Java tutorial
/* * Copyright (C) 2011 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package android.security.cts; import android.content.ComponentName; import android.content.Context; import android.content.Intent; import android.content.pm.PackageManager; import android.content.pm.ResolveInfo; import android.net.Uri; import android.test.AndroidTestCase; import android.webkit.cts.CtsTestServer; import java.io.FileOutputStream; import java.io.OutputStreamWriter; import java.io.Writer; import java.util.ArrayList; import java.util.List; import java.util.concurrent.atomic.AtomicInteger; import org.apache.http.HttpEntity; /** * Test file for browser security issues. */ public class BrowserTest extends AndroidTestCase { private CtsTestServer mWebServer; @Override protected void setUp() throws Exception { super.setUp(); mWebServer = new CtsTestServer(mContext); } @Override protected void tearDown() throws Exception { mWebServer.shutdown(); super.tearDown(); } /** * Verify that no state is preserved across multiple intents sent * to the browser when we reuse a browser tab. If such data is preserved, * then browser is vulnerable to a data stealing attack. * * In this test, we send two intents to the Android browser. The first * intent sets document.b2 to 1. The second intent attempts to read * document.b2. If the read is successful, then state was preserved * across the two intents. * * If state is preserved across browser tabs, we ask * the browser to send an HTTP request to our local server. * * See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2357 for * vulnerability information for this test case. * * See commits 096bae248453abe83cbb2e5a2c744bd62cdb620b and * afa4ab1e4c1d645e34bd408ce04cadfd2e5dae1e for patches for above vulnerability. */ public void testTabReuse() throws InterruptedException { List<Intent> intents = getAllJavascriptIntents(); for (Intent i : intents) { mContext.startActivity(i); mContext.startActivity(i); /* * Wait 5 seconds for the browser to contact the server, but * fail fast if we detect the bug */ for (int j = 0; j < 5; j++) { assertEquals( "javascript handler preserves state across " + "multiple intents. Vulnerable to CVE-2011-2357?", 0, mWebServer.getRequestCount()); Thread.sleep(1000); } } } /** * Verify that no state is preserved across multiple intents sent * to the browser when we run out of usable browser tabs. If such data is * preserved, then browser is vulnerable to a data stealing attack. * * In this test, we send 20 intents to the Android browser. Each * intent sets the variable "document.b1" equal to 1. If we are able * read document.b1 in subsequent invocations of the intent, then * we know state was preserved. In that case, we send a message * to the local server, recording this fact. * * Our test fails if the local server ever receives an HTTP request. * * See http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2357 for * vulnerability information this test case. * * See commits 096bae248453abe83cbb2e5a2c744bd62cdb620b and * afa4ab1e4c1d645e34bd408ce04cadfd2e5dae1e for patches for above vulnerability. */ public void testTabExhaustion() throws InterruptedException { List<Intent> intents = getAllJavascriptIntents(); for (Intent i : intents) { i.addFlags(Intent.FLAG_ACTIVITY_BROUGHT_TO_FRONT); /* * Send 20 intents. 20 is greater than the maximum number * of tabs allowed by the Android browser. */ for (int j = 0; j < 20; j++) { mContext.startActivity(i); } /* * Wait 5 seconds for the browser to contact the server, but * fail fast if we detect the bug */ for (int j = 0; j < 5; j++) { assertEquals( "javascript handler preserves state across " + "multiple intents. Vulnerable to CVE-2011-2357?", 0, mWebServer.getRequestCount()); Thread.sleep(1000); } } } /** * See Bug 6212665 for detailed information about this issue. */ public void testBrowserPrivateDataAccess() throws Throwable { // Create a list of all intents for http display. This includes all browsers. List<Intent> intents = createAllIntents(Uri.parse("http://www.google.com")); String action = "\"" + mWebServer.getBaseUri() + "/\""; // test each browser for (Intent intent : intents) { // reset state mWebServer.resetRequestState(); // define target file, which is supposedly protected from this app String targetFile = "file://" + getTargetFilePath(); String html = "<html><body>\n" + " <form name=\"myform\" action=" + action + " method=\"post\">\n" + " <input type='text' name='val'/>\n" + " <a href=\"javascript :submitform()\">Search</a></form>\n" + "<script>\n" + " var client = new XMLHttpRequest();\n" + " client.open('GET', '" + targetFile + "');\n" + " client.onreadystatechange = function() {\n" + " if(client.readyState == 4) {\n" + " myform.val.value = client.responseText;\n" + " document.myform.submit(); \n" + " }}\n" + " client.send();\n" + "</script></body></html>\n"; String filename = "jsfileaccess.html"; // create a local HTML to access protected file FileOutputStream out = mContext.openFileOutput(filename, mContext.MODE_WORLD_READABLE); Writer writer = new OutputStreamWriter(out, "UTF-8"); writer.write(html); writer.flush(); writer.close(); String filepath = mContext.getFileStreamPath(filename).getAbsolutePath(); Uri uri = Uri.parse("file://" + filepath); // do a file request intent.setData(uri); mContext.startActivity(intent); /* * Wait 5 seconds for the browser to contact the server, but * fail fast if we detect the bug */ for (int j = 0; j < 5; j++) { // it seems that even when cross-origin policy prevents a file // access, browser is still doing a POST sometimes, but it just // sends the query part and no private data. Make sure this does not // cause a false alarm. if (mWebServer.getRequestEntities().size() > 0) { int len = 0; for (HttpEntity entity : mWebServer.getRequestEntities()) { len += entity.getContentLength(); } final int queryLen = "val=".length(); assertTrue("Failed preventing access to private data", len <= queryLen); } Thread.sleep(1000); } } } private String getTargetFilePath() throws Exception { FileOutputStream out = mContext.openFileOutput("target.txt", mContext.MODE_WORLD_READABLE); Writer writer = new OutputStreamWriter(out, "UTF-8"); writer.write("testing"); writer.flush(); writer.close(); return mContext.getFileStreamPath("target.txt").getAbsolutePath(); } /** * This method returns a List of explicit Intents for all programs * which handle javascript URIs. */ private List<Intent> getAllJavascriptIntents() { String localServerUri = mWebServer.getBaseUri(); String varName = "document.b" + System.currentTimeMillis(); /* * Build a javascript URL containing the following (without spaces and newlines) * <code> * if (document.b12345 == 1) { * document.location = "http://localhost:1234/"; * } * document.b12345 = 1; * </code> */ String javascript = "javascript:if(" + varName + "==1){" + "document.location=\"" + localServerUri + "\"" + "};" + varName + "=1"; return createAllIntents(Uri.parse(javascript)); } /** * Create intents for all activities that can display the given URI. */ private List<Intent> createAllIntents(Uri uri) { Intent implicit = new Intent(Intent.ACTION_VIEW); implicit.setData(uri); /* convert our implicit Intent into multiple explicit Intents */ List<Intent> retval = new ArrayList<Intent>(); PackageManager pm = mContext.getPackageManager(); List<ResolveInfo> list = pm.queryIntentActivities(implicit, PackageManager.GET_META_DATA); for (ResolveInfo i : list) { Intent explicit = new Intent(Intent.ACTION_VIEW); explicit.setClassName(i.activityInfo.packageName, i.activityInfo.name); explicit.setData(uri); explicit.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); retval.add(explicit); } return retval; } }