From bead808cef1e1711db9003a81419080bc5d3f92a Mon Sep 17 00:00:00 2001
From: techyminati
Date: Sat, 30 Mar 2024 19:16:09 +0530
Subject: [PATCH] LatinIME: Fix Implicit PendingIntent Vulnerability
* checkTimeAndMaybeSetupUpdateAlarm method created an Implicit PendingIntent vulnerability, which may cause security threats in the form of denial-of-service, private data theft, and privilege escalation.
* PendingIntents are Intents delegated to another app to be delivered at some future time. Creating an implicit intent wrapped under a PendingIntent is a security vulnerability that might lead to denial-of-service, private data theft, and privilege escalation.
* We've used FLAG_IMMUTABLE (added in SDK 23) to create PendingIntents for SDK > 23, This prevents apps that receive the PendingIntent from filling in unpopulated properties & Ensures that PendingIntent is only delivered to trusted components.
Test: m
Google: 3019664
Change-Id: I68a1f3f2d81138e42092cc201d36e5d29853a86e
Signed-off-by: techyminati
Signed-off-by: Pranav Vashi
Signed-off-by: Pranav Temkar
---
.../inputmethod/dictionarypack/DictionaryService.java | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/java/src/com/android/inputmethod/dictionarypack/DictionaryService.java b/java/src/com/android/inputmethod/dictionarypack/DictionaryService.java
index fe988ac704..5ab55bc444 100644
--- a/java/src/com/android/inputmethod/dictionarypack/DictionaryService.java
+++ b/java/src/com/android/inputmethod/dictionarypack/DictionaryService.java
@@ -229,8 +229,14 @@ private static void checkTimeAndMaybeSetupUpdateAlarm(final Context context) {
 final long now = System.currentTimeMillis();
 final long alarmTime = now + new Random().nextInt(MAX_ALARM_DELAY_MILLIS);
 final Intent updateIntent = new Intent(DictionaryPackConstants.UPDATE_NOW_INTENT_ACTION);
+ // Set the package name to ensure the PendingIntent is only delivered to trusted components
+ updateIntent.setPackage(context.getPackageName());
+ int pendingIntentFlags = PendingIntent.FLAG_CANCEL_CURRENT;
+ if (android.os.Build.VERSION.SDK_INT >= 23) {
+ pendingIntentFlags |= PendingIntent.FLAG_IMMUTABLE;
+ }
 final PendingIntent pendingIntent = PendingIntent.getBroadcast(context, 0,
- updateIntent, PendingIntent.FLAG_CANCEL_CURRENT);
+ updateIntent, pendingIntentFlags);

 // We set the alarm in the type that doesn't forcefully wake the device
 // from sleep, but fires the next time the device actually wakes for any
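Review bot: On devices below API 23 the `if` branch is skipped, so the PendingIntent passed to `PendingIntent.getBroadcast(...)` stays mutable and `setPackage()` is the only restriction on it; whether the project still supports such devices is not visible here. The base intent also names no component, so if a single receiver class in this package handles `UPDATE_NOW_INTENT_ACTION` (not shown in this hunk), setting it with `updateIntent.setClass(context, RECEIVER_CLASS_PLACEHOLDER.class);` would make the intent fully explicit on every API level. The added comment would be more accurate as `// Restrict the broadcast to receivers in our own package`, since `setPackage()` limits who receives it and does not by itself make those receivers trusted. The literal `23` with the fully qualified `android.os.Build` would read better as `Build.VERSION_CODES.M` with an import, and the code checks `>= 23` while the commit message says "SDK > 23". The method body starts and ends outside the hunk.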