-
-
Notifications
You must be signed in to change notification settings - Fork 142
Expand file tree
/
Copy pathDevFlags.cpp
More file actions
141 lines (121 loc) · 4.18 KB
/
DevFlags.cpp
File metadata and controls
141 lines (121 loc) · 4.18 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
// DevFlags.cpp
#include "DevFlags.h"
#include "JEnv.h"
#include <atomic>
#include <mutex>
#include <vector>
#include <string>
namespace tns {
bool IsScriptLoadingLogEnabled() {
static std::atomic<int> cached{-1}; // -1 unknown, 0 false, 1 true
int v = cached.load(std::memory_order_acquire);
if (v != -1) {
return v == 1;
}
static std::once_flag initFlag;
std::call_once(initFlag, []() {
bool enabled = false;
try {
JEnv env;
jclass runtimeClass = env.FindClass("com/tns/Runtime");
if (runtimeClass != nullptr) {
jmethodID mid = env.GetStaticMethodID(runtimeClass, "getLogScriptLoadingEnabled", "()Z");
if (mid != nullptr) {
jboolean res = env.CallStaticBooleanMethod(runtimeClass, mid);
enabled = (res == JNI_TRUE);
}
}
} catch (...) {
// keep default false
}
cached.store(enabled ? 1 : 0, std::memory_order_release);
});
return cached.load(std::memory_order_acquire) == 1;
}
// Security config
static std::once_flag s_securityConfigInitFlag;
static bool s_allowRemoteModules = false;
static std::vector<std::string> s_remoteModuleAllowlist;
static bool s_isDebuggable = false;
// Helper to check if a URL starts with a given prefix
static bool UrlStartsWith(const std::string& url, const std::string& prefix) {
if (prefix.size() > url.size()) return false;
return url.compare(0, prefix.size(), prefix) == 0;
}
void InitializeSecurityConfig() {
std::call_once(s_securityConfigInitFlag, []() {
try {
JEnv env;
jclass runtimeClass = env.FindClass("com/tns/Runtime");
if (runtimeClass == nullptr) {
return;
}
// Check isDebuggable first
jmethodID isDebuggableMid = env.GetStaticMethodID(runtimeClass, "isDebuggable", "()Z");
if (isDebuggableMid != nullptr) {
jboolean res = env.CallStaticBooleanMethod(runtimeClass, isDebuggableMid);
s_isDebuggable = (res == JNI_TRUE);
}
// If debuggable, we don't need to check further - always allow
if (s_isDebuggable) {
s_allowRemoteModules = true;
return;
}
// Check isRemoteModulesAllowed
jmethodID allowRemoteMid = env.GetStaticMethodID(runtimeClass, "isRemoteModulesAllowed", "()Z");
if (allowRemoteMid != nullptr) {
jboolean res = env.CallStaticBooleanMethod(runtimeClass, allowRemoteMid);
s_allowRemoteModules = (res == JNI_TRUE);
}
// Get the allowlist
jmethodID getAllowlistMid = env.GetStaticMethodID(runtimeClass, "getRemoteModuleAllowlist", "()[Ljava/lang/String;");
if (getAllowlistMid != nullptr) {
jobjectArray allowlistArray = (jobjectArray)env.CallStaticObjectMethod(runtimeClass, getAllowlistMid);
if (allowlistArray != nullptr) {
jsize len = env.GetArrayLength(allowlistArray);
for (jsize i = 0; i < len; i++) {
jstring jstr = (jstring)env.GetObjectArrayElement(allowlistArray, i);
if (jstr != nullptr) {
const char* str = env.GetStringUTFChars(jstr, nullptr);
if (str != nullptr) {
s_remoteModuleAllowlist.push_back(std::string(str));
env.ReleaseStringUTFChars(jstr, str);
}
env.DeleteLocalRef(jstr);
}
}
env.DeleteLocalRef(allowlistArray);
}
}
} catch (...) {
// Keep defaults (remote modules disabled)
}
});
}
bool IsRemoteModulesAllowed() {
InitializeSecurityConfig();
return s_allowRemoteModules || s_isDebuggable;
}
bool IsRemoteUrlAllowed(const std::string& url) {
InitializeSecurityConfig();
// Debug mode always allows all URLs
if (s_isDebuggable) {
return true;
}
// Production: first check if remote modules are allowed at all
if (!s_allowRemoteModules) {
return false;
}
// If no allowlist is configured, allow all URLs (user explicitly enabled remote modules)
if (s_remoteModuleAllowlist.empty()) {
return true;
}
// Check if URL matches any allowlist prefix
for (const std::string& prefix : s_remoteModuleAllowlist) {
if (UrlStartsWith(url, prefix)) {
return true;
}
}
return false;
}
} // namespace tns