feat(android): validate custom protocol response status code (#779)

tauri-apps · Nov 30, 2022 · 7f585c7 · 7f585c7
1 parent a2b9531
commit 7f585c7
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 6 deletions.
diff --git a/.changes/validate-android-response.md b/.changes/validate-android-response.md
@@ -0,0 +1,5 @@
+---
+"wry": patch
+---
+
+Validate custom protocol response status code on Android.
diff --git a/src/webview/android/binding.rs b/src/webview/android/binding.rs
@@ -57,14 +57,30 @@ fn handle_request(env: JNIEnv, request: JObject) -> Result<jobject, JniError> {
   if let Some(handler) = REQUEST_HANDLER.get() {
     let final_request = match request_builder.body(Vec::new()) {
       Ok(req) => req,
-      Err(_) => {
+      Err(e) => {
+        log::warn!("Failed to build response: {}", e);
         return Ok(*JObject::null());
       }
     };
     let response = (handler.0)(final_request);
     if let Some(response) = response {
-      let status_code = response.status().as_u16() as i32;
-      let reason_phrase = "OK";
+      let status = response.status();
+      let status_code = status.as_u16();
+      let status_err = if status_code < 100 {
+        Some("Status code can't be less than 100")
+      } else if status_code > 599 {
+        Some("statusCode can't be greater than 599.")
+      } else if status_code > 299 && status_code < 400 {
+        Some("statusCode can't be in the [300, 399] range.")
+      } else {
+        None
+      };
+      if let Some(err) = status_err {
+        log::warn!("{}", err);
+        return Ok(*JObject::null());
+      }
+
+      let reason_phrase = status.canonical_reason().unwrap_or("OK");
       let (mime_type, encoding) = if let Some(content_type) = response.headers().get(CONTENT_TYPE) {
         let content_type = content_type.to_str().unwrap().trim();
         let mut s = content_type.split(';');
@@ -120,7 +136,7 @@ fn handle_request(env: JNIEnv, request: JObject) -> Result<jobject, JniError> {
       let web_resource_response = env.new_object(
         web_resource_response_class,
         "(Ljava/lang/String;Ljava/lang/String;ILjava/lang/String;Ljava/util/Map;Ljava/io/InputStream;)V",
-        &[mime_type, encoding, status_code.into(), env.new_string(reason_phrase)?.into(), response_headers.into(), stream.into()],
+        &[mime_type, encoding, (status_code as i32).into(), env.new_string(reason_phrase)?.into(), response_headers.into(), stream.into()],
       )?;
 
       return Ok(*web_resource_response);
@@ -134,7 +150,7 @@ pub unsafe fn handleRequest(env: JNIEnv, _: JClass, request: JObject) -> jobject
   match handle_request(env, request) {
     Ok(response) => response,
     Err(e) => {
-      log::error!("Failed to handle request: {}", e);
+      log::warn!("Failed to handle request: {}", e);
       *JObject::null()
     }
   }
@@ -148,6 +164,6 @@ pub unsafe fn ipc(env: JNIEnv, _: JClass, arg: JString) {
         (w.0)(&w.1, arg)
       }
     }
-    Err(e) => log::error!("Failed to parse JString: {}", e),
+    Err(e) => log::warn!("Failed to parse JString: {}", e),
   }
 }