Check msg_id and thread_type value before
concatenating.
The msg_id and thread_type parameters can be used for SQL injection in MmsSmsProvider#query.
This is solved by checking the values of msg_id and thread_type before concatenating them
to extraSelection.
Bug: 224770183, 224770203
Test: atest android.telephonyprovider.cts.SmsTest
atest CtsTelephonyTestCases
Sanity check - sending and receiving sms and mms manually
Change-Id: Id3fd2bc00bdfff95fc922418d8faedcc8d10618e
diff --git a/tests/tests/telephonyprovider/src/android/telephonyprovider/cts/SmsTest.java b/tests/tests/telephonyprovider/src/android/telephonyprovider/cts/SmsTest.java
index dba15dc..87b08b9c 100644
--- a/tests/tests/telephonyprovider/src/android/telephonyprovider/cts/SmsTest.java
+++ b/tests/tests/telephonyprovider/src/android/telephonyprovider/cts/SmsTest.java
@@ -22,16 +22,20 @@
import static com.google.common.truth.Truth.assertThat;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import android.content.ContentResolver;
import android.content.ContentValues;
import android.database.Cursor;
import android.net.Uri;
+
import android.provider.Telephony;
import androidx.test.filters.SmallTest;
+import com.android.compatibility.common.util.ApiTest;
+
import org.junit.AfterClass;
import org.junit.Before;
import org.junit.BeforeClass;
@@ -327,5 +331,55 @@
DefaultSmsAppHelper.ensureDefaultSmsApp();
}
-}
+ /**
+ * Verifies sql injection is not allowed within a URI.
+ */
+ @Test
+ @ApiTest(apis = "com.android.providers.telephony.MmsSmsProvider#query")
+ public void query_msgParameter_sqlInjection() {
+ Uri uriWithSqlInjection = Uri.parse("content://mms-sms/pending?protocol=sms&message=1 "
+ + "union select type,name,tbl_name,rootpage,sql,1,1,1,1,1 FROM SQLITE_MASTER; --");
+ Cursor uriWithSqlInjectionCur = mContentResolver.query(uriWithSqlInjection, null,
+ null, null, null);
+ assertNull(uriWithSqlInjectionCur);
+ }
+
+ /**
+ * Verifies query() returns non-null cursor when valid URI is passed to it.
+ */
+ @Test
+ @ApiTest(apis = "com.android.providers.telephony.MmsSmsProvider#query")
+ public void query_msgParameter_withoutSqlInjection() {
+ Uri uriWithoutSqlInjection = Uri.parse("content://mms-sms/pending?protocol=sms&message=1");
+ Cursor uriWithoutSqlInjectionCur = mContentResolver.query(uriWithoutSqlInjection,
+ null, null, null, null);
+ assertNotNull(uriWithoutSqlInjectionCur);
+ }
+
+ /**
+ * Verifies sql injection is not allowed within a URI.
+ */
+ @Test
+ @ApiTest(apis = "com.android.providers.telephony.MmsSmsProvider#query")
+ public void query_threadIdParameter_sqlInjection() {
+ Uri uriWithSqlInjection = Uri.parse("content://mms-sms/conversations?simple=true&"
+ + "thread_type=1 union select type,name,tbl_name,rootpage,sql FROM SQLITE_MASTER;; --");
+ Cursor uriWithSqlInjectionCur = mContentResolver.query(uriWithSqlInjection,
+ new String[]{"1","2","3","4","5"}, null, null, null);
+ assertNull(uriWithSqlInjectionCur);
+ }
+
+ /**
+ * Verifies query() returns non-null cursor when valid URI is passed to it.
+ */
+ @Test
+ @ApiTest(apis = "com.android.providers.telephony.MmsSmsProvider#query")
+ public void query_threadIdParameter_withoutSqlInjection() {
+ Uri uriWithoutSqlInjection = Uri.parse(
+ "content://mms-sms/conversations?simple=true&thread_type=1");
+ Cursor uriWithoutSqlInjectionCur = mContentResolver.query(uriWithoutSqlInjection,
+ new String[]{"1","2","3","4","5"}, null, null, null);
+ assertNotNull(uriWithoutSqlInjectionCur);
+ }
+}
\ No newline at end of file
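Review bot: The two positive tests (`query_msgParameter_withoutSqlInjection` and `query_threadIdParameter_withoutSqlInjection`) never close the cursor they obtain, and the two negative tests would also leave one open if the provider regressed and returned a result. Wrapping each query in try-with-resources releases it on both the passing and the failing path, e.g. `try (Cursor c = mContentResolver.query(uri, null, null, null, null)) { assertNotNull(c); }`. The negative tests pin only one `union select` payload per parameter; since the commit message describes the fix as checking the value, a case with a plain non-numeric value such as `message=abc` would confirm that rejection comes from validation and not from that particular payload failing to parse. The enclosing class starts outside this hunk, and the new file ends without a trailing newline.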