Make the 'WebView classloader' filtering - to discourage loading arbitrary classes from the WebView APK. |
||||
Issue descriptionIn crbug.com/803816 we're adding a classloader to provide to the WebView Support Library for it to load classes from the WebView Apk. We should make that classloader filtering, to avoid apps trying to load arbitrary WebView classes using that classloader. Note: since (IIRC) we're already proguarding most of WebView, it should be difficult for apps to load arbitrary classes anyway.
,
May 11 2018
Yeah it's not obviously worth it - and this would be a new source for bugs. The whitelist should be heavily related to classes we avoid obfuscating - I think it should only contain classes from the support library glue though.
,
May 11 2018
This was specifically requested by feature council as a condition of the API to get the classloader being public. While it's true that it's possible to get the classloader other ways and that proguard makes it hard to abuse this anyway, the fact that the underlying API is public means that they want it to have a specifically restricted scope, as otherwise it implies apps are supposed to be able to do this.
,
May 11 2018
Ack. Our support library code appears to only fetch "org.chromium.support_lib_glue.SupportLibReflectionUtil" [1]. Is this the only class we should whitelist, or do we want to whitelist others to support other use cases for this API? There's sadly no documentation on *how* this is expected to filter. RuntimeException for loading a non-whitelisted class? Return null for non-whitelisted class? Should we also improve the API docs to mention this is a "filtering" classloader, and document what it does when misused by apps? [1] http://cs/android/frameworks/support/webkit/src/main/java/androidx/webkit/internal/WebViewGlueCommunicator.java?l=64&rcl=b3edde5d60c2f38cc67d7c420194c9a8d30c47f8
,
May 17 2018
Maybe this could help: https://stackoverflow.com/questions/3092449/implementing-a-filtering-class-loader I guess we just need to: * override loadClass * throw an exception for classes we intend to filter out
,
Jun 1 2018
The following revision refers to this bug: https://chrome-internal.googlesource.com/clank/internal/apps/+/0d0b15a592330daeadaca3a57f280d92c6b909f4 commit 0d0b15a592330daeadaca3a57f280d92c6b909f4 Author: Nate Fischer <ntfschr@google.com> Date: Fri Jun 01 19:08:03 2018
,
Jun 1 2018
No verification needed, I verified locally before landing. |
||||
►
Sign in to add a comment |
||||
Comment 1 by ntfschr@chromium.org
, May 11 2018