[Android] Block access to java.lang.Object.getClass in injected Java objects

content/public/android/javatests/src/org/chromium/content/browser/JavaBridgeBasicsTest.java

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.content.browser;
 
+import android.os.Handler;
+import android.os.Looper;
 import android.test.suitebuilder.annotation.SmallTest;
 
 import org.chromium.base.test.util.DisabledTest;
 import org.chromium.base.test.util.Feature;
 import org.chromium.content.browser.test.util.TestCallbackHelperContainer;
 import org.chromium.content_shell_apk.ContentShellActivity;
 
 import java.lang.annotation.Annotation;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
@@ skipping 46 matching lines @@
             return mLongValue;
         }
         public synchronized String waitForStringValue() {
             waitForResult();
             return mStringValue;
         }
         public synchronized boolean waitForBooleanValue() {
             waitForResult();
             return mBooleanValue;
         }
+
+        public synchronized String getStringValue() {
+            return mStringValue;
+        }
     }
 
     private static class ObjectWithStaticMethod {
         public static String staticMethod() {
             return "foo";
         }
     }
 
     TestController mTestController;
 
@@ skipping 745 matching lines @@
             }
         });
 
         injectObjectAndReload(new Test(), nonInspectableObjectName, JavascriptInterface.class);
 
         assertEquals("", executeJavaScriptAndGetStringResult(
                         String.format(jsObjectKeysTestTemplate, nonInspectableObjectName)));
         assertEquals("", executeJavaScriptAndGetStringResult(
                         String.format(jsForInTestTemplate, nonInspectableObjectName)));
     }
+
+    @SmallTest
+    @Feature({"AndroidWebView", "Android-JavaBridge"})
+    public void testAccessToObjectGetClassIsBlocked() throws Throwable {
+        injectObjectAndReload(new Object(), "testObject");
+        assertEquals("function", executeJavaScriptAndGetStringResult("typeof testObject.getClass"));
+        boolean securityExceptionThrown = false;
+        try {
+            final String result = executeJavaScriptAndWaitForExceptionSynchronously(
+                    "typeof testObject.getClass()");
+            fail("A call to java.lang.Object.getClass has been allowed, result: '" + result + "'");
+        } catch (SecurityException exception) {
+            securityExceptionThrown = true;
+        }
+        assertTrue(securityExceptionThrown);
+    }
+
+    // Unlike executeJavaScriptAndGetStringResult, this method is sitting on the UI thread
+    // until a non-null result is obtained or a Java exception has been thrown. This method is
+    // capable of catching Java RuntimeExceptions happening on the UI thread asynchronously.
+    private String executeJavaScriptAndWaitForExceptionSynchronously(final String script)
+            throws Throwable {
+        class ExitLoopException extends RuntimeException {
+        }
+        mTestController.setStringValue(null);
+        runTestOnUiThread(new Runnable() {
+            @Override
+            public void run() {
+                getContentView().loadUrl(new LoadUrlParams("javascript:(function() { " +
+                                "testController.setStringValue(" + script + ") })()"));
+                do {
+                    final Boolean[] deactivateExitLoopTask = new Boolean[1];
+                    deactivateExitLoopTask[0] = false;
+                    // We can't use Loop.quit(), as this is the main looper, so we throw
+                    // an exception to bail out from the loop.
+                    new Handler(Looper.myLooper()).post(new Runnable() {
+                        @Override
+                        public void run() {
+                            if (!deactivateExitLoopTask[0]) {
+                                throw new ExitLoopException();
+                            }
+                        }
+                    });
+                    try {
+                        Looper.loop();
+                    } catch (ExitLoopException e) {
+                        // Intentionally empty.
+                    } catch (RuntimeException e) {
+                        // Prevent the task that throws the ExitLoopException from exploding
+                        // on the main loop outside of this function.
+                        deactivateExitLoopTask[0] = true;
+                        throw e;
+                    }
+                } while (mTestController.getStringValue() == null ||
+                        // When an exception in an injected method happens, the function returns
+                        // null. We ignore this and wait until the exception on the browser side
+                        // will be thrown.
+                        mTestController.getStringValue().equals("null"));
+            }
+        });
+        return mTestController.getStringValue();
+    }
 }