Recover shady content:// paths.android-security-8.0.0_r54android-security-8.0.0_r53android-security-8.0.0_r52android-8.0.0_r51android-8.0.0_r50android-8.0.0_r49android-8.0.0_r48android-8.0.0_r47android-8.0.0_r46android-8.0.0_r45android-8.0.0_r44android-8.0.0_r43android-8.0.0_r42android-8.0.0_r41android-8.0.0_r40android-8.0.0_r39android-8.0.0_r38android-8.0.0_r37security-oc-releaseoreo-security-release

The path-permission element offers prefix or regex style matching of
paths, but most providers internally use UriMatcher to decide what
to do with an incoming Uri.

This causes trouble because UriMatcher uses Uri.getPathSegments(),
which quietly ignores "empty" paths.  Consider this example:

    <path-permission android:pathPrefix="/private" ... />

    uriMatcher.addURI("com.example", "/private", CODE_PRIVATE);

    content://com.example//private

The Uri above will pass the security check, since it's not
technically a prefix match.  But the UriMatcher will then match it
as CODE_PRIVATE, since it ignores the "//" zero-length path.

Since we can't safely change the behavior of either path-permission
or UriMatcher, we're left with recovering these shady paths by
trimming away zero-length paths.

Bug: 112555574
cts-tradefed run cts -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AppSecurityTests
Change-Id: Ia62aa19b7d554b806b29875eb6e397adfe69d23b
Merged-In: Ia62aa19b7d554b806b29875eb6e397adfe69d23b

(cherry picked from commit 3a22542c503d70dcf98e22a06ac9caa0ce8e5ab3)

1 files changed, 30 insertions, 0 deletions

diff --git a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
index 0e569015132..f2cbc6c552f 100644
--- a/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
+++ b/hostsidetests/appsecurity/test-apps/UsePermissionDiffCert/src/com/android/cts/usespermissiondiffcertapp/AccessPermissionWithDiffSigTest.java
@@ -114,6 +114,16 @@ public class AccessPermissionWithDiffSigTest extends AndroidTestCase {
         }
     }
 
+    private void assertContentUriAllowed(Uri uri) {
+        assertReadingContentUriAllowed(uri);
+        assertWritingContentUriAllowed(uri);
+    }
+
+    private void assertContentUriNotAllowed(Uri uri, String msg) {
+        assertReadingContentUriNotAllowed(uri, msg);
+        assertWritingContentUriNotAllowed(uri, msg);
+    }
+
     private void assertWritingContentUriNotAllowed(Uri uri, String msg) {
         final ContentResolver resolver = getContext().getContentResolver();
         try {
@@ -1197,6 +1207,26 @@ public class AccessPermissionWithDiffSigTest extends AndroidTestCase {
     }
 
     /**
+     * Test that shady {@link Uri} are blocked by {@code path-permission}.
+     */
+    public void testRestrictingProviderMatchingShadyPaths() {
+        assertContentUriAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting/"));
+        assertContentUriAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting//"));
+        assertContentUriAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting///"));
+        assertContentUriNotAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo"), null);
+        assertContentUriNotAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting//foo"), null);
+        assertContentUriNotAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting///foo"), null);
+        assertContentUriNotAllowed(
+                Uri.parse("content://ctspermissionwithsignaturepathrestricting/foo//baz"), null);
+    }
+
+    /**
      * Verify that at least one {@code path-permission} rule will grant access,
      * even if the caller doesn't hold another matching {@code path-permission}.
      */