Add allowed URL filtering to WXClient requests

DerGoogler · DerGoogler · commit f092a6336690 · 2025-09-05T14:53:39.000+02:00
Introduces a check in WXClient to block web resource requests from unauthorized domains based on allowUrls patterns defined in the configuration. Updates WebUIConfig to support allowUrls as a list of patterns and compiles them for efficient matching.
diff --git a/webui/src/main/kotlin/com/dergoogler/mmrl/webui/client/WXClient.kt b/webui/src/main/kotlin/com/dergoogler/mmrl/webui/client/WXClient.kt
@@ -20,11 +20,13 @@ import com.dergoogler.mmrl.webui.PathHandler
 import com.dergoogler.mmrl.webui.R
 import com.dergoogler.mmrl.webui.WXAssetLoader
 import com.dergoogler.mmrl.webui.component.ErrorScreen
+import com.dergoogler.mmrl.webui.forbiddenResponse
 import com.dergoogler.mmrl.webui.handler.internalPathHandler
 import com.dergoogler.mmrl.webui.handler.suPathHandler
 import com.dergoogler.mmrl.webui.handler.webrootPathHandler
 import com.dergoogler.mmrl.webui.model.Insets
 import com.dergoogler.mmrl.webui.model.WebResourceErrors
+import com.dergoogler.mmrl.webui.model.invoke
 import com.dergoogler.mmrl.webui.util.WebUIOptions
 import com.dergoogler.mmrl.webui.util.drawCompose
 import com.dergoogler.mmrl.webui.view.WXSwipeRefresh
@@ -191,6 +193,13 @@ open class WXClient : WebViewClient {
     ): WebResourceResponse? {
         val urlString = request.url.toString()
 
+        // Check if the request is from an allowed domain
+        if (!isAllowedUrl(urlString)) {
+            Log.d(TAG, "Blocking request from unauthorized domain: $urlString")
+            return forbiddenResponse
+        }
+
+        // Handle favicon requests
         if (urlString.endsWith("/favicon.ico")) {
             Log.d(TAG, "Blocking favicon.ico request for $urlString")
             return WebResourceResponse("image/png", null, null)
@@ -200,6 +209,14 @@ open class WXClient : WebViewClient {
         return mWxAssetsLoader(request.url)
     }
 
+    private fun isAllowedUrl(requestHost: String?): Boolean = mOptions.config {
+        if (requestHost == null) return@config false
+        if (allowUrls.isEmpty()) return@config true
+        return@config allowUrlsPatterns.any { pattern ->
+            pattern.matcher(requestHost).matches()
+        }
+    }
+
     private companion object {
         const val TAG = "WXClient"
     }
diff --git a/webui/src/main/kotlin/com/dergoogler/mmrl/webui/model/Config.kt b/webui/src/main/kotlin/com/dergoogler/mmrl/webui/model/Config.kt
@@ -39,6 +39,7 @@ import dalvik.system.InMemoryDexClassLoader
 import kotlinx.coroutines.flow.StateFlow
 import java.nio.ByteBuffer
 import java.util.concurrent.ConcurrentHashMap
+import java.util.regex.Pattern
 
 
 object WebUIPermissions {
@@ -278,6 +279,8 @@ enum class WebUIConfigAdditionalConfigType {
     SWITCH,
 }
 
+operator fun <T, R> ConfigFile<T>.invoke(block: T.() -> R): R = block(getConfig())
+
 @JsonClass(generateAdapter = true)
 data class WebUIConfig(
     val __module__identifier__: ModId,
@@ -292,6 +295,7 @@ data class WebUIConfig(
     val refreshInterceptor: String? = null,
     val exitConfirm: Boolean = true,
     val pullToRefresh: Boolean = false,
+    val allowUrls: MutableList<String> = mutableListOf(),
     val pullToRefreshHelper: Boolean = true,
     val historyFallbackFile: String = "index.html",
     val autoStatusBarsStyle: Boolean = true,
@@ -313,6 +317,9 @@ data class WebUIConfig(
     override fun getConfigType(): Class<WebUIConfig> = WebUIConfig::class.java
     override fun getDefaultConfigFactory(id: ModId): WebUIConfig = WebUIConfig(id)
 
+    internal val allowUrlsPatterns =
+        allowUrls.mapNotNull { Pattern.compile(it, Pattern.CASE_INSENSITIVE) }
+
     val hasRootPathPermission get() = WebUIPermissions.WX_ROOT_PATH in permissions
 
     val useJavaScriptRefreshInterceptor get() = refreshInterceptor == "javascript"
