Prevent external intents triggering file sharing (#6734)

CDRussell · web-flow · commit b3b5530deaf6 · 2025-09-04T16:09:51.000+01:00
Task/Issue URL: https://app.asana.com/1/137249556945/project/608920331025315/task/1211244379062806?focus=true ### Steps to test this PR See linked task Co-authored-by: Craig Russell <1336281+CDRussell@users.noreply.github.com>
diff --git a/app/src/androidTest/java/com/duckduckgo/app/browser/BrowserTabViewModelTest.kt b/app/src/androidTest/java/com/duckduckgo/app/browser/BrowserTabViewModelTest.kt
@@ -118,6 +118,7 @@ import com.duckduckgo.app.browser.omnibar.model.OmnibarPosition.BOTTOM
 import com.duckduckgo.app.browser.omnibar.model.OmnibarPosition.TOP
 import com.duckduckgo.app.browser.refreshpixels.RefreshPixelSender
 import com.duckduckgo.app.browser.remotemessage.RemoteMessagingModel
+import com.duckduckgo.app.browser.santize.NonHttpAppLinkChecker
 import com.duckduckgo.app.browser.senseofprotection.SenseOfProtectionExperiment
 import com.duckduckgo.app.browser.session.WebViewSessionStorage
 import com.duckduckgo.app.browser.tabs.TabManager
@@ -584,6 +585,8 @@ class BrowserTabViewModelTest {
     private val mockOnboardingDesignExperimentManager: OnboardingDesignExperimentManager = mock()
     private val mockSerpEasterEggLogoToggles: SerpEasterEggLogosToggles = mock()
 
+    private val nonHttpAppLinkChecker: NonHttpAppLinkChecker = mock()
+
     private val EXAMPLE_URL = "http://example.com"
     private val SHORT_EXAMPLE_URL = "example.com"
 
@@ -652,7 +655,7 @@ class BrowserTabViewModelTest {
         whenever(mockOnboardingDesignExperimentManager.isBuckEnrolledAndEnabled()).thenReturn(false)
         whenever(mockOnboardingDesignExperimentManager.isBbEnrolledAndEnabled()).thenReturn(false)
         whenever(mockSerpEasterEggLogoToggles.feature()).thenReturn(mockDisabledToggle)
-
+        whenever(nonHttpAppLinkChecker.isPermitted(anyOrNull())).thenReturn(true)
         remoteMessagingModel = givenRemoteMessagingModel(mockRemoteMessagingRepository, mockPixel, coroutineRule.testDispatcherProvider)
 
         ctaViewModel = CtaViewModel(
@@ -798,6 +801,7 @@ class BrowserTabViewModelTest {
             addressDisplayFormatter = mockAddressDisplayFormatter,
             autoCompleteSettings = mockAutoCompleteSettings,
             serpEasterEggLogosToggles = mockSerpEasterEggLogoToggles,
+            nonHttpAppLinkChecker = nonHttpAppLinkChecker,
         )
 
         testee.loadData("abc", null, false, false)
@@ -3767,6 +3771,14 @@ class BrowserTabViewModelTest {
         assertCommandIssued<Command.HandleNonHttpAppLink>()
     }
 
+    @Test
+    fun whenHandleNonHttpAppLinkCalledWithUnpermittedIntentThenDoNotHandleNonHttpAppLink() {
+        whenever(nonHttpAppLinkChecker.isPermitted(any())).thenReturn(false)
+        val urlType = SpecialUrlDetector.UrlType.NonHttpAppLink("market://details?id=com.example", Intent(), EXAMPLE_URL)
+        assertTrue(testee.handleNonHttpAppLink(urlType))
+        assertCommandNotIssued<Command.HandleNonHttpAppLink>()
+    }
+
     @Test
     fun whenUserSubmittedQueryIsAppLinkAndShouldShowPromptThenOpenAppLinkInBrowserAndSetPreviousUrlToNull() {
         whenever(mockOmnibarConverter.convertQueryToUrl("foo", null)).thenReturn("foo.com")
diff --git a/app/src/main/java/com/duckduckgo/app/browser/BrowserTabViewModel.kt b/app/src/main/java/com/duckduckgo/app/browser/BrowserTabViewModel.kt
@@ -193,6 +193,7 @@ import com.duckduckgo.app.browser.omnibar.QueryOrigin.FromAutocomplete
 import com.duckduckgo.app.browser.omnibar.model.OmnibarPosition
 import com.duckduckgo.app.browser.omnibar.model.OmnibarPosition.TOP
 import com.duckduckgo.app.browser.refreshpixels.RefreshPixelSender
+import com.duckduckgo.app.browser.santize.NonHttpAppLinkChecker
 import com.duckduckgo.app.browser.senseofprotection.SenseOfProtectionExperiment
 import com.duckduckgo.app.browser.session.WebViewSessionStorage
 import com.duckduckgo.app.browser.tabs.TabManager
@@ -479,6 +480,7 @@ class BrowserTabViewModel @Inject constructor(
     private val addressDisplayFormatter: AddressDisplayFormatter,
     private val onboardingDesignExperimentManager: OnboardingDesignExperimentManager,
     private val serpEasterEggLogosToggles: SerpEasterEggLogosToggles,
+    private val nonHttpAppLinkChecker: NonHttpAppLinkChecker,
 ) : WebViewClientListener,
     EditSavedSiteListener,
     DeleteBookmarkListener,
@@ -3051,7 +3053,9 @@ class BrowserTabViewModel @Inject constructor(
     }
 
     fun nonHttpAppLinkClicked(appLink: NonHttpAppLink) {
-        command.value = HandleNonHttpAppLink(appLink, getUrlHeaders(appLink.fallbackUrl))
+        if (nonHttpAppLinkChecker.isPermitted(appLink.intent)) {
+            command.value = HandleNonHttpAppLink(appLink, getUrlHeaders(appLink.fallbackUrl))
+        }
     }
 
     fun onPrintSelected() {
diff --git a/app/src/main/java/com/duckduckgo/app/browser/santize/NonHttpAppLinkChecker.kt b/app/src/main/java/com/duckduckgo/app/browser/santize/NonHttpAppLinkChecker.kt
@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2025 DuckDuckGo
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.duckduckgo.app.browser.santize
+
+import android.content.Intent
+import com.duckduckgo.appbuildconfig.api.AppBuildConfig
+import com.duckduckgo.di.scopes.FragmentScope
+import com.squareup.anvil.annotations.ContributesBinding
+import javax.inject.Inject
+import logcat.LogPriority.WARN
+import logcat.logcat
+
+interface NonHttpAppLinkChecker {
+    fun isPermitted(intent: Intent): Boolean
+}
+
+@ContributesBinding(FragmentScope::class)
+class RealNonHttpAppLinkChecker @Inject constructor(
+    private val appBuildConfig: AppBuildConfig,
+) : NonHttpAppLinkChecker {
+
+    override fun isPermitted(intent: Intent): Boolean {
+        val internalContentFileProvider = CONTENT_PREFIX + appBuildConfig.applicationId + CONTENT_SUFFIX
+
+        // check main data URI
+        if (intent.dataString?.contains(internalContentFileProvider, ignoreCase = true) == true) {
+            logcat(WARN) { "Refusing to open an internal content URI from external app" }
+            return false
+        }
+
+        // Check clipData URIs
+        intent.clipData?.let { clipData ->
+            for (i in 0 until clipData.itemCount) {
+                clipData.getItemAt(i).uri?.toString()?.let { uriString ->
+                    if (uriString.contains(internalContentFileProvider, ignoreCase = true)) {
+                        logcat(WARN) { "Refusing to open an internal content URI in clipData from external app" }
+                        return false
+                    }
+                }
+            }
+        }
+
+        return true
+    }
+
+    companion object {
+        private const val CONTENT_PREFIX = "content://"
+        private const val CONTENT_SUFFIX = ".provider"
+    }
+}
diff --git a/app/src/test/java/com/duckduckgo/app/browser/santize/RealNonHttpAppLinkCheckerTest.kt b/app/src/test/java/com/duckduckgo/app/browser/santize/RealNonHttpAppLinkCheckerTest.kt
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 2025 DuckDuckGo
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.duckduckgo.app.browser.santize
+
+import android.content.ClipData
+import android.content.Intent
+import android.net.Uri
+import androidx.test.ext.junit.runners.AndroidJUnit4
+import com.duckduckgo.appbuildconfig.api.AppBuildConfig
+import org.junit.Assert.assertFalse
+import org.junit.Assert.assertTrue
+import org.junit.Before
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.mockito.Mock
+import org.mockito.Mockito.mock
+import org.mockito.kotlin.whenever
+
+@RunWith(AndroidJUnit4::class)
+class RealNonHttpAppLinkCheckerTest {
+
+    @Mock
+    private val appBuildConfig: AppBuildConfig = mock()
+
+    private lateinit var testee: RealNonHttpAppLinkChecker
+
+    @Before
+    fun setUp() {
+        whenever(appBuildConfig.applicationId).thenReturn("com.duckduckgo.mobile.android")
+        testee = RealNonHttpAppLinkChecker(appBuildConfig)
+    }
+
+    @Test
+    fun whenIntentDataStringContainsInternalContentFileProviderThenReturnFalse() {
+        val intent = Intent().apply {
+            data = Uri.parse("content://com.duckduckgo.mobile.android.provider/path/to/file")
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertFalse(result)
+    }
+
+    @Test
+    fun whenIntentDataStringContainsInternalContentFileProviderWithSubpathThenReturnFalse() {
+        val intent = Intent().apply {
+            data = Uri.parse("content://com.duckduckgo.mobile.android.provider/external_files/documents/test.pdf")
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertFalse(result)
+    }
+
+    @Test
+    fun whenIntentDataStringContainsExternalContentProviderThenReturnTrue() {
+        val intent = Intent().apply {
+            data = Uri.parse("content://com.other.app.provider/path/to/file")
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentDataStringIsHttpsUrlThenReturnTrue() {
+        val intent = Intent().apply {
+            data = Uri.parse("https://example.com/page")
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentDataStringIsCustomSchemeThenReturnTrue() {
+        val intent = Intent().apply {
+            data = Uri.parse("myapp://action/data")
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentDataIsNullThenReturnTrue() {
+        val intent = Intent().apply {
+            data = null
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentDataStringIsNullThenReturnTrue() {
+        val intent = Intent().apply {
+            data = Uri.parse("")
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentDataStringContainsInternalProviderInUpperCaseThenReturnFalse() {
+        val intent = Intent().apply {
+            data = Uri.parse("CONTENT://COM.DUCKDUCKGO.MOBILE.ANDROID.PROVIDER/file")
+        }
+
+        assertFalse(testee.isPermitted(intent))
+    }
+
+    @Test
+    fun whenIntentClipDataContainsInternalContentFileProviderThenReturnFalse() {
+        val clipData = ClipData.newRawUri("test", Uri.parse("content://com.duckduckgo.mobile.android.provider/file"))
+        val intent = Intent().apply {
+            data = Uri.parse("https://example.com/safe")
+            setClipData(clipData)
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertFalse(result)
+    }
+
+    @Test
+    fun whenIntentClipDataContainsMultipleUrisWithInternalProviderThenReturnFalse() {
+        val clipData = ClipData.newRawUri("test", Uri.parse("https://example.com/safe"))
+        clipData.addItem(ClipData.Item(Uri.parse("content://com.duckduckgo.mobile.android.provider/file")))
+        val intent = Intent().apply {
+            data = Uri.parse("https://example.com/safe")
+            setClipData(clipData)
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertFalse(result)
+    }
+
+    @Test
+    fun whenIntentClipDataContainsOnlyExternalProvidersThenReturnTrue() {
+        val clipData = ClipData.newRawUri("test", Uri.parse("content://com.other.app.provider/file"))
+        clipData.addItem(ClipData.Item(Uri.parse("https://example.com/safe")))
+        val intent = Intent().apply {
+            data = Uri.parse("https://example.com/safe")
+            setClipData(clipData)
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentClipDataIsNullThenReturnTrue() {
+        val intent = Intent().apply {
+            data = Uri.parse("https://example.com/safe")
+            clipData = null
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+
+    @Test
+    fun whenIntentClipDataHasItemWithNullUriThenReturnTrue() {
+        val clipData = ClipData.newPlainText("test", "some text")
+        val intent = Intent().apply {
+            data = Uri.parse("https://example.com/safe")
+            setClipData(clipData)
+        }
+
+        val result = testee.isPermitted(intent)
+
+        assertTrue(result)
+    }
+}
