[Android] Restrict AOT shared library engine flag to trusted paths #173359
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
…_library_name_flag
szwl-g
reviewed
Aug 19, 2025
engine/src/flutter/shell/platform/android/io/flutter/embedding/engine/loader/FlutterLoader.java
Outdated
Show resolved
Hide resolved
Contributor
Author
|
Ah I just realized I have a real failure on Android to address here. I'll update the PR when I've gotten the chance to take a look. |
Contributor
Author
Fixed if you can take a second look! @reidbaker |
reidbaker
approved these changes
Aug 26, 2025
|
|
||
| // Canocalize path for safety analysis. | ||
| File aotSharedLibraryFile = getFileFromPath(aotSharedLibraryPath); | ||
| String aotSharedLibraryPathCanonicalPath = aotSharedLibraryFile.getCanonicalPath(); |
Contributor
There was a problem hiding this comment.
what happens if I pass "--aot-shared-library-name=<>?/\1234-some-invalid-string"
Maybe it results in an empty pathname? https://docs.oracle.com/javase/7/docs/api/java/io/File.html#File(java.lang.String) similar to an empty string
Contributor
Author
There was a problem hiding this comment.
I'm glad you pointed this out because it looks like an IOException is thrown in the path is invalid. I added a try/catch so we can return null early in this case + a test.
I didn't do the same for the internal storage directory because I think it's safe to assume that it is a valid path.
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Aug 27, 2025
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Aug 27, 2025
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Aug 27, 2025
auto-submit bot
pushed a commit
to flutter/packages
that referenced
this pull request
Aug 28, 2025
flutter/flutter@c65f01d...da5523a 2025-08-27 dacoharkes@google.com [native assets] Roll dependencies (flutter/flutter#174522) 2025-08-27 engine-flutter-autoroll@skia.org Roll Skia from 8cf2faada2b5 to 7e6da45059c5 (5 revisions) (flutter/flutter#174523) 2025-08-27 43054281+camsim99@users.noreply.github.com [Android] Restrict AOT shared library engine flag to trusted paths (flutter/flutter#173359) 2025-08-27 engine-flutter-autoroll@skia.org Roll Fuchsia Linux SDK from L5zGzsIWIS8N36AFQ... to bHYRvLv2Dg56RWZF2... (flutter/flutter#174518) 2025-08-27 engine-flutter-autoroll@skia.org Roll Packages from 1ef712e to 86fbeec (7 revisions) (flutter/flutter#174521) 2025-08-27 engine-flutter-autoroll@skia.org Roll Skia from 448a0d0e57e3 to 8cf2faada2b5 (1 revision) (flutter/flutter#174510) 2025-08-27 engine-flutter-autoroll@skia.org Roll Skia from 4703976a4dae to 448a0d0e57e3 (3 revisions) (flutter/flutter#174494) 2025-08-27 sokolovskyi.konstantin@gmail.com Fix SliverMainAxisGroup and SliverCrossAxisGroup gestures' local positions. (flutter/flutter#174265) 2025-08-27 robert.ancell@canonical.com Fix lock up when window resized with merged UI and platform threads. (flutter/flutter#172893) 2025-08-27 engine-flutter-autoroll@skia.org Roll Skia from dc2872de506f to 4703976a4dae (1 revision) (flutter/flutter#174489) 2025-08-27 engine-flutter-autoroll@skia.org Roll Dart SDK from db45c0ce46f9 to 89023922f96d (2 revisions) (flutter/flutter#174481) 2025-08-27 32538273+ValentinVignal@users.noreply.github.com Migrate examples and defaults to `WidgetState` (flutter/flutter#174421) 2025-08-27 engine-flutter-autoroll@skia.org Roll Skia from 8e48b9e6d67b to dc2872de506f (7 revisions) (flutter/flutter#174479) 2025-08-27 36861262+QuncCccccc@users.noreply.github.com SnackBar with action no longer auto-dismiss (flutter/flutter#173084) 2025-08-26 engine-flutter-autoroll@skia.org Roll Dart SDK from 9054cd8af73c to db45c0ce46f9 (1 revision) (flutter/flutter#174438) 2025-08-26 engine-flutter-autoroll@skia.org Roll Skia from f941bfab7c09 to 8e48b9e6d67b (4 revisions) (flutter/flutter#174468) 2025-08-26 matanlurey@users.noreply.github.com Fix bug in test_golden_comparator, add an e2e test. (flutter/flutter#174459) 2025-08-26 matt.boetger@gmail.com fix typo in test_profile/README.md (flutter/flutter#174384) 2025-08-26 matanlurey@users.noreply.github.com Remove CP labels on not-merged PRs, and explain why (flutter/flutter#174448) 2025-08-26 1063596+reidbaker@users.noreply.github.com Increase testing coverage and maintainability of android manifest parsing logic (flutter/flutter#174070) 2025-08-26 1961493+harryterkelsen@users.noreply.github.com [web] Add test that pictures are not rasterized when clipped out (flutter/flutter#174452) 2025-08-26 engine-flutter-autoroll@skia.org Roll Skia from 538260c45b4a to f941bfab7c09 (3 revisions) (flutter/flutter#174450) 2025-08-26 30870216+gaaclarke@users.noreply.github.com fixes the vulkan image layout transitions for mipmap generation (flutter/flutter#173884) 2025-08-26 15619084+vashworth@users.noreply.github.com Move flakey iOS tests to bringup (flutter/flutter#174446) 2025-08-26 30870216+gaaclarke@users.noreply.github.com [Impeller] Make sure inline passes always do a clear action. (flutter/flutter#174083) 2025-08-26 engine-flutter-autoroll@skia.org Roll Skia from 21214d63fc40 to 538260c45b4a (2 revisions) (flutter/flutter#174441) If this roll has caused a breakage, revert this CL and stop the roller using the controls here: https://autoroll.skia.org/r/flutter-packages Please CC stuartmorgan@google.com on the revert to ensure that a human is aware of the problem. To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose To report a problem with the AutoRoller itself, please file a bug: https://issues.skia.org/issues/new?component=1389291&template=1850622 Documentation for the AutoRoller is here: https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Aug 28, 2025
mboetger
pushed a commit
to mboetger/flutter
that referenced
this pull request
Sep 18, 2025
…lutter#173359) ### Overview Restricts the `--aot-shared-library-name` flag used for launching `FlutterFragment`s to only accept paths that point to the application's internal storage. ### Why restrict the path at all Currently, when an application launches a `FlutterFragment` with an `Intent` that passes the `--aot-shared-library-name` flag, the Flutter engine [will call `dlopen`](https://github.com/flutter/flutter/blob/f45a8f8b719e9c0648d0ac563023522e72a80a00/engine/src/flutter/fml/platform/posix/native_library_posix.cc#L14) on the native code that lives where the passed path points with no checks. So, if that path points to malicious code, we've got a problem. See go/flutter-fragment-flag-security-analysis for full context. By restricting the path to a trusted location, we ensure that the application developer is either writing their own native code (that we can assume not to be malicious) or is importing third party code and manually packaging it with their application code, ensuring that it has been vetted by the application author (or at least indicating that it should be vetted). ### Why restrict the path to the application's internal storage The [native code directory within internal storage](https://developer.android.com/reference/android/content/pm/ApplicationInfo#nativeLibraryDir) is where native JNI libraries are stored by default when the AGP [`useLegacyPackaging` option](https://developer.android.com/build/releases/past-releases/agp-4-2-0-release-notes#compress-native-libs-dsl) is set to true, so any compiled native code that's part of an Android app will live there. If `useLegacyPackaging` is set to false or the application developer wishes to reference native code some other way, they can manually package it within internal storage, which is generally a secure place to store files for your application needs. Also, as far as I'm aware, this is the only secure place the application developers could reference native code *by path* in their application (for example, developers could put their native code in the `app/src/main/assets` directory, then copy it into internal storage for reference by path). _My primary sources:_ https://developer.android.com/ndk/guides/concepts https://developer.android.com/studio/projects/add-native-code https://developer.android.com/training/data-storage ### Prior art Flutter has enforced a similar sort of path restriction for the `file_selector_android` package; see flutter/packages#8184. Just like that PR does, this PR makes sure to canonicalize paths passed to the flag and attempts to test sneaky partial internal storage paths to mitigate path traversal attacks. ### Future work As mentioned in my TODO, the pattern of willy-nilly adding any flags passed in an `Intent` to launch a `FlutterFragment` is dangerous. We plan to address this vulnerability in a future PR: flutter#172553 ### P.S. This PR also renames `application_library_path` to `application_library_paths` This is actually a vector of AOT shared library (plural) paths that can include the one passed with the `--aot-shared-library-name` flag as well as the fallbacks. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [ ] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord]. **Note**: The Flutter team is currently trialing the use of [Gemini Code Assist for GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code). Comments from the `gemini-code-assist` bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed. <!-- Links --> [Contributor Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#overview [Tree Hygiene]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md [test-exempt]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#tests [Flutter Style Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md [Features we expect every widget to implement]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/blob/main/docs/contributing/Chat.md [Data Driven Fixes]: https://github.com/flutter/flutter/blob/main/docs/contributing/Data-driven-Fixes.md
korca0220
pushed a commit
to korca0220/flutter
that referenced
this pull request
Sep 22, 2025
…lutter#173359) ### Overview Restricts the `--aot-shared-library-name` flag used for launching `FlutterFragment`s to only accept paths that point to the application's internal storage. ### Why restrict the path at all Currently, when an application launches a `FlutterFragment` with an `Intent` that passes the `--aot-shared-library-name` flag, the Flutter engine [will call `dlopen`](https://github.com/flutter/flutter/blob/f45a8f8b719e9c0648d0ac563023522e72a80a00/engine/src/flutter/fml/platform/posix/native_library_posix.cc#L14) on the native code that lives where the passed path points with no checks. So, if that path points to malicious code, we've got a problem. See go/flutter-fragment-flag-security-analysis for full context. By restricting the path to a trusted location, we ensure that the application developer is either writing their own native code (that we can assume not to be malicious) or is importing third party code and manually packaging it with their application code, ensuring that it has been vetted by the application author (or at least indicating that it should be vetted). ### Why restrict the path to the application's internal storage The [native code directory within internal storage](https://developer.android.com/reference/android/content/pm/ApplicationInfo#nativeLibraryDir) is where native JNI libraries are stored by default when the AGP [`useLegacyPackaging` option](https://developer.android.com/build/releases/past-releases/agp-4-2-0-release-notes#compress-native-libs-dsl) is set to true, so any compiled native code that's part of an Android app will live there. If `useLegacyPackaging` is set to false or the application developer wishes to reference native code some other way, they can manually package it within internal storage, which is generally a secure place to store files for your application needs. Also, as far as I'm aware, this is the only secure place the application developers could reference native code *by path* in their application (for example, developers could put their native code in the `app/src/main/assets` directory, then copy it into internal storage for reference by path). _My primary sources:_ https://developer.android.com/ndk/guides/concepts https://developer.android.com/studio/projects/add-native-code https://developer.android.com/training/data-storage ### Prior art Flutter has enforced a similar sort of path restriction for the `file_selector_android` package; see flutter/packages#8184. Just like that PR does, this PR makes sure to canonicalize paths passed to the flag and attempts to test sneaky partial internal storage paths to mitigate path traversal attacks. ### Future work As mentioned in my TODO, the pattern of willy-nilly adding any flags passed in an `Intent` to launch a `FlutterFragment` is dangerous. We plan to address this vulnerability in a future PR: flutter#172553 ### P.S. This PR also renames `application_library_path` to `application_library_paths` This is actually a vector of AOT shared library (plural) paths that can include the one passed with the `--aot-shared-library-name` flag as well as the fallbacks. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [ ] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord]. **Note**: The Flutter team is currently trialing the use of [Gemini Code Assist for GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code). Comments from the `gemini-code-assist` bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed. <!-- Links --> [Contributor Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#overview [Tree Hygiene]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md [test-exempt]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#tests [Flutter Style Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md [Features we expect every widget to implement]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/blob/main/docs/contributing/Chat.md [Data Driven Fixes]: https://github.com/flutter/flutter/blob/main/docs/contributing/Data-driven-Fixes.md
Jaineel-Mamtora
pushed a commit
to Jaineel-Mamtora/flutter_forked
that referenced
this pull request
Sep 24, 2025
…lutter#173359) ### Overview Restricts the `--aot-shared-library-name` flag used for launching `FlutterFragment`s to only accept paths that point to the application's internal storage. ### Why restrict the path at all Currently, when an application launches a `FlutterFragment` with an `Intent` that passes the `--aot-shared-library-name` flag, the Flutter engine [will call `dlopen`](https://github.com/flutter/flutter/blob/f45a8f8b719e9c0648d0ac563023522e72a80a00/engine/src/flutter/fml/platform/posix/native_library_posix.cc#L14) on the native code that lives where the passed path points with no checks. So, if that path points to malicious code, we've got a problem. See go/flutter-fragment-flag-security-analysis for full context. By restricting the path to a trusted location, we ensure that the application developer is either writing their own native code (that we can assume not to be malicious) or is importing third party code and manually packaging it with their application code, ensuring that it has been vetted by the application author (or at least indicating that it should be vetted). ### Why restrict the path to the application's internal storage The [native code directory within internal storage](https://developer.android.com/reference/android/content/pm/ApplicationInfo#nativeLibraryDir) is where native JNI libraries are stored by default when the AGP [`useLegacyPackaging` option](https://developer.android.com/build/releases/past-releases/agp-4-2-0-release-notes#compress-native-libs-dsl) is set to true, so any compiled native code that's part of an Android app will live there. If `useLegacyPackaging` is set to false or the application developer wishes to reference native code some other way, they can manually package it within internal storage, which is generally a secure place to store files for your application needs. Also, as far as I'm aware, this is the only secure place the application developers could reference native code *by path* in their application (for example, developers could put their native code in the `app/src/main/assets` directory, then copy it into internal storage for reference by path). _My primary sources:_ https://developer.android.com/ndk/guides/concepts https://developer.android.com/studio/projects/add-native-code https://developer.android.com/training/data-storage ### Prior art Flutter has enforced a similar sort of path restriction for the `file_selector_android` package; see flutter/packages#8184. Just like that PR does, this PR makes sure to canonicalize paths passed to the flag and attempts to test sneaky partial internal storage paths to mitigate path traversal attacks. ### Future work As mentioned in my TODO, the pattern of willy-nilly adding any flags passed in an `Intent` to launch a `FlutterFragment` is dangerous. We plan to address this vulnerability in a future PR: flutter#172553 ### P.S. This PR also renames `application_library_path` to `application_library_paths` This is actually a vector of AOT shared library (plural) paths that can include the one passed with the `--aot-shared-library-name` flag as well as the fallbacks. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [ ] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord]. **Note**: The Flutter team is currently trialing the use of [Gemini Code Assist for GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code). Comments from the `gemini-code-assist` bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed. <!-- Links --> [Contributor Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#overview [Tree Hygiene]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md [test-exempt]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#tests [Flutter Style Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md [Features we expect every widget to implement]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/blob/main/docs/contributing/Chat.md [Data Driven Fixes]: https://github.com/flutter/flutter/blob/main/docs/contributing/Data-driven-Fixes.md
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Nov 12, 2025
lucaantonelli
pushed a commit
to lucaantonelli/flutter
that referenced
this pull request
Nov 21, 2025
…lutter#173359) ### Overview Restricts the `--aot-shared-library-name` flag used for launching `FlutterFragment`s to only accept paths that point to the application's internal storage. ### Why restrict the path at all Currently, when an application launches a `FlutterFragment` with an `Intent` that passes the `--aot-shared-library-name` flag, the Flutter engine [will call `dlopen`](https://github.com/flutter/flutter/blob/f45a8f8b719e9c0648d0ac563023522e72a80a00/engine/src/flutter/fml/platform/posix/native_library_posix.cc#L14) on the native code that lives where the passed path points with no checks. So, if that path points to malicious code, we've got a problem. See go/flutter-fragment-flag-security-analysis for full context. By restricting the path to a trusted location, we ensure that the application developer is either writing their own native code (that we can assume not to be malicious) or is importing third party code and manually packaging it with their application code, ensuring that it has been vetted by the application author (or at least indicating that it should be vetted). ### Why restrict the path to the application's internal storage The [native code directory within internal storage](https://developer.android.com/reference/android/content/pm/ApplicationInfo#nativeLibraryDir) is where native JNI libraries are stored by default when the AGP [`useLegacyPackaging` option](https://developer.android.com/build/releases/past-releases/agp-4-2-0-release-notes#compress-native-libs-dsl) is set to true, so any compiled native code that's part of an Android app will live there. If `useLegacyPackaging` is set to false or the application developer wishes to reference native code some other way, they can manually package it within internal storage, which is generally a secure place to store files for your application needs. Also, as far as I'm aware, this is the only secure place the application developers could reference native code *by path* in their application (for example, developers could put their native code in the `app/src/main/assets` directory, then copy it into internal storage for reference by path). _My primary sources:_ https://developer.android.com/ndk/guides/concepts https://developer.android.com/studio/projects/add-native-code https://developer.android.com/training/data-storage ### Prior art Flutter has enforced a similar sort of path restriction for the `file_selector_android` package; see flutter/packages#8184. Just like that PR does, this PR makes sure to canonicalize paths passed to the flag and attempts to test sneaky partial internal storage paths to mitigate path traversal attacks. ### Future work As mentioned in my TODO, the pattern of willy-nilly adding any flags passed in an `Intent` to launch a `FlutterFragment` is dangerous. We plan to address this vulnerability in a future PR: flutter#172553 ### P.S. This PR also renames `application_library_path` to `application_library_paths` This is actually a vector of AOT shared library (plural) paths that can include the one passed with the `--aot-shared-library-name` flag as well as the fallbacks. ## Pre-launch Checklist - [x] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [x] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [x] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [x] I signed the [CLA]. - [ ] I listed at least one issue that this PR fixes in the description above. - [x] I updated/added relevant documentation (doc comments with `///`). - [x] I added new tests to check the change I am making, or this PR is [test-exempt]. - [x] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [x] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord]. **Note**: The Flutter team is currently trialing the use of [Gemini Code Assist for GitHub](https://developers.google.com/gemini-code-assist/docs/review-github-code). Comments from the `gemini-code-assist` bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed. <!-- Links --> [Contributor Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#overview [Tree Hygiene]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md [test-exempt]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#tests [Flutter Style Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md [Features we expect every widget to implement]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/blob/main/docs/contributing/Chat.md [Data Driven Fixes]: https://github.com/flutter/flutter/blob/main/docs/contributing/Data-driven-Fixes.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Overview
Restricts the
--aot-shared-library-nameflag used for launchingFlutterFragments to only accept paths that point to the application's internal storage.Why restrict the path at all
Currently, when an application launches a
FlutterFragmentwith anIntentthat passes the--aot-shared-library-nameflag, the Flutter engine will calldlopenon the native code that lives where the passed path points with no checks. So, if that path points to malicious code, we've got a problem. See go/flutter-fragment-flag-security-analysis for full context.By restricting the path to a trusted location, we ensure that the application developer is either writing their own native code (that we can assume not to be malicious) or is importing third party code and manually packaging it with their application code, ensuring that it has been vetted by the application author (or at least indicating that it should be vetted).
Why restrict the path to the application's internal storage
The native code directory within internal storage is where native JNI libraries are stored by default when the AGP
useLegacyPackagingoption is set to true, so any compiled native code that's part of an Android app will live there.If
useLegacyPackagingis set to false or the application developer wishes to reference native code some other way, they can manually package it within internal storage, which is generally a secure place to store files for your application needs. Also, as far as I'm aware, this is the only secure place the application developers could reference native code by path in their application (for example, developers could put their native code in theapp/src/main/assetsdirectory, then copy it into internal storage for reference by path).My primary sources:
https://developer.android.com/ndk/guides/concepts
https://developer.android.com/studio/projects/add-native-code
https://developer.android.com/training/data-storage
Prior art
Flutter has enforced a similar sort of path restriction for the
file_selector_androidpackage; see flutter/packages#8184. Just like that PR does, this PR makes sure to canonicalize paths passed to the flag and attempts to test sneaky partial internal storage paths to mitigate path traversal attacks.Future work
As mentioned in my TODO, the pattern of willy-nilly adding any flags passed in an
Intentto launch aFlutterFragmentis dangerous. We plan to address this vulnerability in a future PR: #172553P.S. This PR also renames
application_library_pathtoapplication_library_pathsThis is actually a vector of AOT shared library (plural) paths that can include the one passed with the
--aot-shared-library-nameflag as well as the fallbacks.Pre-launch Checklist
///).If you need help, consider asking for advice on the #hackers-new channel on Discord.
Note: The Flutter team is currently trialing the use of Gemini Code Assist for GitHub. Comments from the
gemini-code-assistbot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed.