Add intent verification to BroadcastReceiver classes

Update onReceive methods to check for correct action before proceeding. This prevents potential risk of third-party applications to send explicit intents to this receiver to cause a denial of service.
OneSignal · Nov 7, 2023 · 48eb818 · 48eb818
1 parent ae8991b
commit 48eb818
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/...ignal/notifications/src/main/java/com/onesignal/notifications/receivers/BootUpReceiver.kt b/...ignal/notifications/src/main/java/com/onesignal/notifications/receivers/BootUpReceiver.kt
@@ -37,6 +37,10 @@ class BootUpReceiver : BroadcastReceiver() {
         context: Context,
         intent: Intent,
     ) {
+        // Return early if the action does not match expected action
+        if (intent.action != Intent.ACTION_BOOT_COMPLETED) {
+            return
+        }
         if (!OneSignal.initWithContext(context)) {
             return
         }

diff --git a/...gnal/notifications/src/main/java/com/onesignal/notifications/receivers/UpgradeReceiver.kt b/...gnal/notifications/src/main/java/com/onesignal/notifications/receivers/UpgradeReceiver.kt
@@ -41,6 +41,10 @@ class UpgradeReceiver : BroadcastReceiver() {
         // TODO: Now that we arent restoring like we use to, think we can remove this? Ill do some
         //  testing and look at the issue but maybe someone has a answer or rems what directly
         //  was causing this issue
+        // Return early if the action does not match expected action
+        if (intent.action != Intent.ACTION_MY_PACKAGE_REPLACED) {
+            return
+        }
         // Return early if using Android 7.0 due to upgrade restore crash (#263)
         if (Build.VERSION.SDK_INT == Build.VERSION_CODES.N) {
             return