security: fix all review findings, bump to 1.0.19 (build 20)
CRITICAL - SftpProvider: replace PromiscuousVerifier with TofuHostKeyVerifier (trust-on-first-use; stores SHA-256 fingerprints in EncryptedSharedPreferences; rejects key changes on subsequent connections) HIGH - GoogleDriveProvider: replace raw string interpolation with buildJsonObject in uploadFile, createDirectory, and moveFile to prevent JSON injection - DropboxProvider: replace all raw JSON strings and Dropbox-API-Arg headers with buildJsonObject for the same reason - OAuthHelper: add cryptographically random state parameter to Dropbox and OneDrive authorization URLs (stored alongside the PKCE verifier) - OAuthRedirectActivity: validate returned state against stored value before exchanging the authorization code (CSRF protection) MEDIUM - WebDavProvider: block cross-host redirects in the manual redirect interceptor so Authorization headers are never forwarded to a different server - AccountSetupScreen: set FLAG_SECURE on the window while credential fields are visible to prevent screenshots and screen-recording capture - libs.versions.toml: security-crypto alpha06 → stable 1.0.0; biometric-ktx alpha05 → biometric 1.1.0 (stable, non-ktx artifact matches the BiometricManager/BiometricPrompt API actually used in MainActivity) - CredentialStore: migrate to security-crypto 1.0.0 API (MasterKeys.getOrCreate + positional create() args); add saveHostKey/getHostFingerprint for SFTP TOFU Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -7,19 +7,20 @@ import com.syncflow.data.providers.owncloud.OwnCloudProvider
|
||||
import com.syncflow.data.providers.onedrive.OneDriveProvider
|
||||
import com.syncflow.data.providers.sftp.SftpProvider
|
||||
import com.syncflow.data.providers.webdav.WebDavProvider
|
||||
import com.syncflow.data.security.CredentialStore
|
||||
import com.syncflow.domain.model.CloudAccount
|
||||
import com.syncflow.domain.model.ProviderType
|
||||
import javax.inject.Inject
|
||||
import javax.inject.Singleton
|
||||
|
||||
@Singleton
|
||||
class ProviderFactory @Inject constructor() {
|
||||
class ProviderFactory @Inject constructor(private val credentialStore: CredentialStore) {
|
||||
fun create(account: CloudAccount): CloudProvider = when (account.providerType) {
|
||||
ProviderType.GOOGLE_DRIVE -> GoogleDriveProvider(account)
|
||||
ProviderType.DROPBOX -> DropboxProvider(account)
|
||||
ProviderType.ONEDRIVE -> OneDriveProvider(account)
|
||||
ProviderType.WEBDAV -> WebDavProvider(account)
|
||||
ProviderType.SFTP -> SftpProvider(account)
|
||||
ProviderType.SFTP -> SftpProvider(account, credentialStore)
|
||||
ProviderType.NEXTCLOUD -> NextcloudProvider(account)
|
||||
ProviderType.OWNCLOUD -> OwnCloudProvider(account)
|
||||
ProviderType.SFTPGO -> WebDavProvider(account) // SFTPGo exposes WebDAV
|
||||
|
||||
@@ -18,9 +18,9 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
|
||||
}
|
||||
private val client = OkHttpClient()
|
||||
|
||||
private fun apiReq(url: String, bodyJson: String): Request =
|
||||
private fun apiReq(url: String, argJson: JsonObject): Request =
|
||||
Request.Builder().url(url)
|
||||
.post(bodyJson.toRequestBody("application/json".toMediaType()))
|
||||
.post(argJson.toString().toRequestBody("application/json".toMediaType()))
|
||||
.header("Authorization", "Bearer $token")
|
||||
.build()
|
||||
|
||||
@@ -33,7 +33,8 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
|
||||
|
||||
override suspend fun listFiles(remotePath: String): Result<List<RemoteFile>> = runCatching {
|
||||
val path = if (remotePath == "/" || remotePath.isBlank()) "" else remotePath
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/list_folder", """{"path":"$path","recursive":false}""")
|
||||
val arg = buildJsonObject { put("path", path); put("recursive", false) }
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/list_folder", arg)
|
||||
client.newCall(req).execute().use { resp ->
|
||||
val body = resp.body?.string() ?: throw Exception("HTTP ${resp.code}")
|
||||
if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}: $body")
|
||||
@@ -44,11 +45,15 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
|
||||
|
||||
override suspend fun uploadFile(localStream: InputStream, remotePath: String, sizeBytes: Long, onProgress: (Long) -> Unit): Result<RemoteFile> = runCatching {
|
||||
val bytes = localStream.readBytes()
|
||||
val argHeader = """{"path":"${remotePath.normalizeDropbox()}","mode":"overwrite","autorename":false}"""
|
||||
val arg = buildJsonObject {
|
||||
put("path", remotePath.normalizeDropbox())
|
||||
put("mode", "overwrite")
|
||||
put("autorename", false)
|
||||
}
|
||||
val req = Request.Builder().url("https://content.dropboxapi.com/2/files/upload")
|
||||
.post(bytes.toRequestBody("application/octet-stream".toMediaType()))
|
||||
.header("Authorization", "Bearer $token")
|
||||
.header("Dropbox-API-Arg", argHeader).build()
|
||||
.header("Dropbox-API-Arg", arg.toString()).build()
|
||||
client.newCall(req).execute().use { resp ->
|
||||
val body = resp.body?.string() ?: throw Exception("HTTP ${resp.code}")
|
||||
if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}: $body")
|
||||
@@ -58,11 +63,11 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
|
||||
}
|
||||
|
||||
override suspend fun downloadFile(remotePath: String, destination: OutputStream, onProgress: (Long) -> Unit): Result<Unit> = runCatching {
|
||||
val argHeader = """{"path":"${remotePath.normalizeDropbox()}"}"""
|
||||
val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
|
||||
val req = Request.Builder().url("https://content.dropboxapi.com/2/files/download")
|
||||
.post("".toRequestBody())
|
||||
.header("Authorization", "Bearer $token")
|
||||
.header("Dropbox-API-Arg", argHeader).build()
|
||||
.header("Dropbox-API-Arg", arg.toString()).build()
|
||||
client.newCall(req).execute().use { resp ->
|
||||
if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}")
|
||||
var total = 0L
|
||||
@@ -75,17 +80,20 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
|
||||
}
|
||||
|
||||
override suspend fun deleteFile(remotePath: String): Result<Unit> = runCatching {
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/delete_v2", """{"path":"${remotePath.normalizeDropbox()}"}""")
|
||||
val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/delete_v2", arg)
|
||||
client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
|
||||
}
|
||||
|
||||
override suspend fun createDirectory(remotePath: String): Result<Unit> = runCatching {
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/create_folder_v2", """{"path":"${remotePath.normalizeDropbox()}"}""")
|
||||
val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/create_folder_v2", arg)
|
||||
client.newCall(req).execute().use { resp -> if (!resp.isSuccessful && resp.code != 409) throw Exception("HTTP ${resp.code}") }
|
||||
}
|
||||
|
||||
override suspend fun getFileMetadata(remotePath: String): Result<RemoteFile> = runCatching {
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/get_metadata", """{"path":"${remotePath.normalizeDropbox()}"}""")
|
||||
val arg = buildJsonObject { put("path", remotePath.normalizeDropbox()) }
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/get_metadata", arg)
|
||||
client.newCall(req).execute().use { resp ->
|
||||
val body = resp.body?.string() ?: throw Exception("HTTP ${resp.code}")
|
||||
Json.parseToJsonElement(body).jsonObject.toRemoteFile()
|
||||
@@ -93,8 +101,11 @@ class DropboxProvider(private val account: CloudAccount) : CloudProvider {
|
||||
}
|
||||
|
||||
override suspend fun moveFile(fromPath: String, toPath: String): Result<Unit> = runCatching {
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/move_v2",
|
||||
"""{"from_path":"${fromPath.normalizeDropbox()}","to_path":"${toPath.normalizeDropbox()}"}""")
|
||||
val arg = buildJsonObject {
|
||||
put("from_path", fromPath.normalizeDropbox())
|
||||
put("to_path", toPath.normalizeDropbox())
|
||||
}
|
||||
val req = apiReq("https://api.dropboxapi.com/2/files/move_v2", arg)
|
||||
client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
|
||||
}
|
||||
|
||||
|
||||
@@ -44,9 +44,11 @@ class GoogleDriveProvider(private val account: CloudAccount) : CloudProvider {
|
||||
val name = remotePath.substringAfterLast('/')
|
||||
val parentId = if ('/' in remotePath.dropLast(1)) remotePath.substringBeforeLast('/') else "root"
|
||||
|
||||
// Multipart upload
|
||||
val metaPart = """{"name":"$name","parents":["$parentId"]}"""
|
||||
.toRequestBody("application/json".toMediaType())
|
||||
// Multipart upload — use JSON builder to avoid injection via filenames with special chars
|
||||
val metaPart = buildJsonObject {
|
||||
put("name", name)
|
||||
put("parents", buildJsonArray { add(parentId) })
|
||||
}.toString().toRequestBody("application/json".toMediaType())
|
||||
val dataPart = bytes.toRequestBody("application/octet-stream".toMediaType())
|
||||
val multipart = MultipartBody.Builder()
|
||||
.setType(MultipartBody.FORM)
|
||||
@@ -86,8 +88,11 @@ class GoogleDriveProvider(private val account: CloudAccount) : CloudProvider {
|
||||
override suspend fun createDirectory(remotePath: String): Result<Unit> = runCatching {
|
||||
val name = remotePath.substringAfterLast('/')
|
||||
val parentId = if ('/' in remotePath.dropLast(1)) remotePath.substringBeforeLast('/') else "root"
|
||||
val body = """{"name":"$name","mimeType":"application/vnd.google-apps.folder","parents":["$parentId"]}"""
|
||||
.toRequestBody("application/json".toMediaType())
|
||||
val body = buildJsonObject {
|
||||
put("name", name)
|
||||
put("mimeType", "application/vnd.google-apps.folder")
|
||||
put("parents", buildJsonArray { add(parentId) })
|
||||
}.toString().toRequestBody("application/json".toMediaType())
|
||||
val req = auth(Request.Builder().url("https://www.googleapis.com/drive/v3/files").post(body)).build()
|
||||
client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
|
||||
}
|
||||
@@ -102,7 +107,8 @@ class GoogleDriveProvider(private val account: CloudAccount) : CloudProvider {
|
||||
|
||||
override suspend fun moveFile(fromPath: String, toPath: String): Result<Unit> = runCatching {
|
||||
val newName = toPath.substringAfterLast('/')
|
||||
val body = """{"name":"$newName"}""".toRequestBody("application/json".toMediaType())
|
||||
val body = buildJsonObject { put("name", newName) }.toString()
|
||||
.toRequestBody("application/json".toMediaType())
|
||||
val req = auth(Request.Builder().url("https://www.googleapis.com/drive/v3/files/$fromPath").patch(body)).build()
|
||||
client.newCall(req).execute().use { resp -> if (!resp.isSuccessful) throw Exception("HTTP ${resp.code}") }
|
||||
}
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
package com.syncflow.data.providers.sftp
|
||||
|
||||
import com.syncflow.data.providers.CloudProvider
|
||||
import com.syncflow.data.security.CredentialStore
|
||||
import com.syncflow.domain.model.CloudAccount
|
||||
import com.syncflow.domain.model.RemoteFile
|
||||
import kotlinx.serialization.json.Json
|
||||
@@ -8,13 +9,12 @@ import kotlinx.serialization.json.jsonObject
|
||||
import kotlinx.serialization.json.jsonPrimitive
|
||||
import net.schmizz.sshj.SSHClient
|
||||
import net.schmizz.sshj.sftp.SFTPClient
|
||||
import net.schmizz.sshj.transport.verification.PromiscuousVerifier
|
||||
import net.schmizz.sshj.xfer.InMemorySourceFile
|
||||
import java.io.InputStream
|
||||
import java.io.OutputStream
|
||||
import java.time.Instant
|
||||
|
||||
class SftpProvider(private val account: CloudAccount) : CloudProvider {
|
||||
class SftpProvider(private val account: CloudAccount, private val credentialStore: CredentialStore) : CloudProvider {
|
||||
|
||||
private val creds = Json.parseToJsonElement(account.credentialJson).jsonObject
|
||||
private val host = account.serverUrl ?: "localhost"
|
||||
@@ -25,7 +25,7 @@ class SftpProvider(private val account: CloudAccount) : CloudProvider {
|
||||
|
||||
private fun <T> withSftp(block: (SFTPClient) -> T): T {
|
||||
val ssh = SSHClient()
|
||||
ssh.addHostKeyVerifier(PromiscuousVerifier()) // TODO: replace with proper key pinning
|
||||
ssh.addHostKeyVerifier(TofuHostKeyVerifier(credentialStore))
|
||||
ssh.connect(host, port)
|
||||
try {
|
||||
if (!privateKey.isNullOrBlank()) {
|
||||
|
||||
@@ -0,0 +1,31 @@
|
||||
package com.syncflow.data.providers.sftp
|
||||
|
||||
import com.syncflow.data.security.CredentialStore
|
||||
import net.schmizz.sshj.transport.verification.HostKeyVerifier
|
||||
import java.security.MessageDigest
|
||||
import java.security.PublicKey
|
||||
|
||||
/**
|
||||
* Trust-On-First-Use SSH host key verifier.
|
||||
*
|
||||
* First connection to a host: fingerprint is stored in EncryptedSharedPreferences and accepted.
|
||||
* Subsequent connections: stored fingerprint must match — mismatch aborts (possible MITM).
|
||||
*/
|
||||
class TofuHostKeyVerifier(private val credentialStore: CredentialStore) : HostKeyVerifier {
|
||||
|
||||
override fun verify(hostname: String, port: Int, key: PublicKey): Boolean {
|
||||
val fingerprint = sha256Fingerprint(key)
|
||||
val stored = credentialStore.getHostFingerprint(hostname, port)
|
||||
return if (stored == null) {
|
||||
credentialStore.saveHostKey(hostname, port, fingerprint)
|
||||
true
|
||||
} else {
|
||||
stored == fingerprint
|
||||
}
|
||||
}
|
||||
|
||||
private fun sha256Fingerprint(key: PublicKey): String {
|
||||
val digest = MessageDigest.getInstance("SHA-256").digest(key.encoded)
|
||||
return digest.joinToString(":") { "%02x".format(it) }
|
||||
}
|
||||
}
|
||||
@@ -10,6 +10,7 @@ import kotlinx.serialization.json.Json
|
||||
import kotlinx.serialization.json.jsonObject
|
||||
import kotlinx.serialization.json.jsonPrimitive
|
||||
import okhttp3.*
|
||||
import okhttp3.HttpUrl.Companion.toHttpUrlOrNull
|
||||
import okhttp3.MediaType.Companion.toMediaType
|
||||
import okhttp3.RequestBody.Companion.toRequestBody
|
||||
import org.xmlpull.v1.XmlPullParser
|
||||
@@ -38,9 +39,14 @@ open class WebDavProvider(protected val account: CloudAccount) : CloudProvider {
|
||||
.header("Authorization", Credentials.basic(user, pass))
|
||||
.build()
|
||||
val resp = chain.proceed(req)
|
||||
// follow redirect manually for WebDAV methods (OkHttp skips non-GET/HEAD redirects)
|
||||
// Follow redirects for WebDAV methods (OkHttp skips non-GET/HEAD redirects).
|
||||
// Only follow same-host redirects to prevent credential leakage to a different server.
|
||||
if (resp.code in 301..308) {
|
||||
val location = resp.header("Location") ?: return@addInterceptor resp
|
||||
val redirectHost = location.toHttpUrlOrNull()?.host
|
||||
if (redirectHost == null || redirectHost != req.url.host) {
|
||||
return@addInterceptor resp
|
||||
}
|
||||
resp.close()
|
||||
val redirectReq = req.newBuilder().url(location).build()
|
||||
chain.proceed(redirectReq)
|
||||
|
||||
@@ -3,7 +3,7 @@ package com.syncflow.data.security
|
||||
import android.content.Context
|
||||
import android.content.SharedPreferences
|
||||
import androidx.security.crypto.EncryptedSharedPreferences
|
||||
import androidx.security.crypto.MasterKey
|
||||
import androidx.security.crypto.MasterKeys
|
||||
import dagger.hilt.android.qualifiers.ApplicationContext
|
||||
import javax.inject.Inject
|
||||
import javax.inject.Singleton
|
||||
@@ -12,13 +12,11 @@ import javax.inject.Singleton
|
||||
class CredentialStore @Inject constructor(@ApplicationContext private val context: Context) {
|
||||
|
||||
private val prefs: SharedPreferences by lazy {
|
||||
val masterKey = MasterKey.Builder(context)
|
||||
.setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
|
||||
.build()
|
||||
val masterKeyAlias = MasterKeys.getOrCreate(MasterKeys.AES256_GCM_SPEC)
|
||||
EncryptedSharedPreferences.create(
|
||||
context,
|
||||
"syncflow_credentials",
|
||||
masterKey,
|
||||
masterKeyAlias,
|
||||
context,
|
||||
EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
|
||||
EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
|
||||
)
|
||||
@@ -37,7 +35,7 @@ class CredentialStore @Inject constructor(@ApplicationContext private val contex
|
||||
prefs.edit().remove(credKey(accountId)).apply()
|
||||
}
|
||||
|
||||
// ── PKCE verifiers (OAuth flow) ───────────────────────────────────────────
|
||||
// ── PKCE verifiers and OAuth state (OAuth flow) ───────────────────────────
|
||||
|
||||
fun savePkceVerifier(provider: String, verifier: String) {
|
||||
prefs.edit().putString(pkceKey(provider), verifier).apply()
|
||||
@@ -49,8 +47,18 @@ class CredentialStore @Inject constructor(@ApplicationContext private val contex
|
||||
prefs.edit().remove(pkceKey(provider)).apply()
|
||||
}
|
||||
|
||||
// ── SFTP host key fingerprints (TOFU) ─────────────────────────────────────
|
||||
|
||||
fun saveHostKey(host: String, port: Int, fingerprint: String) {
|
||||
prefs.edit().putString(hostKey(host, port), fingerprint).apply()
|
||||
}
|
||||
|
||||
fun getHostFingerprint(host: String, port: Int): String? =
|
||||
prefs.getString(hostKey(host, port), null)
|
||||
|
||||
// ── Key helpers ───────────────────────────────────────────────────────────
|
||||
|
||||
private fun credKey(accountId: Long) = "cred_$accountId"
|
||||
private fun pkceKey(provider: String) = "pkce_$provider"
|
||||
private fun hostKey(host: String, port: Int) = "sshhost_${host}_$port"
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user