Add dependency verification and remove information leak from OkHttp

.gitlab-ci.yml

@@ -99,7 +99,7 @@ fdroid build:
     - ln -s $CI_PROJECT_DIR/fdroidserver /home/vagrant/fdroidserver
     - mkdir -p /vagrant/cache
     - wget -q https://services.gradle.org/distributions/gradle-5.6.2-bin.zip --output-document=/vagrant/cache/gradle-5.6.2-bin.zip
-    # Check sha256 of the gralde build
+    # Check sha256 of the gradle build
     - echo '32fce6628848f799b0ad3205ae8db67d0d828c10ffe62b748a7c0d9f4a5d9ee0 /vagrant/cache/gradle-5.6.2-bin.zip' | sha256sum -c
     - bash fdroidserver/buildserver/provision-gradle
     - bash fdroidserver/buildserver/provision-apt-get-install https://deb.debian.org/debian

app/build.gradle

@@ -203,11 +203,13 @@ dependencies {
         exclude group: "com.android.support"
     }
 
-    implementation 'com.github.bumptech.glide:okhttp-integration:4.13.2'
+    implementation 'com.github.bumptech.glide:okhttp3-integration:4.13.2'
     implementation('com.github.bumptech.glide:recyclerview-integration:4.13.2') {
         // Excludes the support library because it's already included by Glide.
         transitive = false
     }
+    implementation 'com.github.bumptech.glide:annotations:4.13.2'
+    annotationProcessor 'com.github.bumptech.glide:compiler:4.13.2'
     kapt 'com.github.bumptech.glide:compiler:4.13.2'
 
     implementation 'androidx.legacy:legacy-support-v4:1.0.0'

app/proguard-rules.pro

@@ -88,6 +88,9 @@
     static void throwUninitializedPropertyAccessException(java.lang.String);
 }
 
+-keep public class * extends com.bumptech.glide.module.AppGlideModule
+-keep class com.bumptech.glide.GeneratedAppGlideModuleImpl
+
 ##---------------Begin: proguard configuration for Gson  ----------
 # Gson uses generic type information stored in a class file when working with fields. Proguard
 # removes such information by default, so configure it to keep all of it.

app/src/main/java/org/pixeldroid/app/utils/GlideApplication.kt

@@ -0,0 +1,26 @@
+package org.pixeldroid.app.utils
+
+import android.content.Context
+import com.bumptech.glide.Glide
+import com.bumptech.glide.Registry
+import com.bumptech.glide.annotation.GlideModule
+import com.bumptech.glide.integration.okhttp3.OkHttpUrlLoader
+import com.bumptech.glide.load.model.GlideUrl
+import com.bumptech.glide.module.AppGlideModule
+import okhttp3.ConnectionSpec
+import okhttp3.OkHttpClient
+import org.pixeldroid.app.utils.api.PixelfedAPI
+import java.io.InputStream
+
+@GlideModule
+class PixelDroidGlideModule : AppGlideModule() {
+    override fun registerComponents(context: Context, glide: Glide, registry: Registry) {
+        val client: OkHttpClient = OkHttpClient().newBuilder()
+            // Only do secure-ish TLS connections (no HTTP or very old SSL/TLS)
+            .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))
+            .addNetworkInterceptor(PixelfedAPI.headerInterceptor)
+            .build()
+        val factory = OkHttpUrlLoader.Factory(client)
+        glide.registry.replace(GlideUrl::class.java, InputStream::class.java, factory)
+    }
+}

app/src/main/java/org/pixeldroid/app/utils/api/PixelfedAPI.kt

@@ -2,6 +2,8 @@ package org.pixeldroid.app.utils.api
 
 import com.google.gson.*
 import io.reactivex.rxjava3.core.Observable
+import okhttp3.ConnectionSpec
+import okhttp3.Interceptor
 import org.pixeldroid.app.utils.api.objects.*
 import okhttp3.MultipartBody
 import okhttp3.OkHttpClient
@@ -30,8 +32,19 @@ interface PixelfedAPI {
 
 
     companion object {
+        val headerInterceptor = Interceptor { chain ->
+            val requestBuilder = chain.request().newBuilder()
+                .removeHeader("User-Agent")
+                .addHeader("User-Agent", "PixelDroid") //TODO check if okay?
+            chain.proceed(requestBuilder.build())
+        }
+
         fun createFromUrl(baseUrl: String): PixelfedAPI {
-            return Retrofit.Builder()
+            return Retrofit.Builder().client(
+                OkHttpClient().newBuilder().addNetworkInterceptor(headerInterceptor)
+                    // Only do secure-ish TLS connections (no HTTP or very old SSL/TLS)
+                    .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS)).build()
+            )
                 .baseUrl(baseUrl)
                 .addConverterFactory(GsonConverterFactory.create(gSonInstance))
                 .addCallAdapterFactory(RxJava3CallAdapterFactory.create())
@@ -65,7 +78,10 @@ interface PixelfedAPI {
             intermediate
                 .baseUrl(user.instance_uri)
                 .client(
-                    OkHttpClient().newBuilder().authenticator(TokenAuthenticator(user, db, pixelfedAPIHolder))
+                    OkHttpClient().newBuilder().addNetworkInterceptor(headerInterceptor)
+                            // Only do secure-ish TLS connections (no HTTP or very old SSL/TLS)
+                        .connectionSpecs(listOf(ConnectionSpec.MODERN_TLS))
+                        .authenticator(TokenAuthenticator(user, db, pixelfedAPIHolder))
                         .addInterceptor {
                             it.request().newBuilder().run {
                                 header("Accept", "application/json")