ARouter routing framework is not supported, which breaks the chain #73

Open
firmianay opened this issue Feb 23, 2024 · 4 comments

@firmianay
Contributor

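I found this in a vulnerability case: arbitrary URL loading, i.e. an exported component takes an Intent from outside and passes it into loadUrl().

Attack chain: LoginActivity (exported) -> HomeActivity (non-exported) -> ARouter (navigation) -> DemoWebActivity (non-exported)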

private void jumpByRouters(String url) {
    DemoWebBuilder.from()
            .setWebUrl(url)
            .start();
}

public DemoWebBuilder setWebUrl(String mWebUrl) {
    // The URL is stored in the Bundle under WEB_URL
    mBundle.putString(WebViewConst.BUNDLE_KEY.WEB_URL, mWebUrl);
    return this;
}

public void start() {
    if (mBundle != null) {
        // Navigation goes through the ARouter path, not an explicit Intent
        ARouter.getInstance().build(WebViewConst.ROUTER_KEY.WEB_ACTIVITY).withTransition(R.anim.fade_in,
                R.anim.fade_out).with(mBundle).navigation();
    }
}

There is no way to make the association through the route WebViewConst.ROUTER_KEY.WEB_ACTIVITY, so the chain breaks:

@Route(path = WebViewConst.ROUTER_KEY.WEB_ACTIVITY)
public class DemoWebActivity extends SimpleActivity implements WebHandlerDelegate.WebJsBridgeListener, WebEventBusDelegate.WebEventListener {
    private void initView() {
        // WEB_URL arrives in the Intent extras and goes straight into loadUrl()
        mUrl = getIntent().getStringExtra(WebViewConst.BUNDLE_KEY.WEB_URL);
        loadUrl(mUrl);
    }
}

@nkbai
Collaborator

nkbai commented Feb 24, 2024

How do we associate across activities? There has never been a good way to do this; let's discuss it together.

@Route(path = WebViewConst.ROUTER_KEY.WEB_ACTIVITY)
public class DemoWebActivity extends SimpleActivity implements WebHandlerDelegate.WebJsBridgeListener, WebEventBusDelegate.WebEventListener {
    private void initView() {
        mUrl = getIntent().getStringExtra(WebViewConst.BUNDLE_KEY.WEB_URL);
        loadUrl(mUrl);
    }
}

Looking at just this fragment, isn't this a typical UXSS?

@firmianay
Contributor Author

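For the cross-activity case, we solve it by correlating the scan results of multiple rules. Here the chain mainly breaks at the ARouter route. If you look at DemoWebActivity on its own, it is a non-exported component, so it is ignored when the results are processed.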
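
The link that is missing in this thread, as an added example (not code from the issue or from Appshark): resolve the constant in ARouter's build(...) call and in @Route(path = ...) to the same string and add a caller-to-target edge, so the non-exported DemoWebActivity becomes reachable from the exported LoginActivity. The sources are constructed and simplified, and the route literal "/web/activity", KNOWN_EDGES and all function names are assumptions.

```python
import re

# Constructed, simplified decompiled sources keyed by class name; "/web/activity" is an assumption.
SOURCES = {
    "WebViewConst": 'public class WebViewConst { public static class ROUTER_KEY {'
                    ' public static final String WEB_ACTIVITY = "/web/activity"; } }',
    "DemoWebBuilder": 'public class DemoWebBuilder { public void start() { ARouter.getInstance()'
                      '.build(WebViewConst.ROUTER_KEY.WEB_ACTIVITY).with(mBundle).navigation(); } }',
    "DemoWebActivity": '@Route(path = WebViewConst.ROUTER_KEY.WEB_ACTIVITY) '
                       'public class DemoWebActivity extends SimpleActivity { }',
}
# Edges a scanner already has from ordinary call analysis (assumed from the chain in the issue).
KNOWN_EDGES = {("LoginActivity", "HomeActivity"), ("HomeActivity", "DemoWebBuilder")}
EXPORTED = {"LoginActivity"}

CONST = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
ROUTE = re.compile(r'@Route\(\s*path\s*=\s*([^,)]+?)\s*[,)][^{]*?class\s+(\w+)')
BUILD = re.compile(r'ARouter\.getInstance\(\)\s*\.build\(\s*([^)]+?)\s*\)')

def resolve(expr, consts):
    """Map a path expression (string literal or constant reference) to the route string."""
    # Constants are looked up by simple name; an unresolved reference yields None.
    return expr.strip('"') if expr.startswith('"') else consts.get(expr.rsplit(".", 1)[-1])

def arouter_edges(sources):
    """Link each class that calls ARouter build(path) to the class annotated @Route(path)."""
    consts = {n: v for src in sources.values() for n, v in CONST.findall(src)}
    targets = {}
    for src in sources.values():
        for expr, cls in ROUTE.findall(src):
            path = resolve(expr, consts)
            if path:
                targets[path] = cls
    edges = set()
    for owner, src in sources.items():
        for expr in BUILD.findall(src):
            dest = targets.get(resolve(expr, consts))
            if dest:
                edges.add((owner, dest))
    return edges

def reachable(edges, roots):
    """Classes reachable from the exported roots over the given edges."""
    seen, todo = set(roots), list(roots)
    while todo:
        cur = todo.pop()
        new = {b for a, b in edges if a == cur} - seen
        seen |= new
        todo.extend(new)
    return seen
```

Calling reachable(KNOWN_EDGES, EXPORTED) stops at DemoWebBuilder; adding arouter_edges(SOURCES) to the edge set extends the result to DemoWebActivity.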

@GHpeter

GHpeter commented Dec 9, 2024

java.lang.RuntimeException: file '?/e/ASCode/appshark-main/jiance.apk' does not exist!
at soot.Scene.getAndroidAPIVersion(Scene.java:450)
at soot.Scene.getAndroidJarPath(Scene.java:420)
at net.bytedance.security.app.AnalyzeStepByStep.initSoot(AnalyzeStepByStep.kt:131)
at net.bytedance.security.app.StaticAnalyzeMain.startAnalyze(StaticAnalyzeMain.kt:43)
at net.bytedance.security.app.StaticAnalyzeMainKt$main$2.invokeSuspend(StaticAnalyzeMain.kt:99)
at kotlin.coroutines.jvm.internal.BaseContinuationImpl.resumeWith(ContinuationImpl.kt:33)
at kotlinx.coroutines.DispatchedTask.run(DispatchedTask.kt:106)
at kotlinx.coroutines.EventLoopImplBase.processNextEvent(EventLoop.common.kt:284)
at kotlinx.coroutines.BlockingCoroutine.joinBlocking(Builders.kt:85)
at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking(Builders.kt:59)
at kotlinx.coroutines.BuildersKt.runBlocking(Unknown Source)
at kotlinx.coroutines.BuildersKt__BuildersKt.runBlocking$default(Builder

No matter how I set the path (forward or back slashes), it says the file does not exist. @firmianay, have you run into this kind of problem?

@nkbai
Collaborator

nkbai commented Jan 3, 2025

On Windows the way to specify the path is different, I think.
