Improve download security and refine rate limit parsing

- Enhanced file name sanitization in `AndroidDownloader` and `DesktopDownloader` to strip URL query parameters/fragments and prevent path traversal.
- Updated `AndroidDownloader` and `DesktopDownloader` to use `response.use { ... }` blocks for better resource management.
- Refactored `RateLimitInterceptor` to provide more detailed error logging for malformed rate limit headers.
- Simplified `Authenticator` calls in `HttpClientFactory.android.kt` by using explicit imports.
- Ensured `Authenticator.setDefault(null)` is called when building OkHttpClient to avoid credential leaks.

Author: rainxchzed

core/data/src/androidMain/kotlin/zed/rainxch/core/data/network/HttpClientFactory.android.kt

@@ -6,11 +6,12 @@ import java.net.InetSocketAddress
 import java.net.Proxy
 import okhttp3.Credentials
 import zed.rainxch.core.domain.model.ProxyConfig
+import java.net.Authenticator
 import java.net.PasswordAuthentication
 import java.net.ProxySelector
 
 actual fun createPlatformHttpClient(proxyConfig: ProxyConfig): HttpClient {
-    java.net.Authenticator.setDefault(null)
+    Authenticator.setDefault(null)
 
     return HttpClient(OkHttp) {
         engine {
@@ -54,7 +55,7 @@ actual fun createPlatformHttpClient(proxyConfig: ProxyConfig): HttpClient {
                     )
 
                     if (proxyConfig.username != null) {
-                        java.net.Authenticator.setDefault(object : java.net.Authenticator() {
+                        Authenticator.setDefault(object : Authenticator() {
                             override fun getPasswordAuthentication(): PasswordAuthentication? {
                                 if (requestingHost == proxyConfig.host &&
                                     requestingPort == proxyConfig.port

core/data/src/androidMain/kotlin/zed/rainxch/core/data/services/AndroidDownloader.kt

@@ -30,20 +30,26 @@ class AndroidDownloader(
     private val activeDownloads = ConcurrentHashMap<String, Call>()
 
     private fun buildClient(): OkHttpClient {
+        Authenticator.setDefault(null)
+
         return OkHttpClient.Builder().apply {
             when (val config = proxyManager.currentProxyConfig.value) {
                 is ProxyConfig.None -> proxy(Proxy.NO_PROXY)
-                is ProxyConfig.System -> { }
+                is ProxyConfig.System -> {}
                 is ProxyConfig.Http -> {
                     proxy(Proxy(Proxy.Type.HTTP, InetSocketAddress(config.host, config.port)))
                     if (config.username != null && config.password != null) {
                         proxyAuthenticator { _, response ->
                             response.request.newBuilder()
-                                .header("Proxy-Authorization", Credentials.basic(config.username!!, config.password!!))
+                                .header(
+                                    "Proxy-Authorization",
+                                    Credentials.basic(config.username!!, config.password!!)
+                                )
                                 .build()
                         }
                     }
                 }
+
                 is ProxyConfig.Socks -> {
                     proxy(Proxy(Proxy.Type.SOCKS, InetSocketAddress(config.host, config.port)))
                     if (config.username != null && config.password != null) {
@@ -67,8 +73,13 @@ class AndroidDownloader(
         val dir = File(dirPath)
         if (!dir.exists()) dir.mkdirs()
 
-        val safeName = (suggestedFileName?.takeIf { it.isNotBlank() }
-            ?: url.substringAfterLast('/').ifBlank { "asset-${UUID.randomUUID()}.apk" })
+        val rawName = suggestedFileName?.takeIf { it.isNotBlank() }
+            ?: url.substringAfterLast('/').substringBefore('?').substringBefore('#')
+                .ifBlank { "asset-${UUID.randomUUID()}.apk" }
+        val safeName = rawName.substringAfterLast('/').substringAfterLast('\\')
+        require(safeName.isNotBlank() && safeName != "." && safeName != "..") {
+            "Invalid file name: $rawName"
+        }
 
         val destination = File(dir, safeName)
 
@@ -87,37 +98,41 @@ class AndroidDownloader(
         activeDownloads[safeName] = call
 
         try {
-            val response = call.execute()
-            if (!response.isSuccessful) {
-                throw kotlinx.io.IOException("Unexpected code ${response.code}")
-            }
+            call.execute().use { response ->
+                if (!response.isSuccessful) {
+                    throw kotlinx.io.IOException("Unexpected code ${response.code}")
+                }
 
-            val body = response.body
-            val contentLength = body.contentLength()
-            val total = if (contentLength > 0) contentLength else null
-
-            body.byteStream().use { input ->
-                destination.outputStream().use { output ->
-                    val buffer = ByteArray(8192)
-                    var downloaded: Long = 0
-                    var bytesRead: Int
-                    while (input.read(buffer).also { bytesRead = it } != -1) {
-                        output.write(buffer, 0, bytesRead)
-                        downloaded += bytesRead
-                        val percent = if (total != null) ((downloaded * 100L) / total).toInt() else null
-                        emit(DownloadProgress(downloaded, total, percent))
+                val body = response.body
+                val contentLength = body.contentLength()
+                val total = if (contentLength > 0) contentLength else null
+
+                body.byteStream().use { input ->
+                    destination.outputStream().use { output ->
+                        val buffer = ByteArray(8192)
+                        var downloaded: Long = 0
+                        var bytesRead: Int
+                        while (input.read(buffer).also { bytesRead = it } != -1) {
+                            output.write(buffer, 0, bytesRead)
+                            downloaded += bytesRead
+                            val percent =
+                                if (total != null) ((downloaded * 100L) / total).toInt() else null
+                            emit(DownloadProgress(downloaded, total, percent))
+                        }
                     }
                 }
-            }
 
-            if (destination.exists() && destination.length() > 0) {
-                Logger.d { "Download complete: ${destination.absolutePath}" }
-                val finalDownloaded = destination.length()
-                val finalPercent = if (total != null) ((finalDownloaded * 100L) / total).toInt() else 100
-                emit(DownloadProgress(finalDownloaded, total, finalPercent))
-            } else {
-                throw IllegalStateException("File not ready after download: ${destination.absolutePath}")
+                if (destination.exists() && destination.length() > 0) {
+                    Logger.d { "Download complete: ${destination.absolutePath}" }
+                    val finalDownloaded = destination.length()
+                    val finalPercent =
+                        if (total != null) ((finalDownloaded * 100L) / total).toInt() else 100
+                    emit(DownloadProgress(finalDownloaded, total, finalPercent))
+                } else {
+                    throw IllegalStateException("File not ready after download: ${destination.absolutePath}")
+                }
             }
+
         } catch (e: Exception) {
             destination.delete()
             Logger.e(e) { "Download failed" }
@@ -129,8 +144,13 @@ class AndroidDownloader(
 
     override suspend fun saveToFile(url: String, suggestedFileName: String?): String =
         withContext(Dispatchers.IO) {
-            val safeName = (suggestedFileName?.takeIf { it.isNotBlank() }
-                ?: url.substringAfterLast('/').ifBlank { "asset-${UUID.randomUUID()}.apk" })
+            val rawName = suggestedFileName?.takeIf { it.isNotBlank() }
+                ?: url.substringAfterLast('/').substringBefore('?').substringBefore('#')
+                    .ifBlank { "asset-${UUID.randomUUID()}.apk" }
+            val safeName = rawName.substringAfterLast('/').substringAfterLast('\\')
+            require(safeName.isNotBlank() && safeName != "." && safeName != "..") {
+                "Invalid file name: $rawName"
+            }
 
             val file = File(files.appDownloadsDir(), safeName)
 

core/data/src/commonMain/kotlin/zed/rainxch/core/data/network/interceptor/RateLimitInterceptor.kt

@@ -16,7 +16,7 @@ import zed.rainxch.core.domain.repository.RateLimitRepository
 class RateLimitInterceptor(
     private val rateLimitRepository: RateLimitRepository,
 ) {
-    
+
     class Config {
         var rateLimitRepository: RateLimitRepository? = null
     }
@@ -52,9 +52,18 @@ class RateLimitInterceptor(
 
         private fun parseRateLimitFromHeaders(headers: Headers): RateLimitInfo? {
             return try {
-                val limit = headers["X-RateLimit-Limit"]?.toIntOrNull() ?: return null.also { Logger.w { "Missing X-RateLimit-Limit" } }
-                val remaining = headers["X-RateLimit-Remaining"]?.toIntOrNull() ?: return null.also { Logger.w { "Missing X-RateLimit-Remaining" } }
-                val reset = headers["X-RateLimit-Reset"]?.toLongOrNull() ?: return null.also { Logger.w { "Missing X-RateLimit-Reset" } }
+                val limitHeader = headers["X-RateLimit-Limit"]
+                    ?: return null.also { Logger.w { "Missing X-RateLimit-Limit" } }
+                val limit = limitHeader.toIntOrNull()
+                    ?: return null.also { Logger.w { "Malformed X-RateLimit-Limit: $limitHeader" } }
+                val remainingHeader = headers["X-RateLimit-Remaining"]
+                    ?: return null.also { Logger.w { "Missing X-RateLimit-Remaining" } }
+                val remaining = remainingHeader.toIntOrNull()
+                    ?: return null.also { Logger.w { "Malformed X-RateLimit-Remaining: $remainingHeader" } }
+                val resetHeader = headers["X-RateLimit-Reset"]
+                    ?: return null.also { Logger.w { "Missing X-RateLimit-Reset" } }
+                val reset = resetHeader.toLongOrNull()
+                    ?: return null.also { Logger.w { "Malformed X-RateLimit-Reset: $resetHeader" } }
                 val resource = headers["X-RateLimit-Resource"] ?: "core"
 
                 RateLimitInfo(limit, remaining, reset, resource)

core/data/src/jvmMain/kotlin/zed/rainxch/core/data/services/DesktopDownloader.kt

@@ -30,20 +30,26 @@ class DesktopDownloader(
     private val activeDownloads = ConcurrentHashMap<String, Call>()
 
     private fun buildClient(): OkHttpClient {
+        Authenticator.setDefault(null)
+
         return OkHttpClient.Builder().apply {
             when (val config = proxyManager.currentProxyConfig.value) {
                 is ProxyConfig.None -> proxy(Proxy.NO_PROXY)
-                is ProxyConfig.System -> { }
+                is ProxyConfig.System -> {}
                 is ProxyConfig.Http -> {
                     proxy(Proxy(Proxy.Type.HTTP, InetSocketAddress(config.host, config.port)))
                     if (config.username != null && config.password != null) {
                         proxyAuthenticator { _, response ->
                             response.request.newBuilder()
-                                .header("Proxy-Authorization", Credentials.basic(config.username!!, config.password!!))
+                                .header(
+                                    "Proxy-Authorization",
+                                    Credentials.basic(config.username!!, config.password!!)
+                                )
                                 .build()
                         }
                     }
                 }
+
                 is ProxyConfig.Socks -> {
                     proxy(Proxy(Proxy.Type.SOCKS, InetSocketAddress(config.host, config.port)))
                     if (config.username != null && config.password != null) {
@@ -91,36 +97,39 @@ class DesktopDownloader(
         activeDownloads[safeName] = call
 
         try {
-            val response = call.execute()
-            if (!response.isSuccessful) {
-                throw kotlinx.io.IOException("Unexpected code ${response.code}")
-            }
+            call.execute().use { response ->
+                if (!response.isSuccessful) {
+                    throw kotlinx.io.IOException("Unexpected code ${response.code}")
+                }
 
-            val body = response.body
-            val contentLength = body.contentLength()
-            val total = if (contentLength > 0) contentLength else null
-
-            body.byteStream().use { input ->
-                destination.outputStream().use { output ->
-                    val buffer = ByteArray(DEFAULT_BUFFER_SIZE)
-                    var downloaded: Long = 0
-                    var bytesRead: Int
-                    while (input.read(buffer).also { bytesRead = it } != -1) {
-                        output.write(buffer, 0, bytesRead)
-                        downloaded += bytesRead
-                        val percent = if (total != null) ((downloaded * 100L) / total).toInt() else null
-                        emit(DownloadProgress(downloaded, total, percent))
+                val body = response.body
+                val contentLength = body.contentLength()
+                val total = if (contentLength > 0) contentLength else null
+
+                body.byteStream().use { input ->
+                    destination.outputStream().use { output ->
+                        val buffer = ByteArray(DEFAULT_BUFFER_SIZE)
+                        var downloaded: Long = 0
+                        var bytesRead: Int
+                        while (input.read(buffer).also { bytesRead = it } != -1) {
+                            output.write(buffer, 0, bytesRead)
+                            downloaded += bytesRead
+                            val percent =
+                                if (total != null) ((downloaded * 100L) / total).toInt() else null
+                            emit(DownloadProgress(downloaded, total, percent))
+                        }
                     }
                 }
-            }
 
-            if (destination.exists() && destination.length() > 0) {
-                Logger.d { "Download complete: ${destination.absolutePath}" }
-                val finalDownloaded = destination.length()
-                val finalPercent = if (total != null) ((finalDownloaded * 100L) / total).toInt() else 100
-                emit(DownloadProgress(finalDownloaded, total, finalPercent))
-            } else {
-                throw IllegalStateException("File not ready after download: ${destination.absolutePath}")
+                if (destination.exists() && destination.length() > 0) {
+                    Logger.d { "Download complete: ${destination.absolutePath}" }
+                    val finalDownloaded = destination.length()
+                    val finalPercent =
+                        if (total != null) ((finalDownloaded * 100L) / total).toInt() else 100
+                    emit(DownloadProgress(finalDownloaded, total, finalPercent))
+                } else {
+                    throw IllegalStateException("File not ready after download: ${destination.absolutePath}")
+                }
             }
         } catch (e: Exception) {
             destination.delete()