Merge pull request #256 from razorpay/b/intent_redirection_vulnerability

Check if activity is trusted to avoid Intent Redirection Vulnerability
razorpay · Jul 25, 2022 · 138c5d8 · 138c5d8
2 parents ec5f44b + 210d488
commit 138c5d8
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 14 deletions.
diff --git a/android/src/main/java/com/razorpay/razorpay_flutter/RazorpayDelegate.java b/android/src/main/java/com/razorpay/razorpay_flutter/RazorpayDelegate.java
@@ -2,6 +2,7 @@
 
 import android.app.Activity;
 import android.content.Intent;
+import android.util.Log;
 
 import com.razorpay.Checkout;
 import com.razorpay.CheckoutActivity;
@@ -36,23 +37,31 @@ public class RazorpayDelegate implements ActivityResultListener, ExternalWalletL
     private static final int TLS_ERROR = 3;
     private static final int INCOMPATIBLE_PLUGIN = 3;
     private static final int UNKNOWN_ERROR = 100;
-
+    private String packageName;
 
     public RazorpayDelegate(Activity activity) {
         this.activity = activity;
     }
 
+    void setPackageName(String packageName){
+        this.packageName = packageName;
+        Log.d("PackageName", packageName);
+    }
+
     void openCheckout(Map<String, Object> arguments, Result result) {
 
         this.pendingResult = result;
 
         JSONObject options = new JSONObject(arguments);
+        if (activity.getPackageName().equalsIgnoreCase(packageName)){
+            Log.d("PAYMENT", activity.getPackageName()+";;;"+packageName);
+            Intent intent = new Intent(activity, CheckoutActivity.class);
+            intent.putExtra("OPTIONS", options.toString());
+            intent.putExtra("FRAMEWORK", "flutter");
 
-        Intent intent = new Intent(activity, CheckoutActivity.class);
-        intent.putExtra("OPTIONS", options.toString());
-        intent.putExtra("FRAMEWORK", "flutter");
+            activity.startActivityForResult(intent, Checkout.RZP_REQUEST_CODE);
+        }
 
-        activity.startActivityForResult(intent, Checkout.RZP_REQUEST_CODE);
 
     }
 

diff --git a/android/src/main/java/com/razorpay/razorpay_flutter/RazorpayFlutterPlugin.java b/android/src/main/java/com/razorpay/razorpay_flutter/RazorpayFlutterPlugin.java
@@ -67,6 +67,10 @@ public void onMethodCall(MethodCall call, Result result) {
                 razorpayDelegate.openCheckout((Map<String, Object>) call.arguments, result);
                 break;
 
+            case "setPackageName":
+                razorpayDelegate.setPackageName((String)call.arguments);
+                break;
+
             case "resync":
                 razorpayDelegate.resync(result);
                 break;

diff --git a/example/android/build.gradle b/example/android/build.gradle
@@ -5,7 +5,7 @@ buildscript {
     }
 
     dependencies {
-        classpath 'com.android.tools.build:gradle:3.3.1'
+        classpath 'com.android.tools.build:gradle:4.1.0'
     }
 }
 

diff --git a/example/android/gradle.properties b/example/android/gradle.properties
@@ -1,2 +1,3 @@
 org.gradle.jvmargs=-Xmx1536M
 android.enableR8=true
+android.useAndroidX=true
diff --git a/example/android/gradle/wrapper/gradle-wrapper.properties b/example/android/gradle/wrapper/gradle-wrapper.properties
@@ -3,4 +3,4 @@ distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-4.10.2-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.7-all.zip
diff --git a/example/ios/Flutter/flutter_export_environment.sh b/example/ios/Flutter/flutter_export_environment.sh
@@ -1,14 +1,13 @@
 #!/bin/sh
 # This is a generated file; do not edit or check into version control.
-export "FLUTTER_ROOT=/Users/ramprasad.a/Developer/flutter"
-export "FLUTTER_APPLICATION_PATH=/Users/ramprasad.a/Documents/RamprasadA/project/razorpay-flutter/example"
+export "FLUTTER_ROOT=/Users/vivek.shindhe/Downloads/flutter"
+export "FLUTTER_APPLICATION_PATH=/Users/vivek.shindhe/Projects/razorpay/flutter/razorpay-flutter/example"
 export "COCOAPODS_PARALLEL_CODE_SIGN=true"
-export "FLUTTER_TARGET=/Users/ramprasad.a/Documents/RamprasadA/project/razorpay-flutter/example/lib/main.dart"
+export "FLUTTER_TARGET=lib/main.dart"
 export "FLUTTER_BUILD_DIR=build"
 export "FLUTTER_BUILD_NAME=1.2.6"
 export "FLUTTER_BUILD_NUMBER=1.2.6"
-export "DART_DEFINES=Zmx1dHRlci5pbnNwZWN0b3Iuc3RydWN0dXJlZEVycm9ycz10cnVl,RkxVVFRFUl9XRUJfQVVUT19ERVRFQ1Q9dHJ1ZQ=="
 export "DART_OBFUSCATION=false"
-export "TRACK_WIDGET_CREATION=true"
+export "TRACK_WIDGET_CREATION=false"
 export "TREE_SHAKE_ICONS=false"
-export "PACKAGE_CONFIG=/Users/ramprasad.a/Documents/RamprasadA/project/razorpay-flutter/example/.dart_tool/package_config.json"
+export "PACKAGE_CONFIG=.dart_tool/package_config.json"
diff --git a/lib/razorpay_flutter.dart b/lib/razorpay_flutter.dart
@@ -1,6 +1,7 @@
 import 'package:flutter/services.dart';
-
 import 'package:eventify/eventify.dart';
+import 'package:package_info_plus/package_info_plus.dart';
+import 'dart:io' show Platform;
 
 class Razorpay {
   // Response codes from platform
@@ -44,6 +45,11 @@ class Razorpay {
       });
       return;
     }
+    PackageInfo packageInfo = await PackageInfo.fromPlatform();
+    if(Platform.isAndroid){
+      print(packageInfo.packageName);
+      _channel.invokeMethod('setPackageName', packageInfo.packageName);
+    }
 
     var response = await _channel.invokeMethod('open', options);
     _handleResult(response);

diff --git a/pubspec.yaml b/pubspec.yaml
@@ -12,6 +12,7 @@ dependencies:
     sdk: flutter
   eventify: ^1.0.0
   fluttertoast: ^8.0.7
+  package_info_plus: ^1.4.3
 
 dev_dependencies:
   flutter_test:
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,7 +5,7 @@ buildscript { @@
         }
         dependencies {
-            classpath 'com.android.tools.build:gradle:3.3.1'
+            classpath 'com.android.tools.build:gradle:4.1.0'
         }
     }
@@ Expand Down @@