[Android] Block access to java.lang.Object.getClass in injected Java objects

content/public/android/javatests/src/org/chromium/content/browser/JavaBridgeBasicsTest.java

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.content.browser;
 
+import android.os.Handler;
+import android.os.Looper;
 import android.test.suitebuilder.annotation.SmallTest;
 
 import org.chromium.base.test.util.DisabledTest;
 import org.chromium.base.test.util.Feature;
 import org.chromium.content.browser.test.util.TestCallbackHelperContainer;
 import org.chromium.content_shell_apk.ContentShellActivity;
 
 import java.lang.annotation.Annotation;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ skipping 46 matching lines @@
             return mLongValue;
         }
         public synchronized String waitForStringValue() {
             waitForResult();
             return mStringValue;
         }
         public synchronized boolean waitForBooleanValue() {
             waitForResult();
             return mBooleanValue;
         }
+
+        public synchronized String getStringValue() {
+            return mStringValue;
+        }
     }
 
     private static class ObjectWithStaticMethod {
         public static String staticMethod() {
             return "foo";
         }
     }
 
     TestController mTestController;
 
@@ skipping 476 matching lines @@
                 "for (x in testObject) { result += \" \" + x } " +
                 "testController.setStringValue(result);");
         assertEquals(" equals getClass hashCode method notify notifyAll toString wait",
                 mTestController.waitForStringValue());
     }
 
     @SmallTest
     @Feature({"AndroidWebView", "Android-JavaBridge"})
     public void testReflectPublicMethod() throws Throwable {
         injectObjectAndReload(new Object() {
+            public Class<?> myGetClass() { return getClass(); }
             public String method() { return "foo"; }
         }, "testObject");
         assertEquals("foo", executeJavaScriptAndGetStringResult(
-                "testObject.getClass().getMethod('method', null).invoke(testObject, null)" +
+                "testObject.myGetClass().getMethod('method', null).invoke(testObject, null)" +
                 ".toString()"));
     }
 
     @SmallTest
     @Feature({"AndroidWebView", "Android-JavaBridge"})
     public void testReflectPublicField() throws Throwable {
         injectObjectAndReload(new Object() {
+            public Class<?> myGetClass() { return getClass(); }
             public String field = "foo";
         }, "testObject");
         assertEquals("foo", executeJavaScriptAndGetStringResult(
-                "testObject.getClass().getField('field').get(testObject).toString()"));
+                "testObject.myGetClass().getField('field').get(testObject).toString()"));
     }
 
     @SmallTest
     @Feature({"AndroidWebView", "Android-JavaBridge"})
     public void testReflectPrivateMethodRaisesException() throws Throwable {
         injectObjectAndReload(new Object() {
+            public Class<?> myGetClass() { return getClass(); }
             private void method() {};
         }, "testObject");
-        assertRaisesException("testObject.getClass().getMethod('method', null)");
+        assertRaisesException("testObject.myGetClass().getMethod('method', null)");
         // getDeclaredMethod() is able to access a private method, but invoke()
         // throws a Java exception.
         assertRaisesException(
-                "testObject.getClass().getDeclaredMethod('method', null).invoke(testObject, null)");
+                "testObject.myGetClass().getDeclaredMethod('method', null)." +
+                "invoke(testObject, null)");
     }
 
     @SmallTest
     @Feature({"AndroidWebView", "Android-JavaBridge"})
     public void testReflectPrivateFieldRaisesException() throws Throwable {
         injectObjectAndReload(new Object() {
+            public Class<?> myGetClass() { return getClass(); }
             private int field;
         }, "testObject");
-        assertRaisesException("testObject.getClass().getField('field')");
+        assertRaisesException("testObject.myGetClass().getField('field')");
         // getDeclaredField() is able to access a private field, but getInt()
         // throws a Java exception.
         assertRaisesException(
-                "testObject.getClass().getDeclaredField('field').getInt(testObject)");
+                "testObject.myGetClass().getDeclaredField('field').getInt(testObject)");
     }
 
     @SmallTest
     @Feature({"AndroidWebView", "Android-JavaBridge"})
     public void testAllowNonAnnotatedMethods() throws Throwable {
         injectObjectAndReload(new Object() {
             public String allowed() { return "foo"; }
         }, "testObject", null);
 
         // Test calling a method of an explicitly inherited class (Base#allowed()).
         assertEquals("foo", executeJavaScriptAndGetStringResult("testObject.allowed()"));
 
-        // Test calling a method of an implicitly inherited class (Object#getClass()).
-        assertEquals("object", executeJavaScriptAndGetStringResult("typeof testObject.getClass()"));
+        // Test calling a method of an implicitly inherited class (Object#toString()).
+        assertEquals("string", executeJavaScriptAndGetStringResult("typeof testObject.toString()"));
     }
 
     @SmallTest
     @Feature({"AndroidWebView", "Android-JavaBridge"})
     public void testAllowOnlyAnnotatedMethods() throws Throwable {
         injectObjectAndReload(new Object() {
             @JavascriptInterface
             public String allowed() { return "foo"; }
 
             public String disallowed() { return "bar"; }
@@ skipping 194 matching lines @@
             }
         });
 
         injectObjectAndReload(new Test(), nonInspectableObjectName, JavascriptInterface.class);
 
         assertEquals("", executeJavaScriptAndGetStringResult(
                         String.format(jsObjectKeysTestTemplate, nonInspectableObjectName)));
         assertEquals("", executeJavaScriptAndGetStringResult(
                         String.format(jsForInTestTemplate, nonInspectableObjectName)));
     }
+
+    @SmallTest
+    @Feature({"AndroidWebView", "Android-JavaBridge"})
+    public void testAccessToObjectGetClassIsBlocked() throws Throwable {
+        injectObjectAndReload(new Object(), "testObject");
+        assertEquals("function", executeJavaScriptAndGetStringResult("typeof testObject.getClass"));
+        boolean securityExceptionThrown = false;
+        try {
+            final String result = executeJavaScriptAndWaitForExceptionSynchronously(
+                    "typeof testObject.getClass()");
+            fail("A call to java.lang.Object.getClass has been allowed, result: '" + result + "'");
+        } catch (SecurityException exception) {
+            securityExceptionThrown = true;
+        }
+        assertTrue(securityExceptionThrown);
+    }
+
+    // Unlike executeJavaScriptAndGetStringResult, this method is sitting on the UI thread
+    // until a non-null result is obtained or a Java exception has been thrown. This method is
+    // capable of catching Java RuntimeExceptions happening on the UI thread asynchronously.
+    private String executeJavaScriptAndWaitForExceptionSynchronously(final String script)
+            throws Throwable {
+        class ExitLoopException extends RuntimeException {
+        }
+        mTestController.setStringValue(null);
+        runTestOnUiThread(new Runnable() {
+            @Override
+            public void run() {
+                getContentView().loadUrl(new LoadUrlParams("javascript:(function() { " +
+                                "testController.setStringValue(" + script + ") })()"));
+                do {
+                    final Boolean[] deactivateExitLoopTask = new Boolean[1];
+                    deactivateExitLoopTask[0] = false;
+                    // We can't use Loop.quit(), as this is the main looper, so we throw
+                    // an exception to bail out from the loop.
+                    new Handler(Looper.myLooper()).post(new Runnable() {
+                        @Override
+                        public void run() {
+                            if (!deactivateExitLoopTask[0]) {
+                                throw new ExitLoopException();
+                            }
+                        }
+                    });
+                    try {
+                        Looper.loop();
+                    } catch (ExitLoopException e) {
+                        // Intentionally empty.
+                    } catch (RuntimeException e) {
+                        // Prevent the task that throws the ExitLoopException from exploding
+                        // on the main loop outside of this function.
+                        deactivateExitLoopTask[0] = true;
+                        throw e;
+                    }
+                } while (mTestController.getStringValue() == null ||
+                        // When an exception in an injected method happens, the function returns
+                        // null. We ignore this and wait until the exception on the browser side
+                        // will be thrown.
+                        mTestController.getStringValue().equals("null"));
+            }
+        });
+        return mTestController.getStringValue();
+    }
 }