From 40c71e4b06130ee35da848adadef4b71228dc186 Mon Sep 17 00:00:00 2001
From: Torsten Grote <t@grobox.de>
Date: Thu, 24 Aug 2023 16:19:18 +0200
Subject: [PATCH] [db] Reject invalid URIs when adding repos

---
 .../main/java/org/fdroid/repo/RepoAdder.kt    |  7 ++++++-
 .../java/org/fdroid/repo/RepoAdderTest.kt     | 20 +++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/libs/database/src/main/java/org/fdroid/repo/RepoAdder.kt b/libs/database/src/main/java/org/fdroid/repo/RepoAdder.kt
index c107c709c..37d3ece5b 100644
--- a/libs/database/src/main/java/org/fdroid/repo/RepoAdder.kt
+++ b/libs/database/src/main/java/org/fdroid/repo/RepoAdder.kt
@@ -25,6 +25,7 @@ import org.fdroid.database.Repository
 import org.fdroid.database.RepositoryDaoInt
 import org.fdroid.download.DownloaderFactory
 import org.fdroid.download.HttpManager
+import org.fdroid.download.HttpManager.Companion.isInvalidHttpUrl
 import org.fdroid.download.NotFoundException
 import org.fdroid.index.IndexFormatVersion
 import org.fdroid.index.SigningException
@@ -125,7 +126,11 @@ internal class RepoAdder(
         // get repo url and fingerprint
         val nUri = repoUriGetter.getUri(url)
         log.info("Parsed URI: $nUri")
-        // TODO reject non-http(s) Uri here
+        if (isInvalidHttpUrl(nUri.uri.toString())) {
+            val e = IllegalArgumentException("Unsupported URI: ${nUri.uri}")
+            addRepoState.value = AddRepoError(INVALID_INDEX, e)
+            return
+        }
 
         // some plumping to receive the repo preview
         var receivedRepo: Repository? = null
diff --git a/libs/database/src/test/java/org/fdroid/repo/RepoAdderTest.kt b/libs/database/src/test/java/org/fdroid/repo/RepoAdderTest.kt
index 3dde83f84..43338a0be 100644
--- a/libs/database/src/test/java/org/fdroid/repo/RepoAdderTest.kt
+++ b/libs/database/src/test/java/org/fdroid/repo/RepoAdderTest.kt
@@ -107,6 +107,26 @@ internal class RepoAdderTest {
         }
     }
 
+    @Test
+    fun testInvalidUri() = runTest {
+        repoAdder.fetchRepositoryInt("irc://example.org/repo/") // invalid scheme
+
+        repoAdder.addRepoState.test {
+            val state1 = awaitItem()
+            assertIs<AddRepoError>(state1)
+            assertEquals(INVALID_INDEX, state1.errorType)
+        }
+
+        repoAdder.abortAddingRepo()
+        repoAdder.fetchRepositoryInt("https://%-") // invalid hostname
+
+        repoAdder.addRepoState.test {
+            val state1 = awaitItem()
+            assertIs<AddRepoError>(state1)
+            assertEquals(INVALID_INDEX, state1.errorType)
+        }
+    }
+
     @Test
     fun testAddingMinRepo() = runTest {
         val url = "https://example.org/repo/"