Increase test coverage for handling EXTRA_HEADERS from Intents

Bug: 873178 Change-Id: I58082258d173cd90281500c5ae5499c1e7df20f9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2031111Reviewed-by: Ted Choc <tedchoc@chromium.org> Commit-Queue: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#738059}

Increase test coverage for handling EXTRA_HEADERS from Intents
Bug: 873178 Change-Id: I58082258d173cd90281500c5ae5499c1e7df20f9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2031111Reviewed-by: Ted Choc <tedchoc@chromium.org> Commit-Queue: Jochen Eisinger <jochen@chromium.org> Cr-Commit-Position: refs/heads/master@{#738059}
84fb2637 · Jochen Eisinger · Commit Bot · f3257c1d · 84fb2637 · 84fb2637
Commit 84fb2637 authored Feb 04, 2020 by Jochen Eisinger Committed by Commit Bot Feb 04, 2020
2 changed files
--- a/chrome/android/java/src/org/chromium/chrome/browser/IntentHandler.java
+++ b/chrome/android/java/src/org/chromium/chrome/browser/IntentHandler.java
@@ -722,17 +722,22 @@ public class IntentHandler {
     */
    public static void addTrustedIntentExtras(Intent intent) {
        if (ExternalNavigationDelegateImpl.willChromeHandleIntent(intent, true)) {
-            // It is crucial that we never leak the authentication token to other packages, because
-            // then the other package could be used to impersonate us/do things as us. Therefore,
-            // scope the real Intent to our package.
-            intent.setPackage(ContextUtils.getApplicationContext().getPackageName());
-            // The PendingIntent functions as an authentication token --- it could only have come
-            // from us. Stash it in the real Intent as an extra. shouldIgnoreIntent will retrieve it
-            // and check it with isIntentChromeInternal.
-            intent.putExtra(TRUSTED_APPLICATION_CODE_EXTRA, getAuthenticationToken());
+            addTrustedIntentExtrasInternal(intent);
        }
    }

+    @VisibleForTesting
+    static void addTrustedIntentExtrasInternal(Intent intent) {
+        // It is crucial that we never leak the authentication token to other packages, because
+        // then the other package could be used to impersonate us/do things as us. Therefore,
+        // scope the real Intent to our package.
+        intent.setPackage(ContextUtils.getApplicationContext().getPackageName());
+        // The PendingIntent functions as an authentication token --- it could only have come
+        // from us. Stash it in the real Intent as an extra. shouldIgnoreIntent will retrieve it
+        // and check it with isIntentChromeInternal.
+        intent.putExtra(TRUSTED_APPLICATION_CODE_EXTRA, getAuthenticationToken());
+    }
+
    /**
     * Sets the Extra field 'EXTRA_HEADERS' on intent. If |extraHeaders| is empty or null,
     * removes 'EXTRA_HEADERS' from intent.

--- a/chrome/android/javatests/src/org/chromium/chrome/browser/IntentHandlerTest.java
+++ b/chrome/android/javatests/src/org/chromium/chrome/browser/IntentHandlerTest.java
@@ -28,11 +28,15 @@ import org.chromium.base.CollectionUtil;
 import org.chromium.base.metrics.RecordHistogram;
 import org.chromium.base.test.BaseJUnit4ClassRunner;
 import org.chromium.base.test.util.Feature;
+import org.chromium.chrome.browser.flags.ChromeFeatureList;
 import org.chromium.chrome.browser.test.CommandLineInitRule;
 import org.chromium.chrome.browser.util.UrlConstants;
 import org.chromium.chrome.browser.webapps.WebappInfo;
 import org.chromium.chrome.browser.webapps.WebappLauncherActivity;
 import org.chromium.chrome.test.ChromeBrowserTestRule;
+import org.chromium.chrome.test.util.browser.Features;
+import org.chromium.chrome.test.util.browser.Features.DisableFeatures;
+import org.chromium.chrome.test.util.browser.Features.EnableFeatures;
 import org.chromium.chrome.test.util.browser.webapps.WebappTestHelper;

 import java.util.ArrayList;
@@ -43,9 +47,11 @@ import java.util.List;
 * TODO(nileshagrawal): Add tests for onNewIntent.
 */
 @RunWith(BaseJUnit4ClassRunner.class)
+@DisableFeatures({ChromeFeatureList.ANDROID_BLOCK_INTENT_NON_SAFELISTED_HEADERS})
 public class IntentHandlerTest {
    @Rule
-    public final RuleChain mChain = RuleChain.outerRule(new CommandLineInitRule(null))
+    public final RuleChain mChain = RuleChain.outerRule(new Features.JUnitProcessor())
+                                            .around(new CommandLineInitRule(null))
                                            .around(new ChromeBrowserTestRule())
                                            .around(new UiThreadTestRule());

@@ -302,11 +308,11 @@ public class IntentHandlerTest {
    public void testRefererUrl_extraHeadersInclReferer() {
        // Check that invalid header specified in EXTRA_HEADERS isn't used.
        Bundle bundle = new Bundle();
-        bundle.putString("X-custom-header", "X-custom-value");
+        bundle.putString("Accept", "application/xhtml+xml");
        bundle.putString("Referer", GOOGLE_URL);
        Intent headersIntent = new Intent(Intent.ACTION_VIEW);
        headersIntent.putExtra(Browser.EXTRA_HEADERS, bundle);
-        Assert.assertEquals("X-custom-header: X-custom-value",
+        Assert.assertEquals("Accept: application/xhtml+xml",
                IntentHandler.getExtraHeadersFromIntent(headersIntent));
        Assert.assertNull(IntentHandler.getReferrerUrlIncludingExtraHeaders(headersIntent));
    }
@@ -318,12 +324,12 @@ public class IntentHandlerTest {
    public void testRefererUrl_extraHeadersInclRefererMultiple() {
        // Check that invalid header specified in EXTRA_HEADERS isn't used.
        Bundle bundle = new Bundle();
-        bundle.putString("X-custom-header", "X-custom-value");
-        bundle.putString("X-custom-header-2", "X-custom-value-2");
+        bundle.putString("Accept", "application/xhtml+xml");
+        bundle.putString("Content-Language", "de-DE, en-CA");
        bundle.putString("Referer", GOOGLE_URL);
        Intent headersIntent = new Intent(Intent.ACTION_VIEW);
        headersIntent.putExtra(Browser.EXTRA_HEADERS, bundle);
-        Assert.assertEquals("X-custom-header-2: X-custom-value-2\nX-custom-header: X-custom-value",
+        Assert.assertEquals("Content-Language: de-DE, en-CA\nAccept: application/xhtml+xml",
                IntentHandler.getExtraHeadersFromIntent(headersIntent));
        Assert.assertNull(IntentHandler.getReferrerUrlIncludingExtraHeaders(headersIntent));
    }
@@ -411,6 +417,33 @@ public class IntentHandlerTest {
        Assert.assertNull(IntentHandler.getExtraHeadersFromIntent(headersIntent));
    }

+    @Test
+    @SmallTest
+    @UiThreadTest
+    @Feature({"Android-AppBase"})
+    public void testKeepCustomHeaderFromInternalIntents() {
+        Bundle bundle = new Bundle();
+        bundle.putString("X-Some-Header", "1");
+        Intent headersIntent = new Intent(Intent.ACTION_VIEW);
+        headersIntent.putExtra(Browser.EXTRA_HEADERS, bundle);
+        IntentHandler.addTrustedIntentExtrasInternal(headersIntent);
+        Assert.assertEquals(
+                "X-Some-Header: 1", IntentHandler.getExtraHeadersFromIntent(headersIntent));
+    }
+
+    @Test
+    @SmallTest
+    @UiThreadTest
+    @Feature({"Android-AppBase"})
+    @EnableFeatures({ChromeFeatureList.ANDROID_BLOCK_INTENT_NON_SAFELISTED_HEADERS})
+    public void testStripNonCorsSafelistedCustomHeader() {
+        Bundle bundle = new Bundle();
+        bundle.putString("X-Some-Header", "1");
+        Intent headersIntent = new Intent(Intent.ACTION_VIEW);
+        headersIntent.putExtra(Browser.EXTRA_HEADERS, bundle);
+        Assert.assertNull(IntentHandler.getExtraHeadersFromIntent(headersIntent));
+    }
+
    @Test
    @SmallTest
    @UiThreadTest