perf: 验证可信来源

2024-11-16 11:42:22 +08:00 · 2024-01-21 00:43:05 +08:00 · 2024-01-21 00:43:05 +08:00 · 24953b9ab7
commit 24953b9ab7
parent 94a88044dd
1 changed files with 13 additions and 7 deletions
--- a/app/src/main/kotlin/li/songe/gkd/util/Constants.kt
+++ b/app/src/main/kotlin/li/songe/gkd/util/Constants.kt
@ -2,6 +2,7 @@ package li.songe.gkd.util

 import android.webkit.URLUtil
 import io.ktor.http.Url
+import io.ktor.http.fullPath
 import li.songe.gkd.BuildConfig

 const val VOLUME_CHANGED_ACTION = "android.media.VOLUME_CHANGED_ACTION"
@ -27,12 +28,9 @@ val GIT_COMMIT_URL = if (BuildConfig.GIT_COMMIT_ID != null) {

 private val safeRemoteBaseUrls = arrayOf(
    "https://registry.npmmirror.com/@gkd-kit/",
-    "https://cdn.jsdelivr.net/npm/@gkd-kit/",
-    "https://fastly.jsdelivr.net/npm/@gkd-kit/",
-    "https://unpkg.com/@gkd-kit/",
+
    "https://github.com/gkd-kit/",
    "https://raw.githubusercontent.com/gkd-kit/",
-    HOME_PAGE_URL,
 )

 fun isSafeUrl(url: String): Boolean {
@ -40,9 +38,17 @@ fun isSafeUrl(url: String): Boolean {
    if (safeRemoteBaseUrls.any { u -> url.startsWith(u) }) {
        return true
    }
-    return try {
-        Url(url).host.endsWith(".gkd.li")
+    val u = try {
+        Url(url)
    } catch (e: Exception) {
-        false
+        return false
    }
+    if (u.host == "gkd.li" || u.host.endsWith(".gkd.li")) {
+        return true
+    } else if (u.host.endsWith(".jsdelivr.net") && u.fullPath.startsWith("/npm/@gkd-kit/")) {
+        return true
+    } else if ((u.host == "unpkg.com" || u.host.endsWith(".unpkg.com")) && u.fullPath.startsWith("/@gkd-kit/")) {
+        return true
+    }
+    return false
 }