xref: /cts/hostsidetests/securitybulletin/test-apps/CVE-2023-20918/test-app/src/android/security/cts/CVE_2023_20918_test/DeviceTest.java

/*
 * Copyright (C) 2022 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package android.security.cts.CVE_2023_20918_test;

import static androidx.test.core.app.ApplicationProvider.getApplicationContext;

import static org.junit.Assert.assertFalse;
import static org.junit.Assume.assumeNoException;

import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;

import androidx.test.runner.AndroidJUnit4;

import org.junit.Test;
import org.junit.runner.RunWith;

import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;

@RunWith(AndroidJUnit4.class)
public class DeviceTest {
    private static final long TIMEOUT_MS = 10_000L;
    private String mAssumeFailMsg;

    @Test
    public void testCVE_2023_20918() {
        try {
            Context context = getApplicationContext();
            mAssumeFailMsg = context.getString(R.string.msgAssumeFailDefault);
            final CompletableFuture<Boolean> exploitActivityReturn = new CompletableFuture<>();
            final String bcastActionFail = context.getString(R.string.bcastActionTestFail);
            final String bcastActionPass = context.getString(R.string.bcastActionTestPass);
            final String bcastActionAssumeFail =
                    context.getString(R.string.bcastActionTestAssumeFail);

            // Register a broadcast receiver to receive broadcast from ExploitActivity indicating
            // presence of vulnerability
            BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
                @Override
                public void onReceive(Context context, Intent intent) {
                    try {
                        if (intent.getAction().equals(bcastActionFail)) {
                            exploitActivityReturn.complete(true);
                        } else if (intent.getAction().equals(bcastActionPass)) {
                            exploitActivityReturn.complete(false);
                        } else if (intent.getAction().equals(bcastActionAssumeFail)) {
                            // mAssumeFailMsg set here is used in assumeNoException() triggered
                            // when exploitActivityReturn.get() raises a timeout exception
                            mAssumeFailMsg = intent
                                    .getStringExtra(context.getString(R.string.keyMsgAssumeFail));
                        }
                    } catch (Exception ignored) {
                        // ignore the exceptions
                    }
                }
            };
            IntentFilter filter = new IntentFilter();
            filter.addAction(bcastActionFail);
            filter.addAction(bcastActionPass);
            filter.addAction(bcastActionAssumeFail);
            context.registerReceiver(broadcastReceiver, filter);

            // Write some data to the Uri content://authority/file_path/poc.txt
            final String uriString = context.getString(R.string.contentUri);
            try (OutputStream outputStream =
                    context.getContentResolver().openOutputStream(Uri.parse(uriString));) {
                outputStream.write(
                        context.getString(R.string.fileContents).getBytes(StandardCharsets.UTF_8));
            }

            // Creating an intent to launch ExploitActivity
            Intent intent = new Intent();
            final String attackerPkg = context.getString(R.string.pkgAttacker);
            final String exploitActivity = context.getString(R.string.activityExploit);
            intent.setClassName(attackerPkg, exploitActivity);
            intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);

            // Creating the inner intent for PendingIntent
            Intent innerIntent = new Intent(Intent.ACTION_MAIN, Uri.parse(uriString));
            innerIntent.setClassName(attackerPkg, exploitActivity);
            innerIntent.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
            innerIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);

            // Launch the ExploitActivity passing PendingIntent as data
            intent.putExtra(context.getString(R.string.keyPendingIntent), PendingIntent
                    .getActivity(context, 0, innerIntent, PendingIntent.FLAG_IMMUTABLE));
            context.startActivity(intent);

            // On vulnerable device, the PendingIntent launchIntentFlags will be added even though
            // it is immutable, so the test should fail if the flags are found to take effect.
            assertFalse(context.getString(R.string.msgFail),
                    exploitActivityReturn.get(TIMEOUT_MS, TimeUnit.MILLISECONDS));
        } catch (Exception e) {
            assumeNoException(mAssumeFailMsg, e);
        }
    }
}