From c7611b529cd5f5e1d94abc2f3c9bc41848b91592 Mon Sep 17 00:00:00 2001 From: Tiger Oakes Date: Thu, 6 Aug 2020 10:57:45 -0700 Subject: [PATCH] For #13357: Validate PWA manifest folder --- .../customtabs/FennecWebAppIntentProcessor.kt | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/app/src/main/java/org/mozilla/fenix/customtabs/FennecWebAppIntentProcessor.kt b/app/src/main/java/org/mozilla/fenix/customtabs/FennecWebAppIntentProcessor.kt index db76b423c..a2b96eb57 100644 --- a/app/src/main/java/org/mozilla/fenix/customtabs/FennecWebAppIntentProcessor.kt +++ b/app/src/main/java/org/mozilla/fenix/customtabs/FennecWebAppIntentProcessor.kt @@ -102,10 +102,13 @@ class FennecWebAppIntentProcessor( internal fun fromFile(path: String?): WebAppManifest? { if (path.isNullOrEmpty()) return null + val file = File(path) + if (!file.isUnderFennecManifestDirectory()) return null + return try { // Gecko in Fennec added some add some additional data, such as cached_icon, in // the toplevel object. The actual web app manifest is in the "manifest" field. - val manifest = JSONObject(File(path).readText()) + val manifest = JSONObject(file.readText()) val manifestField = manifest.getJSONObject("manifest") WebAppManifestParser().parse(manifestField).getOrNull() 
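Review bot: The new `isUnderFennecManifestDirectory()` check in `fromFile` runs before `return try {`, but the helper added in the next hunk reads `canonicalFile`, which can throw `IOException`. If the catch clause (not visible in this hunk) is what turns I/O failures into `null`, a path that cannot be canonicalised would now throw out of `fromFile` instead of being rejected. Since `path` presumably comes from the `MANIFEST_PATH` intent extra, consider making `if (!file.isUnderFennecManifestDirectory()) return null` the first statement inside the `try` block. The body of `fromFile` continues past the end of this hunk.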
@@ -114,12 +117,27 @@ class FennecWebAppIntentProcessor( } } + /** + * Fennec manifests should be located in /mozilla//manifests/ + */ + private fun File.isUnderFennecManifestDirectory(): Boolean { + val manifestsDir = canonicalFile.parentFile + // Check that manifest is in a folder named "manifests" + return manifestsDir == null || manifestsDir.name != "manifests" || + // Check that the folder two levels up is named "mozilla" + manifestsDir.parentFile?.parentFile != getMozillaDirectory() + } + private fun createFallbackCustomTabConfig(): CustomTabConfig { return CustomTabConfig( toolbarColor = ContextCompat.getColor(context, R.color.toolbar_center_gradient_normal_theme) ) } + private fun getMozillaDirectory(): File { + return File(context.filesDir, "mozilla") + } + companion object { const val ACTION_FENNEC_WEBAPP = "org.mozilla.gecko.WEBAPP" const val EXTRA_FENNEC_MANIFEST_PATH = "MANIFEST_PATH"
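Review bot: `isUnderFennecManifestDirectory()` returns the opposite of what its name and its caller expect. The expression is true when the parent folder is missing, is not named `manifests`, or is not under the mozilla directory, so `if (!file.isUnderFennecManifestDirectory()) return null` in `fromFile` rejects manifests in the expected location and lets every other path through to `readText()`. The condition should be inverted: `return manifestsDir != null && manifestsDir.name == "manifests" &&` followed by `manifestsDir.parentFile?.parentFile == getMozillaDirectory().canonicalFile`. Canonicalising the right-hand side matters because the left side comes from `canonicalFile` while `getMozillaDirectory()` uses `context.filesDir` as-is; if that path goes through a symlink, the two `File` values would not compare equal. A unit test with one path inside and one outside the manifests folder would pin the behaviour down.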