Set up SRI for Frida binary downloads

pimterry · pimterry · commit 7d75d718900d · 2024-06-10T17:40:14.000+02:00
diff --git a/src/interceptors/frida/frida-android-integration.ts b/src/interceptors/frida/frida-android-integration.ts
@@ -14,6 +14,7 @@ import {
     FRIDA_ALTERNATE_PORT,
     FRIDA_BINARY_NAME,
     FRIDA_DEFAULT_PORT,
+    FRIDA_SRIS,
     FRIDA_VERSION,
     FridaHost,
     killProcess,
@@ -114,7 +115,8 @@ export async function setupAndroidHost(adbClient: AdbClient, hostId: string) {
     const serverStream = await FridaJs.downloadFridaServer({
         version: FRIDA_VERSION,
         platform: 'android',
-        arch: deviceArch
+        arch: deviceArch,
+        sri: FRIDA_SRIS.android[deviceArch]
     });
 
     await deviceClient.push(serverStream, ANDROID_FRIDA_BINARY_PATH, 0o555);
diff --git a/src/interceptors/frida/frida-integration.ts b/src/interceptors/frida/frida-integration.ts
@@ -33,7 +33,16 @@ export const FRIDA_VERSION = '16.1.7';
 export const FRIDA_DEFAULT_PORT = 27042;
 export const FRIDA_ALTERNATE_PORT = 24072; // Reversed to mildly inconvenience detection
 
-export const FRIDA_BINARY_NAME = `adirf-server`; // Reversed to mildly inconvenience detection
+export const FRIDA_BINARY_NAME = 'adirf-server'; // Reversed to mildly inconvenience detection
+
+export const FRIDA_SRIS = {
+    'android': {
+        'arm': 'sha512-6i85XO372G2p18yttN9jTQEZUeZiY72pPuZPoxiDx+732ROLmDQZ7sIkmbrE8c0nrPc6LQ36OgSBAqVmzlMlsg==',
+        'arm64': 'sha512-YGPOSYVl+icmn6jB0ZmdCyHk4hIUg+MShr+OLXhb31c2Cifz2nD4ddrp6yQLMoSSpnWsnecUadEj2rR2IGBohQ==',
+        'x86': 'sha512-OB8bo6RnyBiVPDvheDrBy+CwRblXd/zQT8qGIEEoQlJxSrpRF/hAIZzzYkgTwtCil7lJgWTVFJRegpmntEqpdg==',
+        'x86_64': 'sha512-Fy4jHMagt2sxAF5FY/ogCAy+s96VDTMwL1UtEazoVyvmohgkr/8tTHx4mQoV5mLInGbxRtpb3F0mPYVzMHtPrg=='
+    }
+} as const;
 
 class FridaScriptError extends CustomError {
     constructor(
diff --git a/test/integration/frida-downloads.spec.ts b/test/integration/frida-downloads.spec.ts
@@ -0,0 +1,23 @@
+import { expect } from 'chai';
+import * as FridaJs from 'frida-js';
+
+import { FRIDA_SRIS, FRIDA_VERSION } from '../../src/interceptors/frida/frida-integration';
+
+describe("Frida download SRIs", function () {
+    this.timeout(30000); // Can be slow, since we're doing MB downloads & disk IO
+
+    Object.entries(FRIDA_SRIS).forEach(([target, sriMap]) => {
+        Object.entries(sriMap).forEach(([arch, expectedHash]) => {
+            it(`should have the correct SRI for ${target}-${arch}`, async () => {
+                const correctSriHash = await FridaJs.calculateFridaSRI({
+                    ghToken: process.env.GITHUB_TOKEN,
+                    arch: arch as any,
+                    platform: target as any,
+                    version: FRIDA_VERSION
+                });
+
+                expect(expectedHash).to.equal(correctSriHash[0]);
+            });
+        });
+    });
+});
