googlearchive/androidtv-Leanback

SQL injection vulnerability with content provider

andrewger157 opened this issue · 2 comments

I made my TV app searchable but Google told me that the app has an SQL Injection vulnerability and directed me to this guide to fix it (https://support.google.com/faqs/answer/7668308).

I have tried to set `exported = false`, but my app no longer appears in the TV search with this solution. Same result using `android:protectionLevel="signature"`.

I have tried this solution:

In the manifest I have set:

```xml
<provider
    android:name=".xx.xxx.contentProvider.Provider"
    android:authorities="${packageName}"
    android:exported="true">
    <path-permission
        android:pathPrefix="/search"
        android:readPermission="android.permission.GLOBAL_SEARCH" />
</provider>
```

And in the Provider I have set:

```java
static {
    sVideosContainingQueryBuilder = new SQLiteQueryBuilder();
    sVideosContainingQueryBuilder.setStrict(true);
    sVideosContainingQueryBuilder.setProjectionMap(sColumnMap);
}
```

With this solution I have tested the app with drozer, but if the app is built in debug mode, drozer shows me:

```
Injection in Projection: No vulnerabilities found.
Injection in Selection: No vulnerabilities found.
```

but when the app is built in release I have:

```
Injection in Projection:
content://android.media.tv/program/
content://android.media.tv/preview_program/
content://android.media.tv/program
content://android.media.tv/preview_program
content://android.media.tv/recorded_program
content://android.media.tv/recorded_program/
content://android.media.tv/channel
content://android.media.tv/watch_next_program
content://android.media.tv/channel/
content://android.media.tv/watch_next_program/

Injection in Selection:
No vulnerabilities found.
```

Do you have any suggestions?

Thanks
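For reference, below is an added example of the hardening pattern discussed in this post (strict `SQLiteQueryBuilder`, a projection-map allow-list, and bound selection arguments) as a complete read-only search provider. It is illustrative code, not the androidtv-Leanback sample's own `Provider`; the package, authority, table and column names are hypothetical, and it pairs with a manifest entry like the one above (`android:exported="true"` with a `/search` `path-permission` guarded by `android.permission.GLOBAL_SEARCH`).

```java
// Added example, not the sample project's code. Package, authority, table and
// column names below are hypothetical placeholders.
package com.example.tv.search;

import android.app.SearchManager;
import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.UriMatcher;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;
import android.provider.BaseColumns;
import java.util.HashMap;
import java.util.Map;

public class HardenedSearchProvider extends ContentProvider {
    // Must match android:authorities in the manifest (hypothetical value).
    private static final String AUTHORITY = "com.example.tv";
    private static final String TABLE = "video";
    private static final int SEARCH_SUGGEST = 1;
    private static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    private static final SQLiteQueryBuilder QUERY_BUILDER = new SQLiteQueryBuilder();
    private static final Map<String, String> COLUMN_MAP = new HashMap<>();

    static {
        // /search/<term>: the same path prefix the manifest guards with GLOBAL_SEARCH.
        MATCHER.addURI(AUTHORITY, "search/*", SEARCH_SUGGEST);

        // Allow-list of columns a caller may ask for. With setStrict(true), a projection
        // naming anything outside this map is rejected with IllegalArgumentException
        // instead of being spliced into the SELECT list.
        COLUMN_MAP.put(BaseColumns._ID, TABLE + "." + BaseColumns._ID);
        COLUMN_MAP.put(SearchManager.SUGGEST_COLUMN_TEXT_1,
                "title AS " + SearchManager.SUGGEST_COLUMN_TEXT_1);
        COLUMN_MAP.put(SearchManager.SUGGEST_COLUMN_TEXT_2,
                "description AS " + SearchManager.SUGGEST_COLUMN_TEXT_2);
        COLUMN_MAP.put(SearchManager.SUGGEST_COLUMN_INTENT_DATA_ID,
                TABLE + "." + BaseColumns._ID + " AS " + SearchManager.SUGGEST_COLUMN_INTENT_DATA_ID);

        QUERY_BUILDER.setTables(TABLE);
        QUERY_BUILDER.setStrict(true);           // validate caller-supplied SQL fragments
        QUERY_BUILDER.setProjectionMap(COLUMN_MAP);
    }

    private SQLiteOpenHelper mOpenHelper;

    @Override
    public boolean onCreate() {
        mOpenHelper = new SQLiteOpenHelper(getContext(), "video.db", null, 1) {
            @Override public void onCreate(SQLiteDatabase db) {
                db.execSQL("CREATE TABLE " + TABLE + " (" + BaseColumns._ID
                        + " INTEGER PRIMARY KEY, title TEXT NOT NULL, description TEXT)");
            }
            @Override public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
                db.execSQL("DROP TABLE IF EXISTS " + TABLE);
                onCreate(db);
            }
        };
        return true;
    }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs,
                        String sortOrder) {
        if (MATCHER.match(uri) != SEARCH_SUGGEST) {
            throw new IllegalArgumentException("Unsupported URI: " + uri);
        }
        // Global search delivers the typed text as the last path segment. Bind it as an
        // argument rather than concatenating it, so quotes in the term stay data.
        String term = uri.getLastPathSegment();
        String where = "title LIKE ? OR description LIKE ?";
        String[] args = {"%" + term + "%", "%" + term + "%"};
        // The caller's selection and sort order are not passed through on this endpoint;
        // only the projection is, and strict mode checks it against COLUMN_MAP.
        Cursor cursor = QUERY_BUILDER.query(mOpenHelper.getReadableDatabase(), projection,
                where, args, null, null, "title ASC");
        cursor.setNotificationUri(getContext().getContentResolver(), uri);
        return cursor;
    }

    @Override public String getType(Uri uri) { return SearchManager.SUGGEST_MIME_TYPE; }

    // The search surface is read-only: global search never needs to write.
    @Override public Uri insert(Uri uri, ContentValues values) {
        throw new UnsupportedOperationException("read-only provider");
    }
    @Override public int delete(Uri uri, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
    @Override public int update(Uri uri, ContentValues values, String selection, String[] selectionArgs) {
        throw new UnsupportedOperationException("read-only provider");
    }
}
```

The design choice worth noting: the builder is shared and static, so the search term is never appended to it (no `appendWhere`), which would otherwise persist across calls; it is bound via `selectionArgs`. Keeping the projection map as the only way to name columns is what makes `setStrict(true)` effective, since without a map the projection check has nothing to compare against.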

I have also tried to scan my app with drozer using the command "run scanner.provider.finduris -a com.org.testapp"
This is the result:

```
dz> run scanner.provider.finduris -a xx.xxx.myapp
Scanning xx.xxx.myapp...
Unable to Query content://com.facebook.orca.provider.MessengerPlatformProvider/versions
Unable to Query content://xx.xxx.myapp.firebaseinitprovider/
Unable to Query content:// Uri/
Unable to Query content://xx.xxx.playxxx
Unable to Query content:// Uri
Unable to Query content://com.google.android.gms.chimera
Unable to Query content:// or file:// uri
Able to Query content://android.media.tv/channel
Unable to Query content://com.facebook.app.FacebookContentProvider/
Able to Query content://android.media.tv/channel/
Unable to Query content://xx.xxx.myapp.FacebookInitProvider
Able to Query content://android.media.tv/preview_program/
Able to Query content://android.media.tv/program
Unable to Query content:// or file:// uri/
Unable to Query content://com.google.android.gms.chimera/
Able to Query content://android.media.tv/recorded_program/
Unable to Query content://com.facebook.katana.provider.AttributionIdProvider/
Unable to Query content://xx.xxx.myapp.firebaseinitprovider
Unable to Query content://xx.xxx.myapp.MarketingInitProvider
Able to Query content://android.media.tv/watch_next_program/
Unable to Query content://xx.xxx.playxxx/
Unable to Query content://xx.xxx.myapp.crashlyticsinitprovider/
Able to Query content://android.media.tv/program/
Unable to Query content://com.facebook.app.FacebookContentProvider
Able to Query content://android.media.tv/preview_program
Able to Query content://android.media.tv/recorded_program
Unable to Query content://com.facebook.wakizashi.provider.AttributionIdProvider/
Unable to Query content://xx.xxx.myapp.FacebookInitProvider/
Unable to Query content://com.facebook.katana.provider.AttributionIdProvider
Unable to Query content://com.facebook.wakizashi.provider.AttributionIdProvider
Unable to Query content://com.facebook.orca.provider.MessengerPlatformProvider/versions/
Unable to Query content://xx.xxx.myapp.MarketingInitProvider/
Able to Query content://android.media.tv/watch_next_program
Unable to Query content://xx.xxx.myapp.crashlyticsinitprovider

Accessible content URIs:
content://android.media.tv/program/
content://android.media.tv/preview_program/
content://android.media.tv/program
content://android.media.tv/preview_program
content://android.media.tv/recorded_program
content://android.media.tv/recorded_program/
content://android.media.tv/channel
content://android.media.tv/watch_next_program
content://android.media.tv/channel/
content://android.media.tv/watch_next_program/
```

Hey @andrewger157, this was accidentally introduced into the sample. @dmalykhanov-github submitted a fix for this.
6c22e5a