Merge "CTS test for Android Security b/179042963" into tm-dev am: 6f4b53d am: 9186d11

Original change: https://googleplex-android-review.googlesource.com/c/platform/cts/+/24240210

Change-Id: Ia6d3ee197d6d9d0204bd5922acda00e00bf1d2af
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

Author: Treehugger Robot

tests/tests/security/AndroidManifest.xml

@@ -261,6 +261,19 @@
             </intent-filter>
         </service>
 
+        <activity android:name="android.security.cts.CVE_2021_0600.PocActivity" />
+
+        <receiver android:name="android.security.cts.CVE_2021_0600.PocDeviceAdminReceiver"
+            android:permission="android.permission.BIND_DEVICE_ADMIN"
+            android:exported="true">
+            <meta-data
+                android:name="android.app.device_admin"
+                android:resource="@xml/device_admin_cve_2021_0600" />
+            <intent-filter>
+                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
+            </intent-filter>
+        </receiver>
+
         <activity android:name="android.security.cts.CVE_2023_20953.PocActivity"
             android:exported="true" />
 

tests/tests/security/res/values/strings.xml

@@ -44,4 +44,19 @@
     <string name="cve_2023_20960_uriStringComponent">component=</string>
     <string name="cve_2023_20960_uriStringIntent">intent:#Intent;</string>
     <string name="cve_2023_20960_uriStringSuffix">;end</string>
+
+    <!-- CVE-2021-0600 -->
+    <string name="cve_2021_0600_action">CVE_2021_0600_action</string>
+    <string name="cve_2021_0600_errorCreateCharSeq">Failed to create a charsequence to contain HTML
+    text</string>
+    <string name="cve_2021_0600_failMsg">Vulnerable to b/179042963 !!</string>
+    <string name="cve_2021_0600_intentNotFound">Failed to resolve %1$s</string>
+    <string name="cve_2021_0600_keyException">exception</string>
+    <string name="cve_2021_0600_keyHtml">html</string>
+    <string name="cve_2021_0600_noException">noException</string>
+    <string name="cve_2021_0600_pattern">.*CVE_2021_0600_EXPN.*</string>
+    <string name="cve_2021_0600_patternNotFound">UI element with text pattern %1$s not found
+    </string>
+    <string name="cve_2021_0600_targetText">CVE_2021_0600_EXPN</string>
+    <string name="cve_2021_0600_targetTextHtml"><![CDATA[<h1>CVE_2021_0600_EXPN</h1>]]></string>
 </resources>

tests/tests/security/res/xml/device_admin_cve_2021_0600.xml

@@ -0,0 +1,20 @@
+<?xml version ="1.0" encoding ="utf-8"?>
+<!--
+  Copyright 2023 The Android Open Source Project
+
+  Licensed under the Apache License, Version 2.0 (the "License");
+  you may not use this file except in compliance with the License.
+  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+  -->
+
+<device-admin>
+    <uses-policies />
+</device-admin>

tests/tests/security/src/android/security/cts/CVE_2021_0600/CVE_2021_0600.java

@@ -0,0 +1,137 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0600;
+
+import static androidx.test.platform.app.InstrumentationRegistry.getInstrumentation;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assume.assumeNoException;
+import static org.junit.Assume.assumeTrue;
+
+import android.app.Instrumentation;
+import android.content.BroadcastReceiver;
+import android.content.Context;
+import android.content.Intent;
+import android.content.IntentFilter;
+import android.graphics.Rect;
+import android.platform.test.annotations.AsbSecurityTest;
+import android.security.cts.R;
+import android.support.test.uiautomator.By;
+import android.support.test.uiautomator.BySelector;
+import android.support.test.uiautomator.UiDevice;
+import android.support.test.uiautomator.UiObject2;
+import android.support.test.uiautomator.Until;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.sts.common.util.StsExtraBusinessLogicTestCase;
+
+import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.TimeUnit;
+import java.util.regex.Pattern;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+@RunWith(AndroidJUnit4.class)
+public class CVE_2021_0600 extends StsExtraBusinessLogicTestCase {
+    private static final long TIMEOUT_MS = 5000;
+    private CompletableFuture<String> mPocActivityReturn;
+    private UiDevice mDevice;
+    private Context mContext;
+
+    // b/179042963
+    // Vulnerable package : com.android.settings (As per AOSP code)
+    // Vulnerable app     : Settings.apk (As per AOSP code)
+    @AsbSecurityTest(cveBugId = 179042963)
+    @Test
+    public void testPocCVE_2021_0600() {
+        try {
+            Instrumentation instrumentation = getInstrumentation();
+            mDevice = UiDevice.getInstance(instrumentation);
+            mContext = instrumentation.getContext();
+
+            // Registering a broadcast receiver to receive broadcast from PocActivity.
+            mPocActivityReturn = new CompletableFuture<>();
+            BroadcastReceiver broadcastReceiver = new BroadcastReceiver() {
+                @Override
+                public void onReceive(Context context, Intent intent) {
+                    try {
+                        mPocActivityReturn.complete(intent.getStringExtra(
+                                mContext.getString(R.string.cve_2021_0600_keyException)));
+                    } catch (Exception e) {
+                        // ignore.
+                    }
+                }
+            };
+            mContext.registerReceiver(broadcastReceiver,
+                    new IntentFilter(mContext.getString(R.string.cve_2021_0600_action)));
+
+            // Launch the PocActivity which in turn starts DeviceAdminAdd activity with normal
+            // text as 'explanation'.
+            Intent intent = new Intent(mContext, PocActivity.class);
+            intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TASK);
+            intent.putExtra(mContext.getString(R.string.cve_2021_0600_keyHtml), false);
+            mContext.startActivity(intent);
+            String pocActivityException = mPocActivityReturn.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
+            assumeTrue(pocActivityException, pocActivityException.trim()
+                    .equals(mContext.getString(R.string.cve_2021_0600_noException)));
+
+            // Get the height of the normal text with no formatting. Because width is same both
+            // with and without fix, height is being used for comparing the with and without
+            // fix behaviour.
+            int heightWoHtml = getVulnerableUIHeight();
+            assumeTrue(heightWoHtml != -1);
+
+            // Launch PocActivity again such that DeviceAdminAdd activity starts with formatted text
+            // this time.
+            mPocActivityReturn = new CompletableFuture<>();
+            intent.putExtra(mContext.getString(R.string.cve_2021_0600_keyHtml), true);
+            mContext.startActivity(intent);
+            pocActivityException = mPocActivityReturn.get(TIMEOUT_MS, TimeUnit.MILLISECONDS);
+            assumeTrue(pocActivityException, pocActivityException
+                    .equalsIgnoreCase(mContext.getString(R.string.cve_2021_0600_noException)));
+
+            // Get the height of HTML text with formatting.
+            int heightWithHtml = getVulnerableUIHeight();
+            assumeTrue(heightWithHtml != -1);
+
+            // On vulnerable device, the text displayed on the screen will be HTML formatted, so
+            // there will be considerable increase in height of the text due to <h1> tag, if there
+            // is at least 20% increase in height, the test will fail.
+            assertFalse(mContext.getString(R.string.cve_2021_0600_failMsg),
+                    heightWithHtml > 1.2 * heightWoHtml);
+        } catch (Exception e) {
+            assumeNoException(e);
+        }
+    }
+
+    private int getVulnerableUIHeight() {
+        Pattern pattern = Pattern.compile(mContext.getString(R.string.cve_2021_0600_pattern),
+                Pattern.CASE_INSENSITIVE);
+        BySelector selector = By.text(pattern);
+        assumeTrue(mContext.getString(R.string.cve_2021_0600_patternNotFound, pattern),
+                mDevice.wait(Until.hasObject(selector), TIMEOUT_MS));
+        UiObject2 obj = mDevice.findObject(selector);
+        if (obj != null && obj.getText() != null
+                && obj.getText().contains(mContext.getString(R.string.cve_2021_0600_targetText))) {
+            Rect bounds = obj.getVisibleBounds();
+            return bounds.bottom - bounds.top;
+        }
+        return -1;
+    }
+}

tests/tests/security/src/android/security/cts/CVE_2021_0600/PocActivity.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0600;
+
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeNotNull;
+
+import android.app.Activity;
+import android.app.admin.DevicePolicyManager;
+import android.content.ComponentName;
+import android.content.Intent;
+import android.os.Bundle;
+import android.security.cts.R;
+import android.text.Html;
+
+// The vulnerable activity ADD_DEVICE_ADMIN can't be started as a new task hence PocActivity is
+// created to launch it.
+public class PocActivity extends Activity {
+
+    @Override
+    protected void onCreate(Bundle savedInstanceState) {
+        try {
+            super.onCreate(savedInstanceState);
+
+            // Create an intent to launch DeviceAdminAdd activity.
+            Intent intent = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
+            assumeNotNull(getString(R.string.cve_2021_0600_intentNotFound, intent),
+                    intent.resolveActivity(getPackageManager()));
+            intent.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN,
+                    new ComponentName(this, PocDeviceAdminReceiver.class));
+
+            // For adding an extra 'explanation' to the intent, creating a charsequence object.
+            CharSequence seq = Html.fromHtml(getString(R.string.cve_2021_0600_targetText));
+            if (getIntent().getBooleanExtra(getString(R.string.cve_2021_0600_keyHtml), false)) {
+                seq = Html.fromHtml(getString(R.string.cve_2021_0600_targetTextHtml));
+            }
+
+            // Using Html.fromHtml() causes whitespaces to occur at the start/end of the text which
+            // are unwanted. Remove the whitespace characters if any at the start and end of the
+            // charsequence.
+            int end = seq.length() - 1;
+            int start = 0;
+            while ((Character.isWhitespace(seq.charAt(start))) && start < end) {
+                ++start;
+            }
+            while ((Character.isWhitespace(seq.charAt(end))) && end > start) {
+                --end;
+            }
+
+            // Check if the charsequence is valid after trimming the whitespaces.
+            assumeFalse(getString(R.string.cve_2021_0600_errorCreateCharSeq), start > end);
+
+            // Adding the extra 'explanation' and launching the activity.
+            intent.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
+                    seq.subSequence(start, end + 1));
+            startActivity(intent);
+
+            // Send a broadcast to indicate no exceptions occurred.
+            sendBroadcast(new Intent(getString(R.string.cve_2021_0600_action)).putExtra(
+                    getString(R.string.cve_2021_0600_keyException),
+                    getString(R.string.cve_2021_0600_noException)));
+        } catch (Exception e) {
+            try {
+                // Send a broadcast to report exception.
+                sendBroadcast(new Intent(getString(R.string.cve_2021_0600_action))
+                        .putExtra(getString(R.string.cve_2021_0600_keyException), e.getMessage()));
+            } catch (Exception ignored) {
+                // ignore.
+            }
+        }
+    }
+}

tests/tests/security/src/android/security/cts/CVE_2021_0600/PocDeviceAdminReceiver.java

@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts.CVE_2021_0600;
+
+import android.app.admin.DeviceAdminReceiver;
+
+public class PocDeviceAdminReceiver extends DeviceAdminReceiver {
+}