Skip to content

Latest commit

 

History

History
82 lines (62 loc) · 6.16 KB

mitigations.md

File metadata and controls

82 lines (62 loc) · 6.16 KB

Mitigation Strategies Analysis for baseflow/photoview

Mitigation Strategy: Strict Image Source Validation

  • Description:

    1. Define Allowed Sources: Create a configuration file or a hardcoded list that explicitly defines the allowed image sources (domains, URL prefixes, or very restricted local paths).
    2. URL Parsing: Before passing any URL to photoview, use a robust URL parsing library to decompose the URL.
    3. Scheme Check: Verify the URL scheme is https:// (or file:// only if absolutely necessary and with further, stringent restrictions). Reject other schemes.
    4. Host/Domain Check: Compare the parsed host (domain) against the whitelist. Reject if not in the whitelist.
    5. Path Traversal Prevention: Examine the parsed path. Ensure it does not contain ../ or ..\. Normalize the path.
    6. Query Parameter Validation: Validate each query parameter's name and value against expected formats.
    7. Content-Type Header Check (Post-Fetch): After fetching the image data (but before passing it to photoview), check the Content-Type header. Ensure it's an expected image MIME type.

  • Threats Mitigated:

    • Image Source Manipulation (Severity: High): Prevents photoview from displaying images from malicious sources. This is the core threat.
    • Remote Code Execution (RCE) (Severity: Critical): If a vulnerability exists in the underlying image decoding library, this prevents photoview from being used to deliver the exploit.
    • Information Disclosure (Severity: Medium): Prevents photoview from loading and displaying unintended local files.

  • Impact:

    • Image Source Manipulation: Risk significantly reduced (almost eliminated with a well-maintained whitelist).
    • RCE: Risk significantly reduced (prevents exploit delivery to photoview).
    • Information Disclosure: Risk significantly reduced.

  • Currently Implemented:

    • Basic scheme and domain checks in ImageLoader.kt.

  • Missing Implementation:

    • Full whitelist, path traversal prevention, query parameter validation, Content-Type check, robust URL parsing.

Mitigation Strategy: Image Size and Resource Limits

  • Description:

    1. Define Maximum Dimensions: Set maximum width and height limits (e.g., MAX_IMAGE_WIDTH, MAX_IMAGE_HEIGHT).
    2. Define Maximum File Size: Set a maximum file size limit (e.g., MAX_IMAGE_SIZE).
    3. Pre-Check Dimensions/Size (If Possible): If image metadata is available before downloading, check against the limits. Reject if exceeded.
    4. In-Memory Check (If Pre-Check Not Possible): Load the image in a way that lets you check dimensions without fully decoding (e.g., BitmapFactory.Options.inJustDecodeBounds = true in Android). Reject if exceeded.
    5. Timeout: Implement a timeout for image loading. Abort if it takes too long.
    6. Progressive Loading (If Supported): If the underlying image loading mechanism (used by photoview) supports it, enable progressive loading.

    Crucially, steps 3, 4, and 6 are about preventing the data from even reaching photoview's full processing if it's already known to be problematic.

  • Threats Mitigated:

    • Denial of Service (DoS) via Large Images (Severity: Medium): Prevents photoview from attempting to process images that could crash the app.
    • Resource Exhaustion (Severity: Medium): Protects device resources.

  • Impact:

    • DoS: Risk significantly reduced.
    • Resource Exhaustion: Risk significantly reduced.

  • Currently Implemented:

    • Basic timeout in ImageLoader.kt.

  • Missing Implementation:

    • Maximum dimension/file size checks, pre-checks, progressive loading utilization.

Mitigation Strategy: Secure Input to photoview's API

  • Description:

    1. Understand photoview's API: Thoroughly review the photoview library's API documentation. Identify all methods that accept input (e.g., URLs, file paths, byte arrays, input streams).
    2. Validate All Input: Before calling any photoview API method, rigorously validate all input parameters. This includes:
      • URLs/File Paths: Apply the "Strict Image Source Validation" strategy described above.
      • Byte Arrays/Input Streams: If you're providing image data directly (not via a URL), ensure the data originates from a trusted source and has been validated (e.g., Content-Type, size limits). Never pass unvalidated user-provided data directly to photoview.
      • Other Parameters: Check any other parameters (e.g., configuration options) for expected types and values.
    3. Error Handling: Implement robust error handling for all photoview API calls. Handle potential exceptions gracefully (e.g., IOException, IllegalArgumentException). Do not allow the application to crash or leak sensitive information due to unexpected errors. Log errors securely.

  • Threats Mitigated:

    • Image Source Manipulation (Severity: High): Ensures that only validated data is ever passed to photoview.
    • Remote Code Execution (RCE) (Severity: Critical): Prevents attacker-controlled data from reaching potentially vulnerable image decoding routines via photoview.
    • Denial of Service (DoS) (Severity: Medium): Prevents malformed or excessively large data from being processed by photoview.
    • Information Disclosure (Severity: Medium): Prevents photoview from accessing or displaying unintended data.

  • Impact:

    • All Threats: Risk significantly reduced by ensuring that photoview only receives validated, expected input.

  • Currently Implemented:

    • Basic URL validation (scheme and domain) before calling photoview.setImageURI().

  • Missing Implementation:

    • Comprehensive input validation for all photoview API methods.
    • Robust error handling for all photoview interactions.
    • Validation of byte arrays/input streams (if used).