[RESTRICT AUTOMERGE] CTS test for Android Security b/139186193
Bug: 139186193
Bug: 141500815
Test: Ran the new testcase on android-8.1.0_r38 to test with/without patch
Change-Id: Ib3c613a3be474488f49bf02e05c343096e16c306
(cherry picked from commit 4f2ff92097f488f930ce8a3f488ac42753543bcd)
diff --git a/tests/tests/security/src/android/security/cts/SQLiteTest.java b/tests/tests/security/src/android/security/cts/SQLiteTest.java
new file mode 100644
index 0000000..988cc78
--- /dev/null
+++ b/tests/tests/security/src/android/security/cts/SQLiteTest.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.cts;
+
+import android.content.Context;
+import android.content.ContentResolver;
+import android.content.Intent;
+import android.content.pm.PackageManager.NameNotFoundException;
+import android.net.Uri;
+import android.platform.test.annotations.SecurityTest;
+import android.provider.VoicemailContract;
+import android.support.test.InstrumentationRegistry;
+import android.test.AndroidTestCase;
+import static org.junit.Assert.*;
+
+@SecurityTest
+public class SQLiteTest extends AndroidTestCase {
+
+ private ContentResolver mResolver;
+ private String mPackageName;
+ private Context mContext;
+
+ @Override
+ protected void setUp() throws Exception {
+ super.setUp();
+ mResolver = getContext().getContentResolver();
+ mContext = InstrumentationRegistry.getTargetContext();
+ mPackageName = mContext.getPackageName();
+ }
+
+ /**
+ * b/139186193
+ */
+ @SecurityTest(minPatchLevel = "2019-11")
+ public void test_android_cve_2019_2195() {
+ Uri uri = VoicemailContract.Voicemails.CONTENT_URI;
+ uri = uri.buildUpon().appendQueryParameter("source_package", mPackageName).build();
+
+ try {
+ mContext.grantUriPermission(mPackageName, uri,
+ Intent.FLAG_GRANT_READ_URI_PERMISSION | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
+ | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION);
+ } catch (Exception e) {
+ if (e instanceof java.lang.SecurityException) {
+ // this suggests com.android.providers.contacts.VoicemailContentProvider
+ // does not allow granting of Uri permissions, hence return.
+ return;
+ }
+ }
+
+ try {
+ String fileToDump = mContext.createPackageContext("com.android.providers.contacts", 0)
+ .getDatabasePath("contacts2.db").getAbsolutePath();
+ try {
+ mResolver.query(uri, null, null, null,
+ "_id ASC LIMIT _TOKENIZE('calls(_data,_data,_data,source_package,type) VALUES(''"
+ + fileToDump + "'',?,?,''" + mPackageName + "'',4);',0,'','Z')")
+ .close();
+ fail("Vulnerable function exists");
+ } catch (android.database.sqlite.SQLiteException e) {
+ // do nothing
+ }
+ } catch (NameNotFoundException n) {
+ // do nothing
+ }
+ }
+}
