From 4111b91fe293ab397da9b797a2bfa0514312b045 Mon Sep 17 00:00:00 2001
From: androidacy-user
Date: Mon, 1 May 2023 14:58:01 -0400
Subject: [PATCH] improve security

Signed-off-by: androidacy-user
---
 .../com/fox2code/mmm/androidacy/AndroidacyWebAPI.java | 9 +++++++++
 .../java/com/fox2code/mmm/settings/SettingsActivity.java | 1 +
 build.gradle.kts | 1 -
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java b/app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java
index 7dd0e8e..1caf174 100644
--- a/app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java
+++ b/app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java
@@ -64,6 +64,12 @@ public class AndroidacyWebAPI {
 void openNativeModuleDialogRaw(String moduleUrl, String moduleId, String installTitle, String checksum, boolean canInstall) {
 if (BuildConfig.DEBUG) Timber.d("ModuleDialog, downloadUrl: " + AndroidacyUtil.hideToken(moduleUrl) + ", moduleId: " + moduleId + ", installTitle: " + installTitle + ", checksum: " + checksum + ", canInstall: " + canInstall);
+ // moduleUrl should be a valid URL, i.e. in the androidacy.com domain
+ // if it is not, do not proceed
+ if (!AndroidacyUtil.isAndroidacyFileUrl(moduleUrl)) {
+ Timber.e("ModuleDialog, invalid URL: %s", moduleUrl);
+ return;
+ }
 this.downloadMode = false;
 RepoModule repoModule = AndroidacyRepoData.getInstance().moduleHashMap.get(installTitle);
 String title, description;
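Review bot: The new `Timber.e` line logs `moduleUrl` unredacted, while the debug line just above it passes the same value through `AndroidacyUtil.hideToken(moduleUrl)` — so the rejection path can write whatever that helper is meant to hide into the log. Apply the same redaction on the new line: `Timber.e("ModuleDialog, invalid URL: %s", AndroidacyUtil.hideToken(moduleUrl));`. Whether `isAndroidacyFileUrl` tolerates a null `moduleUrl` is not visible in the hunk; if it does not, a null guard before the call would keep this `@JavascriptInterface` path from throwing. openNativeModuleDialogRaw's body continues outside the hunk.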
@@ -381,8 +387,10 @@ public class AndroidacyWebAPI {
 */
 @JavascriptInterface
 public String getAndroidacyModuleFile(String moduleId, String moduleFile) {
+ moduleId = moduleId.replaceAll("\\.", "").replaceAll("/", "");
 if (moduleFile == null || this.consumedAction || !this.isAndroidacyModule(moduleId))
 return "";
+ moduleFile = moduleFile.replaceAll("\\.", "").replaceAll("/", "");
 File moduleFolder = new File("/data/adb/modules/" + moduleId);
 File absModuleFile = new File(moduleFolder, moduleFile).getAbsoluteFile();
 if (!absModuleFile.getPath().startsWith(moduleFolder.getPath()))
@@ -401,6 +409,7 @@ public class AndroidacyWebAPI {
 */
 @JavascriptInterface
 public boolean setAndroidacyModuleMeta(String moduleId, String content) {
+ moduleId = moduleId.replaceAll("\\.", "").replaceAll("/", "");
 if (content == null || this.consumedAction || !this.isAndroidacyModule(moduleId))
 return false;
 File androidacyMetaFile = new File("/data/adb/modules/" + moduleId + "/.androidacy");
diff --git a/app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java b/app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java
index 0cfe87f..299e1a7 100644
--- a/app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java
+++ b/app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java
@@ -1286,6 +1286,7 @@ public class SettingsActivity extends FoxActivity implements LanguageActivity {
 builder.setView(input);
 builder.setPositiveButton("OK", (dialog, which) -> {
 String text = String.valueOf(input.getText());
+ text = text.trim();
 // string should not be empty, start with https://, and not contain any spaces. http links are not allowed.
 if (text.matches("^https://.*") && !text.contains(" ") && !text.isEmpty()) {
 if (customRepoManager.canAddRepo(text)) {
diff --git a/build.gradle.kts b/build.gradle.kts
index caab022..eb4e76a 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
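Review bot: Deleting every `.` and `/` from `moduleId` and `moduleFile` in getAndroidacyModuleFile sanitizes by rewriting rather than rejecting, so legitimate input silently changes meaning: a file name with an extension such as `module.prop` becomes `moduleprop`, and if module ids may contain dots the method resolves a different directory than the caller asked for instead of refusing. The same `replaceAll` stripping is added to setAndroidacyModuleMeta in the next hunk. The new `moduleId.replaceAll(...)` also runs before any null check, so a null `moduleId` from the JavaScript side now throws out of a `@JavascriptInterface` method rather than returning the empty result. Prefer rejecting ahead of the existing `isAndroidacyModule` check: `if (moduleId == null || moduleFile == null || this.consumedAction) return "";` then `if (!moduleId.matches("[A-Za-z0-9._-]+") || !moduleFile.matches("[A-Za-z0-9._-]+") || moduleId.contains("..") || moduleFile.contains("..")) return "";`, keeping the later prefix check (which would be stronger on `getCanonicalPath()`, since `getAbsoluteFile()` does not resolve symlinks). Both methods continue outside their hunks.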
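Review bot: After the new `text = text.trim();` in SettingsActivity, the condition on the following `if` still rejects only the literal space character, so a value with an embedded tab or newline (which `trim()` removes only at the ends) still passes as a repo URL, and `!text.isEmpty()` is redundant once `matches("^https://.*")` has succeeded. A single anchored pattern covers all three checks: `if (text.matches("^https://\\S+$")) {`. The comment line above it says "not contain any spaces", so either the comment or the check should be widened to whitespace in general. The lambda and its enclosing method continue outside the hunk.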
@@ -20,7 +20,6 @@ buildscript {
 // NOTE: Do not place your application dependencies here; they belong
 // in the individual module build.gradle files
- //noinspection GradleDependency
 classpath("io.realm:realm-gradle-plugin:10.15.1")
 classpath("io.sentry:sentry-android-gradle-plugin:3.5.0")
 }