Merge "[RESTRICT AUTOMERGE] Check permission of Autofill icon URIs" into udc-dev

author: Tim Yu <yunicorn@google.com> 2023-11-28 18:36:13 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2023-11-28 18:36:13 +0000
commit: 0d1b6ea77885411533f89dae238c8889b4a526a2 (patch)
tree: 051733181783e2ce32cbb0506366a5dbe89b7758
parent: ea6b195c692347ad5e35c3861f61a91daba1a061 (diff)
parent: df893defcf8cc6e1e223111e79ad3daf0ec7cd8b (diff)
3 files changed, 62 insertions, 19 deletions
diff --git a/services/autofill/java/com/android/server/autofill/Helper.java b/services/autofill/java/com/android/server/autofill/Helper.java
index 7557071d0d4b..b93ee9b96e57 100644
--- a/services/autofill/java/com/android/server/autofill/Helper.java
+++ b/services/autofill/java/com/android/server/autofill/Helper.java
@@ -25,8 +25,11 @@ import android.app.ActivityManager;
 import android.app.assist.AssistStructure;
 import android.app.assist.AssistStructure.ViewNode;
 import android.app.assist.AssistStructure.WindowNode;
+import android.app.slice.Slice;
+import android.app.slice.SliceItem;
 import android.content.ComponentName;
 import android.content.Context;
+import android.graphics.drawable.Icon;
 import android.hardware.display.DisplayManager;
 import android.metrics.LogMaker;
 import android.os.UserManager;
@@ -55,7 +58,6 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-
 public final class Helper {
 
     private static final String TAG = "AutofillHelper";
@@ -93,7 +95,7 @@ public final class Helper {
         final AtomicBoolean permissionsOk = new AtomicBoolean(true);
 
         rView.visitUris(uri -> {
-            int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri);
+            int uriOwnerId = android.content.ContentProvider.getUserIdFromUri(uri, userId);
             boolean allowed = uriOwnerId == userId;
             permissionsOk.set(allowed && permissionsOk.get());
         });
@@ -125,6 +127,48 @@ public final class Helper {
         return (ok ? rView : null);
     }
 
+    /**
+     * Checks the URI permissions of the icon in the slice, to see if the current userId is able to
+     * access it.
+     *
+     * <p>Returns null if slice contains user inaccessible icons
+     *
+     * <p>TODO: instead of returning a null Slice when the current userId cannot access an icon,
+     * return a reconstructed Slice without the icons. This is currently non-trivial since there are
+     * no public methods to generically add SliceItems to Slices
+     */
+    public static @Nullable Slice sanitizeSlice(Slice slice) {
+        if (slice == null) {
+            return null;
+        }
+
+        int userId = ActivityManager.getCurrentUser();
+
+        // Recontruct the Slice, filtering out bad icons
+        for (SliceItem sliceItem : slice.getItems()) {
+            if (!sliceItem.getFormat().equals(SliceItem.FORMAT_IMAGE)) {
+                // Not an image slice
+                continue;
+            }
+
+            Icon icon = sliceItem.getIcon();
+            if (icon.getType() !=  Icon.TYPE_URI
+                    && icon.getType() != Icon.TYPE_URI_ADAPTIVE_BITMAP) {
+                // No URIs to sanitize
+                continue;
+            }
+
+            int iconUriId = android.content.ContentProvider.getUserIdFromUri(icon.getUri(), userId);
+
+            if (iconUriId != userId) {
+                Slog.w(TAG, "sanitizeSlice() user: " + userId + " cannot access icons in Slice");
+                return null;
+            }
+        }
+
+        return slice;
+    }
+
 
     @Nullable
     static AutofillId[] toArray(@Nullable ArraySet<AutofillId> set) {
diff --git a/services/autofill/java/com/android/server/autofill/ui/RemoteInlineSuggestionViewConnector.java b/services/autofill/java/com/android/server/autofill/ui/RemoteInlineSuggestionViewConnector.java
index 70443f9153d1..024de4e825aa 100644
--- a/services/autofill/java/com/android/server/autofill/ui/RemoteInlineSuggestionViewConnector.java
+++ b/services/autofill/java/com/android/server/autofill/ui/RemoteInlineSuggestionViewConnector.java
@@ -27,6 +27,7 @@ import android.service.autofill.InlinePresentation;
 import android.util.Slog;
 
 import com.android.server.LocalServices;
+import com.android.server.autofill.Helper;
 import com.android.server.autofill.RemoteInlineSuggestionRenderService;
 import com.android.server.inputmethod.InputMethodManagerInternal;
 
@@ -39,24 +40,17 @@ import java.util.function.Consumer;
 final class RemoteInlineSuggestionViewConnector {
     private static final String TAG = RemoteInlineSuggestionViewConnector.class.getSimpleName();
 
-    @Nullable
-    private final RemoteInlineSuggestionRenderService mRemoteRenderService;
-    @NonNull
-    private final InlinePresentation mInlinePresentation;
-    @Nullable
-    private final IBinder mHostInputToken;
+    @Nullable private final RemoteInlineSuggestionRenderService mRemoteRenderService;
+    @NonNull private final InlinePresentation mInlinePresentation;
+    @Nullable private final IBinder mHostInputToken;
     private final int mDisplayId;
     private final int mUserId;
     private final int mSessionId;
 
-    @NonNull
-    private final Runnable mOnAutofillCallback;
-    @NonNull
-    private final Runnable mOnErrorCallback;
-    @NonNull
-    private final Runnable mOnInflateCallback;
-    @NonNull
-    private final Consumer<IntentSender> mStartIntentSenderFromClientApp;
+    @NonNull private final Runnable mOnAutofillCallback;
+    @NonNull private final Runnable mOnErrorCallback;
+    @NonNull private final Runnable mOnInflateCallback;
+    @NonNull private final Consumer<IntentSender> mStartIntentSenderFromClientApp;
 
     RemoteInlineSuggestionViewConnector(
             @NonNull InlineFillUi.InlineFillUiInfo inlineFillUiInfo,
@@ -81,8 +75,12 @@ final class RemoteInlineSuggestionViewConnector {
      *
      * @return true if the call is made to the remote renderer service, false otherwise.
      */
-    public boolean renderSuggestion(int width, int height,
-            @NonNull IInlineSuggestionUiCallback callback) {
+    public boolean renderSuggestion(
+            int width, int height, @NonNull IInlineSuggestionUiCallback callback) {
+        if (Helper.sanitizeSlice(mInlinePresentation.getSlice()) == null) {
+            if (sDebug) Slog.d(TAG, "Skipped rendering inline suggestion.");
+            return false;
+        }
         if (mRemoteRenderService != null) {
             if (sDebug) Slog.d(TAG, "Request to recreate the UI");
             mRemoteRenderService.renderSuggestion(callback, mInlinePresentation, width, height,
diff --git a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
index 70382f1d5274..4488d86c60b5 100644
--- a/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
+++ b/services/autofill/java/com/android/server/autofill/ui/SaveUi.java
@@ -443,7 +443,8 @@ final class SaveUi {
                     }
                     final BatchUpdates batchUpdates = pair.second;
                     // First apply the updates...
-                    final RemoteViews templateUpdates = batchUpdates.getUpdates();
+                    final RemoteViews templateUpdates =
+                            Helper.sanitizeRemoteView(batchUpdates.getUpdates());
                     if (templateUpdates != null) {
                         if (sDebug) Slog.d(TAG, "Applying template updates for batch update #" + i);
                         templateUpdates.reapply(context, customSubtitleView);
author	Tim Yu <yunicorn@google.com>	2023-11-28 18:36:13 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2023-11-28 18:36:13 +0000
commit	0d1b6ea77885411533f89dae238c8889b4a526a2 (patch)
tree	051733181783e2ce32cbb0506366a5dbe89b7758
parent	ea6b195c692347ad5e35c3861f61a91daba1a061 (diff)
parent	df893defcf8cc6e1e223111e79ad3daf0ec7cd8b (diff)