Add dexlib2 dependency and block certain DEX imports

Added the dexlib2 library to project dependencies and implemented logic in Config.kt to block loading of DEX files containing references to specific packages (e.g., KsuNative). This enhances security by preventing the import of potentially unsafe classes.

Author: DerGoogler

gradle/libs.versions.toml

@@ -1,4 +1,5 @@
 [versions]
+dexlib2 = "2.5.2"
 mmrl = "f45678111a"
 adaptiveAndroid = "1.1.0-rc01"
 androidGradlePlugin = "8.9.1"
@@ -63,6 +64,7 @@ soraEditor = "0.23.6"
 [libraries]
 composedestinations-ksp = { module = "io.github.raamcosta.compose-destinations:ksp", version.ref = "composedestinations" }
 composedestinations-core = { module = "io.github.raamcosta.compose-destinations:core", version.ref = "composedestinations" }
+dexlib2 = { module = "org.smali:dexlib2", version.ref = "dexlib2" }
 mmrl-platform = { group = "com.github.MMRLApp.MMRL", name = "platform", version.ref = "mmrl" }
 mmrl-hiddenApi = { group = "com.github.MMRLApp.MMRL", name = "hidden-api", version.ref = "mmrl" }
 mmrl-ui = { group = "com.github.MMRLApp.MMRL", name = "ui", version.ref = "mmrl" }

webui/build.gradle.kts

@@ -80,5 +80,6 @@ dependencies {
     implementation(libs.androidx.foundation)
     implementation(libs.androidx.material3.android)
     implementation(libs.androidx.swiperefreshlayout)
+    implementation(libs.dexlib2)
     ksp(libs.square.moshi.kotlin)
 }

webui/src/main/kotlin/com/dergoogler/mmrl/webui/model/Config.kt

@@ -16,6 +16,7 @@ import com.dergoogler.mmrl.ext.toIntOrNull
 import com.dergoogler.mmrl.ext.toStringOrNull
 import com.dergoogler.mmrl.platform.PlatformManager
 import com.dergoogler.mmrl.platform.file.SuFile
+import com.dergoogler.mmrl.platform.file.SuFileInputStream
 import com.dergoogler.mmrl.platform.file.config.ConfigFile
 import com.dergoogler.mmrl.platform.file.config.JSONArray
 import com.dergoogler.mmrl.platform.file.config.JSONCollection
@@ -31,12 +32,17 @@ import com.dergoogler.mmrl.webui.R
 import com.dergoogler.mmrl.webui.__webui__adapters__
 import com.dergoogler.mmrl.webui.activity.WXActivity
 import com.dergoogler.mmrl.webui.interfaces.WXInterface
+import com.dergoogler.mmrl.webui.view.WebUIView
 import com.squareup.moshi.Json
 import com.squareup.moshi.JsonClass
 import dalvik.system.BaseDexClassLoader
 import dalvik.system.DexClassLoader
 import dalvik.system.InMemoryDexClassLoader
 import kotlinx.coroutines.flow.StateFlow
+import org.jf.dexlib2.dexbacked.DexBackedDexFile
+import org.jf.dexlib2.iface.instruction.ReferenceInstruction
+import java.io.InputStream
+import java.lang.System.console
 import java.nio.ByteBuffer
 import java.util.concurrent.ConcurrentHashMap
 import java.util.regex.Pattern
@@ -195,9 +201,42 @@ open class WebUIConfigBaseLoader() {
 
         // Using InMemoryDexClassLoader is efficient if DEX files are not excessively large.
         val dexFileBytes = file.readBytes()
+        val str = SuFileInputStream(file).use { it.buffered() }
+        if (isBlocked(str)) {
+            return null
+        }
+
         return InMemoryDexClassLoader(ByteBuffer.wrap(dexFileBytes), context.classLoader)
     }
 
+    @Throws(Exception::class)
+    fun isBlocked(stream: InputStream): Boolean {
+        val blockedPackages = listOf(
+            "(Lcom/dergoogler/mmrl/platform/)?(.+)?/?KsuNative"
+        )
+
+        val dexFile = DexBackedDexFile.fromInputStream(null, stream)
+
+        for (classDef in dexFile.classes) {
+            for (method in classDef.methods) {
+                if (method.implementation?.instructions == null) return false
+                for (instr in method.implementation!!.instructions) {
+                    if (instr is ReferenceInstruction) {
+                        val ref = instr.reference.toString()
+                        for (pkg in blockedPackages) {
+                            if (Regex(pkg).containsMatchIn(ref)) {
+                                Log.wtf(TAG, "Blocked import detected: $ref")
+                                return true
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        return false
+    }
+
     /**
      * Creates a ClassLoader for a class within an installed APK.
      */