Domain exception to be made on local IP address 10.0.2.2 #49

Closed
MaRuifeng opened this issue Mar 2, 2019 · 3 comments

MaRuifeng commented Mar 2, 2019

Describe the bug
From React Native version 0.58 onwards, with Android API version 28, no clear text traffic is allowed by default. But currently the React Native packager and debugger connect to the device or emulator via HTTP, taking either localhost or 10.0.0.2. These values are hardcoded in RN's codebase.

We tried to make an exception for them by putting the config block below in the network_security_config.xml file, which is further referenced in the AndroidManifest.xml file.

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
</domain-config>

This SO entry explains this approach in detail.

But this config is not acknowledged by the TrustKit module, which fails with the exception below, hence causing the app to crash upon launch.

03-02 16:18:56.826 19455 19455 E AndroidRuntime: java.lang.RuntimeException: Unable to create application ***.***.MainApplication: com.datatheorem.android.trustkit.config.ConfigurationException: Tried to pin an invalid domain: 10.0.3.2
...
03-02 16:18:56.826 19455 19455 E AndroidRuntime: Caused by: com.datatheorem.android.trustkit.config.ConfigurationException: Tried to pin an invalid domain: 10.0.3.2
03-02 16:18:56.826 19455 19455 E AndroidRuntime: 	at com.datatheorem.android.trustkit.config.DomainPinningPolicy.<init>(DomainPinningPolicy.java:48)

This problem is very similar to #25 for which only localhost was exempted.

To Reproduce
Put the above XML config block for clear text traffic in an RN (version >= 0.58) app with the TrustKit module installed, and run react-native run-android to install and launch it in an Android emulator. The app will crash upon launch and the above exception messages can be read via logcat.

Expected behavior
Certain local IP addresses like 10.0.2.2 used by the RN packager and debugger should be considered valid domains.

TrustKit configuration

<domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
</domain-config>

App details:

  • App target SDK: 28.0.3
  • App language: JS/React Native
  • Android version to reproduce the bug: Andorid 9.0.
@MaRuifeng MaRuifeng changed the title Domain exception to be made on local IP address 10.0.0.2 Domain exception to be made on local IP address 10.0.2.2 Mar 2, 2019
@nabla-c0d3 nabla-c0d3 added the bug label Mar 12, 2019
@nabla-c0d3
Member

The next release will ignore domain-config entries that don't have a pin-set (i.e. entries that are not configuring pinning).
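
An added example, not part of the thread or TrustKit's own code: a Python check that reports which domain-config entries carry a pin-set (the distinction the comment above draws) and flags cleartext exceptions that reach beyond local development hosts. The sample XML, api.example.com and the placeholder pin are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the issue's debug exception plus a hypothetical pinned entry.
SAMPLE = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="false">localhost</domain>
    <domain includeSubdomains="false">10.0.2.2</domain>
    <domain includeSubdomains="false">10.0.3.2</domain>
    <trustkit-config enforcePinning="false"/>
  </domain-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set>
      <pin digest="SHA-256">PLACEHOLDER_PIN=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""


def is_local(host):
    """True for localhost and loopback/private IP literals (e.g. emulator host aliases)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"  # DNS name: only localhost counts as local
    return ip.is_loopback or ip.is_private


def audit(xml_text):
    """Return one report dict per <domain-config>, in document order."""
    reports = []
    for cfg in ET.fromstring(xml_text).iter("domain-config"):
        hosts = [d.text.strip() for d in cfg.findall("domain") if d.text]
        pinned = cfg.find("pin-set") is not None
        cleartext = cfg.get("cleartextTrafficPermitted", "").lower() == "true"
        findings = []
        if cleartext:
            findings += [f"cleartext allowed for non-local host {h}"
                         for h in hosts if not is_local(h)]
        if pinned and cleartext:
            findings.append("pin-set present but cleartext permitted: pins cannot protect HTTP")
        reports.append({"hosts": hosts, "pinned": pinned,
                        "cleartext": cleartext, "findings": findings})
    return reports


if __name__ == "__main__":
    for report in audit(SAMPLE):
        print(report)
```

Running it over a release build's network_security_config.xml shows whether a debug-only cleartext exception like the one in this issue has leaked into an entry that covers production hosts.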

@nabla-c0d3
Member

Released with v1.1.1.

@MaRuifeng
Author

The fix seemed to cause another problem, as documented in #53.
