hostsidetests/securitybulletin/test-apps/CVE-2022-20475/test-app/src/android/security/cts/CVE_2022_20475/DeviceTest.java - platform/cts - Git at Google

 /*
  * Copyright (C) 2022 The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *      http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 package android.security.cts.CVE_2022_20475_test;

 import static androidx.test.core.app.ApplicationProvider.getApplicationContext;

 import static org.junit.Assume.assumeNoException;

 import android.content.BroadcastReceiver;
 import android.content.Context;
 import android.content.Intent;
 import android.content.IntentFilter;

 import androidx.test.runner.AndroidJUnit4;

 import org.junit.Test;
 import org.junit.runner.RunWith;

 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;

 @RunWith(AndroidJUnit4.class)
 public class DeviceTest {
     private static final int WAIT_MS = 5000;

     @Test
     public void testCVE_2022_20475() {
         try {
             // Registering a receiver here to wait for a broadcast from either HijackActivity or
             // TargetActivity
             Context context = getApplicationContext();
             CompletableFuture<Boolean> hijackReturn = new CompletableFuture<>();
             CompletableFuture<Boolean> targetReturn = new CompletableFuture<>();
             final String bcastActionHijack = context.getString(R.string.bcastActionHijack);
             final String bcastActionTarget = context.getString(R.string.bcastActionTarget);
             BroadcastReceiver broadcastReceiver =
                     new BroadcastReceiver() {
                         @Override
                         public void onReceive(Context context, Intent intent) {
                             if (intent.getAction().equals(bcastActionHijack)) {
                                 hijackReturn.complete(true);
                             } else if (intent.getAction().equals(bcastActionTarget)) {
                                 targetReturn.complete(true);
                             }
                         }
                     };
             IntentFilter filter = new IntentFilter();
             filter.addAction(bcastActionHijack);
             filter.addAction(bcastActionTarget);
             context.registerReceiver(broadcastReceiver, filter);

             // Start PocActivity which in turn starts both TargetActivity and HijackActivity
             Intent intent = new Intent(context, PocActivity.class);
             intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
             context.startActivity(intent);

             // Waiting on callback from HijackActivity which is started last by PocActivity
             hijackReturn.get(WAIT_MS, TimeUnit.MILLISECONDS);

             // Start TargetActivity
             Intent targetIntent = new Intent(Intent.ACTION_MAIN);
             final String pkgTarget = context.getString(R.string.pkgTarget);
             targetIntent.setClassName(pkgTarget, context.getString(R.string.activityTarget));
             targetIntent.setFlags(
                     Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_RESET_TASK_IF_NEEDED);
             context.startActivity(targetIntent);

             // Wait on callback from TargetActivity. On vulnerable device, TargetActivity would
             // not start and HijackActivity would remain on screen so the test should fail due
             // to timeout on callback.
             try {
                 targetReturn.get(WAIT_MS, TimeUnit.MILLISECONDS);
             } catch (TimeoutException e) {
                 throw new AssertionError(context.getString(R.string.msgFail));
             }
         } catch (Exception e) {
             assumeNoException(e);
         }
     }
 }
	/*
	* Copyright (C) 2022 The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	package android.security.cts.CVE_2022_20475_test;

	import static androidx.test.core.app.ApplicationProvider.getApplicationContext;

	import static org.junit.Assume.assumeNoException;

	import android.content.BroadcastReceiver;
	import android.content.Context;
	import android.content.Intent;
	import android.content.IntentFilter;

	import androidx.test.runner.AndroidJUnit4;

	import org.junit.Test;
	import org.junit.runner.RunWith;

	import java.util.concurrent.CompletableFuture;
	import java.util.concurrent.TimeUnit;
	import java.util.concurrent.TimeoutException;

	@RunWith(AndroidJUnit4.class)
	public class DeviceTest {
	private static final int WAIT_MS = 5000;

	@Test
	public void testCVE_2022_20475() {
	try {
	// Registering a receiver here to wait for a broadcast from either HijackActivity or
	// TargetActivity
	Context context = getApplicationContext();
	CompletableFuture<Boolean> hijackReturn = new CompletableFuture<>();
	CompletableFuture<Boolean> targetReturn = new CompletableFuture<>();
	final String bcastActionHijack = context.getString(R.string.bcastActionHijack);
	final String bcastActionTarget = context.getString(R.string.bcastActionTarget);
	BroadcastReceiver broadcastReceiver =
	new BroadcastReceiver() {
	@Override
	public void onReceive(Context context, Intent intent) {
	if (intent.getAction().equals(bcastActionHijack)) {
	hijackReturn.complete(true);
	} else if (intent.getAction().equals(bcastActionTarget)) {
	targetReturn.complete(true);
	}
	}
	};
	IntentFilter filter = new IntentFilter();
	filter.addAction(bcastActionHijack);
	filter.addAction(bcastActionTarget);
	context.registerReceiver(broadcastReceiver, filter);

	// Start PocActivity which in turn starts both TargetActivity and HijackActivity
	Intent intent = new Intent(context, PocActivity.class);
	intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
	context.startActivity(intent);

	// Waiting on callback from HijackActivity which is started last by PocActivity
	hijackReturn.get(WAIT_MS, TimeUnit.MILLISECONDS);

	// Start TargetActivity
	Intent targetIntent = new Intent(Intent.ACTION_MAIN);
	final String pkgTarget = context.getString(R.string.pkgTarget);
	targetIntent.setClassName(pkgTarget, context.getString(R.string.activityTarget));
	targetIntent.setFlags(
	Intent.FLAG_ACTIVITY_NEW_TASK \| Intent.FLAG_ACTIVITY_RESET_TASK_IF_NEEDED);
	context.startActivity(targetIntent);

	// Wait on callback from TargetActivity. On vulnerable device, TargetActivity would
	// not start and HijackActivity would remain on screen so the test should fail due
	// to timeout on callback.
	try {
	targetReturn.get(WAIT_MS, TimeUnit.MILLISECONDS);
	} catch (TimeoutException e) {
	throw new AssertionError(context.getString(R.string.msgFail));
	}
	} catch (Exception e) {
	assumeNoException(e);
	}
	}
	}