fix: pre-resolve HuggingFace redirects to fix 0-byte downloads on Android

[alichherawalla]

Summary

Fixes downloads stuck at 0 bytes on certain Android devices (Samsung S25 Ultra, OnePlus 11, Xiaomi). HuggingFace download URLs return a 302 redirect to a ~1350-char signed CDN URL (cas-bridge.xethub.hf.co). Some OEM DownloadManager implementations silently fail to follow this redirect.

Fix: Pre-resolve the redirect via a HEAD request before calling DownloadManager.enqueue(), so the system DownloadManager receives the final CDN URL directly with no redirects needed. Falls back to the original URL on any resolution error, so this change is safe for devices where downloads already work.

Also surfaces the DownloadManager reason string in the download UI for future diagnostics.

Type of Change

• Bug fix (non-breaking change that fixes an issue)

Screenshots / Screen Recordings

N/A — this is a backend/native fix. The only visible UI change is that the download status line now shows the DownloadManager reason when a download is stuck (e.g. "Queued · Waiting for WiFi").

Checklist

General

• My code follows the project's coding style and conventions
• I have performed a self-review of my code
• I have added/updated comments where the logic isn't self-evident
• My changes generate no new warnings or errors

Testing

• I have tested on Android (physical device or emulator)
• I have tested on iOS (physical device or simulator)
• Existing tests pass locally (npm test)

React Native Specific

• No new native module without corresponding platform implementation (Android + iOS)

Security

• No secrets, API keys, or credentials are included in the code

Related Issues

Closes #107

Additional Notes

• The resolveRedirects function uses HttpURLConnection (available on all Android versions) rather than OkHttp to avoid adding dependencies
• The signed CDN URLs expire after 1 hour; since resolution happens immediately before enqueue(), this is not a concern for starting downloads
• Pre-existing llama.rn lint failure in CI is unrelated to this change

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug on specific Android devices where downloads from HuggingFace would get stuck at 0 bytes. The issue stemmed from the Android DownloadManager's inability to properly handle 302 redirects to lengthy CDN URLs. The solution involves proactively resolving these redirects to provide the DownloadManager with the direct content URL. Additionally, the changes enhance the user experience by exposing the underlying reason for download stalls or failures directly within the application's download interface.

Highlights

• Fixes 0-byte downloads on Android: Implemented a mechanism to pre-resolve HuggingFace download URLs that issue 302 redirects to long CDN URLs. This prevents certain OEM Android DownloadManager implementations from silently failing to follow these redirects, which resulted in 0-byte downloads.
• Manual Redirect Resolution: A new resolveRedirects function was added to manually follow HTTP 302 redirects using HttpURLConnection before passing the final URL to the Android DownloadManager. This function includes a fallback to the original URL if resolution fails.
• Improved Download Status Visibility: The DownloadManager's internal reason string (e.g., 'Waiting for WiFi') is now surfaced and displayed in the download UI, providing better diagnostics for users when downloads are stuck or fail.
• Background Thread for Download Initiation: The startDownload method now executes the download initiation logic, including redirect resolution, on a background thread to prevent blocking the main UI thread.

Changelog

• android/app/src/main/java/ai/offgridmobile/download/DownloadManagerModule.kt
  • Added HttpURLConnection and URL imports for manual redirect resolution.
  • Wrapped the startDownload method's core logic in a new Thread to perform network I/O (redirect resolution) off the main thread.
  • Introduced a resolveRedirects function that performs HEAD requests to follow HTTP 302 redirects and returns the final URL, or the original URL on error.
  • Modified the DownloadManager.Request to use the resolvedUrl instead of the original URL.
  • Updated the persisted download information to include the reason string from the DownloadManager status.
• src/screens/DownloadManagerScreen/items.tsx
  • Extended the DownloadItem and DownloadItemsData types to include an optional reason property.
  • Modified the buildDownloadItems function to pass the reason from the download progress to the DownloadItem.
  • Updated the ActiveDownloadCard component to conditionally display the reason alongside the download status text.
• src/screens/DownloadManagerScreen/useDownloadManager.ts
  • Adjusted the condition for updating download progress to ensure updates only occur if bytesDownloaded has increased, preventing redundant state changes.
  • Included the reason property when updating the downloadProgress state.
• src/services/backgroundDownloadService.ts
  • Added an optional reason field to the DownloadProgressEvent interface to accommodate the new diagnostic information.
• src/stores/appStore.ts
  • Updated the DownloadProgressInfo type to include an optional reason property.

Activity

• The pull request was created by alichherawalla to address a bug related to 0-byte downloads on Android.
• The changes include a bug fix, as indicated by the [x] Bug fix checkbox.
• The author performed a self-review and confirmed adherence to coding style and conventions.
• Testing was conducted on Android (physical device or emulator), and existing tests passed locally.
• The pull request closes issue feat: MNN GPU acceleration with OpenCL #107, indicating it resolves a reported problem.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a solid fix for an issue where downloads fail on certain Android devices due to improper handling of HTTP redirects. The approach of pre-resolving the final URL before enqueuing the download is well-implemented, including performing network operations on a background thread and safely falling back to the original URL on errors. Additionally, surfacing the DownloadManager's reason string in the UI is a nice improvement for diagnostics. However, it introduces two security vulnerabilities: a high-severity Path Traversal vulnerability via the fileName parameter and a medium-severity SSRF vulnerability via the url parameter. Both issues stem from insufficient validation of user-supplied input before sensitive operations. I also have a couple of suggestions for the Android native module to further improve robustness and resource management.

[gemini-code-assist]

The fileName parameter is used to construct file paths without sanitization. An attacker can provide a fileName containing path traversal sequences (e.g., ../) to manipulate file paths, potentially leading to arbitrary file deletion (line 143) or arbitrary file write (line 165) within the app's accessible directories.

Suggested change

	val fileName = params.getString("fileName") ?: run {
	promise.reject("DOWNLOAD_ERROR", "fileName is required")
	return
	}
	val fileName = params.getString("fileName")?.let { java.io.File(it).name } ?: run {
	promise.reject("DOWNLOAD_ERROR", "fileName is required")
	return
	}

[alichherawalla]

Fixed — fileName is now sanitized with File(it).name to strip any path traversal sequences. Good catch.

[gemini-code-assist]

When the for loop completes, it means the maxRedirects limit has been reached. Returning currentUrl here might still pass a redirect URL to DownloadManager, which could cause the same issue this change aims to fix if that URL is also a redirect. It would be safer to treat this as a resolution failure, log a warning, and fall back to the originalUrl as you do in the catch block. This aligns with the goal of providing a safe fallback.

        android.util.Log.w("DownloadManager", "Redirect resolution failed: Exceeded max redirects ($maxRedirects). Using original URL.")
        return originalUrl

[alichherawalla]

Fixed — now logs a warning and returns originalUrl when max redirects is exceeded, consistent with the error fallback behavior.

[gemini-code-assist]

The url parameter is passed to resolveRedirects, which performs a network request using HttpURLConnection. Since the URL is not validated against an allow-list of trusted domains, an attacker can use this to perform SSRF attacks, probing internal network resources or local services on the device.

[alichherawalla]

Fixed — added an allowlist of trusted HuggingFace download hosts (huggingface.co, cdn-lfs.huggingface.co, cas-bridge.xethub.hf.co). URLs with unrecognized hosts are now rejected before any network request.

[gemini-code-assist]

While creating a new Thread for each download is functional, it's generally better practice to use an ExecutorService to manage background threads. This provides better control over thread lifecycle and resource usage, preventing potential issues from creating an unbounded number of threads if downloads are initiated in quick succession.

Consider defining a class-level executor, for example:
private val executor = java.util.concurrent.Executors.newSingleThreadExecutor()

And then using it here:
executor.execute { ... }

This would serialize download initiations, which is often desirable.

[alichherawalla]

Fixed — replaced raw Thread with a class-level Executors.newSingleThreadExecutor() to serialize download initiations and manage thread lifecycle properly.

[alichherawalla]

/gemini review

[gemini-code-assist]

Code Review

This pull request addresses the 0-byte download issue on certain Android devices by pre-resolving HuggingFace redirects. While it correctly adds an initial whitelist for allowed download hosts to prevent Server-Side Request Forgery (SSRF), a critical bypass is introduced in the manual redirect resolution logic by failing to re-validate the host after following a redirect. Additionally, the PR improves security by sanitizing the fileName parameter to prevent path traversal, moves network operations to a background thread to prevent ANRs, and enhances diagnostic capabilities by surfacing DownloadManager reason strings in the UI.

[gemini-code-assist]

The introduction of allowedDownloadHosts is a critical security enhancement. It helps prevent Server-Side Request Forgery (SSRF) attacks by ensuring that the application only attempts to download from trusted domains. This is a highly recommended security practice.

[gemini-code-assist]

This URL validation against allowedDownloadHosts is a crucial security check. It directly leverages the allowedDownloadHosts set to prevent the application from making requests to arbitrary external URLs, which could be exploited for SSRF. This is an excellent addition.

[gemini-code-assist]

Moving the network-intensive resolveRedirects call and subsequent DownloadManager.enqueue operation to a background thread using executor.execute is a significant improvement. This prevents potential Application Not Responding (ANR) errors and keeps the UI responsive, adhering to Android's best practices for network operations.

[gemini-code-assist]

The resolveRedirects function, while efficiently using HEAD requests and reasonable connectTimeout/readTimeout values (10 seconds), introduces a critical Server-Side Request Forgery (SSRF) vulnerability. It manually follows HTTP redirects without re-validating the host of the redirected URLs against the allowedDownloadHosts whitelist. This allows an attacker to bypass the initial SSRF protection by redirecting to internal or restricted resources. To remediate this, the host of the redirected URL should be validated against the allowedDownloadHosts whitelist inside the resolveRedirects loop before making the next request.

    internal fun resolveRedirects(originalUrl: String, maxRedirects: Int = 5): String {
        var currentUrl = originalUrl
        for (i in 0 until maxRedirects) {
            val connection = URL(currentUrl).openConnection() as HttpURLConnection
            try {
                connection.instanceFollowRedirects = false
                connection.requestMethod = "HEAD"
                connection.connectTimeout = 10_000
                connection.readTimeout = 10_000
                val responseCode = connection.responseCode
                if (responseCode in 300..399) {
                    val location = connection.getHeaderField("Location")
                    if (location.isNullOrEmpty()) return currentUrl
                    val nextUrl = if (location.startsWith("http")) {
                        location
                    } else {
                        URL(URL(currentUrl), location).toString()
                    }
                    
                    // Validate the redirected host against the whitelist
                    val nextHost = try { URL(nextUrl).host } catch (_: Exception) { null }
                    if (nextHost == null || !allowedDownloadHosts.any { nextHost == it || nextHost.endsWith(".$it") }) {
                        android.util.Log.w("DownloadManager", "Redirect to unauthorized host blocked: $nextHost")
                        return currentUrl
                    }
                    currentUrl = nextUrl
                } else {
                    return currentUrl
                }
            } catch (e: Exception) {
                android.util.Log.w("DownloadManager", "Redirect resolution failed, using original URL", e)
                return originalUrl
            } finally {
                connection.disconnect()
            }
        }
        android.util.Log.w("DownloadManager", "Redirect resolution exceeded max redirects ($maxRedirects), using original URL")
        return originalUrl
    }

[gemini-code-assist]

The logic for handling the Location header, specifically distinguishing between absolute and relative URLs, is well-implemented. This ensures that redirects are followed correctly regardless of the format of the Location header, which is a common source of bugs in manual redirect handling.

[gemini-code-assist]

The try-catch block around the network operations in resolveRedirects with a fallback to the originalUrl ensures resilience. If any error occurs during redirect resolution, the download can still proceed with the initial URL, preventing complete failure and improving user experience.

[gemini-code-assist]

Adding the reason string to the download progress event is a valuable diagnostic improvement. This allows the UI to display more specific information about why a download might be paused or failed, enhancing the user's understanding of the download status.

[gemini-code-assist]

The change to if ((useAppStore.getState().downloadProgress[key]?.bytesDownloaded ?? -1) >= event.bytesDownloaded) return; makes the progress update logic more robust. By using the null-safe operator ?. and providing a default value of -1, it correctly handles cases where downloadProgress[key] might be undefined or null, preventing potential issues with missed or incorrect progress updates.

[alichherawalla]

/gemini review

[sonarqubecloud]

Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request effectively addresses a bug with HuggingFace downloads on certain Android devices by pre-resolving redirects. The implementation is robust, using HttpURLConnection to manually follow redirects and re-validating hosts at each step to prevent security vulnerabilities like SSRF. The networking and file operations are correctly moved to a background thread using an ExecutorService, preventing ANRs. Additionally, the changes improve diagnostics by surfacing the DownloadManager reason string in the UI. My review includes one high-severity suggestion to prevent a potential thread leak by ensuring the ExecutorService is properly shut down.

[gemini-code-assist]

The ExecutorService created here is not shut down when the module is destroyed. This can lead to a thread leak, as the executor's thread may keep the application process alive unnecessarily. It's important to manage the lifecycle of the executor to ensure resources are released correctly.

You should shut down the executor in the onCatalystInstanceDestroy method, which is called when the React Native bridge is torn down.

Example:

    override fun onCatalystInstanceDestroy() {
        super.onCatalystInstanceDestroy()
        if (!executor.isShutdown) {
            executor.shutdown()
        }
    }

This method needs to be added to the DownloadManagerModule class.

[alichherawalla]

Addressed the executor lifecycle comment — added onCatalystInstanceDestroy to shut down the executor when the RN bridge is torn down. All Gemini feedback has been addressed.