Validate notification canceled intent before processing

Intent can be sent by a malicious app, so validate it before processing. Test: atest CarrierDefaultAppUnitTests Bug: 300188231 Change-Id: I66659ae8777bc0f2563b7998aa81a9811745cfc5
author: Sarah Chin <sarahchin@google.com> 2024-02-22 01:26:37 -0800
committer: Sarah Chin <sarahchin@google.com> 2024-02-22 01:27:18 -0800
commit: 7b1f2131adfc510edcdd75a0e1eec3140946af32 (patch)
tree: b5cdf86c13ba39421751abb262067559b477b2c4
parent: 00e45419b1dce389a2d1b5f6dd6f834d749eb4f1 (diff)
2 files changed, 8 insertions, 4 deletions
diff --git a/packages/CarrierDefaultApp/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiver.java b/packages/CarrierDefaultApp/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiver.java
index eccf6047b90c..72f67d93383b 100644
--- a/packages/CarrierDefaultApp/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiver.java
+++ b/packages/CarrierDefaultApp/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiver.java
@@ -494,6 +494,10 @@ public class SlicePurchaseBroadcastReceiver extends BroadcastReceiver{
     }
 
     private void onUserCanceled(@NonNull Context context, @NonNull Intent intent) {
+        if (!isIntentValid(intent)) {
+            loge("Ignoring onUserCanceled called with invalid intent.");
+            return;
+        }
         int capability = intent.getIntExtra(SlicePurchaseController.EXTRA_PREMIUM_CAPABILITY,
                 SlicePurchaseController.PREMIUM_CAPABILITY_INVALID);
         logd("onUserCanceled: " + TelephonyManager.convertPremiumCapabilityToString(capability));
diff --git a/packages/CarrierDefaultApp/tests/unit/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiverTest.java b/packages/CarrierDefaultApp/tests/unit/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiverTest.java
index 3c8ef6ed0550..8989aab61f1b 100644
--- a/packages/CarrierDefaultApp/tests/unit/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiverTest.java
+++ b/packages/CarrierDefaultApp/tests/unit/src/com/android/carrierdefaultapp/SlicePurchaseBroadcastReceiverTest.java
@@ -262,10 +262,10 @@ public class SlicePurchaseBroadcastReceiverTest {
 
     @Test
     public void testNotificationCanceled() {
+        displayPerformanceBoostNotification();
+
         // send ACTION_NOTIFICATION_CANCELED
         doReturn("com.android.phone.slice.action.NOTIFICATION_CANCELED").when(mIntent).getAction();
-        doReturn(TelephonyManager.PREMIUM_CAPABILITY_PRIORITIZE_LATENCY).when(mIntent).getIntExtra(
-                eq(SlicePurchaseController.EXTRA_PREMIUM_CAPABILITY), anyInt());
         mSlicePurchaseBroadcastReceiver.onReceive(mContext, mIntent);
 
         // verify notification was canceled
@@ -276,7 +276,7 @@ public class SlicePurchaseBroadcastReceiverTest {
     }
 
     @Test
-    public void testNotificationTimeout() throws Exception {
+    public void testNotificationTimeout() {
         displayPerformanceBoostNotification();
 
         // send ACTION_SLICE_PURCHASE_APP_RESPONSE_TIMEOUT
@@ -353,7 +353,7 @@ public class SlicePurchaseBroadcastReceiverTest {
         verify(mNotificationManager, never()).notifyAsUser(
                 eq(SlicePurchaseBroadcastReceiver.PERFORMANCE_BOOST_NOTIFICATION_TAG),
                 eq(TelephonyManager.PREMIUM_CAPABILITY_PRIORITIZE_LATENCY),
-                any(),
+                any(Notification.class),
                 eq(UserHandle.ALL));
         verify(mNotificationShownIntent, never()).send();
author	Sarah Chin <sarahchin@google.com>	2024-02-22 01:26:37 -0800
committer	Sarah Chin <sarahchin@google.com>	2024-02-22 01:27:18 -0800
commit	7b1f2131adfc510edcdd75a0e1eec3140946af32 (patch)
tree	b5cdf86c13ba39421751abb262067559b477b2c4
parent	00e45419b1dce389a2d1b5f6dd6f834d749eb4f1 (diff)