improve security

Signed-off-by: androidacy-user <opensource@androidacy.com>
1 year ago · 4111b91fe2
parent ec9da3adf8
commit 4111b91fe2
3 changed files with 10 additions and 1 deletions
--- a/app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java
+++ b/app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java
@ -64,6 +64,12 @@ public class AndroidacyWebAPI {
    void openNativeModuleDialogRaw(String moduleUrl, String moduleId, String installTitle, String checksum, boolean canInstall) {
        if (BuildConfig.DEBUG)
            Timber.d("ModuleDialog, downloadUrl: " + AndroidacyUtil.hideToken(moduleUrl) + ", moduleId: " + moduleId + ", installTitle: " + installTitle + ", checksum: " + checksum + ", canInstall: " + canInstall);
+        // moduleUrl should be a valid URL, i.e. in the androidacy.com domain
+        // if it is not, do not proceed
+        if (!AndroidacyUtil.isAndroidacyFileUrl(moduleUrl)) {
+            Timber.e("ModuleDialog, invalid URL: %s", moduleUrl);
+            return;
+        }
        this.downloadMode = false;
        RepoModule repoModule = AndroidacyRepoData.getInstance().moduleHashMap.get(installTitle);
        String title, description;
@ -381,8 +387,10 @@ public class AndroidacyWebAPI {
     */
    @JavascriptInterface
    public String getAndroidacyModuleFile(String moduleId, String moduleFile) {
+        moduleId = moduleId.replaceAll("\\.", "").replaceAll("/", "");
        if (moduleFile == null || this.consumedAction || !this.isAndroidacyModule(moduleId))
            return "";
+        moduleFile = moduleFile.replaceAll("\\.", "").replaceAll("/", "");
        File moduleFolder = new File("/data/adb/modules/" + moduleId);
        File absModuleFile = new File(moduleFolder, moduleFile).getAbsoluteFile();
        if (!absModuleFile.getPath().startsWith(moduleFolder.getPath()))
@ -401,6 +409,7 @@ public class AndroidacyWebAPI {
     */
    @JavascriptInterface
    public boolean setAndroidacyModuleMeta(String moduleId, String content) {
+        moduleId = moduleId.replaceAll("\\.", "").replaceAll("/", "");
        if (content == null || this.consumedAction || !this.isAndroidacyModule(moduleId))
            return false;
        File androidacyMetaFile = new File("/data/adb/modules/" + moduleId + "/.androidacy");
--- a/app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java
+++ b/app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java
@ -1286,6 +1286,7 @@ public class SettingsActivity extends FoxActivity implements LanguageActivity {
                    builder.setView(input);
                    builder.setPositiveButton("OK", (dialog, which) -> {
                        String text = String.valueOf(input.getText());
+                        text = text.trim();
                        // string should not be empty, start with https://, and not contain any spaces. http links are not allowed.
                        if (text.matches("^https://.*") && !text.contains(" ") && !text.isEmpty()) {
                            if (customRepoManager.canAddRepo(text)) {
--- a/build.gradle.kts
+++ b/build.gradle.kts
@ -20,7 +20,6 @@ buildscript {

        // NOTE: Do not place your application dependencies here; they belong
        // in the individual module build.gradle files
-        //noinspection GradleDependency
        classpath("io.realm:realm-gradle-plugin:10.15.1")
        classpath("io.sentry:sentry-android-gradle-plugin:3.5.0")
    }