Merge pull request #10544 from nextcloud/fix/upload-external-uri-internal-path

Prevent URI uploads from external apps that target private storage

Author: AlvaroBrey

app/src/androidTest/java/com/owncloud/android/ui/helpers/UriUploaderIT.kt

@@ -0,0 +1,52 @@
+package com.owncloud.android.ui.helpers
+
+import android.net.Uri
+import androidx.test.core.app.launchActivity
+import com.nextcloud.client.TestActivity
+import com.owncloud.android.AbstractIT
+import com.owncloud.android.files.services.FileUploader
+import org.junit.Assert
+import org.junit.Test
+
+class UriUploaderIT : AbstractIT() {
+
+    @Test
+    fun testUploadPrivatePathSharedPreferences() {
+        launchActivity<TestActivity>().use { scenario ->
+            scenario.onActivity { activity ->
+                val packageName = activity.packageName
+                val path = "file:///data/data/$packageName/shared_prefs/com.nextcloud.client_preferences.xml"
+                testPrivatePath(activity, path)
+            }
+        }
+    }
+
+    @Test
+    fun testUploadPrivatePathUserFile() {
+        launchActivity<TestActivity>().use { scenario ->
+            scenario.onActivity { activity ->
+                val packageName = activity.packageName
+                val path = "file:///storage/emulated/0/Android/media/$packageName/nextcloud/test/welcome.txt"
+                testPrivatePath(activity, path)
+            }
+        }
+    }
+
+    private fun testPrivatePath(activity: TestActivity, path: String) {
+        val sut = UriUploader(
+            activity,
+            listOf(Uri.parse(path)),
+            "",
+            activity.user.orElseThrow(::RuntimeException),
+            FileUploader.LOCAL_BEHAVIOUR_MOVE,
+            false,
+            null
+        )
+        val uploadResult = sut.uploadUris()
+        Assert.assertEquals(
+            "Wrong result code",
+            UriUploader.UriUploaderResultCode.ERROR_SENSITIVE_PATH,
+            uploadResult
+        )
+    }
+}

app/src/main/java/com/owncloud/android/files/services/FileUploader.java

@@ -467,11 +467,6 @@ private void startNewUpload(
         OCFile file,
         boolean disableRetries
                                ) {
-        if (file.getStoragePath().startsWith("/data/data/")) {
-            Log_OC.d(TAG, "Upload from sensitive path is not allowed");
-            return;
-        }
-
         OCUpload ocUpload = new OCUpload(file, user);
         ocUpload.setFileSize(file.getFileLength());
         ocUpload.setNameCollisionPolicy(nameCollisionPolicy);

app/src/main/java/com/owncloud/android/ui/activity/ReceiveExternalFilesActivity.java

@@ -47,6 +47,7 @@
 import android.view.MenuInflater;
 import android.view.MenuItem;
 import android.view.View;
+import android.view.ViewGroup;
 import android.view.WindowManager.LayoutParams;
 import android.widget.AdapterView;
 import android.widget.AdapterView.OnItemClickListener;
@@ -164,7 +165,7 @@ public class ReceiveExternalFilesActivity extends FileActivity
 
     private final static Charset FILENAME_ENCODING = Charset.forName("UTF-8");
 
-    private NestedScrollView mEmptyListContainer;
+    private ViewGroup mEmptyListContainer;
     private TextView mEmptyListMessage;
     private TextView mEmptyListHeadline;
     private ImageView mEmptyListIcon;