Merge branch 'network-security-config-force-https' into 'master'

set up whitelist of repo domains to force HTTPS

See merge request fdroid/fdroidclient!835
Chirayu Desai 2020-01-10 15:26:08 +00:00
commit 2ac9100eea
3 changed files with 56 additions and 4 deletions


@ -65,6 +65,7 @@
android:description="@string/app_description" android:description="@string/app_description"
android:allowBackup="true" android:allowBackup="true"
android:fullBackupContent="@xml/backup_rules" android:fullBackupContent="@xml/backup_rules"
android:networkSecurityConfig="@xml/network_security_config"
android:theme="@style/AppThemeLight" android:theme="@style/AppThemeLight"
android:supportsRtl="true"> android:supportsRtl="true">


@ -7,10 +7,11 @@ import android.text.TextUtils;
import android.util.Log; import android.util.Log;
import org.fdroid.fdroid.R; import org.fdroid.fdroid.R;
import org.fdroid.fdroid.Utils; import org.fdroid.fdroid.Utils;
import org.fdroid.fdroid.nearby.peers.WifiPeer;
import org.fdroid.fdroid.nearby.SwapWorkflowActivity; import org.fdroid.fdroid.nearby.SwapWorkflowActivity;
import org.fdroid.fdroid.nearby.peers.WifiPeer;
import java.util.Arrays; import java.util.Arrays;
import java.util.List;
import java.util.Locale; import java.util.Locale;
public class NewRepoConfig { public class NewRepoConfig {
@ -164,19 +165,43 @@ public class NewRepoConfig {
return errorMessage; return errorMessage;
} }
private static final List<String> FORCE_HTTPS_DOMAINS = Arrays.asList(
"amazonaws.com",
"github.com",
"githubusercontent.com",
"github.io",
"gitlab.com",
"gitlab.io"
);
/** /**
* Sanitize and format an incoming repo URI for function and readability * Sanitize and format an incoming repo URI for function and readability.
* This also forces URLs listed in {@code app/src/main/res/xml/network_security_config.xml}
* to have "https://" as the scheme.
*
* @see <a href="https://developer.android.com/training/articles/security-config">Network Security Config</a>
*/ */
public static String sanitizeRepoUri(Uri uri) { public static String sanitizeRepoUri(Uri uri) {
String scheme = uri.getScheme(); String scheme = uri.getScheme();
String newScheme = scheme.toLowerCase(Locale.ENGLISH);
String host = uri.getHost(); String host = uri.getHost();
String newHost = host.toLowerCase(Locale.ENGLISH);
String userInfo = uri.getUserInfo(); String userInfo = uri.getUserInfo();
if ("http".equals(newScheme)) {
for (String httpsDomain : FORCE_HTTPS_DOMAINS) {
if (newHost.endsWith(httpsDomain)) {
scheme = "https";
break;
}
}
}
return uri.toString() return uri.toString()
.replaceAll("\\?.*$", "") // remove the whole query .replaceAll("\\?.*$", "") // remove the whole query
.replaceAll("/*$", "") // remove all trailing slashes .replaceAll("/*$", "") // remove all trailing slashes
.replace(userInfo + "@", "") // remove user authentication .replace(userInfo + "@", "") // remove user authentication
.replace(host, host.toLowerCase(Locale.ENGLISH)) .replaceFirst(host, newHost)
.replace(scheme, scheme.toLowerCase(Locale.ENGLISH)) .replaceFirst(scheme, newScheme)
.replace("fdroidrepo", "http") // proper repo address .replace("fdroidrepo", "http") // proper repo address
.replace("/FDROID/REPO", "/fdroid/repo"); // for QR FDroid path .replace("/FDROID/REPO", "/fdroid/repo"); // for QR FDroid path
} }
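Review bot: The forced upgrade in `sanitizeRepoUri` looks like a no-op: the loop assigns `scheme = "https"`, but `scheme` is only used afterwards as the search pattern in `.replaceFirst(scheme, newScheme)`, so an `http://github.com/...` address contains no `https` to match and is returned still as `http` (an upper-case `HTTP` scheme on a listed host is then no longer lower-cased either). Assigning the target instead, `newScheme = "https";`, makes the rewrite take effect. The `newHost.endsWith(httpsDomain)` test also matches unrelated hosts that merely end in the same characters; `newHost.equals(httpsDomain) || newHost.endsWith("." + httpsDomain)` would match on a label boundary, the way `includeSubdomains` does in the XML. Because `replaceFirst` treats `host` and `scheme` as regular expressions, wrapping them in `Pattern.quote(...)` would keep the dots literal, and a unit test asserting the `https://` result for each listed domain would pin the behaviour down.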


@ -0,0 +1,26 @@
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true"/>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">amazonaws.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">f-droid.org</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">github.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">githubusercontent.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">github.io</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">gitlab.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">gitlab.io</domain>
</domain-config>
</network-security-config>
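Review bot: This file needs a header comment, because its domain list has to be kept in step by hand with `FORCE_HTTPS_DOMAINS` in `NewRepoConfig` and the two already differ: `f-droid.org` is listed here but not there, so an `http://f-droid.org/...` address would be refused by the platform rather than rewritten to HTTPS. A comment such as `<!-- Keep in sync with NewRepoConfig.FORCE_HTTPS_DOMAINS; f-droid.org is listed only here because ... -->` above the first `domain-config` would record whether that difference is intended. The comment should also state that the platform honours this file only on Android 7.0 (API 24) and later, so on older devices the URL rewrite is the only enforcement, and that `<base-config cleartextTrafficPermitted="true"/>` explicitly keeps cleartext allowed for every host not listed.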