FileContentProvider: prevent injection through selection parameters (where)

For this, I've backported the SQLiteTokenizer class from AOSP, use it to get tokens from the query,
and filter out invalid tokens.

Signed-off-by: Álvaro Brey Vilas <alvaro.brey@nextcloud.com>

src/androidTest/java/com/owncloud/android/providers/FileContentProviderVerificationIT.kt

@@ -90,29 +90,26 @@ class FileContentProviderVerificationIT {
         FileContentProvider.VerificationUtils.verifySortOrder("${ProviderMeta.ProviderTableMeta._ID} ;--foo")
     }
 
-    // @Test
-    // fun verifyColumn_Uri() {
-    //     val sut = FileContentProvider()
-    //     sut.verifyColumnSql("path = ? AND file_owner=?")
-    // }
-    //
-    // @Test
-    // fun verifyColumn_StringArray() {
-    //     val sut = FileContentProvider()
-    //     val nullArray: Array<String>? = null
-    //     val emptyArray = arrayOf<String>()
-    //     val array = arrayOf(
-    //         ProviderMeta.ProviderTableMeta.FILE_PATH,
-    //         ProviderMeta.ProviderTableMeta.FILE_CONTENT_LENGTH
-    //     )
-    //     sut.verifyColumns(nullArray)
-    //     sut.verifyColumns(emptyArray)
-    //     sut.verifyColumns(array)
-    // }
-    // @Test
-    // fun parameterizedSelection() {
-    //     val sut = FileContentProvider()
-    //     TestCase.assertEquals("test =?", sut.buildParameterizedSelection("test"))
-    //     TestCase.assertEquals("column1 =?, column2 =?", sut.buildParameterizedSelection("column1, column2"))
-    // }
+    @Test
+    fun verifyWhere_OK() {
+        FileContentProvider.VerificationUtils.verifyWhere(null)
+        FileContentProvider.VerificationUtils.verifyWhere(
+            "${ProviderMeta.ProviderTableMeta._ID}=? AND ${ProviderMeta.ProviderTableMeta.FILE_ACCOUNT_OWNER}=?"
+        )
+        FileContentProvider.VerificationUtils.verifyWhere(
+            "${ProviderMeta.ProviderTableMeta._ID} = 1" +
+                " AND (1 = 1)" +
+                " AND ${ProviderMeta.ProviderTableMeta.FILE_ACCOUNT_OWNER} LIKE ?"
+        )
+    }
+
+    @Test(expected = IllegalArgumentException::class)
+    fun verifyWhere_InvalidColumnName() {
+        FileContentProvider.VerificationUtils.verifyWhere("$INVALID_COLUMN= ?")
+    }
+
+    @Test(expected = IllegalArgumentException::class)
+    fun verifyWhere_InvalidGrammar() {
+        FileContentProvider.VerificationUtils.verifyWhere("1=1 -- SELECT * FROM")
+    }
 }

src/main/java/com/owncloud/android/providers/FileContentProvider.java

@@ -33,12 +33,10 @@ import android.content.Context;
 import android.content.OperationApplicationException;
 import android.content.UriMatcher;
 import android.database.Cursor;
-import android.database.DatabaseUtils;
 import android.database.SQLException;
 import android.database.sqlite.SQLiteDatabase;
 import android.database.sqlite.SQLiteException;
 import android.database.sqlite.SQLiteOpenHelper;
-import android.database.sqlite.SQLiteQuery;
 import android.database.sqlite.SQLiteQueryBuilder;
 import android.net.Uri;
 import android.os.Binder;
@@ -69,6 +67,7 @@ import androidx.annotation.NonNull;
 import androidx.annotation.Nullable;
 import androidx.annotation.VisibleForTesting;
 import dagger.android.AndroidInjection;
+import third_parties.aosp.SQLiteTokenizer;
 
 
 /**
@@ -126,14 +125,18 @@ public class FileContentProvider extends ContentProvider {
     }
 
     private int delete(SQLiteDatabase db, Uri uri, String where, String... whereArgs) {
-        // TODO check every where: must be in allowed key set and then we concenate " =? " to each key value to have
-        //  a proper sanitized where clause
-//        verifyColumnsSQL(where);
-
         if (isCallerNotAllowed(uri)) {
             return -1;
         }
 
+        // verify where for public paths
+        switch (mUriMatcher.match(uri)) {
+            case ROOT_DIRECTORY:
+            case SINGLE_FILE:
+            case DIRECTORY:
+                VerificationUtils.verifyWhere(where);
+        }
+
         int count;
         switch (mUriMatcher.match(uri)) {
             case SINGLE_FILE:
@@ -178,7 +181,6 @@ public class FileContentProvider extends ContentProvider {
 
     private int deleteDirectory(SQLiteDatabase db, Uri uri, String where, String... whereArgs) {
         int count = 0;
-
         Cursor children = query(uri, null, null, null, null);
         if (children != null) {
             if (children.moveToFirst()) {
@@ -203,10 +205,7 @@ public class FileContentProvider extends ContentProvider {
         }
 
         if (uri.getPathSegments().size() > MINIMUM_PATH_SEGMENTS_SIZE) {
-            final String[] argsWithUri = VerificationUtils.prependUriFirstSegmentToSelectionArgs(whereArgs, uri);
-            count += db.delete(ProviderTableMeta.FILE_TABLE_NAME,
-                               ProviderTableMeta._ID + "=?"
-                                   + (!TextUtils.isEmpty(where) ? " AND (" + where + ")" : ""), argsWithUri);
+            count += deleteWithuri(db, uri, where, whereArgs);
         }
 
         return count;
@@ -225,10 +224,7 @@ public class FileContentProvider extends ContentProvider {
             if (remoteId == null) {
                 return 0;
             } else {
-                final String[] argsWithUri = VerificationUtils.prependUriFirstSegmentToSelectionArgs(whereArgs, uri);
-                count = db.delete(ProviderTableMeta.FILE_TABLE_NAME,
-                                  ProviderTableMeta._ID + "=?"
-                                      + (!TextUtils.isEmpty(where) ? " AND (" + where + ")" : ""), argsWithUri);
+                count = deleteWithuri(db, uri, where, whereArgs);
             }
         } catch (Exception e) {
             Log_OC.d(TAG, "DB-Error removing file!", e);
@@ -241,6 +237,13 @@ public class FileContentProvider extends ContentProvider {
         return count;
     }
 
+    private int deleteWithuri(SQLiteDatabase db, Uri uri, String where, String[] whereArgs) {
+        final String[] argsWithUri = VerificationUtils.prependUriFirstSegmentToSelectionArgs(whereArgs, uri);
+        return db.delete(ProviderTableMeta.FILE_TABLE_NAME,
+                         ProviderTableMeta._ID + "=?"
+                             + (!TextUtils.isEmpty(where) ? " AND (" + where + ")" : ""), argsWithUri);
+    }
+
     @Override
     public String getType(@NonNull Uri uri) {
         switch (mUriMatcher.match(uri)) {
@@ -521,6 +524,7 @@ public class FileContentProvider extends ContentProvider {
             case ROOT_DIRECTORY:
             case DIRECTORY:
             case SINGLE_FILE:
+                VerificationUtils.verifyWhere(selection); // prevent injection in public paths
                 sqlQuery.setTables(ProviderTableMeta.FILE_TABLE_NAME);
                 break;
             case SHARES:
@@ -630,17 +634,6 @@ public class FileContentProvider extends ContentProvider {
         if (isCallerNotAllowed(uri)) {
             return -1;
         }
-        // verify only for those requests that are not internal
-        switch (mUriMatcher.match(uri)) {
-            case ROOT_DIRECTORY:
-            case SINGLE_FILE:
-            case DIRECTORY:
-//                verifyColumnsSQL(selection);
-                VerificationUtils.verifyColumns(values);
-
-            default:
-                // do nothing
-        }
 
         int count;
         SQLiteDatabase db = mDbHelper.getWritableDatabase();
@@ -656,9 +649,14 @@ public class FileContentProvider extends ContentProvider {
     }
 
     private int update(SQLiteDatabase db, Uri uri, ContentValues values, String selection, String... selectionArgs) {
-        // TODO check every key of contentValues and match via our allowed list -> ProviderMeta:85
-        // TODO check all other insert and update methods
-        // for selection: same like delete > only pass string array of keys and we build a sql where clause here
+        // verify contentValues and selection for public paths to prevent injection
+        switch (mUriMatcher.match(uri)) {
+            case ROOT_DIRECTORY:
+            case SINGLE_FILE:
+            case DIRECTORY:
+                VerificationUtils.verifyColumns(values);
+                VerificationUtils.verifyWhere(selection);
+        }
 
         switch (mUriMatcher.match(uri)) {
             case DIRECTORY:
@@ -1059,6 +1057,11 @@ public class FileContentProvider extends ContentProvider {
 
 
     static class VerificationUtils {
+
+        private static boolean isValidColumnName(@NonNull String columnName) {
+            return ProviderTableMeta.FILE_ALL_COLUMNS.contains(columnName);
+        }
+
         @VisibleForTesting
         public static void verifyColumns(@Nullable ContentValues contentValues) {
             if (contentValues == null || contentValues.keySet().size() == 0) {
@@ -1070,30 +1073,13 @@ public class FileContentProvider extends ContentProvider {
             }
         }
 
-        /**
-         * matches against ProviderMeta, to verify that only allowed columns are used
-         */
-        @VisibleForTesting
-        public static void verifyColumnsSQL(@Nullable String sql) {
-            if (sql == null) {
-                return;
-            }
-
-            for (String parameter : Uri.parse(sql).getQueryParameterNames()) {
-                String sanitized = parameter.replaceAll("AND", "").replaceAll("OR", "").replaceAll("\\s+", "");
-
-                verifyColumnName(sanitized);
-            }// check plain name
-        }
-
         @VisibleForTesting
         public static void verifyColumnName(@NonNull String columnName) {
-            if (!ProviderTableMeta.FILE_ALL_COLUMNS.contains(columnName)) {
+            if (!isValidColumnName(columnName)) {
                 throw new IllegalArgumentException(String.format("Column name \"%s\" is not allowed", columnName));
             }
         }
 
-
         public static String[] prependUriFirstSegmentToSelectionArgs(@Nullable final String[] originalArgs, final Uri uri) {
             String[] args;
             if (originalArgs == null) {
@@ -1121,7 +1107,42 @@ public class FileContentProvider extends ContentProvider {
                         verifyColumnName(segment);
                 }
             }
+        }
+
+        public static void verifyWhere(@Nullable String where) {
+            if (where == null) {
+                return;
+            }
+            SQLiteTokenizer.tokenize(where, SQLiteTokenizer.OPTION_NONE, VerificationUtils::verifyToken);
+        }
+
+        private static void verifyToken(String token) {
+            // allow empty, valid column names, functions (min,max,count) and types
+            if (TextUtils.isEmpty(token) || isValidColumnName(token)
+                || SQLiteTokenizer.isFunction(token) || SQLiteTokenizer.isType(token)) {
+                return;
+            }
+
+            // Disallow dangerous keywords, allow others
+            if (SQLiteTokenizer.isKeyword(token)) {
+                switch (token.toUpperCase(Locale.US)) {
+                    case "SELECT":
+                    case "FROM":
+                    case "WHERE":
+                    case "GROUP":
+                    case "HAVING":
+                    case "WINDOW":
+                    case "VALUES":
+                    case "ORDER":
+                    case "LIMIT":
+                        throw new IllegalArgumentException("Invalid token " + token);
+                    default:
+                        return;
+                }
+            }
 
+            // if none of the above: invalid token
+            throw new IllegalArgumentException("Invalid token " + token);
         }
     }
 

src/main/java/third_parties/aosp/SQLiteTokenizer.java

@@ -0,0 +1,292 @@
+package third_parties.aosp;
+
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+import androidx.core.util.Consumer;
+
+/**
+ * SQL Tokenizer specialized to extract tokens from SQL (snippets).
+ *
+ * Originally from AOSP: https://github.com/aosp-mirror/platform_frameworks_base/blob/0e66ea6f3221aa8ccbb78ce38fbcaa67d8ea94f9/core/java/android/database/sqlite/SQLiteQueryBuilder.java
+ * Backported to be usable with AndroidX under api 24.
+ */
+public class SQLiteTokenizer {
+    private static boolean isAlpha(char ch) {
+        return ('a' <= ch && ch <= 'z') || ('A' <= ch && ch <= 'Z') || (ch == '_');
+    }
+
+    private static boolean isNum(char ch) {
+        return ('0' <= ch && ch <= '9');
+    }
+
+    private static boolean isAlNum(char ch) {
+        return isAlpha(ch) || isNum(ch);
+    }
+
+    private static boolean isAnyOf(char ch, String set) {
+        return set.indexOf(ch) >= 0;
+    }
+
+    private static IllegalArgumentException genException(String message, String sql) {
+        throw new IllegalArgumentException(message + " in '" + sql + "'");
+    }
+
+    private static char peek(String s, int index) {
+        return index < s.length() ? s.charAt(index) : '\0';
+    }
+
+    public static final int OPTION_NONE = 0;
+
+    /**
+     * Require that SQL contains only tokens; any comments or values will result
+     * in an exception.
+     */
+    public static final int OPTION_TOKEN_ONLY = 1 << 0;
+
+    /**
+     * Tokenize the given SQL, returning the list of each encountered token.
+     *
+     * @throws IllegalArgumentException if invalid SQL is encountered.
+     */
+    public static List<String> tokenize(@Nullable String sql, int options) {
+        final ArrayList<String> res = new ArrayList<>();
+        tokenize(sql, options, res::add);
+        return res;
+    }
+
+    /**
+     * Tokenize the given SQL, sending each encountered token to the given
+     * {@link Consumer}.
+     *
+     * @throws IllegalArgumentException if invalid SQL is encountered.
+     */
+    public static void tokenize(@Nullable String sql, int options, Consumer<String> checker) {
+        if (sql == null) {
+            return;
+        }
+        int pos = 0;
+        final int len = sql.length();
+        while (pos < len) {
+            final char ch = peek(sql, pos);
+
+            // Regular token.
+            if (isAlpha(ch)) {
+                final int start = pos;
+                pos++;
+                while (isAlNum(peek(sql, pos))) {
+                    pos++;
+                }
+                final int end = pos;
+
+                final String token = sql.substring(start, end);
+                checker.accept(token);
+
+                continue;
+            }
+
+            // Handle quoted tokens
+            if (isAnyOf(ch, "'\"`")) {
+                final int quoteStart = pos;
+                pos++;
+
+                for (;;) {
+                    pos = sql.indexOf(ch, pos);
+                    if (pos < 0) {
+                        throw genException("Unterminated quote", sql);
+                    }
+                    if (peek(sql, pos + 1) != ch) {
+                        break;
+                    }
+                    // Quoted quote char -- e.g. "abc""def" is a single string.
+                    pos += 2;
+                }
+                final int quoteEnd = pos;
+                pos++;
+
+                if (ch != '\'') {
+                    // Extract the token
+                    final String tokenUnquoted = sql.substring(quoteStart + 1, quoteEnd);
+
+                    final String token;
+
+                    // Unquote if needed. i.e. "aa""bb" -> aa"bb
+                    if (tokenUnquoted.indexOf(ch) >= 0) {
+                        token = tokenUnquoted.replaceAll(
+                            String.valueOf(ch) + ch, String.valueOf(ch));
+                    } else {
+                        token = tokenUnquoted;
+                    }
+                    checker.accept(token);
+                } else {
+                    if ((options &= OPTION_TOKEN_ONLY) != 0) {
+                        throw genException("Non-token detected", sql);
+                    }
+                }
+                continue;
+            }
+            // Handle tokens enclosed in [...]
+            if (ch == '[') {
+                final int quoteStart = pos;
+                pos++;
+
+                pos = sql.indexOf(']', pos);
+                if (pos < 0) {
+                    throw genException("Unterminated quote", sql);
+                }
+                final int quoteEnd = pos;
+                pos++;
+
+                final String token = sql.substring(quoteStart + 1, quoteEnd);
+
+                checker.accept(token);
+                continue;
+            }
+            if ((options &= OPTION_TOKEN_ONLY) != 0) {
+                throw genException("Non-token detected", sql);
+            }
+
+            // Detect comments.
+            if (ch == '-' && peek(sql, pos + 1) == '-') {
+                pos += 2;
+                pos = sql.indexOf('\n', pos);
+                if (pos < 0) {
+                    // We disallow strings ending in an inline comment.
+                    throw genException("Unterminated comment", sql);
+                }
+                pos++;
+
+                continue;
+            }
+            if (ch == '/' && peek(sql, pos + 1) == '*') {
+                pos += 2;
+                pos = sql.indexOf("*/", pos);
+                if (pos < 0) {
+                    throw genException("Unterminated comment", sql);
+                }
+                pos += 2;
+
+                continue;
+            }
+
+            // Semicolon is never allowed.
+            if (ch == ';') {
+                throw genException("Semicolon is not allowed", sql);
+            }
+
+            // For this purpose, we can simply ignore other characters.
+            // (Note it doesn't handle the X'' literal properly and reports this X as a token,
+            // but that should be fine...)
+            pos++;
+        }
+    }
+
+    /**
+     * Test if given token is a
+     * <a href="https://www.sqlite.org/lang_keywords.html">SQLite reserved
+     * keyword</a>.
+     */
+    public static boolean isKeyword(@NonNull String token) {
+        switch (token.toUpperCase(Locale.US)) {
+            case "ABORT": case "ACTION": case "ADD": case "AFTER":
+            case "ALL": case "ALTER": case "ANALYZE": case "AND":
+            case "AS": case "ASC": case "ATTACH": case "AUTOINCREMENT":
+            case "BEFORE": case "BEGIN": case "BETWEEN": case "BINARY":
+            case "BY": case "CASCADE": case "CASE": case "CAST":
+            case "CHECK": case "COLLATE": case "COLUMN": case "COMMIT":
+            case "CONFLICT": case "CONSTRAINT": case "CREATE": case "CROSS":
+            case "CURRENT": case "CURRENT_DATE": case "CURRENT_TIME": case "CURRENT_TIMESTAMP":
+            case "DATABASE": case "DEFAULT": case "DEFERRABLE": case "DEFERRED":
+            case "DELETE": case "DESC": case "DETACH": case "DISTINCT":
+            case "DO": case "DROP": case "EACH": case "ELSE":
+            case "END": case "ESCAPE": case "EXCEPT": case "EXCLUDE":
+            case "EXCLUSIVE": case "EXISTS": case "EXPLAIN": case "FAIL":
+            case "FILTER": case "FOLLOWING": case "FOR": case "FOREIGN":
+            case "FROM": case "FULL": case "GLOB": case "GROUP":
+            case "GROUPS": case "HAVING": case "IF": case "IGNORE":
+            case "IMMEDIATE": case "IN": case "INDEX": case "INDEXED":
+            case "INITIALLY": case "INNER": case "INSERT": case "INSTEAD":
+            case "INTERSECT": case "INTO": case "IS": case "ISNULL":
+            case "JOIN": case "KEY": case "LEFT": case "LIKE":
+            case "LIMIT": case "MATCH": case "NATURAL": case "NO":
+            case "NOCASE": case "NOT": case "NOTHING": case "NOTNULL":
+            case "NULL": case "OF": case "OFFSET": case "ON":
+            case "OR": case "ORDER": case "OTHERS": case "OUTER":
+            case "OVER": case "PARTITION": case "PLAN": case "PRAGMA":
+            case "PRECEDING": case "PRIMARY": case "QUERY": case "RAISE":
+            case "RANGE": case "RECURSIVE": case "REFERENCES": case "REGEXP":
+            case "REINDEX": case "RELEASE": case "RENAME": case "REPLACE":
+            case "RESTRICT": case "RIGHT": case "ROLLBACK": case "ROW":
+            case "ROWS": case "RTRIM": case "SAVEPOINT": case "SELECT":
+            case "SET": case "TABLE": case "TEMP": case "TEMPORARY":
+            case "THEN": case "TIES": case "TO": case "TRANSACTION":
+            case "TRIGGER": case "UNBOUNDED": case "UNION": case "UNIQUE":
+            case "UPDATE": case "USING": case "VACUUM": case "VALUES":
+            case "VIEW": case "VIRTUAL": case "WHEN": case "WHERE":
+            case "WINDOW": case "WITH": case "WITHOUT":
+                return true;
+            default:
+                return false;
+        }
+    }
+
+    /**
+     * Test if given token is a
+     * <a href="https://www.sqlite.org/lang_corefunc.html">SQLite reserved
+     * function</a>.
+     */
+    public static boolean isFunction(@NonNull String token) {
+        switch (token.toLowerCase(Locale.US)) {
+            case "abs": case "avg": case "char": case "coalesce":
+            case "count": case "glob": case "group_concat": case "hex":
+            case "ifnull": case "instr": case "length": case "like":
+            case "likelihood": case "likely": case "lower": case "ltrim":
+            case "max": case "min": case "nullif": case "random":
+            case "randomblob": case "replace": case "round": case "rtrim":
+            case "substr": case "sum": case "total": case "trim":
+            case "typeof": case "unicode": case "unlikely": case "upper":
+            case "zeroblob":
+                return true;
+            default:
+                return false;
+        }
+    }
+
+    /**
+     * Test if given token is a
+     * <a href="https://www.sqlite.org/datatype3.html">SQLite reserved type</a>.
+     */
+    public static boolean isType(@NonNull String token) {
+        switch (token.toUpperCase(Locale.US)) {
+            case "INT": case "INTEGER": case "TINYINT": case "SMALLINT":
+            case "MEDIUMINT": case "BIGINT": case "INT2": case "INT8":
+            case "CHARACTER": case "VARCHAR": case "NCHAR": case "NVARCHAR":
+            case "TEXT": case "CLOB": case "BLOB": case "REAL":
+            case "DOUBLE": case "FLOAT": case "NUMERIC": case "DECIMAL":
+            case "BOOLEAN": case "DATE": case "DATETIME":
+                return true;
+            default:
+                return false;
+        }
+    }
+}