Add whitelist checks for media loaded in webviews (#347)

* Add whitelist checks for media loaded in webviews * Test * Fix config
urbanairship · Feb 2, 2018 · 9b58559 · 9b58559
1 parent 42d059d
commit 9b58559
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 3 deletions.
diff --git a/urbanairship-sdk/src/main/java/com/urbanairship/AirshipConfigOptions.java b/urbanairship-sdk/src/main/java/com/urbanairship/AirshipConfigOptions.java
@@ -286,6 +286,7 @@ private AirshipConfigOptions(Builder builder) {
         this.notificationAccentColor = builder.notificationAccentColor;
         this.walletUrl = builder.walletUrl;
         this.notificationChannel = builder.notificationChannel;
+        this.enableUrlWhitelisting = builder.enableUrlWhitelisting;
     }
 
     /**

diff --git a/urbanairship-sdk/src/main/java/com/urbanairship/iam/MediaDisplayAdapter.java b/urbanairship-sdk/src/main/java/com/urbanairship/iam/MediaDisplayAdapter.java
@@ -11,6 +11,8 @@
 import android.support.annotation.Nullable;
 
 import com.urbanairship.Logger;
+import com.urbanairship.UAirship;
+import com.urbanairship.js.Whitelist;
 import com.urbanairship.util.FileUtils;
 import com.urbanairship.util.Network;
 import com.urbanairship.util.UAHttpStatusUtil;
@@ -49,9 +51,17 @@ public int onPrepare(@NonNull Context context) {
 
         if (MediaInfo.TYPE_IMAGE.equals(mediaInfo.getType())) {
             return cacheMedia(context, mediaInfo);
-        } else {
-            return Network.isConnected() ? OK : RETRY;
         }
+
+        // Video URLs, check whitelist
+        if (!UAirship.shared().getWhitelist().isWhitelisted(mediaInfo.getUrl(), Whitelist.SCOPE_OPEN_URL)) {
+            Logger.error("URL not whitelisted. Unable to load: " + mediaInfo.getUrl());
+            return CANCEL;
+        }
+
+        // Videos require network
+        return Network.isConnected() ? OK : RETRY;
+
     }
 
     @Override

diff --git a/urbanairship-sdk/src/main/java/com/urbanairship/iam/view/MediaView.java b/urbanairship-sdk/src/main/java/com/urbanairship/iam/view/MediaView.java
@@ -21,7 +21,10 @@
 import android.widget.ImageView;
 import android.widget.ProgressBar;
 
+import com.urbanairship.Logger;
+import com.urbanairship.UAirship;
 import com.urbanairship.iam.MediaInfo;
+import com.urbanairship.js.Whitelist;
 import com.urbanairship.messagecenter.ImageLoader;
 
 import java.lang.ref.WeakReference;
@@ -191,7 +194,11 @@ protected void onPageFinished(WebView webView) {
             }
         });
 
-        webView.loadUrl(mediaInfo.getUrl());
+        if (UAirship.shared().getWhitelist().isWhitelisted(mediaInfo.getUrl(), Whitelist.SCOPE_OPEN_URL)) {
+            webView.loadUrl(mediaInfo.getUrl());
+        } else {
+            Logger.error("URL not whitelisted. Unable to load: " + mediaInfo.getUrl());
+        }
 
         addView(frameLayout);
     }

diff --git a/urbanairship-sdk/src/main/java/com/urbanairship/js/Whitelist.java b/urbanairship-sdk/src/main/java/com/urbanairship/js/Whitelist.java
@@ -292,6 +292,7 @@ private String escapeRegEx(@NonNull String input, boolean escapeWildCards) {
     public static Whitelist createDefaultWhitelist(@NonNull AirshipConfigOptions airshipConfigOptions) {
         Whitelist whitelist = new Whitelist();
         whitelist.addEntry("https://*.urbanairship.com");
+        whitelist.addEntry("https://*.youtube.com", SCOPE_OPEN_URL);
         if (airshipConfigOptions.whitelist != null) {
             for (String entry : airshipConfigOptions.whitelist) {
                 whitelist.addEntry(entry);

diff --git a/urbanairship-sdk/src/test/java/com/urbanairship/js/WhitelistTest.java b/urbanairship-sdk/src/test/java/com/urbanairship/js/WhitelistTest.java
@@ -46,6 +46,7 @@ public void testDefaultWhitelist() {
                 .build();
 
         Whitelist whitelist = Whitelist.createDefaultWhitelist(airshipConfigOptions);
+        whitelist.setOpenUrlWhitelistingEnabled(true);
 
         // Messages
         assertTrue(whitelist.isWhitelisted("https://device-api.urbanairship.com/api/user/", Whitelist.SCOPE_OPEN_URL));
@@ -61,6 +62,11 @@ public void testDefaultWhitelist() {
         assertTrue(whitelist.isWhitelisted("https://dl.urbanairship.com/aaa/message_id", Whitelist.SCOPE_OPEN_URL));
         assertTrue(whitelist.isWhitelisted("https://dl.urbanairship.com/aaa/message_id", Whitelist.SCOPE_JAVASCRIPT_INTERFACE));
         assertTrue(whitelist.isWhitelisted("https://dl.urbanairship.com/aaa/message_id", Whitelist.SCOPE_ALL));
+
+        // Youtube
+        assertTrue(whitelist.isWhitelisted("https://www.youtube.com/embed/wJelEXaPhJ8", Whitelist.SCOPE_OPEN_URL));
+        assertFalse(whitelist.isWhitelisted("https://www.youtube.com/embed/wJelEXaPhJ8", Whitelist.SCOPE_JAVASCRIPT_INTERFACE));
+        assertFalse(whitelist.isWhitelisted("https://www.youtube.com/embed/wJelEXaPhJ8", Whitelist.SCOPE_ALL));
     }
 
     /**