Commit 2ac9100e authored by Chirayu Desai's avatar Chirayu Desai

Merge branch 'network-security-config-force-https' into 'master'

set up whitelist of repo domains to force HTTPS

See merge request !835
parents 3ff70a8b 30d16a88
Pipeline #108438014 passed with stages
in 36 minutes and 8 seconds
......@@ -65,6 +65,7 @@
android:description="@string/app_description"
android:allowBackup="true"
android:fullBackupContent="@xml/backup_rules"
android:networkSecurityConfig="@xml/network_security_config"
android:theme="@style/AppThemeLight"
android:supportsRtl="true">
......
......@@ -7,10 +7,11 @@ import android.text.TextUtils;
import android.util.Log;
import org.fdroid.fdroid.R;
import org.fdroid.fdroid.Utils;
import org.fdroid.fdroid.nearby.peers.WifiPeer;
import org.fdroid.fdroid.nearby.SwapWorkflowActivity;
import org.fdroid.fdroid.nearby.peers.WifiPeer;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
public class NewRepoConfig {
......@@ -164,19 +165,43 @@ public class NewRepoConfig {
return errorMessage;
}
private static final List<String> FORCE_HTTPS_DOMAINS = Arrays.asList(
"amazonaws.com",
"github.com",
"githubusercontent.com",
"github.io",
"gitlab.com",
"gitlab.io"
);
/**
* Sanitize and format an incoming repo URI for function and readability
* Sanitize and format an incoming repo URI for function and readability.
* This also forces URLs listed in {@code app/src/main/res/xml/network_security_config.xml}
* to have "https://" as the scheme.
*
* @see <a href="https://developer.android.com/training/articles/security-config">Network Security Config</a>
*/
public static String sanitizeRepoUri(Uri uri) {
String scheme = uri.getScheme();
String newScheme = scheme.toLowerCase(Locale.ENGLISH);
String host = uri.getHost();
String newHost = host.toLowerCase(Locale.ENGLISH);
String userInfo = uri.getUserInfo();
if ("http".equals(newScheme)) {
for (String httpsDomain : FORCE_HTTPS_DOMAINS) {
if (newHost.endsWith(httpsDomain)) {
scheme = "https";
break;
}
}
}
return uri.toString()
.replaceAll("\\?.*$", "") // remove the whole query
.replaceAll("/*$", "") // remove all trailing slashes
.replace(userInfo + "@", "") // remove user authentication
.replace(host, host.toLowerCase(Locale.ENGLISH))
.replace(scheme, scheme.toLowerCase(Locale.ENGLISH))
.replaceFirst(host, newHost)
.replaceFirst(scheme, newScheme)
.replace("fdroidrepo", "http") // proper repo address
.replace("/FDROID/REPO", "/fdroid/repo"); // for QR FDroid path
}
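Review bot: The HTTPS upgrade in `sanitizeRepoUri` does not appear to reach the returned string, because the loop assigns `scheme = "https"` while `newScheme` stays `"http"`, so the later `.replaceFirst(scheme, newScheme)` searches for `https` in an `http://` URL and would replace it with `http`. That leaves the real scheme untouched (an upper-case `HTTP` is no longer lower-cased either) and can rewrite a literal `https` elsewhere in the URL; assigning `newScheme = "https";` inside the loop instead would make the replacement produce the forced scheme. The match `newHost.endsWith(httpsDomain)` also has no label boundary, so a host such as `notgithub.com` is treated like a listed domain, unlike the `includeSubdomains` matching in the network security config; `newHost.equals(httpsDomain) || newHost.endsWith("." + httpsDomain)` would align the two. A unit test asserting that an `http://` URL on a listed domain comes back as `https://` would pin the intended behaviour.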
......
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config cleartextTrafficPermitted="true"/>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">amazonaws.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">f-droid.org</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">github.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">githubusercontent.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">github.io</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">gitlab.com</domain>
</domain-config>
<domain-config cleartextTrafficPermitted="false">
<domain includeSubdomains="true">gitlab.io</domain>
</domain-config>
</network-security-config>
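Review bot: `f-droid.org` has cleartext disabled here but is absent from `FORCE_HTTPS_DOMAINS` in `NewRepoConfig`, so an `http://` repo URL on that domain would not be rewritten by `sanitizeRepoUri` and would presumably fail at connection time rather than being upgraded. If that difference is intentional it deserves a comment at the top of this file, for example `<!-- Keep this list in sync with FORCE_HTTPS_DOMAINS in NewRepoConfig.java -->`, with a short reason for any domain listed in only one place. Also worth stating in that comment: `<base-config cleartextTrafficPermitted="true"/>` keeps cleartext allowed for every host not listed, and the platform only honours this file on Android releases that support Network Security Config, so on older devices the Java-side rewrite is the only enforcement.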