Fix bluetooth settings will broadcast to anywhere when some cases

BluetoothPermissionActivity and DevicePickerFragment will send broadcast to return the result to calling apps. As this broadcast intent is from Settings with uid 1000, it will be sent to any protected BroadcastReceivers in the device. It can make an attacker send broadcast to protected BroadcastReceivers like factory reset intent (android/com.android.server.MasterClearReceiver) via BluetoothPermissionActivity or DevicePickerFragment. This CL will compare to calling package name with launch package name. If they are not equal, the broadcast will not send to launch package name. Bug: 179386960 Bug: 179386068 Test: make -j42 RunSettingsRoboTests and use test apk to manually test to verify factory reset not started and no system UI notification. Change-Id: Ib8a5acde663e875912d300dd4912c4e9416f02f1
2021-03-12 10:40:20 +08:00
parent 6d513a2c67
commit 9d00364da4
5 changed files with 268 additions and 115 deletions
--- a/tests/robotests/src/com/android/settings/bluetooth/DevicePickerFragmentTest.java
+++ b/tests/robotests/src/com/android/settings/bluetooth/DevicePickerFragmentTest.java
@@ -16,28 +16,46 @@

 package com.android.settings.bluetooth;

+import static com.google.common.truth.Truth.assertThat;
+
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import android.bluetooth.BluetoothDevice;
+import android.content.Context;
+import android.content.Intent;
+
+import com.android.settingslib.bluetooth.CachedBluetoothDevice;

 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
 import org.mockito.Mock;
 import org.mockito.MockitoAnnotations;
 import org.robolectric.RobolectricTestRunner;
+import org.robolectric.RuntimeEnvironment;

@RunWith(RobolectricTestRunner.class)
 public class DevicePickerFragmentTest {

    @Mock
    private BluetoothProgressCategory mAvailableDevicesCategory;
+
    private DevicePickerFragment mFragment;
+    private Context mContext;

    @Before
    public void setUp() {
        MockitoAnnotations.initMocks(this);

        mFragment = new DevicePickerFragment();
-
+        mContext = spy(RuntimeEnvironment.application);
+        mFragment.mContext = mContext;
        mFragment.mAvailableDevicesCategory = mAvailableDevicesCategory;
    }

@@ -49,4 +67,40 @@ public class DevicePickerFragmentTest {

        verify(mAvailableDevicesCategory).setProgress(true);
    }
+
+    @Test
+    public void callingPackageIsEqualToLaunchPackage_sendBroadcastToLaunchPackage() {
+        final CachedBluetoothDevice cachedDevice = mock(CachedBluetoothDevice.class);
+        final BluetoothDevice bluetoothDevice = mock(BluetoothDevice.class);
+        final ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class);
+        when(cachedDevice.getDevice()).thenReturn(bluetoothDevice);
+        mFragment.mSelectedDevice = bluetoothDevice;
+        mFragment.mLaunchPackage = "com.android.settings";
+        mFragment.mLaunchClass = "com.android.settings.bluetooth.BluetoothPermissionActivity";
+        mFragment.mCallingAppPackageName = "com.android.settings";
+
+        mFragment.onDeviceBondStateChanged(cachedDevice, BluetoothDevice.BOND_BONDED);
+
+        verify(mContext).sendBroadcast(intentCaptor.capture(),
+                eq("android.permission.BLUETOOTH_ADMIN"));
+        assertThat(intentCaptor.getValue().getComponent().getPackageName())
+                .isEqualTo(mFragment.mLaunchPackage);
+    }
+
+    @Test
+    public void callingPackageIsNotEqualToLaunchPackage_broadcastNotSend() {
+        final CachedBluetoothDevice cachedDevice = mock(CachedBluetoothDevice.class);
+        final BluetoothDevice bluetoothDevice = mock(BluetoothDevice.class);
+        final ArgumentCaptor<Intent> intentCaptor = ArgumentCaptor.forClass(Intent.class);
+        when(cachedDevice.getDevice()).thenReturn(bluetoothDevice);
+        mFragment.mSelectedDevice = bluetoothDevice;
+        mFragment.mLaunchPackage = "com.fake.settings";
+        mFragment.mLaunchClass = "com.android.settings.bluetooth.BluetoothPermissionActivity";
+        mFragment.mCallingAppPackageName = "com.android.settings";
+
+        mFragment.onDeviceBondStateChanged(cachedDevice, BluetoothDevice.BOND_BONDED);
+
+        verify(mContext, never()).sendBroadcast(intentCaptor.capture(),
+                eq("android.permission.BLUETOOTH_ADMIN"));
+    }
 }