fix(android): Drop SAF document authorities from getDataFromUri allowlist

antonis · claude · antonis · commit 7f971e5447c5 · 2026-04-28T15:32:21.000+02:00
Authority-only matching cannot verify that a SAF URI was granted in the current attach flow versus a previously persisted grant. The in-SDK image picker returns content://media/... on modern Android, so dropping SAF support has no impact on the FeedbackForm flow. Test inverted from allowsSafDocumentsAuthorities to rejectsSafDocumentsAuthorities. Addresses Warden review feedback on #6045. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/packages/core/android/src/main/java/io/sentry/react/RNSentryModuleImpl.java b/packages/core/android/src/main/java/io/sentry/react/RNSentryModuleImpl.java
@@ -1145,6 +1145,14 @@ static boolean isAllowedUri(@NotNull Uri uri, @Nullable Context ctx) {
     return "file".equals(lowerScheme) && isPathUnderAppDirs(uri.getPath(), ctx);
   }
 
+  // Allowlist is intentionally narrow:
+  // - `media` is what the in-SDK image picker flow returns.
+  // - the app's own FileProvider is needed when the host app exposes attachments via it.
+  // SAF document authorities
+  // (com.android.{externalstorage,providers.media,providers.downloads}.documents)
+  // are deliberately excluded: authority-only matching would let any caller read any document
+  // the app has been granted persistent SAF permission for, without verifying the URI was granted
+  // in the current attach flow.
   @VisibleForTesting
   static boolean isAllowedContentAuthority(@Nullable String authority, @Nullable Context ctx) {
     if (authority == null) {
@@ -1154,11 +1162,6 @@ static boolean isAllowedContentAuthority(@Nullable String authority, @Nullable C
     if ("media".equals(lower)) {
       return true;
     }
-    if ("com.android.providers.media.documents".equals(lower)
-        || "com.android.externalstorage.documents".equals(lower)
-        || "com.android.providers.downloads.documents".equals(lower)) {
-      return true;
-    }
     if (ctx != null) {
       final String pkg = ctx.getPackageName();
       if (pkg != null && lower.equals(pkg.toLowerCase(Locale.ROOT) + ".fileprovider")) {
diff --git a/packages/core/android/src/test/java/io/sentry/react/RNSentryUriValidationTest.java b/packages/core/android/src/test/java/io/sentry/react/RNSentryUriValidationTest.java
@@ -71,14 +71,16 @@ public void allowsContentSchemeCaseInsensitive() {
   }
 
   @Test
-  public void allowsSafDocumentsAuthorities() {
-    assertTrue(
+  public void rejectsSafDocumentsAuthorities() {
+    // SAF authorities are excluded from the allowlist: authority-only matching cannot verify
+    // that the URI was granted in the current attach flow versus a previously persisted grant.
+    assertFalse(
         RNSentryModuleImpl.isAllowedUri(
             mockUri("content", "com.android.providers.media.documents", "/doc"), ctx));
-    assertTrue(
+    assertFalse(
         RNSentryModuleImpl.isAllowedUri(
             mockUri("content", "com.android.externalstorage.documents", "/doc"), ctx));
-    assertTrue(
+    assertFalse(
         RNSentryModuleImpl.isAllowedUri(
             mockUri("content", "com.android.providers.downloads.documents", "/doc"), ctx));
   }
