tests/src/com/android/providers/contacts/SqlInjectionDetectionTest.java


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113

/*
 * Copyright (C) 2011 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

package com.android.providers.contacts;

import static com.android.providers.contacts.EvenMoreAsserts.assertThrows;

import android.database.Cursor;
import android.database.sqlite.SQLiteException;
import android.net.Uri;
import android.net.Uri.Builder;
import android.provider.ContactsContract;
import android.provider.ContactsContract.CommonDataKinds.Phone;
import android.provider.ContactsContract.Contacts;
import android.test.suitebuilder.annotation.MediumTest;

import junit.framework.Assert;

/**
 * Unit tests for {@link ContactsProvider2}, to make sure the queries don't allow sql injection.
 *
 * Run the test like this:
 * <code>
 * adb shell am instrument -e class com.android.providers.contacts.SqlInjectionDetectionTest -w \
 *         com.android.providers.contacts.tests/android.test.InstrumentationTestRunner
 * </code>
 */
@MediumTest
public class SqlInjectionDetectionTest extends BaseContactsProvider2Test {
    private static final String[] PHONE_ID_PROJECTION = new String[] { Phone._ID };

    public void testPhoneQueryValid() {
        long rawContactId = createRawContactWithName("Hot", "Tamale");
        insertPhoneNumber(rawContactId, "555-123-4567");

        assertQueryValid(Phone.CONTENT_URI, PHONE_ID_PROJECTION,
                Phone.NUMBER + "='555-123-4567'", null);
    }

    public void testPhoneQueryBadProjection() {
        long rawContactId = createRawContactWithName("Hot", "Tamale");
        insertPhoneNumber(rawContactId, "555-123-4567");

        assertQueryThrows(IllegalArgumentException.class, Phone.CONTENT_URI,
                new String[] { "0 UNION SELECT _id FROM view_data--" }, null, null);
    }

    public void testPhoneQueryBadSelection() {
        long rawContactId = createRawContactWithName("Hot", "Tamale");
        insertPhoneNumber(rawContactId, "555-123-4567");

        assertQueryThrows(SQLiteException.class, Phone.CONTENT_URI, PHONE_ID_PROJECTION,
                "0=1) UNION SELECT _id FROM view_data--", null);
    }

    public void testPhoneQueryBadSortOrder() {
        long rawContactId = createRawContactWithName("Hot", "Tamale");
        insertPhoneNumber(rawContactId, "555-123-4567");

        assertQueryThrows(SQLiteException.class, Phone.CONTENT_URI,
                PHONE_ID_PROJECTION, null, "_id UNION SELECT _id FROM view_data--");
    }

    public void testPhoneQueryBadLimit() {
        // Non-numeric query parameters are ignored by the provider
        long rawContactId = createRawContactWithName("Hot", "Tamale");
        insertPhoneNumber(rawContactId, "555-123-4567");

        Builder builder = Contacts.CONTENT_FILTER_URI.buildUpon();
        builder.appendQueryParameter(ContactsContract.LIMIT_PARAM_KEY,
                "0 UNION SELECT -50");
        assertQueryValid(Phone.CONTENT_URI,
                PHONE_ID_PROJECTION, null, null);

        final Cursor c = mResolver.query(Phone.CONTENT_URI, PHONE_ID_PROJECTION, null, null, null);
        // the current implementation ignores every non-numeric limit. so we should see the
        // contact as the only result
        assertEquals(1, c.getCount());
        c.moveToFirst();
        assertNotSame(-50, c.getLong(0));
        c.close();
    }

    private void assertQueryValid(final Uri uri, final String[] projection,
            final String selection, final String sortOrder) {
        final Cursor c = mResolver.query(uri, projection, selection, null, sortOrder);
        c.close();
    }

    private <T extends Exception> void assertQueryThrows(Class<T> exception, final Uri uri,
            final String[] projection, final String selection, final String sortOrder) {
        assertThrows(exception, new Runnable() {
            @Override
            public void run() {
                final Cursor c = mResolver.query(uri, projection, selection, null, sortOrder);
                c.close();
            }
        });
    }
}