line number Diff line
@@ -544,6 +544,26 @@ public class ActionHandlerTest { 
        assertNotNull(mActivity.startActivityForResult.getLastValue().first);

    }



    @Test

    public void testOpenAppRoot_removeFlags() throws Exception {

        mActivity.intent.setFlags(Intent.FLAG_ACTIVITY_FORWARD_RESULT

                | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION

                | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION

                | Intent.FLAG_GRANT_WRITE_URI_PERMISSION

                | Intent.FLAG_GRANT_READ_URI_PERMISSION);

        mHandler.openRoot(TestResolveInfo.create());

        assertEquals((long) mActivity.startActivityForResult.getLastValue().second,

                AbstractActionHandler.CODE_FORWARD);

        assertNotNull(mActivity.startActivityForResult.getLastValue().first);



        int flags = mActivity.startActivityForResult.getLastValue().first.getFlags();

        assertEquals(0, flags & Intent.FLAG_ACTIVITY_FORWARD_RESULT);

        assertEquals(0, flags & Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);

        assertEquals(0, flags & Intent.FLAG_GRANT_PREFIX_URI_PERMISSION);

        assertEquals(0, flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION);

        assertEquals(0, flags & Intent.FLAG_GRANT_READ_URI_PERMISSION);

    }



    @Test

    public void testOpenAppRootWithQueryContent_matchedContent() throws Exception {

        final String queryContent = "query";