feat(android): don't allow server.androidScheme to be set to schemes handled by WebView

theproducer · web-flow · commit 01285ba253d6 · 2022-04-05T10:56:41.000-05:00
diff --git a/android/capacitor/src/main/java/com/getcapacitor/CapConfig.java b/android/capacitor/src/main/java/com/getcapacitor/CapConfig.java
@@ -9,8 +9,10 @@
 import androidx.annotation.Nullable;
 import com.getcapacitor.util.JSONUtils;
 import java.io.IOException;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import org.json.JSONException;
@@ -105,7 +107,11 @@ private CapConfig(Builder builder) {
         this.html5mode = builder.html5mode;
         this.serverUrl = builder.serverUrl;
         this.hostname = builder.hostname;
-        this.androidScheme = builder.androidScheme;
+
+        if (this.validateScheme(builder.androidScheme)) {
+            this.androidScheme = builder.androidScheme;
+        }
+
         this.allowNavigation = builder.allowNavigation;
 
         // Android Config
@@ -148,7 +154,12 @@ private void deserializeConfig(@Nullable Context context) {
         html5mode = JSONUtils.getBoolean(configJSON, "server.html5mode", html5mode);
         serverUrl = JSONUtils.getString(configJSON, "server.url", null);
         hostname = JSONUtils.getString(configJSON, "server.hostname", hostname);
-        androidScheme = JSONUtils.getString(configJSON, "server.androidScheme", androidScheme);
+
+        String configSchema = JSONUtils.getString(configJSON, "server.androidScheme", androidScheme);
+        if (this.validateScheme(configSchema)) {
+            androidScheme = configSchema;
+        }
+
         allowNavigation = JSONUtils.getArray(configJSON, "server.allowNavigation", null);
 
         // Android
@@ -191,6 +202,16 @@ private void deserializeConfig(@Nullable Context context) {
         pluginsConfiguration = deserializePluginsConfig(JSONUtils.getObject(configJSON, "plugins"));
     }
 
+    private boolean validateScheme(String scheme) {
+        List<String> invalidSchemes = Arrays.asList("file", "ftp", "ftps", "ws", "wss", "about", "blob", "data");
+        if (invalidSchemes.contains(scheme)) {
+            Logger.warn(scheme + " is not an allowed scheme.  Defaulting to http.");
+            return false;
+        }
+
+        return true;
+    }
+
     public boolean isHTML5Mode() {
         return html5mode;
     }
