Upstream: Add WebAPK security check in WebappLauncherActivity.

chrome/android/java/src/org/chromium/chrome/browser/webapps/WebappLauncherActivity.java

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.chrome.browser.webapps;
 
 import android.app.Activity;
 import android.content.Intent;
 import android.net.Uri;
 import android.os.Build;
 import android.os.Bundle;
 import android.util.Base64;
 
 import org.chromium.base.ApiCompatibilityUtils;
 import org.chromium.base.ApplicationStatus;
 import org.chromium.base.CommandLine;
 import org.chromium.base.ContextUtils;
 import org.chromium.base.Log;
 import org.chromium.chrome.browser.ChromeSwitches;
 import org.chromium.chrome.browser.IntentHandler;
 import org.chromium.chrome.browser.ShortcutHelper;
 import org.chromium.chrome.browser.document.ChromeLauncherActivity;
 import org.chromium.chrome.browser.metrics.LaunchMetrics;
 import org.chromium.chrome.browser.tab.Tab;
 import org.chromium.chrome.browser.util.IntentUtils;
-import org.chromium.webapk.lib.common.WebApkConstants;
+import org.chromium.webapk.lib.client.WebApkValidator;
 
 import java.lang.ref.WeakReference;
 
 /**
  * Launches web apps.  This was separated from the ChromeLauncherActivity because the
  * ChromeLauncherActivity is not allowed to be excluded from Android's Recents: crbug.com/517426.
  */
 public class WebappLauncherActivity extends Activity {
     /**
      * Action fired when an Intent is trying to launch a WebappActivity.
@@ skipping 14 matching lines @@
         }
 
         super.onCreate(savedInstanceState);
         Intent intent = getIntent();
         String webappId = webappInfo.id();
         String webappUrl = webappInfo.uri().toString();
         String webApkPackageName = webappInfo.webApkPackageName();
         int webappSource = webappInfo.source();
 
         if (webappId != null && webappUrl != null) {
-            String webappMacString = IntentUtils.safeGetStringExtra(
-                    intent, ShortcutHelper.EXTRA_MAC);
-            byte[] webappMac =
-                    webappMacString == null ? null : Base64.decode(webappMacString, Base64.DEFAULT);
-
             Intent launchIntent = null;
 
-            // Permit the launch to a standalone web app frame if the intent was sent by Chrome, or
-            // if the MAC is present and valid for the URL to be opened.
-            boolean isTrusted = IntentHandler.wasIntentSenderChrome(intent,
-                    ContextUtils.getApplicationContext());
-            boolean isUrlValid = (webappMac != null
-                    && WebappAuthenticator.isUrlValid(this, webappUrl, webappMac));
-            boolean isValidWebApk = isValidWebApk(webApkPackageName);
-            if (webApkPackageName != null && !isValidWebApk) {
-                isUrlValid = false;
-            }
+            // Permit the launch to a standalone web app frame if any of the following are true:
+            // - the request was for a WebAPK that is valid;
+            // - the MAC is present and valid for the homescreen shortcut to be opened;
+            // - the intent was sent by Chrome.
+            boolean isValidWebApk = isValidWebApk(webApkPackageName, webappUrl);
 
-            if (isTrusted || isUrlValid) {
+            if (isValidWebApk
+                    || isValidMacForUrl(webappUrl, IntentUtils.safeGetStringExtra(
+                            intent, ShortcutHelper.EXTRA_MAC))
+                    || wasIntentFromChrome(intent)) {
                 LaunchMetrics.recordHomeScreenLaunchIntoStandaloneActivity(webappUrl, webappSource);
                 launchIntent = createWebappLaunchIntent(webappInfo, isValidWebApk);
             } else {
                 Log.e(TAG, "Shortcut (%s) opened in Chrome.", webappUrl);
 
                 // The shortcut data doesn't match the current encoding.  Change the intent action
                 // launch the URL with a VIEW Intent in the regular browser.
                 launchIntent = new Intent(Intent.ACTION_VIEW, Uri.parse(webappUrl));
                 launchIntent.setClassName(getPackageName(), ChromeLauncherActivity.class.getName());
                 launchIntent.putExtra(ShortcutHelper.REUSE_URL_MATCHING_TAB_ELSE_NEW_TAB, true);
                 launchIntent.putExtra(ShortcutHelper.EXTRA_SOURCE, webappSource);
                 launchIntent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK
                         | ApiCompatibilityUtils.getActivityNewDocumentFlag());
             }
 
             startActivity(launchIntent);
         }
 
         ApiCompatibilityUtils.finishAndRemoveTask(this);
     }
 
     /**
+     * Checks whether or not the MAC is present and valid for the web app shortcut.
+     *
+     * The MAC is used to prevent malicious apps from launching Chrome into a full screen
+     * Activity for phishing attacks (among other reasons).
+     *
+     * @param url The URL for the web app.
+     * @param mac MAC to compare the URL against.  See {@link WebappAuthenticator}.
+     * @return Whether the MAC is valid for the URL.
+     */
+    private boolean isValidMacForUrl(String url, String mac) {
+        return mac != null
+                && WebappAuthenticator.isUrlValid(this, url, Base64.decode(mac, Base64.DEFAULT));
+    }
+
+    private boolean wasIntentFromChrome(Intent intent) {
+        return IntentHandler.wasIntentSenderChrome(intent, ContextUtils.getApplicationContext());
+    }
+
+    /**
      * Creates an Intent to launch the web app.
      * @param info     Information about the web app.
      * @param isWebApk If true, launch the app as a WebApkActivity.  If false, launch the app as
      *                 a WebappActivity.
      */
     private Intent createWebappLaunchIntent(WebappInfo info, boolean isWebApk) {
         String activityName = isWebApk ? WebApkActivity.class.getName()
                 : WebappActivity.class.getName();
         if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
             // Specifically assign the app to a particular WebappActivity instance.
@@ skipping 38 matching lines @@
                 Tab tab = webappActivity.getActivityTab();
                 tab.getTabWebContentsDelegateAndroid().activateContents();
                 return true;
             }
         }
 
         return false;
     }
 
     /**
-     * Checks whether the package being targeted is a valid WebAPK.
-     * @param webapkPackageName The package name of the requested WebAPK.
+     * Checks whether the package being targeted is a valid WebAPK and whether the url supplied
+     * can be fulfilled by that WebAPK.
+     *
+     * @param webApkPackage The package name of the requested WebAPK.
+     * @param url The url to navigate to.
      * @return true iff all validation criteria are met.
      */
-    private boolean isValidWebApk(String webapkPackageName) {
-        // TODO(hanxi): Adds more validation checks. For example, whether the WebAPK is signed
-        // by the WebAPK Minting Server.
-        return CommandLine.getInstance().hasSwitch(ChromeSwitches.ENABLE_WEBAPK)
-                && webapkPackageName != null
-                && webapkPackageName.startsWith(WebApkConstants.WEBAPK_PACKAGE_PREFIX);
+    private boolean isValidWebApk(String webApkPackage, String url) {
+        if (!CommandLine.getInstance().hasSwitch(ChromeSwitches.ENABLE_WEBAPK)
+                || webApkPackage == null) {
+            return false;
+        }
+        if (!WebApkValidator.isValidWebApk(this, webApkPackage)) {
+            Log.d(TAG, "%s is not valid WebAPK", webApkPackage);
+            return false;
+        }
+        if (!webApkPackage.equals(WebApkValidator.queryWebApkPackage(this, url))) {
+            Log.d(TAG, "%s is not within scope of %s WebAPK", url, webApkPackage);
+            return false;
+        }
+        return true;
     }
 }