Perform additional URI validation in ShareRepository.
Thanks to Shivasurya <s5sankar@uwaterloo.ca> for reporting this issue!
1 parent
ba14031
commit d069d93
Showing
3 changed files
with
93 additions
and
0 deletions.
33 changes: 33 additions & 0 deletions
33
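--- a/app/src/main/java/org/thoughtcrime/securesms/util/UriUtil.java
+++ b/app/src/main/java/org/thoughtcrime/securesms/util/UriUtil.java
@@ -0,0 +1,33 @@
+package org.thoughtcrime.securesms.util;
+
+import android.content.ContentResolver;
+import android.content.Context;
+import android.net.Uri;
+
+import androidx.annotation.NonNull;
+
+import java.io.File;
+import java.io.IOException;
+
+public final class UriUtil {
+
+/**
+* Ensures that an external URI is valid and doesn't contain any references to internal files or
+* any other trickiness.
+*/
+public static boolean isValidExternalUri(@NonNull Context context, @NonNull Uri uri) {
+if (ContentResolver.SCHEME_FILE.equals(uri.getScheme())) {
+try {
+File file = new File(uri.getPath());
+
+return file.getCanonicalPath().equals(file.getPath()) &&
+!file.getCanonicalPath().startsWith("/data") &&
+!file.getCanonicalPath().contains(context.getPackageName());
+} catch (IOException e) {
+return false;
+}
+} else {
+return true;
+}
+}
+}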
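Review bot: `new File(uri.getPath())` in `isValidExternalUri` throws a NullPointerException when the file URI is opaque, because `Uri.getPath()` returns null in that case and only `IOException` is caught; reading the path into a local first (`String path = uri.getPath(); if (path == null) return false;`) keeps the validator fail-closed instead of crashing the caller. The `else { return true; }` branch also reports every non-`file` scheme as valid without inspection, and the scheme comparison is case-sensitive, so a `content://` URI under this app's own authority or a differently-cased `file` scheme is accepted here; whether that matters depends on how ShareRepository later opens the URI, which is not visible in this section. Consider comparing the scheme case-insensitively and stating in the Javadoc that only `file` paths are vetted, so callers do not read a `true` result as a general safety guarantee.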
55 changes: 55 additions & 0 deletions
55
app/src/test/java/org/thoughtcrime/securesms/util/UriUtilTest_isValidExternalUri.java
@@ -0,0 +1,55 @@ | ||
package org.thoughtcrime.securesms.util; | ||
|
||
import android.app.Application; | ||
import android.content.Context; | ||
import android.net.Uri; | ||
|
||
import androidx.test.core.app.ApplicationProvider; | ||
|
||
import org.junit.Test; | ||
import org.junit.runner.RunWith; | ||
import org.robolectric.ParameterizedRobolectricTestRunner; | ||
import org.robolectric.annotation.Config; | ||
|
||
import java.util.Arrays; | ||
import java.util.Collection; | ||
|
||
import static org.junit.Assert.assertEquals; | ||
|
||
@RunWith(ParameterizedRobolectricTestRunner.class) | ||
@Config(manifest = Config.NONE, application = Application.class) | ||
public class UriUtilTest_isValidExternalUri { | ||
|
||
private final String input; | ||
private final boolean output; | ||
|
||
@ParameterizedRobolectricTestRunner.Parameters | ||
public static Collection<Object[]> data() { | ||
return Arrays.asList(new Object[][]{ | ||
{ "content://other.app.package.name.org/path/public.txt", true }, | ||
{ "file:///sdcard/public.txt", true }, | ||
{ "file:///data/data/org.thoughtcrime.securesms/private.txt", false }, | ||
{ "file:///any/path/with/package/name/org.thoughtcrime.securesms", false }, | ||
{ "file:///org.thoughtcrime.securesms/any/path/with/package/name", false }, | ||
{ "file:///any/path/../with/back/references/private.txt", false }, | ||
{ "file:///any/path/with/back/references/../private.txt", false }, | ||
{ "file:///../any/path/with/back/references/private.txt", false }, | ||
{ "file:///encoded/back/reference/%2F..%2F..path%2Fto%2Fprivate.txt", false }, | ||
{ "file:///public/%2E%2E%2Fprivate%2Fprivate.txt", false }, | ||
{ "file:///data/no/paths/in/data", false }, | ||
}); | ||
} | ||
|
||
public UriUtilTest_isValidExternalUri(String input, boolean output) { | ||
this.input = input; | ||
this.output = output; | ||
} | ||
|
||
@Test | ||
public void parse() { | ||
Context context = ApplicationProvider.getApplicationContext(); | ||
Uri uri = Uri.parse(input); | ||
|
||
assertEquals(output, UriUtil.isValidExternalUri(context, uri)); | ||
} | ||
} |
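Review bot: The parameter table in `data()` has no row for the inputs the validator does not special-case, namely an opaque `file:` URI, a `file` scheme written in a different case, and a `content://` URI under the app's own authority, so the fail-open `else` branch is pinned only by the single third-party `content://` row. Adding one row for each, with the expected result chosen deliberately, would record the intended contract and catch a regression if the default ever changes. The two package-name rows also appear to assume that `context.getPackageName()` returns `org.thoughtcrime.securesms` under `@Config(manifest = Config.NONE)`; that looks environment-dependent, so asserting the package name once in `parse()` (or building those rows from it) would make the dependency explicit.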