improve security

Signed-off-by: androidacy-user <opensource@androidacy.com>

Author: androidacy-user

app/src/main/java/com/fox2code/mmm/androidacy/AndroidacyWebAPI.java

@@ -64,6 +64,12 @@ void forceQuitRaw(String error) {
     void openNativeModuleDialogRaw(String moduleUrl, String moduleId, String installTitle, String checksum, boolean canInstall) {
         if (BuildConfig.DEBUG)
             Timber.d("ModuleDialog, downloadUrl: " + AndroidacyUtil.hideToken(moduleUrl) + ", moduleId: " + moduleId + ", installTitle: " + installTitle + ", checksum: " + checksum + ", canInstall: " + canInstall);
+        // moduleUrl should be a valid URL, i.e. in the androidacy.com domain
+        // if it is not, do not proceed
+        if (!AndroidacyUtil.isAndroidacyFileUrl(moduleUrl)) {
+            Timber.e("ModuleDialog, invalid URL: %s", moduleUrl);
+            return;
+        }
         this.downloadMode = false;
         RepoModule repoModule = AndroidacyRepoData.getInstance().moduleHashMap.get(installTitle);
         String title, description;
@@ -381,8 +387,10 @@ public boolean isAndroidacyModule(String moduleId) {
      */
     @JavascriptInterface
     public String getAndroidacyModuleFile(String moduleId, String moduleFile) {
+        moduleId = moduleId.replaceAll("\\.", "").replaceAll("/", "");
         if (moduleFile == null || this.consumedAction || !this.isAndroidacyModule(moduleId))
             return "";
+        moduleFile = moduleFile.replaceAll("\\.", "").replaceAll("/", "");
         File moduleFolder = new File("/data/adb/modules/" + moduleId);
         File absModuleFile = new File(moduleFolder, moduleFile).getAbsoluteFile();
         if (!absModuleFile.getPath().startsWith(moduleFolder.getPath()))
@@ -401,6 +409,7 @@ public String getAndroidacyModuleFile(String moduleId, String moduleFile) {
      */
     @JavascriptInterface
     public boolean setAndroidacyModuleMeta(String moduleId, String content) {
+        moduleId = moduleId.replaceAll("\\.", "").replaceAll("/", "");
         if (content == null || this.consumedAction || !this.isAndroidacyModule(moduleId))
             return false;
         File androidacyMetaFile = new File("/data/adb/modules/" + moduleId + "/.androidacy");

app/src/main/java/com/fox2code/mmm/settings/SettingsActivity.java

@@ -1286,6 +1286,7 @@ public void updateCustomRepoList(boolean initial) {
                     builder.setView(input);
                     builder.setPositiveButton("OK", (dialog, which) -> {
                         String text = String.valueOf(input.getText());
+                        text = text.trim();
                         // string should not be empty, start with https://, and not contain any spaces. http links are not allowed.
                         if (text.matches("^https://.*") && !text.contains(" ") && !text.isEmpty()) {
                             if (customRepoManager.canAddRepo(text)) {

build.gradle.kts

@@ -20,7 +20,6 @@ buildscript {
 
         // NOTE: Do not place your application dependencies here; they belong
         // in the individual module build.gradle files
-        //noinspection GradleDependency
         classpath("io.realm:realm-gradle-plugin:10.15.1")
         classpath("io.sentry:sentry-android-gradle-plugin:3.5.0")
     }