For security reason, disallow HTTP include files if the source asset is
a HTTPS site or an Android app.
Change the include statement field name from "delegate" to "include".
Bug:
20323096
Change-Id: Ifc12b61657c9c89a670b9d7c3220853321c15dea
throws AssociationServiceException {
return AssetFactory.create(assetJson);
}
+
+ /**
+ * If this is the source asset of a statement file, should the retriever follow
+ * any insecure (non-HTTPS) include statements made by the asset.
+ */
+ public abstract boolean followInsecureInclude();
}
return getPackageName().hashCode();
}
+ @Override
+ public boolean followInsecureInclude() {
+ // Non-HTTPS includes are not allowed in Android App assets.
+ return false;
+ }
+
/**
* Checks that the input is a valid Android app asset.
*
}
}
- private Result retrieveStatementFromUrl(String url, int maxIncludeLevel, AbstractAsset source)
+ private Result retrieveStatementFromUrl(String urlString, int maxIncludeLevel,
+ AbstractAsset source)
throws AssociationServiceException {
List<Statement> statements = new ArrayList<Statement>();
if (maxIncludeLevel < 0) {
WebContent webContent;
try {
- webContent = mUrlFetcher.getWebContentFromUrl(new URL(url),
+ URL url = new URL(urlString);
+ if (!source.followInsecureInclude()
+ && !url.getProtocol().toLowerCase().equals("https")) {
+ return Result.create(statements, DO_NOT_CACHE_RESULT);
+ }
+ webContent = mUrlFetcher.getWebContentFromUrl(url,
HTTP_CONTENT_SIZE_LIMIT_IN_BYTES, HTTP_CONNECTION_TIMEOUT_MILLIS);
} catch (IOException e) {
return Result.create(statements, DO_NOT_CACHE_RESULT);
package com.android.statementservice.retriever;
+import android.util.Log;
+
import com.android.volley.Cache;
import com.android.volley.NetworkResponse;
import com.android.volley.toolbox.HttpHeaderParser;
* @hide
*/
public class URLFetcher {
+ private static final String TAG = URLFetcher.class.getSimpleName();
private static final long DO_NOT_CACHE_RESULT = 0L;
private static final int INPUT_BUFFER_SIZE_IN_BYTES = 1024;
connection.setConnectTimeout(connectionTimeoutMillis);
connection.setReadTimeout(connectionTimeoutMillis);
connection.setUseCaches(true);
+ connection.setInstanceFollowRedirects(false);
connection.addRequestProperty("Cache-Control", "max-stale=60");
+ if (connection.getResponseCode() != HttpURLConnection.HTTP_OK) {
+ Log.e(TAG, "The responses code is not 200 but " + connection.getResponseCode());
+ return new WebContent("", DO_NOT_CACHE_RESULT);
+ }
+
if (connection.getContentLength() > fileSizeLimit) {
- throw new AssociationServiceException("The content size of the url is larger than "
- + fileSizeLimit);
+ Log.e(TAG, "The content size of the url is larger than " + fileSizeLimit);
+ return new WebContent("", DO_NOT_CACHE_RESULT);
}
Long expireTimeMillis = getExpirationTimeMillisFromHTTPHeader(connection.getHeaderFields());
*/
public static final String ASSET_DESCRIPTOR_FIELD_RELATION = "relation";
public static final String ASSET_DESCRIPTOR_FIELD_TARGET = "target";
- public static final String DELEGATE_FIELD_DELEGATE = "delegate";
+ public static final String DELEGATE_FIELD_DELEGATE = "include";
private static final char[] HEX_DIGITS = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
'A', 'B', 'C', 'D', 'E', 'F' };
/* package private */ final class WebAsset extends AbstractAsset {
private static final String MISSING_FIELD_FORMAT_STRING = "Expected %s to be set.";
+ private static final String SCHEME_HTTP = "http";
private final URL mUrl;
return toJson().hashCode();
}
+ @Override
+ public boolean followInsecureInclude() {
+ // Only allow insecure include file if the asset scheme is http.
+ return SCHEME_HTTP.equals(getScheme());
+ }
+
/**
* Checks that the input is a valid web asset.
*