-
Notifications
You must be signed in to change notification settings - Fork 24.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
This ensures no illegal cookies are send to okhttp #18203
Conversation
When a website in a ReactNative WebView sets a cookie with an illegal character, this cookie will automatically be added to any request to the same domain. This happens through: BridgeInterceptor.java (l.84) ReactCookieJarContainer.java (l.44) JavaNetCookieJar.java (l.59) ForwardingCookieHandler.java (l.57) ForwardingCookieHandler.java (l.168) CookieManager.java (l.39) The BridgeInterceptor.java then tries to set a Cookie header, which validates both keys and values, and then crashes. okhttp3.6.0 Headers.java (l.320) This fix will strip illegal characters from any cookie that is being passed to the okhttp request.
Fixes #17568 |
Hey there, A while ago I opened a PR: #17569 The bot also told me it would be best to tag someone to take a look. Could you guys please take a look? Thanks! |
Thanks for the PR! Any chance you can add a test for this? |
Hi @hramos, Thanks for the reply! I'm aware the server is setting cookie values that are outside of the accepted range, but sometimes you can't control what a server is doing! Another solution could be to urlencode the invalid cookies, instead of ignoring them, please let me know what you think :) |
Hi @hramos, |
This will test the filtering of invalid cookies that might be set through the Android WebView.
Hey @hramos, Not sure why circleci checks don't pass, seems like the cache is corrupt? Locally all tests pass:
I'm not used to working with mockito, so let me know if you need any changes! 👍 |
* upstream/master: Local cli/android/normalize project name
Sorry for the trouble! Circle had some issues. If you rebase past 6f6084d your tests should pass. |
Thanks for adding the regression test 👍 |
* upstream/master: Fix Android job Enable obfuscation in ProGuard rules by default Add a way to dismiss PopupMenu elements Simplify templates Explicitly set path to yarn Prevent show a hidden status bar when opening modals, fix facebook#7474
I merged the latest master, which fails on something (in my eyes) unrelated to my changes. |
Hey @hramos I'm not sure what is causing the circleci fail, do you know how I can verify that my regression tests are passing? |
Looks like Circle is going through an outage right now. They had a similar outage, affecting macOS jobs, the other day. |
@hramos Shall I wait for it to be resolve and then rebase on master, or can you review the PR as is? :) |
Failing tests will only hold back the PR from being merged. It shouldn't hold back any reviews. I should also make it clear that I'm not actively reviewing pull requests (as evidenced by the number of open PRs). I'm around to support the landing of PRs that require it (i.e. the import failed), as well as to make sure new PRs are in a good state so that the community may be able to review them. |
Allright, thanks for the pointers! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice PR. Y’all should merge this.
@erikpoort I tried to find reviewers for this pull request and wanted to ping them to take another look. However, based on the blame information for the files in this pull request I couldn't find any reviewers. This sometimes happens when the files in the pull request are new or don't exist on master anymore. Is this pull request still relevant? If yes could you please rebase? In case you know who has context on this code feel free to mention them in a comment (one person is fine). Thanks for reading and hope you will continue contributing to the project. |
* upstream/master: (290 commits) Bump babel-preset-react-native version to 5.0.0 for Babel 7 Upgrade Prettier to v1.12.1 on fbsource Make Spacing cloneable Fix BadtokenException thrown when opening Android Catalyst app Fix crash when reloading with Perf Monitor enabled Remove extra space in source_files Forked RN renderers for FB and OSS (52afbe0...0887c7d) Fix OSS Fabric test build Use real YogaNodes in FabricReconcilerTest Bump metro@0.33.0 Add getParent() method for easier migration Use real YogaNodes in FabricUIManagerTest Display JS component stack in native view exceptions Add devDependencies support for templates Move Fabric tests to OSS Pass drawable width and height in pixels for inline image Switch equality check in BlobModule.java cxxreact/RAMBundleRegistry: nit fixes cxxreact/RAMBundleRegistry: prepend segment ID Revert D7569885: Fix anti aliasing rounded background ...
@hramos I don't know if you've seen it, but the PR has been reviewed by @swankjesse from okhttp :) (thanks!! 👍 ) I have also rebased on the latest master. You mentioned: "Failing tests will only hold back the PR from being merged.", is there any way I can help to resolve these failing tests? They seem unrelated to my code. |
@erikpoort I tried to find reviewers for this pull request and wanted to ping them to take another look. However, based on the blame information for the files in this pull request I couldn't find any reviewers. This sometimes happens when the files in the pull request are new or don't exist on master anymore. Is this pull request still relevant? If yes could you please rebase? In case you know who has context on this code feel free to mention them in a comment (one person is fine). Thanks for reading and hope you will continue contributing to the project. |
* upstream/master: (298 commits) Fabric: Support for object notation in dynamic-to-Point/Size/Edges converstions Add more fabric logging information Wire up event handler bindings RN: Fix Reponder Logic in Text Remove Native Extensions Move Native Extensions from JSContext layer to ContextFactory Prevent RefreshControl from getting stuck when a parent is scrolled horizontally Remove __fbUninstallRNGlobalErrorHandler Bump Metro to 0.37.1 Re-format BUCK to use recommended style. Prettier Fabric: Deletion of unused files Fix JUnit report location when running Jest Fabric: Using unique_ptr for storing YGNode inside YogaLayoutableShadowNode Alternative Instance Handle Approach without JSWeakRef React sync for revisions de84d5c...c0fe8d6 Fix typo iOS: Introduced ComponentDescriptorFactory to provide app specific component registry Bump rn babel preset to 5.0.1 Add automated script to update the babelHelpers file ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@hramos is landing this pull request. If you are a Facebook employee, you can view this diff on Phabricator.
Summary: When a website in a ReactNative WebView sets a cookie with an illegal character, this cookie will automatically be added to any request to the same domain. This happens through: BridgeInterceptor.java (l.84) ReactCookieJarContainer.java (l.44) JavaNetCookieJar.java (l.59) ForwardingCookieHandler.java (l.57) ForwardingCookieHandler.java (l.168) CookieManager.java (l.39) The BridgeInterceptor.java then tries to set a Cookie header, which validates both keys and values, and then crashes. okhttp3.6.0 Headers.java (l.320) This fix will strip illegal characters from any cookie that is being passed to the okhttp request. To demonstrate how to crash the app, you can find an example app here: https://github.com/erikpoort/react-native-test-illegal-cookie Or you can load the following url into a webview: https://invalidcookietest.us.dev.monkapps.com/ Press the 'Set cookie' button. Then try to fetch the same url. [ANDROID] [BREAKING] [ReactCookieJarContainer.java] - I'm filtering cookies containing illegal characters from any request. Closes facebook#18203 Differential Revision: D8164302 Pulled By: hramos fbshipit-source-id: 6e58461df594eb2c7aad4c7ad70b76d12ac09b84
Does this affect the cookies sent by a fetch request inside of an app(not inside webview)? Cookies were automatically being sent from my fetch calls, but it stopping doing so when I did an upgrade of react-native from 0.55 to 0.56 around 2 weeks back. |
No, fetch is using okhttp3 and doesn't save cookies with illegal characters. Only the android webview saves those cookies. RN combines okhttp3 and android webview cookies to do a new request. Before this PR, those webview cookies weren't filtered and okhttp3 would respond by throwing an exception on those illegal characters, thus crashing the app. |
Summary: This sync includes the following changes: - **[b5c6dd2de](facebook/react@b5c6dd2de )**: Don't use Spread in DevTools Injection (#18277) //<Sebastian Markbåge>// - **[a463fef31](facebook/react@a463fef31 )**: Revert "[React Native] Add getInspectorDataForViewAtPoint (#18233)" //<Sebastian Markbage>// - **[dc7eedae3](facebook/react@dc7eedae3 )**: Encode server rendered host components as array tuples (#18273) //<Sebastian Markbåge>// - **[bf351089a](facebook/react@bf351089a )**: [React Native] Add getInspectorDataForViewAtPoint (#18233) //<Ricky>// - **[99d737186](facebook/react@99d737186 )**: [Flight] Split Streaming from Relay Implemenation (#18260) //<Sebastian Markbåge>// - **[160505b0c](facebook/react@160505b0c )**: ReactDOM.useEvent: Add more scaffolding for useEvent hook (#18271) //<Dominic Gannaway>// - **[526c12f49](facebook/react@526c12f49 )**: Enable enableProfilerCommitHooks flag for FB (#18230) //<Brian Vaughn>// - **[29534252a](facebook/react@29534252a )**: ReactDOM.useEvent add flag and entry point (#18267) //<Dominic Gannaway>// - **[704c8b011](facebook/react@704c8b011 )**: Fix Flow type for AnyNativeEvent (#18266) //<Dominic Gannaway>// - **[bdc5cc463](facebook/react@bdc5cc463 )**: Add Relay Flight Build (#18242) //<Sebastian Markbåge>// - **[7a1691cdf](facebook/react@7a1691cdf )**: Refactor Host Config Infra (getting rid of .inline*.js) (#18240) //<Sebastian Markbåge>// - **[238b57f0f](facebook/react@238b57f0f )**: [Blocks] Make it possible to have lazy initialized and lazy loaded Blocks (#18220) //<Sebastian Markbåge>// - **[235a6c4af](facebook/react@235a6c4af )**: Bugfix: Dropped effects in Legacy Mode Suspense (#18238) //<Andrew Clark>// - **[562cf013d](facebook/react@562cf013d )**: Add a flag to disable module pattern components (#18133) //<Dan Abramov>// - **[115cd12d9](facebook/react@115cd12d9 )**: Add test run that uses www feature flags (#18234) //<Andrew Clark>// - **[4027f2a3b](facebook/react@4027f2a3b )**: Break up require/import statements in strings (#18222) //<Christoph Nakazawa>// - **[024a76431](facebook/react@024a76431 )**: Implemented Profiler onCommit() and onPostCommit() hooks (#17910) //<Brian Vaughn>// - **[d35f8a581](facebook/react@d35f8a581 )**: feat: honor displayName of context types (#18224) //<Brian Vaughn>// - **[3ee812e6b](facebook/react@3ee812e6b )**: Revert "feat: honor displayName of context types (#18035)" (#18223) //<Dominic Gannaway>// - **[6a0efddd8](facebook/react@6a0efddd8 )**: Modern Event System: export internal FB flag for testing (#18221) //<Dominic Gannaway>// - **[fa03206ee](facebook/react@fa03206ee )**: Remove _ctor field from Lazy components (#18217) //<Sebastian Markbåge>// - **[2fe0fbb05](facebook/react@2fe0fbb05 )**: Use accumulateTwoPhaseDispatchesSingle directly (#18203) //<Dominic Gannaway>// - **[503fd82b4](facebook/react@503fd82b4 )**: Modern Event System: Add support for internal FB Primer (#18210) //<Dominic Gannaway>// - **[45c172d94](facebook/react@45c172d94 )**: feat: honor displayName of context types (#18035) //<Brian Vaughn>// - **[ec652f4da](facebook/react@ec652f4da )**: Bugfix: Expired partial tree infinite loops (#17949) //<Andrew Clark>// - **[d2158d6cc](facebook/react@d2158d6cc )**: Fix flow types (#18204) //<Brian Vaughn>// - **[7e83af17c](facebook/react@7e83af17c )**: Put React.jsx and React.jsxDEV behind experimental build (#18023) //<Luna Ruan>// - **[8cb2fb21e](facebook/react@8cb2fb21e )**: Refine isFiberSuspenseAndTimedOut (#18184) //<Dominic Gannaway>// - **[62861bbcc](facebook/react@62861bbcc )**: More event system cleanup and scaffolding (#18179) //<Dominic Gannaway>// - **[8ccfce460](facebook/react@8ccfce460 )**: Only use Rollup's CommonJS plugin for "react-art" (#18186) //<Sebastian Markbåge>// - **[c26506a7d](facebook/react@c26506a7d )**: Update react-shallow-renderer from 16.12.0 to 16.13.0 (#18185) //<Minh Nguyen>// - **[26aa1987c](facebook/react@26aa1987c )**: [Native] Enable and remove targetAsInstance feature flag. (#18182) //<Eli White>// - **[4469700bb](facebook/react@4469700bb )**: Change ReactVersion from CJS to ES module (#18181) //<Sebastian Markbåge>// - **[58eedbb02](facebook/react@58eedbb02 )**: Check in a forked version of object-assign only for UMD builds (#18180) //<Sebastian Markbåge>// - **[053347e6b](facebook/react@053347e6b )**: react-test-renderer: improve findByType() error message (#17439) //<Henry Q. Dineen>// - **[4ee592e95](facebook/react@4ee592e95 )**: Add an early invariant to debug a mystery crash (#18159) //<Dan Abramov>// - **[7ea4e4111](facebook/react@7ea4e4111 )**: Fix typo in warning text (#18103) //<Sophie Alpert>// - **[79a25125b](facebook/react@79a25125b )**: feat: add recommended config eslint rule (#14762) //<Simen Bekkhus>// - **[ae60caacf](facebook/react@ae60caacf )**: [Fabric] Fix targetAsInstance dispatchEvent "cannot read property of null" (#18156) //<Joshua Gross>// - **[d72700ff5](facebook/react@d72700ff5 )**: Remove runtime dependency on prop-types (#18127) //<Dan Abramov>// - **[549e41883](facebook/react@549e41883 )**: Move remaining things to named exports (#18165) //<Sebastian Markbåge>// - **[739f20bed](facebook/react@739f20bed )**: Remove Node shallow builds (#18157) //<Sebastian Markbåge>// - **[3e809bf5d](facebook/react@3e809bf5d )**: Convert React Native builds to named exports (#18136) //<Sebastian Markbåge>// - **[869dbda72](facebook/react@869dbda72 )**: Don't build shallow renderer for FB (#18153) //<Dan Abramov>// - **[293878e07](facebook/react@293878e07 )**: Replace ReactShallowRenderer with a dependency (#18144) //<Minh Nguyen>// - **[b4e314891](facebook/react@b4e314891 )**: Remove unused flag (#18132) //<Dan Abramov>// - **[849e8328b](facebook/react@849e8328b )**: Remove unnecessary warnings (#18135) //<Dan Abramov>// - **[f9c0a4544](facebook/react@f9c0a4544 )**: Convert the rest of react-dom and react-test-renderer to Named Exports (#18145) //<Sebastian Markbåge>// - **[c1c5499cc](facebook/react@c1c5499cc )**: update version numbers for 16.13 (#18143) //<Sunil Pai>// - **[e1c7e651f](facebook/react@e1c7e651f )**: Update ReactDebugHooks to handle composite hooks (#18130) //<Brian Vaughn>// - **[d28bd2994](facebook/react@d28bd2994 )**: remove OSS testing builds (#18138) //<Sunil Pai>// - **[8e13e770e](facebook/react@8e13e770e )**: Remove /testing entry point from 'react' package (#18137) //<Sebastian Markbåge>// - **[60016c448](facebook/react@60016c448 )**: Export React as Named Exports instead of CommonJS (#18106) //<Sebastian Markbåge>// - **[8d7535e54](facebook/react@8d7535e54 )**: Add nolint to FB bundle headers (#18126) //<Dominic Gannaway>// - **[bf13d3e3c](facebook/react@bf13d3e3c )**: [eslint-plugin-react-hooks] Fix cyclic caching for loops containing a… (#16853) //<Moji Izadmehr>// - **[501a78881](facebook/react@501a78881 )**: runAllPassiveEffectDestroysBeforeCreates's feature flag description typo fixed (#18115) //<adasq>// - **[09348798a](facebook/react@09348798a )**: Codemod to import * as React from "react"; (#18102) //<Sebastian Markbåge>// - **[78e816032](facebook/react@78e816032 )**: Don't warn about unmounted updates if pending passive unmount (#18096) //<Brian Vaughn>// - **[2c4221ce8](facebook/react@2c4221ce8 )**: Change string refs in function component message (#18031) //<Sebastian Markbåge>// - **[65bbda7f1](facebook/react@65bbda7f1 )**: Rename Chunks API to Blocks (#18086) //<Sebastian Markbåge>// - **[8b596e00a](facebook/react@8b596e00a )**: Remove unused arguments in the reconciler (#18092) //<Dan Abramov>// - **[5de5b6150](facebook/react@5de5b6150 )**: Bugfix: `memo` drops lower pri updates on bail out (#18091) //<Andrew Clark>// - **[abfbae02a](facebook/react@abfbae02a )**: Update Rollup version to 1.19.4 and fix breaking changes (#15037) //<Kunuk Nykjær>// - **[b789060dc](facebook/react@b789060dc )**: Feature Flag for React.jsx` "spreading a key to jsx" warning (#18074) //<Sunil Pai>// - **[3f85d53ca](facebook/react@3f85d53ca )**: Further pre-requisite changes to plugin event system (#18083) //<Dominic Gannaway>// - **[ea6ed3dbb](facebook/react@ea6ed3dbb )**: Warn for update on different component in render (#17099) //<Andrew Clark>// - **[085d02133](facebook/react@085d02133 )**: [Native] Migrate focus/blur to call TextInputState with the host component (#18068) //<Eli White>// - **[1000f6135](facebook/react@1000f6135 )**: Add container to event listener signature (#18075) //<Dominic Gannaway>// - **[a12dd52a4](facebook/react@a12dd52a4 )**: Don't build some packages for WWW (#18078) //<Dan Abramov>// - **[2512c309e](facebook/react@2512c309e )**: Remove Flare bundles from build (#18077) //<Dominic Gannaway>// - **[4912ba31e](facebook/react@4912ba31e )**: Add modern event system flag + rename legacy plugin module (#18073) //<Dominic Gannaway>// - **[4d9f85006](facebook/react@4d9f85006 )**: Re-throw errors thrown by the renderer at the root in the complete phase (#18029) //<Andrew Clark>// - **[14afeb103](facebook/react@14afeb103 )**: Added missing feature flag //<Brian Vaughn>// - **[691096c95](facebook/react@691096c95 )**: Split recent passive effects changes into 2 flags (#18030) //<Brian Vaughn>// - **[56d8a73af](facebook/react@56d8a73af )**: [www] Disable Scheduler `timeout` w/ dynamic flag (#18069) //<Andrew Clark>// - **[d533229fb](facebook/react@d533229fb )**: Fix Prettier //<Dan Abramov>// - **[56a8c3532](facebook/react@56a8c3532 )**: eslint-plugin-react-hooks@2.4.0 //<Dan Abramov>// - **[93a229bab](facebook/react@93a229bab )**: Update eslint rule exhaustive deps to use new suggestions feature (#17385) //<Will Douglas>// - **[9def56ec0](facebook/react@9def56ec0 )**: Refactor DOM plugin system to single module (#18025) //<Dominic Gannaway>// - **[2d6be757d](facebook/react@2d6be757d )**: [Native] Delete NativeComponent and NativeMethodsMixin (#18036) //<Eli White>// - **[d4f2b03](facebook/react@d4f2b0379 )**: Add Auto Import to Babel Plugin (#16626) //<Luna Ruan>// - **[8777b44e9](facebook/react@8777b44e9 )**: Add Modern WWW build (#18028) //<Dan Abramov>// - **[a607ea4c4](facebook/react@a607ea4c4 )**: Remove getIsHydrating (#18019) //<Dan Abramov>// - **[f7278034d](facebook/react@f7278034d )**: Flush all passive destroy fns before calling create fns (#17947) //<Brian Vaughn>// - **[529e58ab0](facebook/react@529e58ab0 )**: Remove legacy www config from Rollup build (#18016) //<Dominic Gannaway>// - **[42918f40a](facebook/react@42918f40a )**: Change build from babylon to babel (#18015) //<Dominic Gannaway>// - **[df5faddcc](facebook/react@df5faddcc )**: Refactor commitPlacement to recursively insert nodes (#17996) //<Dominic Gannaway>// - **[517de74b0](facebook/react@517de74b0 )**: Tweak comment wording (#18007) //<Dan Abramov>// - **[b63cb6f6c](facebook/react@b63cb6f6c )**: Update ReactFiberExpirationTime.js (#17825) //<haseeb>// - **[89c6042df](facebook/react@89c6042df )**: fix: typo in test (#18005) //<Jesse Katsumata>// - **[4f71f25a3](facebook/react@4f71f25a3 )**: Re-enable shorthand CSS property collision warning (#18002) //<Sophie Alpert>// - **[c55c34e46](facebook/react@c55c34e46 )**: Move React Map child check to behind flags or __DEV__ (#17995) //<Dominic Gannaway>// - **[3f814e758](facebook/react@3f814e758 )**: Fix Flow type for React Native (#17992) //<Dan Abramov>// - **[256d78d11](facebook/react@256d78d11 )**: Add feature flag for removing children Map support (#17990) //<Dominic Gannaway>// - **[9dba218d9](facebook/react@9dba218d9 )**: [Mock Scheduler] Mimic browser's advanceTime (#17967) //<Andrew Clark>// - **[d6e08fe0a](facebook/react@d6e08fe0a )**: Remove Suspense priority warning (#17971) //<Dan Abramov>// - **[812277dab](facebook/react@812277dab )**: Fix onMouseEnter is fired on disabled buttons (#17675) //<Alfredo Granja>// - **[3e9251d60](facebook/react@3e9251d60 )**: make testing builds for React/ReactDOM (#17915) //<Sunil Pai>// - **[ace9e8134](facebook/react@ace9e8134 )**: Simplify Continuous Hydration Targets (#17952) //<Sebastian Markbåge>// - **[7df32c4c8](facebook/react@7df32c4c8 )**: Flush `useEffect` clean up functions in the passive effects phase (#17925) //<Brian Vaughn>// - **[434770c3b](facebook/react@434770c3b )**: Add beforeRemoveInstance method to ReactNoop (#17959) //<Dominic Gannaway>// - **[6ae2c33a7](facebook/react@6ae2c33a7 )**: StrictMode should call sCU twice in DEV (#17942) //<Brian Vaughn>// - **[9dbe1c54d](facebook/react@9dbe1c54d )**: Revert "Bugfix: Expiring a partially completed tree (#17926)" (#17941) //<Andrew Clark>// - **[b2382a715](facebook/react@b2382a715 )**: Add ReactDOM.unstable_renderSubtreeIntoContainer warning flag (#17936) //<Dominic Gannaway>// - **[01974a867](facebook/react@01974a867 )**: Bugfix: Expiring a partially completed tree (#17926) //<Andrew Clark>// Changelog: [General][Changed] - React Native sync for revisions 241c446...b5c6dd2 Reviewed By: gaearon Differential Revision: D20347361 fbshipit-source-id: e9e6282474ab6471585e8e7fb6ea8518aa48390d
Motivation
When a website in a ReactNative WebView sets a cookie with an illegal
character, this cookie will automatically be added to any request to the
same domain.
This happens through:
BridgeInterceptor.java (l.84)
ReactCookieJarContainer.java (l.44)
JavaNetCookieJar.java (l.59)
ForwardingCookieHandler.java (l.57)
ForwardingCookieHandler.java (l.168)
CookieManager.java (l.39)
The BridgeInterceptor.java then tries to set a Cookie header, which
validates both keys and values, and then crashes.
okhttp3.6.0 Headers.java (l.320)
This fix will strip illegal characters from any cookie that is being
passed to the okhttp request.
Test Plan
To demonstrate how to crash the app, you can find an example app here:
https://github.com/erikpoort/react-native-test-illegal-cookie
Or you can load the following url into a webview: https://invalidcookietest.us.dev.monkapps.com/
Press the 'Set cookie' button.
Then try to fetch the same url.
Release Notes
[ANDROID] [BREAKING] [ReactCookieJarContainer.java] - I'm filtering cookies containing illegal characters from any request.