AND-9449 [Security] Add validation of external urls for WebView

Signed-off-by: Mama1emon <andrew.khokhlove@gmail.com>
tangem · Dec 25, 2024 · f3e5e87 · f3e5e87
1 parent 548ba7c
commit f3e5e87
Show file tree

Hide file tree

Showing 5 changed files with 90 additions and 1 deletion.
diff --git a/common/build.gradle.kts b/common/build.gradle.kts
@@ -1,4 +1,26 @@
 plugins {
-    alias(deps.plugins.kotlin.jvm)
+    alias(deps.plugins.android.library)
+    alias(deps.plugins.kotlin.android)
     id("configuration")
 }
+
+android {
+    namespace = "com.tangem.common"
+}
+
+dependencies {
+
+    // region Firebase libraries
+    implementation(platform(deps.firebase.bom))
+    implementation(deps.firebase.analytics)
+    implementation(deps.firebase.crashlytics)
+    implementation(deps.firebase.messaging)
+    // end
+
+    implementation(deps.timber)
+
+    implementation(deps.arrow.core)
+
+    implementation(deps.test.junit)
+    implementation(deps.test.truth)
+}
diff --git a/...m/tangem/common/module/ModuleErrorCode.kt → ...m/tangem/common/module/ModuleErrorCode.kt b/...m/tangem/common/module/ModuleErrorCode.kt → ...m/tangem/common/module/ModuleErrorCode.kt
diff --git a/...com/tangem/common/module/ModuleMessage.kt → ...com/tangem/common/module/ModuleMessage.kt b/...com/tangem/common/module/ModuleMessage.kt → ...com/tangem/common/module/ModuleMessage.kt
diff --git a/common/src/main/kotlin/com/tangem/common/uri/ExternalUrlValidator.kt b/common/src/main/kotlin/com/tangem/common/uri/ExternalUrlValidator.kt
@@ -0,0 +1,31 @@
+package com.tangem.common.uri
+
+import com.google.firebase.crashlytics.FirebaseCrashlytics
+import timber.log.Timber
+import java.net.URI
+
+/**
+ * External url validator
+ *
+ * @author Andrew Khokhlov on 23/12/2024
+ */
+object ExternalUrlValidator {
+
+    private val trustedHost: List<String> = listOf("tangem.com")
+
+    /** Check if [externalUri] is trusted */
+    fun isUriTrusted(externalUri: String): Boolean {
+        return try {
+            val uri = URI.create(externalUri)
+
+            uri.scheme == "https" && uri.host in trustedHost
+        } catch (e: Exception) {
+            val exception = IllegalStateException("Failed to validate URI: $externalUri", e)
+
+            Timber.e(exception)
+            FirebaseCrashlytics.getInstance().recordException(exception)
+
+            false
+        }
+    }
+}
diff --git a/common/src/testDebug/kotlin/com/tangem/common/uri/ExternalUrlValidatorTest.kt b/common/src/testDebug/kotlin/com/tangem/common/uri/ExternalUrlValidatorTest.kt
@@ -0,0 +1,36 @@
+package com.tangem.common.uri
+
+import com.google.common.truth.Truth
+import org.junit.Test
+import org.junit.runner.RunWith
+import org.junit.runners.Parameterized
+
+/**
+ * @author Andrew Khokhlov on 23/12/2024
+ */
+@RunWith(Parameterized::class)
+class ExternalUrlValidatorTest(private val model: Model) {
+
+    @Test
+    fun test() {
+        val actual = ExternalUrlValidator.isUriTrusted(externalUri = model.url)
+
+        Truth.assertThat(actual).isEqualTo(model.expected)
+    }
+
+    companion object {
+
+        @JvmStatic
+        @Parameterized.Parameters
+        fun data(): Collection<Model> = listOf(
+            Model(url = "https://tangem.com", expected = true),
+            Model(url = "https://tange.com", expected = false),
+            Model(url = "https://fake.tangem.com", expected = false),
+            Model(url = "http://tangem.com", expected = false),
+            Model(url = "http://tandem.com", expected = false),
+            Model(url = "adawdawdassdw", expected = false),
+        )
+
+        data class Model(val url: String, val expected: Boolean)
+    }
+}