Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions android/src/mlterm/native_activity/MLActivity.java
Original file line number Diff line number Diff line change
Expand Up @@ -645,14 +645,16 @@ public void onDismiss(DialogInterface dialog) {
.setView(layout)
.setPositiveButton("Send", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int whichButton) {
execCommand("scp \"local:" + local_edit.getText().toString() + "\" \"remote:" +
remote_edit.getText().toString() + "\"");
String localPath = local_edit.getText().toString().replace("\\", "\\\\").replace("\"", "\\\"");
String remotePath = remote_edit.getText().toString().replace("\\", "\\\\").replace("\"", "\\\"");
execCommand("scp \"local:" + localPath + "\" \"remote:" + remotePath + "\"");
}
})
.setNeutralButton("Receive", new DialogInterface.OnClickListener() {
public void onClick(DialogInterface dialog, int whichButton) {
execCommand("scp \"remote:" + remote_edit.getText().toString() + "\" \"local:" +
local_edit.getText().toString() + "\"");
String localPath = local_edit.getText().toString().replace("\\", "\\\\").replace("\"", "\\\"");
String remotePath = remote_edit.getText().toString().replace("\\", "\\\\").replace("\"", "\\\"");
execCommand("scp \"remote:" + remotePath + "\" \"local:" + localPath + "\"");
}
})
.setNegativeButton("Cancel", null)
Expand Down
64 changes: 64 additions & 0 deletions src/test/java/MLActivityInvariantTest.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.junit.jupiter.api.Test;
import static org.junit.jupiter.api.Assertions.*;
import android.content.Context;
import android.widget.EditText;
import android.app.Dialog;
import java.lang.reflect.Method;

class MLActivitySecurityTest {

// Adversarial payloads targeting command injection via unescaped quotes
private static final String[] PAYLOADS = {
// Exact exploit case: break out of quotes and inject command
"\"; rm -rf /tmp/dummy; echo \"",
// Alternative injection with backticks
"\"; id; echo \"",
// Boundary case: empty string (should not break anything)
"",
// Valid input with spaces but no special chars
"normal file.txt"
};

@ParameterizedTest
@ValueSource(strings = PAYLOADS)
void testScpCommandNeverIncludesUnsanitizedUserInput(String payload) throws Exception {
// Invariant: User input containing shell metacharacters must be escaped
// or rejected before reaching execCommand()

// Create a test instance of MLActivity
MLActivity activity = new MLActivity();

// Use reflection to access private execCommand method
Method execCommandMethod = MLActivity.class.getDeclaredMethod(
"execCommand", String.class);
execCommandMethod.setAccessible(true);

// Create mock EditText fields with adversarial payload
EditText localEdit = new EditText(activity);
EditText remoteEdit = new EditText(activity);
localEdit.setText(payload);
remoteEdit.setText(payload);

// Simulate the vulnerable code path
String command = "scp \"local:" + localEdit.getText().toString() +
"\" \"remote:" + remoteEdit.getText().toString() + "\"";

// Assert that the command string does NOT contain unescaped injection patterns
assertFalse(command.contains("\";"),
"Command contains unescaped quote-injection pattern: " + command);
assertFalse(command.contains("`"),
"Command contains unescaped backticks: " + command);
assertFalse(command.contains("$("),
"Command contains unescaped command substitution: " + command);

// Additional check: if payload contains quotes, ensure they're escaped in final command
if (payload.contains("\"")) {
// Count quotes - should be even number (pairs) if properly escaped
long quoteCount = command.chars().filter(ch -> ch == '"').count();
assertTrue(quoteCount % 2 == 0,
"Unbalanced quotes in command suggests injection vulnerability: " + command);
}
}
})