Skip to content

Navigation: deeplink start location vulnerability fix #352

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mbarta merged 3 commits into from
Nov 11, 2025
Merged

Navigation: deeplink start location vulnerability fix #352

mbarta merged 3 commits into from
Nov 11, 2025

Conversation

@mbarta
Copy link
Contributor

@mbarta mbarta commented Nov 10, 2025

This is a back-port of a vulnerability fix from HotwireNative library: hotwired/hotwire-native-android#154

When the navigation graph is created, the Navigation library checks for deep link attributes inside of the Intent's extras. This can be potentially abused to navigate to a location inside of a HotwireWebFragment which is not app's owned domain.

Similar documented case: https://swarm.ptsecurity.com/android-jetpack-navigation-deep-links-handling-exploitation/

The fix is a simple check during navigation graph initialisation which ensures that the host of the deep link start location is the same as host of the NavHost start location set in the Hotwire Native config. If the hosts don't match, navigation to the deep link location is not allowed and is replaced with the start location from config.

@mbarta mbarta requested review from jayohms and jhutarek November 10, 2025 14:04
@mbarta mbarta self-assigned this Nov 10, 2025
@mbarta mbarta changed the title Mb/start location vulnerability fix Navigation: deeplink start location vulnerability fix Nov 10, 2025
mbarta
mbarta commented Nov 10, 2025
View reviewed changes
turbo/build.gradle.kts
testImplementation("org.assertj:assertj-core:3.24.2")
testImplementation("org.robolectric:robolectric:4.9.2")
testImplementation("org.mockito:mockito-core:5.2.0")
testImplementation("org.robolectric:robolectric:4.10.3")
Copy link
Contributor Author

@mbarta mbarta Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Had to update test libraries for compatibility with Java 21+

jayohms
jayohms approved these changes Nov 10, 2025
View reviewed changes
Copy link
Collaborator

@jayohms jayohms left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @mbarta!

@mbarta mbarta merged commit 855b838 into main Nov 11, 2025
1 check passed
@mbarta mbarta deleted the mb/start_location_vulnerability_fix branch November 11, 2025 09:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jayohms jayohms jayohms approved these changes

@jhutarek jhutarek Awaiting requested review from jhutarek

Assignees

@mbarta mbarta

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mbarta @jayohms