Added autofill test to check apps cannot bypass package name on AssistStructure
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases -t android.autofillservice.cts.VirtualContainerActivityTest#testAppCannotFakePackageName
Bug: 69981710
Change-Id: I3abf999eb6056c1df7982780bae43b58337c0668
Merged-In: I3abf999eb6056c1df7982780bae43b58337c0668
(cherry picked from commit 48f34218c6ec41fd6137ee5a59b69e4b6e2e9cd7)
diff --git a/tests/autofillservice/src/android/autofillservice/cts/Helper.java b/tests/autofillservice/src/android/autofillservice/cts/Helper.java
index c1a70f0..f1d02dd 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/Helper.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/Helper.java
@@ -45,6 +45,7 @@
import com.android.compatibility.common.util.SystemUtil;
+import java.lang.reflect.Field;
import java.util.List;
import java.util.function.Function;
@@ -855,6 +856,50 @@
return InstrumentationRegistry.getInstrumentation().getContext();
}
+ private static Field getField(Class<?> clazz, String fieldName) {
+ final Field[] fields = clazz.getDeclaredFields();
+ final StringBuilder fieldNames = new StringBuilder();
+ for (Field field : fields) {
+ fieldNames.append(field.getName()).append(" ");
+ field.setAccessible(true);
+ if (field.getName().equals(fieldName)) {
+ return field;
+ }
+ }
+ throw new IllegalArgumentException(
+ "no field " + fieldName + " on " + clazz.getName() + ": " + fieldNames);
+ }
+
+ /**
+ * Uses reflection to get a field from an object.
+ */
+ static <T> T getField(Object object, String fieldName) {
+ try {
+ final Class<?> clazz = object.getClass();
+ final Field field = getField(clazz, fieldName);
+ @SuppressWarnings("unchecked")
+ final T value = (T) field.get(object);
+ return value;
+ } catch (Exception e) {
+ throw new IllegalArgumentException(
+ "error getting field " + fieldName + " from object" + object, e);
+ }
+ }
+
+ /**
+ * Uses reflection to set a field in an object.
+ */
+ static void setField(Object object, String fieldName, Object value) {
+ try {
+ final Class<?> clazz = object.getClass();
+ final Field field = getField(clazz, fieldName);
+ field.set(object, value);
+ } catch (Exception e) {
+ throw new IllegalArgumentException("error setting field " + fieldName + " on object "
+ + object, e);
+ }
+ }
+
/**
* Cleans up the autofill state; should be called before pretty much any test.
*/
diff --git a/tests/autofillservice/src/android/autofillservice/cts/InstrumentedAutoFillService.java b/tests/autofillservice/src/android/autofillservice/cts/InstrumentedAutoFillService.java
index 2c234cd..6694e5a 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/InstrumentedAutoFillService.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/InstrumentedAutoFillService.java
@@ -125,7 +125,8 @@
final ComponentName component = contexts.get(contexts.size() - 1).getStructure()
.getActivityComponent();
final String actualPackage = component.getPackageName();
- if (!actualPackage.equals(getPackageName())) {
+ if (!actualPackage.equals(getPackageName())
+ && !actualPackage.equals(sReplier.mAcceptedPackageName)) {
Log.w(TAG, "Got request from package " + actualPackage);
return false;
}
@@ -246,16 +247,22 @@
private final BlockingQueue<SaveRequest> mSaveRequests = new LinkedBlockingQueue<>();
private List<Exception> mExceptions;
+ private String mAcceptedPackageName;
private Replier() {
}
+
private IdMode mIdMode = IdMode.RESOURCE_ID;
public void setIdMode(IdMode mode) {
this.mIdMode = mode;
}
+ public void acceptRequestsFromPackage(String packageName) {
+ mAcceptedPackageName = packageName;
+ }
+
/**
* Gets the exceptions thrown asynchronously, if any.
*/
@@ -356,6 +363,7 @@
mFillRequests.clear();
mSaveRequests.clear();
mExceptions = null;
+ mAcceptedPackageName = null;
}
private void onFillRequest(List<FillContext> contexts, Bundle data,
diff --git a/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerActivityTest.java b/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerActivityTest.java
index 8adbdd7..31eae24 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerActivityTest.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerActivityTest.java
@@ -35,6 +35,7 @@
import android.autofillservice.cts.CannedFillResponse.CannedDataset;
import android.autofillservice.cts.InstrumentedAutoFillService.FillRequest;
import android.autofillservice.cts.VirtualContainerView.Line;
+import android.content.ComponentName;
import android.graphics.Rect;
import android.os.SystemClock;
import android.service.autofill.SaveInfo;
@@ -411,6 +412,30 @@
sUiBot.assertSaveShowing(SAVE_DATA_TYPE_PASSWORD);
}
+ @Test
+ public void testAppCannotFakePackageName() throws Exception {
+ // Set service.
+ enableService();
+
+ // Set expectations.
+ sReplier.acceptRequestsFromPackage("MALICIOUS");
+ mActivity.mCustomView.fakePackageName(new ComponentName("MALICIOUS", "AM.I"));
+ sReplier.addResponse(new CannedDataset.Builder()
+ .setField(ID_USERNAME, "dude")
+ .setField(ID_PASSWORD, "sweet")
+ .setPresentation(createPresentation("The Dude"))
+ .build());
+
+ // Trigger auto-fill.
+ mActivity.mUsername.changeFocus(true);
+ assertDatasetShown(mActivity.mUsername, "The Dude");
+
+ // Make sure package name was sanitized.
+ final FillRequest request = sReplier.getNextFillRequest();
+ assertThat(request.structure.getActivityComponent().getPackageName())
+ .isEqualTo(mPackageName);
+ }
+
/**
* Asserts the dataset picker is properly displayed in a give line.
*/
diff --git a/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerView.java b/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerView.java
index 205fcae..8eecc29 100644
--- a/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerView.java
+++ b/tests/autofillservice/src/android/autofillservice/cts/VirtualContainerView.java
@@ -20,7 +20,9 @@
import static com.google.common.truth.Truth.assertWithMessage;
+import android.app.assist.AssistStructure;
import android.app.assist.AssistStructure.ViewNode;
+import android.content.ComponentName;
import android.content.Context;
import android.graphics.Canvas;
import android.graphics.Color;
@@ -72,6 +74,7 @@
private int mUnfocusedColor;
private boolean mSync = true;
private boolean mOverrideDispatchProvideAutofillStructure = false;
+ private ComponentName mFakedComponentName;
public VirtualContainerView(Context context, AttributeSet attrs) {
super(context, attrs);
@@ -192,6 +195,18 @@
Log.d(TAG, "onProvideAutofillVirtualStructure(): flags = " + flags);
super.onProvideAutofillVirtualStructure(structure, flags);
+ if (mFakedComponentName != null) {
+ Log.d(TAG, "Faking package name to " + mFakedComponentName);
+ try {
+ final AssistStructure assistStructure = Helper.getField(structure, "mAssist");
+ if (assistStructure != null) {
+ Helper.setField(assistStructure, "mActivityComponent", mFakedComponentName);
+ }
+ } catch (Exception e) {
+ Log.e(TAG, "Could not fake package name to " + mFakedComponentName, e);
+ }
+ }
+
final String packageName = getContext().getPackageName();
structure.setClassName(getClass().getName());
final int childrenSize = mItems.size();
@@ -254,6 +269,10 @@
mSync = sync;
}
+ void fakePackageName(ComponentName name) {
+ mFakedComponentName = name;
+ }
+
void setOverrideDispatchProvideAutofillStructure(boolean flag) {
mOverrideDispatchProvideAutofillStructure = flag;
}
