Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2c5add83 authored by Billy Huang's avatar Billy Huang
Browse files

RESTRICT AUTOMERGE backport "opp: validate that content uri belongs to current user" 

Bug: 296915500
Flag: EXEMPT trivial fix with complete testing coverage
Test: atest GoogleBluetoothInstrumentationTests:BluetoothOppSendFileInfoTest
Ignore-AOSP-First: fix for undisclosed vulnerability
Merged-In: I76b25fcd446d5e0530308e21deafa68d0b768edc
Change-Id: I0b6423025c95c13eeea3cbf584212913b5fbf307
parent 6aca8560

android/app/src/com/android/bluetooth/opp/BluetoothOppSendFileInfo.java

+15 −0
Original line number Diff line number Diff line
@@ -32,6 +32,8 @@ 


package com.android.bluetooth.opp;



import static android.os.UserHandle.myUserId;



import android.content.ContentResolver;

import android.content.Context;

import android.content.res.AssetFileDescriptor;
@@ -39,6 +41,7 @@ import android.database.Cursor; 
import android.database.sqlite.SQLiteException;

import android.net.Uri;

import android.provider.OpenableColumns;

import android.text.TextUtils;

import android.util.EventLog;

import android.util.Log;
@@ -49,6 +52,7 @@ import java.io.File; 
import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.IOException;

import java.util.Objects;



/**

 * This class stores information about a single sending file It will only be
@@ -117,6 +121,11 @@ public class BluetoothOppSendFileInfo { 
                return SEND_FILE_INFO_ERROR;

            }



            if (isContentUriForOtherUser(uri)) {

                Log.e(TAG, "Uri: " + uri + " is invalid for user " + myUserId());

                return SEND_FILE_INFO_ERROR;

            }



            contentType = contentResolver.getType(uri);

            Cursor metadataCursor;

            try {
@@ -253,6 +262,12 @@ public class BluetoothOppSendFileInfo { 
        return new BluetoothOppSendFileInfo(fileName, contentType, length, is, 0);

    }



    private static boolean isContentUriForOtherUser(Uri uri) {

        String uriUserId = uri.getUserInfo();

        return !TextUtils.isEmpty(uriUserId)

                && !Objects.equals(uriUserId, String.valueOf(myUserId()));

    }



    private static long getStreamSize(FileInputStream is) throws IOException {

        long length = 0;

        byte[] unused = new byte[4096];

android/app/tests/unit/src/com/android/bluetooth/opp/BluetoothOppSendFileInfoTest.java

+106 −1
Original line number Diff line number Diff line
@@ -17,6 +17,8 @@ 


package com.android.bluetooth.opp;



import static android.os.UserHandle.myUserId;



import static com.google.common.truth.Truth.assertThat;



import static org.mockito.ArgumentMatchers.any;
@@ -31,7 +33,6 @@ import android.content.res.AssetFileDescriptor; 
import android.database.MatrixCursor;

import android.net.Uri;

import android.provider.OpenableColumns;

import android.util.Log;



import androidx.test.platform.app.InstrumentationRegistry;

import androidx.test.runner.AndroidJUnit4;
@@ -120,6 +121,110 @@ public class BluetoothOppSendFileInfoTest { 
        assertThat(info).isEqualTo(BluetoothOppSendFileInfo.SEND_FILE_INFO_ERROR);

    }



    @Test

    public void generateFileInfo_withContentUriForOtherUser_returnsSendFileInfoError()

            throws Exception {

        String type = "image/jpeg";

        Uri uri = buildContentUriWithEncodedAuthority((myUserId() + 1) + "@media");



        long fileLength = 1000;

        String fileName = "pic.jpg";



        FileInputStream fs = mock(FileInputStream.class);

        AssetFileDescriptor fd = mock(AssetFileDescriptor.class);

        doReturn(fileLength).when(fd).getLength();

        doReturn(fs).when(fd).createInputStream();



        doReturn(fd).when(mCallProxy).contentResolverOpenAssetFileDescriptor(any(), eq(uri), any());



        mCursor =

                new MatrixCursor(new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});

        mCursor.addRow(new Object[] {fileName, fileLength});



        doReturn(mCursor)

                .when(mCallProxy)

                .contentResolverQuery(any(), eq(uri), any(), any(), any(), any());



        BluetoothOppSendFileInfo info =

                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, type, true);



        assertThat(info).isEqualTo(BluetoothOppSendFileInfo.SEND_FILE_INFO_ERROR);

    }



    @Test

    public void generateFileInfo_withContentUriForImplicitUser_returnsInfoWithCorrectLength()

            throws Exception {

        String type = "image/jpeg";

        Uri uri = buildContentUriWithEncodedAuthority("media");



        long fileLength = 1000;

        String fileName = "pic.jpg";



        FileInputStream fs = mock(FileInputStream.class);

        AssetFileDescriptor fd = mock(AssetFileDescriptor.class);

        doReturn(fileLength).when(fd).getLength();

        doReturn(fs).when(fd).createInputStream();



        doReturn(fd).when(mCallProxy).contentResolverOpenAssetFileDescriptor(any(), eq(uri), any());



        mCursor =

                new MatrixCursor(new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});

        mCursor.addRow(new Object[] {fileName, fileLength});



        doReturn(mCursor)

                .when(mCallProxy)

                .contentResolverQuery(any(), eq(uri), any(), any(), any(), any());



        BluetoothOppSendFileInfo info =

                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, type, true);



        assertThat(info.mInputStream).isEqualTo(fs);

        assertThat(info.mFileName).isEqualTo(fileName);

        assertThat(info.mLength).isEqualTo(fileLength);

        assertThat(info.mStatus).isEqualTo(0);

    }



    @Test

    public void generateFileInfo_withContentUriForSameUser_returnsInfoWithCorrectLength()

            throws Exception {

        String type = "image/jpeg";

        Uri uri = buildContentUriWithEncodedAuthority(myUserId() + "@media");



        long fileLength = 1000;

        String fileName = "pic.jpg";



        FileInputStream fs = mock(FileInputStream.class);

        AssetFileDescriptor fd = mock(AssetFileDescriptor.class);

        doReturn(fileLength).when(fd).getLength();

        doReturn(fs).when(fd).createInputStream();



        doReturn(fd).when(mCallProxy).contentResolverOpenAssetFileDescriptor(any(), eq(uri), any());



        mCursor =

                new MatrixCursor(new String[] {OpenableColumns.DISPLAY_NAME, OpenableColumns.SIZE});

        mCursor.addRow(new Object[] {fileName, fileLength});



        doReturn(mCursor)

                .when(mCallProxy)

                .contentResolverQuery(any(), eq(uri), any(), any(), any(), any());



        BluetoothOppSendFileInfo info =

                BluetoothOppSendFileInfo.generateFileInfo(mContext, uri, type, true);



        assertThat(info.mInputStream).isEqualTo(fs);

        assertThat(info.mFileName).isEqualTo(fileName);

        assertThat(info.mLength).isEqualTo(fileLength);

        assertThat(info.mStatus).isEqualTo(0);

    }



    private static Uri buildContentUriWithEncodedAuthority(String authority) {

        return new Uri.Builder()

                .scheme("content")

                .encodedAuthority(authority)

                .path("external/images/media/1")

                .build();

    }



    @Test

    public void generateFileInfo_withoutPermissionForAccessingUri_returnsSendFileInfoError() {

        String type = "text/plain";