Remove Intent selector from 2-pane deep link Intent

To guard against the arbitrary Intent injection through Selector.

Bug: 246300272
Test: make RunSettingsRoboTests ROBOTEST_FILTER=SettingsActivityTest
Change-Id: I8b3b936de490f09f4be960fdafc6e66a1d858ee2

src/com/android/settings/SettingsActivity.java

@@ -397,6 +397,10 @@ public class SettingsActivity extends SettingsBaseActivity
      */
     public static Intent getTrampolineIntent(Intent intent, String highlightMenuKey) {
         final Intent detailIntent = new Intent(intent);
+        // Guard against the arbitrary Intent injection.
+        if (detailIntent.getSelector() != null) {
+            detailIntent.setSelector(null);
+        }
         // It's a deep link intent, SettingsHomepageActivity will set SplitPairRule and start it.
         final Intent trampolineIntent = new Intent(ACTION_SETTINGS_EMBED_DEEP_LINK_ACTIVITY)
                 .setPackage(Utils.SETTINGS_PACKAGE_NAME)

tests/robotests/src/com/android/settings/SettingsActivityTest.java

@@ -16,6 +16,8 @@
 
 package com.android.settings;
 
+import static android.provider.Settings.EXTRA_SETTINGS_EMBEDDED_DEEP_LINK_INTENT_URI;
+
 import static com.android.settings.SettingsActivity.EXTRA_SHOW_FRAGMENT;
 
 import static com.google.common.truth.Truth.assertThat;
@@ -30,6 +32,7 @@ import static org.mockito.Mockito.when;
 import android.app.ActivityManager;
 import android.content.Context;
 import android.content.Intent;
+import android.net.Uri;
 
 import androidx.fragment.app.Fragment;
 import androidx.fragment.app.FragmentManager;
@@ -49,6 +52,7 @@ import org.robolectric.RobolectricTestRunner;
 import org.robolectric.RuntimeEnvironment;
 import org.robolectric.annotation.Config;
 
+import java.net.URISyntaxException;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -114,6 +118,29 @@ public class SettingsActivityTest {
         assertThat(((ListenerFragment) fragments.get(1)).mOnActivityResultCalled).isTrue();
     }
 
+    @Test
+    public void getTrampolineIntent_intentSelector_shouldNotChangeIntentAction() {
+        Intent targetIntent = new Intent().setClassName("android",
+                "com.android.internal.app.PlatLogoActivity");
+        Intent intent = new Intent(android.provider.Settings.ACTION_DISPLAY_SETTINGS);
+        intent.setComponent(intent.resolveActivity(mContext.getPackageManager()));
+        intent.setSelector(new Intent().setData(
+                Uri.fromParts(targetIntent.toUri(Intent.URI_INTENT_SCHEME), /* ssp= */ "",
+                /* fragment= */ null)));
+
+        Intent resultIntent = SettingsActivity.getTrampolineIntent(intent, "menu_key");
+
+        String intentUriString =
+                resultIntent.getStringExtra(EXTRA_SETTINGS_EMBEDDED_DEEP_LINK_INTENT_URI);
+        Intent parsedIntent = null;
+        try {
+            parsedIntent = Intent.parseUri(intentUriString, Intent.URI_INTENT_SCHEME);
+        } catch (URISyntaxException e) {
+            // Do nothng.
+        }
+        assertThat(parsedIntent.getAction()).isEqualTo(intent.getAction());
+    }
+
     public static class ListenerFragment extends Fragment implements OnActivityResultListener {
 
         private boolean mOnActivityResultCalled;