Introduce allowlist for Intent URI launchFlags

This is just a precautionary change, as most launchFlags are not useful for launching apps from Chrome, and present an attack surface by allowing app launches to do interesting things like manipulate task stacks, prevent transition animations, etc. Bug: 1054826 Change-Id: I744e48476f7d2a88f7802cefc553b5c12748a470 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128232Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Michael Thiessen <mthiesse@chromium.org> Cr-Commit-Position: refs/heads/master@{#756414}

Introduce allowlist for Intent URI launchFlags
This is just a precautionary change, as most launchFlags are not useful for launching apps from Chrome, and present an attack surface by allowing app launches to do interesting things like manipulate task stacks, prevent transition animations, etc. Bug: 1054826 Change-Id: I744e48476f7d2a88f7802cefc553b5c12748a470 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2128232Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Michael Thiessen <mthiesse@chromium.org> Cr-Commit-Position: refs/heads/master@{#756414}
20ab05ad · Michael Thiessen · Commit Bot · bd896631 · 20ab05ad · 20ab05ad
Commit 20ab05ad authored Apr 03, 2020 by Michael Thiessen Committed by Commit Bot Apr 03, 2020
2 changed files
--- a/chrome/android/javatests/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandlerTest.java
+++ b/chrome/android/javatests/src/org/chromium/chrome/browser/externalnav/ExternalNavigationHandlerTest.java
@@ -1216,6 +1216,16 @@ public class ExternalNavigationHandlerTest {
                        START_OTHER_ACTIVITY);
    }

+    @Test
+    @SmallTest
+    public void testUsafeIntentFlagsFiltered() {
+        checkUrl("intent://#Intent;package=com.test.package;launchFlags=0x7FFFFFFF;end;")
+                .expecting(OverrideUrlLoadingResult.OVERRIDE_WITH_EXTERNAL_INTENT,
+                        START_OTHER_ACTIVITY);
+        Assert.assertEquals(ExternalNavigationHandler.ALLOWED_INTENT_FLAGS,
+                mDelegate.startActivityIntent.getFlags());
+    }
+
    @Test
    @SmallTest
    public void testIntentWithMissingReferrer() {

--- a/components/external_intents/android/java/src/org/chromium/components/external_intents/ExternalNavigationHandler.java
+++ b/components/external_intents/android/java/src/org/chromium/components/external_intents/ExternalNavigationHandler.java
@@ -66,6 +66,15 @@ public class ExternalNavigationHandler {
    @VisibleForTesting
    public static final String EXTRA_MARKET_REFERRER = "market_referrer";

+    // A mask of flags that are safe for untrusted content to use when starting an Activity.
+    // This list is not exhaustive and flags not listed here are not necessarily unsafe.
+    @VisibleForTesting
+    public static final int ALLOWED_INTENT_FLAGS = Intent.FLAG_EXCLUDE_STOPPED_PACKAGES
+            | Intent.FLAG_ACTIVITY_CLEAR_TOP | Intent.FLAG_ACTIVITY_SINGLE_TOP
+            | Intent.FLAG_ACTIVITY_MATCH_EXTERNAL | Intent.FLAG_ACTIVITY_NEW_TASK
+            | Intent.FLAG_ACTIVITY_MULTIPLE_TASK | Intent.FLAG_ACTIVITY_NEW_DOCUMENT
+            | Intent.FLAG_ACTIVITY_RETAIN_IN_RECENTS | Intent.FLAG_ACTIVITY_LAUNCH_ADJACENT;
+
    // These values are persisted in histograms. Please do not renumber. Append only.
    @IntDef({AiaIntent.FALLBACK_USED, AiaIntent.SERP, AiaIntent.OTHER})
    @Retention(RetentionPolicy.SOURCE)
@@ -915,6 +924,7 @@ public class ExternalNavigationHandler {
     * ensuring that web pages cannot bypass browser security.
     */
    private void sanitizeQueryIntentActivitiesIntent(Intent intent) {
+        intent.setFlags(intent.getFlags() & ALLOWED_INTENT_FLAGS);
        intent.addCategory(Intent.CATEGORY_BROWSABLE);
        intent.setComponent(null);
        Intent selector = intent.getSelector();