From b2ca49b26cb89f3771f3b0daa21d62bb2152b6f7 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Mon, 26 Feb 2018 23:43:42 +0100 Subject: [PATCH 1/2] update: make icon extraction less dependent on aapt For androguard, @thezero already developed a way to get all the icons after only extracting the icon name. So this uses that for the aapt-based scans also, to make them less brittle. This should fix the problem where `fdroid update` was choosing the XML icon for apps that include one, like NewPipe. closes fdroid/fdroid-website#192 --- fdroidserver/update.py | 68 +++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 37 deletions(-) diff --git a/fdroidserver/update.py b/fdroidserver/update.py index 4d227dd4..90fc291b 100644 --- a/fdroidserver/update.py +++ b/fdroidserver/update.py @@ -53,9 +53,7 @@ UNSET_VERSION_CODE = -0x100000000 APK_NAME_PAT = re.compile(".*name='([a-zA-Z0-9._]*)'.*") APK_VERCODE_PAT = re.compile(".*versionCode='([0-9]*)'.*") APK_VERNAME_PAT = re.compile(".*versionName='([^']*)'.*") -APK_LABEL_PAT = re.compile(".*label='(.*?)'(\n| [a-z]*?=).*") -APK_ICON_PAT = re.compile(".*application-icon-([0-9]+):'([^']+?)'.*") -APK_ICON_PAT_NODPI = re.compile(".*icon='([^']+?)'.*") +APK_LABEL_ICON_PAT = re.compile(".*\s+label='(.*)'\s+icon='(.*)'") APK_SDK_VERSION_PAT = re.compile(".*'([0-9]*)'.*") APK_PERMISSION_PAT = \ re.compile(".*(name='(?P.*?)')(.*maxSdkVersion='(?P.*?)')?.*") @@ -1080,6 +1078,27 @@ def scan_apk(apk_file): return apk +def _get_apk_icons_src(apkfile, icon_name): + """Extract the paths to the app icon in all available densities + + """ + icons_src = dict() + density_re = re.compile('^res/(.*)/' + icon_name + '\.(png|xml)$') + with zipfile.ZipFile(apkfile) as zf: + for filename in zf.namelist(): + m = density_re.match(filename) + if m: + folder = m.group(1).split('-') + if len(folder) > 1: + density = screen_resolutions[folder[1]] + else: + density = '160' + icons_src[density] = m.group(0) + if icons_src.get('-1') is None: + icons_src['-1'] = icons_src['160'] + return icons_src + + def scan_apk_aapt(apk, apkfile): p = SdkToolsPopen(['aapt', 'dump', 'badging', apkfile], output=False) if p.returncode != 0: @@ -1092,6 +1111,7 @@ def scan_apk_aapt(apk, apkfile): else: logging.error(_("Failed to get apk information, skipping {path}").format(path=apkfile)) raise BuildException(_("Invalid APK")) + icon_name = None for line in p.output.splitlines(): if line.startswith("package:"): try: @@ -1101,25 +1121,13 @@ def scan_apk_aapt(apk, apkfile): except Exception as e: raise FDroidException("Package matching failed: " + str(e) + "\nLine was: " + line) elif line.startswith("application:"): - apk['name'] = re.match(APK_LABEL_PAT, line).group(1) - # Keep path to non-dpi icon in case we need it - match = re.match(APK_ICON_PAT_NODPI, line) - if match: - apk['icons_src']['-1'] = match.group(1) - elif line.startswith("launchable-activity:"): + m = re.match(APK_LABEL_ICON_PAT, line) + if m: + apk['name'] = m.group(1) + icon_name = os.path.splitext(os.path.basename(m.group(2)))[0] + elif not apk.get('name') and line.startswith("launchable-activity:"): # Only use launchable-activity as fallback to application - if not apk['name']: - apk['name'] = re.match(APK_LABEL_PAT, line).group(1) - if '-1' not in apk['icons_src']: - match = re.match(APK_ICON_PAT_NODPI, line) - if match: - apk['icons_src']['-1'] = match.group(1) - elif line.startswith("application-icon-"): - match = re.match(APK_ICON_PAT, line) - if match: - density = match.group(1) - path = match.group(2) - apk['icons_src'][density] = path + apk['name'] = re.match(APK_LABEL_ICON_PAT, line).group(1) elif line.startswith("sdkVersion:"): m = re.match(APK_SDK_VERSION_PAT, line) if m is None: @@ -1170,6 +1178,7 @@ def scan_apk_aapt(apk, apkfile): if feature.startswith("android.feature."): feature = feature[16:] apk['features'].add(feature) + apk['icons_src'] = _get_apk_icons_src(apkfile, icon_name) def scan_apk_androguard(apk, apkfile): @@ -1215,22 +1224,7 @@ def scan_apk_androguard(apk, apkfile): icon_id = int(apkobject.get_element("application", "icon").replace("@", "0x"), 16) icon_name = arsc.get_id(apk['packageName'], icon_id)[1] - - density_re = re.compile("^res/(.*)/" + icon_name + ".*$") - - for file in apkobject.get_files(): - d_re = density_re.match(file) - if d_re: - folder = d_re.group(1).split('-') - if len(folder) > 1: - resolution = folder[1] - else: - resolution = 'mdpi' - density = screen_resolutions[resolution] - apk['icons_src'][density] = d_re.group(0) - - if apk['icons_src'].get('-1') is None: - apk['icons_src']['-1'] = apk['icons_src']['160'] + apk['icons_src'] = _get_apk_icons_src(apkfile, icon_name) arch_re = re.compile("^lib/(.*)/.*$") arch = set([arch_re.match(file).group(1) for file in apkobject.get_files() if arch_re.match(file)]) From 498ea5d6095784841538e61892a8cfbfe6eecc48 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Tue, 27 Feb 2018 12:09:54 +0100 Subject: [PATCH 2/2] lint: ban all dangerous HTML tags * https://en.wikipedia.org/wiki/HTML_sanitization * https://asostack.com/enhance-your-google-play-store-description-with-rich-formatting-and-emojis-5f50ff354e5f --- fdroidserver/lint.py | 2 +- tests/lint.TestCase | 31 +++++++++++++++++++++++++++++-- 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py index 315a61b8..b0a5cad7 100644 --- a/fdroidserver/lint.py +++ b/fdroidserver/lint.py @@ -164,7 +164,7 @@ regex_checks = { _("Unnecessary leading space")), (re.compile(r'.*\s$'), _("Unnecessary trailing space")), - (re.compile(r'.*<(iframe|link|script).*'), + (re.compile(r'.*<(applet|base|body|button|embed|form|head|html|iframe|img|input|link|object|picture|script|source|style|svg|video).*', re.IGNORECASE), _("Forbidden HTML tags")), (re.compile(r'''.*\s+src=["']javascript:.*'''), _("Javascript in HTML src attributes")), diff --git a/tests/lint.TestCase b/tests/lint.TestCase index 433c0787..ad9f0514 100755 --- a/tests/lint.TestCase +++ b/tests/lint.TestCase @@ -3,6 +3,7 @@ # http://www.drdobbs.com/testing/unit-testing-with-python/240165163 import inspect +import logging import optparse import os import shutil @@ -23,6 +24,14 @@ import fdroidserver.lint class LintTest(unittest.TestCase): '''fdroidserver/lint.py''' + def setUp(self): + logging.basicConfig(level=logging.INFO) + self.basedir = os.path.join(localmodule, 'tests') + self.tmpdir = os.path.abspath(os.path.join(self.basedir, '..', '.testfiles')) + if not os.path.exists(self.tmpdir): + os.makedirs(self.tmpdir) + os.chdir(self.basedir) + def test_check_for_unsupported_metadata_files(self): config = dict() fdroidserver.common.fill_config_defaults(config) @@ -31,8 +40,8 @@ class LintTest(unittest.TestCase): fdroidserver.lint.config = config self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files()) - tmpdir = os.path.join(localmodule, '.testfiles') - tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, dir=tmpdir) + tmptestsdir = tempfile.mkdtemp(prefix=inspect.currentframe().f_code.co_name, + dir=self.tmpdir) self.assertFalse(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/')) shutil.copytree(os.path.join(localmodule, 'tests', 'metadata'), os.path.join(tmptestsdir, 'metadata'), @@ -42,6 +51,24 @@ class LintTest(unittest.TestCase): os.path.join(tmptestsdir, 'metadata')) self.assertTrue(fdroidserver.lint.check_for_unsupported_metadata_files(tmptestsdir + '/')) + def test_forbidden_html_tags(self): + config = dict() + fdroidserver.common.fill_config_defaults(config) + fdroidserver.common.config = config + fdroidserver.lint.config = config + + app = { + 'Name': 'Bad App', + 'Summary': 'We pwn you', + 'Description': 'This way: ', + } + + anywarns = False + for warn in fdroidserver.lint.check_regexes(app): + anywarns = True + logging.debug(warn) + self.assertTrue(anywarns) + if __name__ == "__main__": parser = optparse.OptionParser()