[shared_preferences] Limit Android decoding (#8187)

When decoding stored preferences for `List<String>` support, only allow lists and strings to avoid potentially instantiating other object types.

Author: stuartmorgan-g

packages/shared_preferences/shared_preferences_android/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 2.3.4
+
+* Restrict types when decoding preferences.
+
 ## 2.3.3
 
 * Updates Java compatibility version to 11.

packages/shared_preferences/shared_preferences_android/android/src/main/java/io/flutter/plugins/sharedpreferences/LegacySharedPreferencesPlugin.java

@@ -197,7 +197,7 @@ static class ListEncoder implements SharedPreferencesListEncoder {
     public @NonNull List<String> decode(@NonNull String listString) throws RuntimeException {
       try {
         ObjectInputStream stream =
-            new ObjectInputStream(new ByteArrayInputStream(Base64.decode(listString, 0)));
+            new StringListObjectInputStream(new ByteArrayInputStream(Base64.decode(listString, 0)));
         return (List<String>) stream.readObject();
       } catch (IOException | ClassNotFoundException e) {
         throw new RuntimeException(e);

packages/shared_preferences/shared_preferences_android/android/src/main/kotlin/io/flutter/plugins/sharedpreferences/SharedPreferencesPlugin.kt

@@ -20,7 +20,6 @@ import io.flutter.embedding.engine.plugins.FlutterPlugin
 import io.flutter.plugin.common.BinaryMessenger
 import java.io.ByteArrayInputStream
 import java.io.ByteArrayOutputStream
-import java.io.ObjectInputStream
 import java.io.ObjectOutputStream
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.firstOrNull
@@ -250,25 +249,17 @@ class SharedPreferencesPlugin() : FlutterPlugin, SharedPreferencesAsyncApi {
   /** Class that provides tools for encoding and decoding List<String> to String and back. */
   class ListEncoder : SharedPreferencesListEncoder {
     override fun encode(list: List<String>): String {
-      try {
-        val byteStream = ByteArrayOutputStream()
-        val stream = ObjectOutputStream(byteStream)
-        stream.writeObject(list)
-        stream.flush()
-        return Base64.encodeToString(byteStream.toByteArray(), 0)
-      } catch (e: RuntimeException) {
-        throw RuntimeException(e)
-      }
+      val byteStream = ByteArrayOutputStream()
+      val stream = ObjectOutputStream(byteStream)
+      stream.writeObject(list)
+      stream.flush()
+      return Base64.encodeToString(byteStream.toByteArray(), 0)
     }
 
     override fun decode(listString: String): List<String> {
-      try {
-        val byteArray = Base64.decode(listString, 0)
-        val stream = ObjectInputStream(ByteArrayInputStream(byteArray))
-        return (stream.readObject() as List<*>).filterIsInstance<String>()
-      } catch (e: RuntimeException) {
-        throw RuntimeException(e)
-      }
+      val byteArray = Base64.decode(listString, 0)
+      val stream = StringListObjectInputStream(ByteArrayInputStream(byteArray))
+      return (stream.readObject() as List<*>).filterIsInstance<String>()
     }
   }
 }

packages/shared_preferences/shared_preferences_android/android/src/main/kotlin/io/flutter/plugins/sharedpreferences/StringListObjectInputStream.kt

@@ -0,0 +1,31 @@
+// Copyright 2013 The Flutter Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+package io.flutter.plugins.sharedpreferences
+
+import java.io.IOException
+import java.io.InputStream
+import java.io.ObjectInputStream
+import java.io.ObjectStreamClass
+
+/**
+ * An ObjectInputStream that only allows string lists, to prevent injected prefs from instantiating
+ * arbitrary objects.
+ */
+class StringListObjectInputStream(input: InputStream) : ObjectInputStream(input) {
+  @Throws(ClassNotFoundException::class, IOException::class)
+  override fun resolveClass(desc: ObjectStreamClass?): Class<*>? {
+    val allowList =
+        setOf(
+            "java.util.Arrays\$ArrayList",
+            "java.util.ArrayList",
+            "java.lang.String",
+            "[Ljava.lang.String;")
+    val name = desc?.name
+    if (name != null && !allowList.contains(name)) {
+      throw ClassNotFoundException(desc.name)
+    }
+    return super.resolveClass(desc)
+  }
+}

packages/shared_preferences/shared_preferences_android/android/src/test/kotlin/io/flutter/plugins/sharedpreferences/SharedPreferencesTest.kt

@@ -5,13 +5,17 @@
 package io.flutter.plugins.sharedpreferences
 
 import android.content.Context
+import android.util.Base64
 import androidx.test.core.app.ApplicationProvider
 import androidx.test.ext.junit.runners.AndroidJUnit4
 import io.flutter.embedding.engine.plugins.FlutterPlugin
 import io.flutter.plugin.common.BinaryMessenger
 import io.mockk.every
 import io.mockk.mockk
+import java.io.ByteArrayOutputStream
+import java.io.ObjectOutputStream
 import org.junit.Assert
+import org.junit.Assert.assertThrows
 import org.junit.Test
 import org.junit.runner.RunWith
 
@@ -48,6 +52,7 @@ internal class SharedPreferencesTest {
     every { flutterPluginBinding.binaryMessenger } returns binaryMessenger
     every { flutterPluginBinding.applicationContext } returns testContext
     plugin.onAttachedToEngine(flutterPluginBinding)
+    plugin.clear(null, emptyOptions)
     return plugin
   }
 
@@ -171,4 +176,24 @@ internal class SharedPreferencesTest {
     Assert.assertNull(all[doubleKey])
     Assert.assertNull(all[listKey])
   }
+
+  @Test
+  fun testUnexpectedClassDecodeThrows() {
+    // Only String should be allowed in an encoded list.
+    val badList = listOf(1, 2, 3)
+    // Replicate the behavior of ListEncoder.encode, but with a non-List<String> list.
+    val byteStream = ByteArrayOutputStream()
+    val stream = ObjectOutputStream(byteStream)
+    stream.writeObject(badList)
+    stream.flush()
+    val badPref = LIST_PREFIX + Base64.encodeToString(byteStream.toByteArray(), 0)
+
+    val plugin = pluginSetup()
+    val badListKey = "badList"
+    // Inject the bad pref as a string, as that is how string lists are stored internally.
+    plugin.setString(badListKey, badPref, emptyOptions)
+    assertThrows(ClassNotFoundException::class.java) {
+      plugin.getStringList(badListKey, emptyOptions)
+    }
+  }
 }

packages/shared_preferences/shared_preferences_android/pubspec.yaml

@@ -2,7 +2,7 @@ name: shared_preferences_android
 description: Android implementation of the shared_preferences plugin
 repository: https://github.com/flutter/packages/tree/main/packages/shared_preferences/shared_preferences_android
 issue_tracker: https://github.com/flutter/flutter/issues?q=is%3Aissue+is%3Aopen+label%3A%22p%3A+shared_preferences%22
-version: 2.3.3
+version: 2.3.4
 
 environment:
   sdk: ^3.5.0