Merge pull request #404 from Countly/intentfix

feat: add intent package check

Author: turtledreams

CHANGELOG.md

@@ -1,9 +1,9 @@
-## XX.XX.XX
+## 24.7.5-RC1
 * ! Minor breaking change ! All active views will now automatically stop when consent for "views" is revoked.
 
 * The Android SDK now supports Android 15 (API level 35)
 * The views will be stopped and restarted now while going to the background or foreground instead of resuming and pausing.
-
+* Added further intent redirection vulnarability checks.
 * Added new functions to ease the presenting the feedback widgets. Functions present the first matching feedback widget from the list.
   * presentNPS(Context)
   * presentNPS(Context, String)

gradle.properties

@@ -22,7 +22,7 @@ org.gradle.configureondemand=true
 android.useAndroidX=true
 android.enableJetifier=true
 # RELEASE FIELD SECTION
-VERSION_NAME=24.7.4
+VERSION_NAME=24.7.5-RC1
 GROUP=ly.count.android
 POM_URL=https://github.com/Countly/countly-sdk-android
 POM_SCM_URL=https://github.com/Countly/countly-sdk-android

sdk/src/androidTest/java/ly/count/android/sdk/TestUtils.java

@@ -44,7 +44,7 @@ public class TestUtils {
     public final static String commonAppKey = "appkey";
     public final static String commonDeviceId = "1234";
     public final static String SDK_NAME = "java-native-android";
-    public final static String SDK_VERSION = "24.7.4";
+    public final static String SDK_VERSION = "24.7.5-RC1";
     public static final int MAX_THREAD_COUNT_PER_STACK_TRACE = 50;
 
     public static class Activity2 extends Activity {

sdk/src/main/java/ly/count/android/sdk/Countly.java

@@ -47,7 +47,7 @@ of this software and associated documentation files (the "Software"), to deal
  */
 public class Countly {
 
-    private final String DEFAULT_COUNTLY_SDK_VERSION_STRING = "24.7.4";
+    private final String DEFAULT_COUNTLY_SDK_VERSION_STRING = "24.7.5-RC1";
 
     /**
      * Used as request meta data on every request

sdk/src/main/java/ly/count/android/sdk/messaging/CountlyPushActivity.java

@@ -10,11 +10,11 @@
 import java.util.ArrayList;
 import ly.count.android.sdk.Countly;
 
+import static ly.count.android.sdk.messaging.CountlyPush.ALLOWED_CLASS_NAMES;
+import static ly.count.android.sdk.messaging.CountlyPush.ALLOWED_PACKAGE_NAMES;
 import static ly.count.android.sdk.messaging.CountlyPush.EXTRA_ACTION_INDEX;
 import static ly.count.android.sdk.messaging.CountlyPush.EXTRA_INTENT;
 import static ly.count.android.sdk.messaging.CountlyPush.EXTRA_MESSAGE;
-import static ly.count.android.sdk.messaging.CountlyPush.ALLOWED_CLASS_NAMES;
-import static ly.count.android.sdk.messaging.CountlyPush.ALLOWED_PACKAGE_NAMES;
 import static ly.count.android.sdk.messaging.CountlyPush.useAdditionalIntentRedirectionChecks;
 
 public class CountlyPushActivity extends Activity {
@@ -42,11 +42,35 @@ private void performPushAction(Intent activityIntent) {
         int flags = intent.getFlags();
         if (((flags & Intent.FLAG_GRANT_READ_URI_PERMISSION) != 0) || ((flags & Intent.FLAG_GRANT_WRITE_URI_PERMISSION) != 0)) {
             Countly.sharedInstance().L.w("[CountlyPush, CountlyPushActivity] Attempt to get URI permissions");
+            // Remove not trusted URI flags
+            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
+                Countly.sharedInstance().L.d("[CountlyPush, CountlyPushActivity] Removed URI permissions");
+                intent.removeFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
+                intent.removeFlags(Intent.FLAG_GRANT_WRITE_URI_PERMISSION);
+            } else {
+                Countly.sharedInstance().L.d("[CountlyPush, CountlyPushActivity] Can not remove URI permissions. Aborting");
+                return;
+            }
+        }
+
+        ComponentName componentName = getCallingActivity();
+        String packageNameCurrent = getPackageName();
+        if (componentName != null) {
+            String callingPackage = componentName.getPackageName();
+            if (!callingPackage.startsWith(packageNameCurrent) || !packageNameCurrent.equals(callingPackage)) {
+                Countly.sharedInstance().L.w("[CountlyPushActivity] performPushAction, Untrusted intent package");
+                return;
+            }
+        }
+
+        ComponentName targetComponent = intent.resolveActivity(context.getPackageManager());
+        if (targetComponent == null || !targetComponent.getPackageName().startsWith(packageNameCurrent) || !targetComponent.getPackageName().equals(packageNameCurrent)) {
+            Countly.sharedInstance().L.w("[CountlyPushActivity] performPushAction, Untrusted target component");
             return;
         }
 
         if (useAdditionalIntentRedirectionChecks) {
-            ComponentName componentName = intent.getComponent();
+            componentName = intent.getComponent();
             String intentPackageName = componentName.getPackageName();
             String intentClassName = componentName.getClassName();
             String contextPackageName = context.getPackageName();
@@ -123,7 +147,7 @@ private void performPushAction(Intent activityIntent) {
 
         try {
             //try/catch required due to Android 12
-            if (android.os.Build.VERSION.SDK_INT < Build.VERSION_CODES.S) {
+            if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) {
                 //this needs to be called before Android 12
                 Intent closeNotificationsPanel = new Intent(Intent.ACTION_CLOSE_SYSTEM_DIALOGS);
                 context.sendBroadcast(closeNotificationsPanel);
@@ -165,4 +189,4 @@ private void performPushAction(Intent activityIntent) {
             }
         }
     }
-}
+}