Fix #16: SSL pinning in all 4 Flutter apps
- Created ssl_pinning.dart with SHA-256 DER hash pinning for intaleq.xyz and siromove.com - Replaced http.post/http.get with pinned client in all CRUD classes - Added crypto dependency to siro_admin and siro_driver pubspec
This commit is contained in:
Hamza-Ayed
@@ -18,10 +18,11 @@ import 'upload_image.dart';
|
||||
import 'dart:io';
|
||||
|
||||
import 'network/net_guard.dart';
|
||||
import 'ssl_pinning.dart';
|
||||
|
||||
class CRUD {
|
||||
final NetGuard _netGuard = NetGuard();
|
||||
final _client = http.Client();
|
||||
final _client = SslPinning.createPinnedClient();
|
||||
|
||||
/// Stores the signature of the last logged error to prevent duplicates.
|
||||
static String _lastErrorSignature = '';
|
||||
@@ -220,7 +221,7 @@ class CRUD {
|
||||
}) async {
|
||||
final token = await _getJwt();
|
||||
var url = Uri.parse(link);
|
||||
var response = await http.post(
|
||||
var response = await _client.post(
|
||||
url,
|
||||
body: payload,
|
||||
headers: {
|
||||
@@ -243,7 +244,7 @@ class CRUD {
|
||||
await Get.put(LoginController()).getJWT();
|
||||
|
||||
// إعادة المحاولة مرة واحدة فقط بتوكن جديد
|
||||
var retryResponse = await http.post(
|
||||
var retryResponse = await _client.post(
|
||||
url,
|
||||
body: payload,
|
||||
headers: {
|
||||
@@ -316,7 +317,7 @@ class CRUD {
|
||||
final hmac = box.read(BoxName.hmac);
|
||||
var url = Uri.parse(link);
|
||||
|
||||
var response = await http.post(
|
||||
var response = await _client.post(
|
||||
url,
|
||||
body: payload,
|
||||
headers: {
|
||||
@@ -363,7 +364,7 @@ class CRUD {
|
||||
final url = Uri.parse(link);
|
||||
|
||||
try {
|
||||
final response = await http.post(
|
||||
final response = await _client.post(
|
||||
url,
|
||||
body: payload,
|
||||
headers: {
|
||||
@@ -479,7 +480,7 @@ class CRUD {
|
||||
required String uid,
|
||||
}) async {
|
||||
var uid = box.read(BoxName.phone) ?? box.read(BoxName.phoneDriver);
|
||||
var res = await http.get(
|
||||
var res = await _client.get(
|
||||
Uri.parse(
|
||||
'https://orca-app-b2i85.ondigitalocean.app/token?channelName=$channelName'),
|
||||
headers: {'Authorization': 'Bearer ${AK.agoraAppCertificate}'},
|
||||
@@ -513,7 +514,7 @@ class CRUD {
|
||||
],
|
||||
"temperature": 0.9
|
||||
});
|
||||
var response = await http.post(url, body: data, headers: headers);
|
||||
var response = await _client.post(url, body: data, headers: headers);
|
||||
if (response.statusCode == 200) return response.body;
|
||||
return response.statusCode;
|
||||
}
|
||||
@@ -539,7 +540,7 @@ class CRUD {
|
||||
|
||||
var requestBody = {"url": imagePathFull};
|
||||
var response =
|
||||
await http.post(url, body: jsonEncode(requestBody), headers: headers);
|
||||
await _client.post(url, body: jsonEncode(requestBody), headers: headers);
|
||||
|
||||
if (response.statusCode == 200) {
|
||||
var responseBody = jsonDecode(response.body);
|
||||
@@ -568,7 +569,7 @@ class CRUD {
|
||||
],
|
||||
"temperature": 0.9
|
||||
});
|
||||
var response = await http.post(url, body: data, headers: headers);
|
||||
var response = await _client.post(url, body: data, headers: headers);
|
||||
if (response.statusCode == 200) return response.body;
|
||||
return response.statusCode;
|
||||
}
|
||||
@@ -578,7 +579,7 @@ class CRUD {
|
||||
Map<String, dynamic>? payload,
|
||||
}) async {
|
||||
var url = Uri.parse(link);
|
||||
var response = await http.post(url,
|
||||
var response = await _client.post(url,
|
||||
body: payload, headers: {'Content-Type': 'application/json'});
|
||||
|
||||
var jsonData = jsonDecode(response.body);
|
||||
@@ -607,7 +608,7 @@ class CRUD {
|
||||
Map<String, dynamic>? payload,
|
||||
}) async {
|
||||
var url = Uri.parse(link);
|
||||
var response = await http.post(
|
||||
var response = await _client.post(
|
||||
url,
|
||||
body: payload,
|
||||
headers: {
|
||||
@@ -637,7 +638,7 @@ class CRUD {
|
||||
final Uri verificationUri = Uri.parse(
|
||||
'https://verify.twilio.com/v2/Services/$verifySid/Verifications');
|
||||
|
||||
await http.post(
|
||||
await _client.post(
|
||||
verificationUri,
|
||||
headers: {
|
||||
'Authorization':
|
||||
@@ -652,7 +653,7 @@ class CRUD {
|
||||
final checkUri = Uri.parse(
|
||||
'https://verify.twilio.com/v2/Services/$verifySid/VerificationCheck');
|
||||
|
||||
final checkResponse = await http.post(
|
||||
final checkResponse = await _client.post(
|
||||
checkUri,
|
||||
headers: {
|
||||
'Authorization':
|
||||
@@ -668,7 +669,7 @@ class CRUD {
|
||||
Map<String, dynamic>? payload,
|
||||
}) async {
|
||||
var url = Uri.parse(link);
|
||||
var response = await http.post(url, body: payload);
|
||||
var response = await _client.post(url, body: payload);
|
||||
var jsonData = jsonDecode(response.body);
|
||||
if (jsonData['status'] == 'OK') return jsonData;
|
||||
return jsonData['status'];
|
||||
@@ -677,7 +678,7 @@ class CRUD {
|
||||
Future<dynamic> getHereMap({required String link}) async {
|
||||
var url = Uri.parse(link);
|
||||
try {
|
||||
var response = await http.get(url);
|
||||
var response = await _client.get(url);
|
||||
if (response.statusCode == 200) {
|
||||
var decodedBody = utf8.decode(response.bodyBytes);
|
||||
return jsonDecode(decodedBody);
|
||||
@@ -693,7 +694,7 @@ class CRUD {
|
||||
}) async {
|
||||
var url = Uri.parse(link);
|
||||
try {
|
||||
var response = await http.get(
|
||||
var response = await _client.get(
|
||||
url,
|
||||
headers: {
|
||||
'Content-Type': 'application/json',
|
||||
@@ -719,7 +720,7 @@ class CRUD {
|
||||
}) async {
|
||||
var url = Uri.parse(link);
|
||||
try {
|
||||
var response = await http.post(
|
||||
var response = await _client.post(
|
||||
url,
|
||||
body: jsonEncode(payload),
|
||||
headers: {
|
||||
|
||||
41
siro_rider/lib/controller/functions/ssl_pinning.dart
Normal file
41
siro_rider/lib/controller/functions/ssl_pinning.dart
Normal file
@@ -0,0 +1,41 @@
|
||||
import 'dart:convert';
|
||||
import 'dart:io';
|
||||
import 'package:crypto/crypto.dart';
|
||||
import 'package:http/http.dart' as http;
|
||||
|
||||
class SslPinning {
|
||||
SslPinning._();
|
||||
|
||||
static final Map<String, List<String>> _pins = {
|
||||
'intaleq.xyz': [
|
||||
'/tNRUeeLxUhQU5gbgdpVWC6QBGAqc/ujg8Kcf0wQiAM=',
|
||||
'Hlx/0EWNDH5Xkt2KzvqxUzbw0vvEsyZSlibialSyGqI=',
|
||||
],
|
||||
'siromove.com': [
|
||||
'C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHESsl=',
|
||||
'diGVwiVYbubAI3RW4hB9xU8e/CH2GnkuvVFZE8zmgzI=',
|
||||
],
|
||||
};
|
||||
|
||||
static final List<String> _globalPins = [
|
||||
'Ex/Od4QBaJmloAIDqe/IDxjrvXVYBxftwVU1gJMINuw=',
|
||||
'lrzsBiZJdvN0YHeazyjFp8/oo8Cq4RqP/O4FwL3fCMY=',
|
||||
'aXKbjhWobvwXelevtxcd/GSt0owvyozxUH40RTzLFHA=',
|
||||
];
|
||||
|
||||
static http.Client createPinnedClient() {
|
||||
final httpClient = HttpClient()
|
||||
..badCertificateCallback =
|
||||
(X509Certificate cert, String host, int port) {
|
||||
final derHash = base64.encode(sha256.convert(cert.der).bytes);
|
||||
for (final entry in _pins.entries) {
|
||||
if (host.endsWith(entry.key)) {
|
||||
if (entry.value.contains(derHash)) return true;
|
||||
}
|
||||
}
|
||||
if (_globalPins.contains(derHash)) return true;
|
||||
return false;
|
||||
};
|
||||
return http.IOClient(httpClient);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user