validate appid when reading metadata files

The metadata file must be named after the Application ID of the app it is describing, and Android Application IDs must be valid Java Package Names.
2024-11-19 21:30:10 +01:00 · 2018-09-01 12:08:37 +02:00 · 2018-09-01 12:08:37 +02:00 · 5d161cc9fd
commit 5d161cc9fd
parent 3011953d0e
3 changed files with 32 additions and 3 deletions
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -1518,7 +1518,19 @@ def parse_androidmanifests(paths, app):


 def is_valid_package_name(name):
-    return re.match("[A-Za-z_][A-Za-z_0-9.]+$", name)
+    """Check whether name is a valid fdroid package name
+
+    APKs and manually defined package names must use a valid Java
+    Package Name.  Automatically generated package names for non-APK
+    files use the SHA-256 sum.
+
+    """
+    return re.match("^([a-f0-9]+|[A-Za-z_][A-Za-z_0-9.]+)$", name)
+
+
+def is_valid_java_package_name(name):
+    """Check whether name is a valid Java package name aka Application ID"""
+    return re.match("^[A-Za-z_][A-Za-z_0-9.]+$", name)


 def getsrclib(spec, srclib_dir, subdir=None, basepath=False,
--- a/fdroidserver/metadata.py
+++ b/fdroidserver/metadata.py
@ -805,6 +805,9 @@ def read_metadata(xref=True, check_vcs=[], refresh=True, sort_by_time=False):
        if metadatapath == '.fdroid.txt':
            warn_or_exception(_('.fdroid.txt is not supported!  Convert to .fdroid.yml or .fdroid.json.'))
        appid, _ignored = fdroidserver.common.get_extension(os.path.basename(metadatapath))
+        if appid != '.fdroid' and not fdroidserver.common.is_valid_package_name(appid):
+            warn_or_exception(_("{appid} from {path} is not a valid Java Package Name!")
+                              .format(appid=appid, path=metadatapath))
        if appid in apps:
            warn_or_exception(_("Found multiple metadata files for {appid}")
                              .format(appid=appid))
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@ -158,9 +158,10 @@ class CommonTest(unittest.TestCase):
            self.assertFalse(debuggable,
                             "debuggable APK state was not properly parsed!")

-    def testPackageNameValidity(self):
+    def test_is_valid_package_name(self):
        for name in ["org.fdroid.fdroid",
-                     "org.f_droid.fdr0ID"]:
+                     "org.f_droid.fdr0ID",
+                     "05041684efd9b16c2888b1eddbadd0359f655f311b89bdd1737f560a10d20fb8"]:
            self.assertTrue(fdroidserver.common.is_valid_package_name(name),
                            "{0} should be a valid package name".format(name))
        for name in ["0rg.fdroid.fdroid",
@ -170,6 +171,19 @@ class CommonTest(unittest.TestCase):
            self.assertFalse(fdroidserver.common.is_valid_package_name(name),
                             "{0} should not be a valid package name".format(name))

+    def test_is_valid_java_package_name(self):
+        for name in ["org.fdroid.fdroid",
+                     "org.f_droid.fdr0ID"]:
+            self.assertTrue(fdroidserver.common.is_valid_java_package_name(name),
+                            "{0} should be a valid package name".format(name))
+        for name in ["0rg.fdroid.fdroid",
+                     ".f_droid.fdr0ID",
+                     "org.fdroid/fdroid",
+                     "/org.fdroid.fdroid",
+                     "05041684efd9b16c2888b1eddbadd0359f655f311b89bdd1737f560a10d20fb8"]:
+            self.assertFalse(fdroidserver.common.is_valid_java_package_name(name),
+                             "{0} should not be a valid package name".format(name))
+
    def test_prepare_sources(self):
        testint = 99999999
        teststr = 'FAKE_STR_FOR_TESTING'