Add trusted intent check before we handle with PaymentHandlerActivity.

Through IntentURI we can create a CCT via PaymentHandlerActivity which
opens the CCT halfway in front of the regular tab. This allows a
malicious CCT to represent itself as the content of the background tab.

This CL adds an extra check to ensure we fire PaymentHandlerActivity
only if the intent was sent from Chrome and not via external navigation.

This CL also adds a browser test.

Bug: 1083972
Change-Id: I136774e23a641fd5feef9e47aaa87ba2d2f94b48
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2205933Reviewed-by: Michael Thiessen <mthiesse@chromium.org>
Reviewed-by: Rohit Agarwal <roagarwal@chromium.org>
Commit-Queue: Rohit Agarwal <roagarwal@chromium.org>
Cr-Commit-Position: refs/heads/master@{#770215}

chrome/android/java/src/org/chromium/chrome/browser/LaunchIntentDispatcher.java

@@ -276,9 +276,12 @@ public class LaunchIntentDispatcher implements IntentHandler.IntentHandlerDelega
             }
         }
 
+        boolean isIntentSenderChrome = IntentHandler.wasIntentSenderChrome(intent);
+
         // Use a custom tab with a unique theme for payment handlers.
         if (intent.getIntExtra(CustomTabIntentDataProvider.EXTRA_UI_TYPE, CustomTabsUiType.DEFAULT)
-                == CustomTabsUiType.PAYMENT_REQUEST) {
+                        == CustomTabsUiType.PAYMENT_REQUEST
+                && isIntentSenderChrome) {
             newIntent.setClassName(context, PaymentHandlerActivity.class.getName());
         }
 
@@ -314,7 +317,7 @@ public class LaunchIntentDispatcher implements IntentHandler.IntentHandlerDelega
         // If the previous caller was not Chrome, but added EXTRA_IS_OPENED_BY_CHROME
         // for malicious purpose, remove it. The new intent will be sent by Chrome, but was not
         // sent by Chrome initially.
-        if (!IntentHandler.wasIntentSenderChrome(intent)) {
+        if (!isIntentSenderChrome) {
             IntentUtils.safeRemoveExtra(
                     newIntent, CustomTabIntentDataProvider.EXTRA_IS_OPENED_BY_CHROME);
         }

chrome/android/javatests/src/org/chromium/chrome/browser/customtabs/CustomTabFromChromeExternalNavigationTest.java

@@ -4,6 +4,7 @@
 
 package org.chromium.chrome.browser.customtabs;
 
+import android.app.Activity;
 import android.content.Intent;
 import android.net.Uri;
 import android.support.test.InstrumentationRegistry;
@@ -23,6 +24,7 @@ import org.chromium.base.ApplicationStatus;
 import org.chromium.base.test.util.CommandLineFlags;
 import org.chromium.base.test.util.Feature;
 import org.chromium.chrome.R;
+import org.chromium.chrome.browser.ChromeTabbedActivity;
 import org.chromium.chrome.browser.LaunchIntentDispatcher;
 import org.chromium.chrome.browser.customtabs.CustomTabDelegateFactory.CustomTabNavigationDelegate;
 import org.chromium.chrome.browser.flags.ChromeSwitches;
@@ -30,14 +32,17 @@ import org.chromium.chrome.browser.tab.InterceptNavigationDelegateTabHelper;
 import org.chromium.chrome.browser.tab.Tab;
 import org.chromium.chrome.browser.tab.TabDelegateFactory;
 import org.chromium.chrome.browser.tab.TabTestUtils;
+import org.chromium.chrome.test.ChromeActivityTestRule;
 import org.chromium.chrome.test.ChromeJUnit4ClassRunner;
 import org.chromium.components.external_intents.ExternalNavigationHandler.OverrideUrlLoadingResult;
 import org.chromium.components.external_intents.InterceptNavigationDelegateImpl;
 import org.chromium.content_public.browser.test.util.Criteria;
 import org.chromium.content_public.browser.test.util.CriteriaHelper;
+import org.chromium.content_public.browser.test.util.DOMUtils;
 import org.chromium.content_public.browser.test.util.TestThreadUtils;
 import org.chromium.net.test.EmbeddedTestServerRule;
 
+import java.util.concurrent.TimeoutException;
 import java.util.concurrent.atomic.AtomicReference;
 
 /**
@@ -50,6 +55,9 @@ public class CustomTabFromChromeExternalNavigationTest {
     public CustomTabActivityTestRule mActivityRule = new CustomTabActivityTestRule();
 
     @Rule
+    public ChromeActivityTestRule mChromeActivityTestRule =
+            new ChromeActivityTestRule(ChromeTabbedActivity.class);
+
     public EmbeddedTestServerRule mServerRule = new EmbeddedTestServerRule();
 
     private Intent getCustomTabFromChromeIntent(final String url, final boolean markFromChrome) {
@@ -169,4 +177,43 @@ public class CustomTabFromChromeExternalNavigationTest {
         Assert.assertFalse(menu.findItem(R.id.add_to_homescreen_id).isVisible());
         Assert.assertFalse(menu.findItem(R.id.open_webapk_id).isVisible());
     }
+
+    /**
+     * This test verifies that untrusted intents are not launched by PaymentHandlerActivity.
+     * The source of untrusted intent for our test is IntentURI.
+     */
+    @Test
+    @LargeTest
+    public void testCCTOpenedFromIntentUriWithPaymentsUI() throws Exception {
+        final String initialUrl =
+                mServerRule.getServer().getURL("/chrome/test/data/android/url_overriding/"
+                        + "navigation_to_cct_via_intent_uri_spoofing.html");
+
+        mChromeActivityTestRule.startMainActivityOnBlankPage();
+        mChromeActivityTestRule.loadUrlInNewTab(initialUrl);
+
+        mChromeActivityTestRule.getActivity().onUserInteraction();
+        // Simulate the click on the link that fires the IntentURI for external navigations.
+        try {
+            DOMUtils.clickNode(mChromeActivityTestRule.getWebContents(), "link");
+        } catch (TimeoutException e) {
+            Assert.fail("Failed to click on the target node.");
+            return;
+        }
+
+        // We poll to check that a CustomTabActivity is fired because of our IntentURI.
+        // We also check that this CustomTabActivity should not be of PaymentHandlerActivity
+        // type as it lacks the trusted extras which can only be added by Chrome.
+        CriteriaHelper.pollUiThread(() -> {
+            boolean isCCTLaunched = false;
+            for (Activity runningActivity : ApplicationStatus.getRunningActivities()) {
+                if (runningActivity instanceof CustomTabActivity) {
+                    isCCTLaunched = true;
+                    CustomTabActivity cta = (CustomTabActivity) runningActivity;
+                    if (PaymentHandlerActivity.class == cta.getClass()) return false;
+                }
+            }
+            return isCCTLaunched;
+        });
+    }
 }

chrome/test/data/android/url_overriding/navigation_to_cct_via_intent_uri_spoofing.html

+<!DOCTYPE html>
+<html>
+<!--
+Intent URI example taken from crbug.com/1056754 with package modification here.
+-->
+<head>
+    <meta name="viewport"
+          content="width=device-width, initial-scale=1.0, maximum-scale=1.0" />
+</head>
+
+<body>
+<a id="link" target='_blank' href='intent://about:blank#Intent;package=org.chromium.chrome.tests;action=android.intent.action.VIEW;scheme=http;S.android.support.customtabs.extra.SESSION=;i.org.chromium.chrome.browser.customtabs.EXTRA_UI_TYPE=2;end;'>
+    Click to open App!!
+</a>
+</body>
+
+</html>
\ No newline at end of file