From 850c8129e650d1bd27102ad5378665e8c7ce39be Mon Sep 17 00:00:00 2001
From: TYM Tsai <tymtsai@google.com>
Date: Wed, 1 Apr 2020 02:26:58 +0800
Subject: [PATCH] Filter the content of the Bundles used as extras and styling
 APIs

Adds filter to prevent passing binder objects in the extras and styling
APIs for inline suggestions. Avoids these to be used to send over remote
objects for Autofill provider and IME to communicate through private APIs
bypassing the OS.

Bug: 152316540
Test: atest CtsAutoFillServiceTestCases
Test: atest InlineSuggestionsRequestTest
Change-Id: I00940a845ed0e2546cbe09fa36e2439869c2f783
---
 .../InlineSuggestionSession.java              |  1 +
 .../service/autofill/AutofillService.java     |  2 ++
 .../InlineSuggestionRenderService.java        |  2 ++
 .../augmented/AugmentedAutofillService.java   |  2 ++
 .../inputmethod/InlineSuggestionsRequest.java | 17 +++++++++++++--
 .../widget/inline/InlinePresentationSpec.java | 12 +++++++++--
 .../widget/InlinePresentationStyleUtils.java  | 21 +++++++++++++++++++
 7 files changed, 53 insertions(+), 4 deletions(-)

diff --git a/core/java/android/inputmethodservice/InlineSuggestionSession.java b/core/java/android/inputmethodservice/InlineSuggestionSession.java
index 98ccbfc8aef47..26197883c32fa 100644
--- a/core/java/android/inputmethodservice/InlineSuggestionSession.java
+++ b/core/java/android/inputmethodservice/InlineSuggestionSession.java
@@ -169,6 +169,7 @@ class InlineSuggestionSession {
                 mCallback.onInlineSuggestionsUnsupported();
             } else {
                 request.setHostInputToken(mHostInputTokenSupplier.get());
+                request.filterContentTypes();
                 mResponseCallback = new InlineSuggestionsResponseCallbackImpl(this);
                 mCallback.onInlineSuggestionsRequest(request, mResponseCallback);
             }
diff --git a/core/java/android/service/autofill/AutofillService.java b/core/java/android/service/autofill/AutofillService.java
index 5a918023fdc36..188670d0df505 100644
--- a/core/java/android/service/autofill/AutofillService.java
+++ b/core/java/android/service/autofill/AutofillService.java
@@ -23,6 +23,7 @@ import android.annotation.Nullable;
 import android.annotation.SdkConstant;
 import android.app.Service;
 import android.content.Intent;
+import android.os.BaseBundle;
 import android.os.CancellationSignal;
 import android.os.Handler;
 import android.os.IBinder;
@@ -611,6 +612,7 @@ public abstract class AutofillService extends Service {
     public void onCreate() {
         super.onCreate();
         mHandler = new Handler(Looper.getMainLooper(), null, true);
+        BaseBundle.setShouldDefuse(true);
     }
 
     @Override
diff --git a/core/java/android/service/autofill/InlineSuggestionRenderService.java b/core/java/android/service/autofill/InlineSuggestionRenderService.java
index e3ed21ff556d7..d3ad1c6b88621 100644
--- a/core/java/android/service/autofill/InlineSuggestionRenderService.java
+++ b/core/java/android/service/autofill/InlineSuggestionRenderService.java
@@ -26,6 +26,7 @@ import android.app.slice.Slice;
 import android.content.Intent;
 import android.content.IntentSender;
 import android.graphics.PixelFormat;
+import android.os.BaseBundle;
 import android.os.Bundle;
 import android.os.Handler;
 import android.os.IBinder;
@@ -146,6 +147,7 @@ public abstract class InlineSuggestionRenderService extends Service {
     @Override
     @Nullable
     public final IBinder onBind(@NonNull Intent intent) {
+        BaseBundle.setShouldDefuse(true);
         if (SERVICE_INTERFACE.equals(intent.getAction())) {
             return new IInlineSuggestionRenderService.Stub() {
                 @Override
diff --git a/core/java/android/service/autofill/augmented/AugmentedAutofillService.java b/core/java/android/service/autofill/augmented/AugmentedAutofillService.java
index b47b2b41bdd90..cca45f5724893 100644
--- a/core/java/android/service/autofill/augmented/AugmentedAutofillService.java
+++ b/core/java/android/service/autofill/augmented/AugmentedAutofillService.java
@@ -30,6 +30,7 @@ import android.app.Service;
 import android.content.ComponentName;
 import android.content.Intent;
 import android.graphics.Rect;
+import android.os.BaseBundle;
 import android.os.Build;
 import android.os.Bundle;
 import android.os.CancellationSignal;
@@ -132,6 +133,7 @@ public abstract class AugmentedAutofillService extends Service {
     public void onCreate() {
         super.onCreate();
         mHandler = new Handler(Looper.getMainLooper(), null, true);
+        BaseBundle.setShouldDefuse(true);
     }
 
     /** @hide */
diff --git a/core/java/android/view/inputmethod/InlineSuggestionsRequest.java b/core/java/android/view/inputmethod/InlineSuggestionsRequest.java
index d282b56aedb6d..4d4faa4ba2a33 100644
--- a/core/java/android/view/inputmethod/InlineSuggestionsRequest.java
+++ b/core/java/android/view/inputmethod/InlineSuggestionsRequest.java
@@ -126,6 +126,19 @@ public final class InlineSuggestionsRequest implements Parcelable {
         Preconditions.checkState(mMaxSuggestionCount >= mInlinePresentationSpecs.size());
     }
 
+    /**
+     * Removes the remote objects from the bundles within the {@Code mExtras} and the
+     * {@code mInlinePresentationSpecs}.
+     *
+     * @hide
+     */
+    public void filterContentTypes() {
+        InlinePresentationStyleUtils.filterContentTypes(mExtras);
+        for (int i = 0; i < mInlinePresentationSpecs.size(); i++) {
+            mInlinePresentationSpecs.get(i).filterContentTypes();
+        }
+    }
+
     private static int defaultMaxSuggestionCount() {
         return SUGGESTION_COUNT_UNLIMITED;
     }
@@ -582,10 +595,10 @@ public final class InlineSuggestionsRequest implements Parcelable {
     }
 
     @DataClass.Generated(
-            time = 1586992395497L,
+            time = 1587537617922L,
             codegenVersion = "1.0.15",
             sourceFile = "frameworks/base/core/java/android/view/inputmethod/InlineSuggestionsRequest.java",
-            inputSignatures = "public static final  int SUGGESTION_COUNT_UNLIMITED\nprivate final  int mMaxSuggestionCount\nprivate final @android.annotation.NonNull java.util.List<android.widget.inline.InlinePresentationSpec> mInlinePresentationSpecs\nprivate @android.annotation.NonNull java.lang.String mHostPackageName\nprivate @android.annotation.NonNull android.os.LocaleList mSupportedLocales\nprivate @android.annotation.NonNull android.os.Bundle mExtras\nprivate @android.annotation.Nullable android.os.IBinder mHostInputToken\nprivate  int mHostDisplayId\npublic  void setHostInputToken(android.os.IBinder)\nprivate  boolean extrasEquals(android.os.Bundle)\nprivate  void parcelHostInputToken(android.os.Parcel,int)\nprivate @android.annotation.Nullable android.os.IBinder unparcelHostInputToken(android.os.Parcel)\npublic  void setHostDisplayId(int)\nprivate  void onConstructed()\nprivate static  int defaultMaxSuggestionCount()\nprivate static  java.lang.String defaultHostPackageName()\nprivate static  android.os.LocaleList defaultSupportedLocales()\nprivate static @android.annotation.Nullable android.os.IBinder defaultHostInputToken()\nprivate static @android.annotation.Nullable int defaultHostDisplayId()\nprivate static @android.annotation.NonNull android.os.Bundle defaultExtras()\nclass InlineSuggestionsRequest extends java.lang.Object implements [android.os.Parcelable]\n@com.android.internal.util.DataClass(genEqualsHashCode=true, genToString=true, genBuilder=true)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setInlinePresentationSpecs(java.util.List<android.widget.inline.InlinePresentationSpec>)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setHostPackageName(java.lang.String)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setHostInputToken(android.os.IBinder)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setHostDisplayId(int)\nclass BaseBuilder extends java.lang.Object implements []")
+            inputSignatures = "public static final  int SUGGESTION_COUNT_UNLIMITED\nprivate final  int mMaxSuggestionCount\nprivate final @android.annotation.NonNull java.util.List<android.widget.inline.InlinePresentationSpec> mInlinePresentationSpecs\nprivate @android.annotation.NonNull java.lang.String mHostPackageName\nprivate @android.annotation.NonNull android.os.LocaleList mSupportedLocales\nprivate @android.annotation.NonNull android.os.Bundle mExtras\nprivate @android.annotation.Nullable android.os.IBinder mHostInputToken\nprivate  int mHostDisplayId\npublic  void setHostInputToken(android.os.IBinder)\nprivate  boolean extrasEquals(android.os.Bundle)\nprivate  void parcelHostInputToken(android.os.Parcel,int)\nprivate @android.annotation.Nullable android.os.IBinder unparcelHostInputToken(android.os.Parcel)\npublic  void setHostDisplayId(int)\nprivate  void onConstructed()\npublic  void filterContentTypes()\nprivate static  int defaultMaxSuggestionCount()\nprivate static  java.lang.String defaultHostPackageName()\nprivate static  android.os.LocaleList defaultSupportedLocales()\nprivate static @android.annotation.Nullable android.os.IBinder defaultHostInputToken()\nprivate static @android.annotation.Nullable int defaultHostDisplayId()\nprivate static @android.annotation.NonNull android.os.Bundle defaultExtras()\nclass InlineSuggestionsRequest extends java.lang.Object implements [android.os.Parcelable]\n@com.android.internal.util.DataClass(genEqualsHashCode=true, genToString=true, genBuilder=true)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setInlinePresentationSpecs(java.util.List<android.widget.inline.InlinePresentationSpec>)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setHostPackageName(java.lang.String)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setHostInputToken(android.os.IBinder)\nabstract  android.view.inputmethod.InlineSuggestionsRequest.Builder setHostDisplayId(int)\nclass BaseBuilder extends java.lang.Object implements []")
     @Deprecated
     private void __metadata() {}
 
diff --git a/core/java/android/widget/inline/InlinePresentationSpec.java b/core/java/android/widget/inline/InlinePresentationSpec.java
index 5635857154dee..9f966d84eb347 100644
--- a/core/java/android/widget/inline/InlinePresentationSpec.java
+++ b/core/java/android/widget/inline/InlinePresentationSpec.java
@@ -57,6 +57,14 @@ public final class InlinePresentationSpec implements Parcelable {
         return InlinePresentationStyleUtils.bundleEquals(mStyle, style);
     }
 
+    /**
+     * Removes the remote objects from the {@code mStyle}.
+     * @hide
+     */
+    public void filterContentTypes() {
+        InlinePresentationStyleUtils.filterContentTypes(mStyle);
+    }
+
     /** @hide */
     @DataClass.Suppress({"setMaxSize", "setMinSize"})
     abstract static class BaseBuilder {
@@ -285,10 +293,10 @@ public final class InlinePresentationSpec implements Parcelable {
     }
 
     @DataClass.Generated(
-            time = 1585768046898L,
+            time = 1586935491105L,
             codegenVersion = "1.0.15",
             sourceFile = "frameworks/base/core/java/android/widget/inline/InlinePresentationSpec.java",
-            inputSignatures = "private final @android.annotation.NonNull android.util.Size mMinSize\nprivate final @android.annotation.NonNull android.util.Size mMaxSize\nprivate final @android.annotation.NonNull android.os.Bundle mStyle\nprivate static @android.annotation.NonNull android.os.Bundle defaultStyle()\nprivate  boolean styleEquals(android.os.Bundle)\nclass InlinePresentationSpec extends java.lang.Object implements [android.os.Parcelable]\n@com.android.internal.util.DataClass(genEqualsHashCode=true, genToString=true, genBuilder=true)\nclass BaseBuilder extends java.lang.Object implements []")
+            inputSignatures = "private final @android.annotation.NonNull android.util.Size mMinSize\nprivate final @android.annotation.NonNull android.util.Size mMaxSize\nprivate final @android.annotation.NonNull android.os.Bundle mStyle\nprivate static @android.annotation.NonNull android.os.Bundle defaultStyle()\nprivate  boolean styleEquals(android.os.Bundle)\npublic  void filterContentTypes()\nclass InlinePresentationSpec extends java.lang.Object implements [android.os.Parcelable]\n@com.android.internal.util.DataClass(genEqualsHashCode=true, genToString=true, genBuilder=true)\nclass BaseBuilder extends java.lang.Object implements []")
     @Deprecated
     private void __metadata() {}
 
diff --git a/core/java/com/android/internal/widget/InlinePresentationStyleUtils.java b/core/java/com/android/internal/widget/InlinePresentationStyleUtils.java
index 264c8bd2303a4..db1725ff461cf 100644
--- a/core/java/com/android/internal/widget/InlinePresentationStyleUtils.java
+++ b/core/java/com/android/internal/widget/InlinePresentationStyleUtils.java
@@ -17,7 +17,9 @@
 package com.android.internal.widget;
 
 import android.annotation.NonNull;
+import android.annotation.Nullable;
 import android.os.Bundle;
+import android.os.IBinder;
 
 import java.util.Objects;
 import java.util.Set;
@@ -60,6 +62,25 @@ public final class InlinePresentationStyleUtils {
         return true;
     }
 
+    /**
+     * Removes remote objects from the bundle.
+     */
+    public static void filterContentTypes(@Nullable Bundle bundle) {
+        if (bundle == null) {
+            return;
+        }
+
+        for (String key : bundle.keySet()) {
+            Object o = bundle.get(key);
+
+            if (o instanceof Bundle) {
+                filterContentTypes((Bundle) o);
+            } else if (o instanceof IBinder) {
+                bundle.remove(key);
+            }
+        }
+    }
+
     /**
      * Private ctor to avoid constructing the class.
      */