INTENG-22685 - Integration validator protected endpoint bugfix #1269

Open
wants to merge 4 commits into
base: master
Expand Up @@ -54,9 +54,10 @@ void setupRetryEditText() {
void setupApiUrlText() {
final EditText apiUrlText = findViewById(R.id.api_url_text);
final PrefHelper prefHelper = PrefHelper.getInstance(this);
String currentApiUrl = prefHelper.getAPIBaseUrl();

apiUrlText.setText(currentApiUrl);
String currentApiUrl = prefHelper.getAPIBaseUrl(true);
if (currentApiUrl != null) {
apiUrlText.setText(currentApiUrl);
}

apiUrlText.setOnEditorActionListener((textView, i, keyEvent) -> {
if (i == EditorInfo.IME_ACTION_DONE) {
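
Review bot: The `if (currentApiUrl != null)` guard added around `apiUrlText.setText(currentApiUrl)` implies that `getAPIBaseUrl(true)` can return null, but the other call sites changed in this PR concatenate its result directly with a request path. Either document in `PrefHelper` that the method never returns null and drop the guard, or handle null at those call sites as well, so the contract is stated in one place.
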
2 changes: 1 addition & 1 deletion Branch-SDK/src/main/java/io/branch/referral/Branch.java
Expand Up @@ -1793,7 +1793,7 @@ public interface LogoutStatusListener {
private class GetShortLinkTask extends AsyncTask<ServerRequest, Void, ServerResponse> {
@Override protected ServerResponse doInBackground(ServerRequest... serverRequests) {
return branchRemoteInterface_.make_restful_post(serverRequests[0].getPost(),
prefHelper_.getAPIBaseUrl() + Defines.RequestPath.GetURL.getPath(),
prefHelper_.getAPIBaseUrl(true) + Defines.RequestPath.GetURL.getPath(),
Defines.RequestPath.GetURL.getPath(), prefHelper_.getBranchKey());
}
}
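
Review bot: The bare `true` in `prefHelper_.getAPIBaseUrl(true)` tells the reader nothing at the call site about which URL is being selected. Keeping a no-argument `getAPIBaseUrl()` for the existing custom-or-default behaviour and giving the validator request a separately named default-only accessor would read better and make it harder to pass the wrong flag by accident.
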
4 changes: 2 additions & 2 deletions Branch-SDK/src/main/java/io/branch/referral/PrefHelper.java
Expand Up @@ -239,8 +239,8 @@ static void setAPIUrl(String url) {
* @return A {@link String} variable containing the hard-coded base URL that the Branch
* API uses.
*/
public String getAPIBaseUrl() {
if (URLUtil.isHttpsUrl(customServerURL_)) {
public String getAPIBaseUrl(boolean useCustom) {
if (useCustom && URLUtil.isHttpsUrl(customServerURL_)) {
Comment on lines +242 to +243
Contributor

🛠️ Code Refactor

Issue: The URL validation is only checking if the URL starts with https, but not validating if it's a properly formatted URL.
Fix: Use additional URL validation to ensure the custom URL is properly formatted.
Impact: Prevents potential issues with malformed URLs that happen to start with https.

Suggested change
public String getAPIBaseUrl(boolean useCustom) {
if (useCustom && URLUtil.isHttpsUrl(customServerURL_)) {
public String getAPIBaseUrl(boolean useCustom) {
if (useCustom && !TextUtils.isEmpty(customServerURL_) && URLUtil.isHttpsUrl(customServerURL_)) {

Contributor Author

Omitting this change since that is something outside of this PR (pre-existing code not related to the change)

return customServerURL_;
}
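
Review bot: The Javadoc above `getAPIBaseUrl(boolean useCustom)` still describes the return value as the hard-coded base URL and has no `@param useCustom` entry, although the method returns `customServerURL_` when the flag is true and the value passes `URLUtil.isHttpsUrl`. Please document the parameter and both return cases. Replacing the public no-argument `getAPIBaseUrl()` also breaks any caller outside this diff; keeping it as an overload that delegates to `getAPIBaseUrl(true)` would preserve the old behaviour.
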

Expand Up @@ -252,7 +252,7 @@ public final String getRequestPath() {
* @return A url for executing this request against the server.
*/
public String getRequestUrl() {
return prefHelper_.getAPIBaseUrl() + requestPath_.getPath();
return prefHelper_.getAPIBaseUrl(true) + requestPath_.getPath();
}

/**
Expand Up @@ -43,7 +43,8 @@ public boolean isGetRequest() {

@Override
public String getRequestUrl() {
return prefHelper_.getAPIBaseUrl() + getRequestPath() + "/" + prefHelper_.getBranchKey();
// Always use default URL for app config validation endpoint for security reasons
return prefHelper_.getAPIBaseUrl(false) + getRequestPath() + "/" + prefHelper_.getBranchKey();
}

@Override
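
Review bot: The new comment on `getRequestUrl()` says "for security reasons" without naming the risk, so a later reader cannot tell whether `getAPIBaseUrl(false)` is safe to change back. State what pinning this request to the default URL protects, and add a test that sets a custom URL through `setAPIUrl` and asserts that this request still resolves to the default base URL.
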