Refactor CSGuard: Implement reflection intent hook, restructure gradle, fix bypasses

Author: errorcodeQQ

CSGuard/build.gradle.kts

@@ -0,0 +1,20 @@
+version = 1
+
+cloudstream {
+    description = "Defensive CloudStream plugin that intercepts and neutralizes malicious browser-redirect ad injections from other extensions. Wraps provider Context objects so raw Intent.ACTION_VIEW calls to ad networks are silently dropped to the void."
+    authors = listOf("CSGuard")
+    status = 1
+    tvTypes = listOf("Others")
+    requiresResources = false
+    language = "en"
+    iconUrl = "https://raw.githubusercontent.com/google/material-design-icons/master/png/communication/security/png48/security_48dp.png"
+}
+
+android {
+    namespace = "com.csguard"
+    lint { abortOnError = false }
+    buildFeatures {
+        buildConfig = true
+        viewBinding = false
+    }
+}

CSGuard/gradle.properties

@@ -0,0 +1,3 @@
+org.gradle.jvmargs=-Xmx2048m -Dfile.encoding=UTF-8
+android.useAndroidX=true
+android.enableJetifier=true

CSGuard/src/main/AndroidManifest.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="utf-8"?>
+<manifest />

CSGuard/src/main/kotlin/com/csguard/AdBlockList.kt

@@ -0,0 +1,150 @@
+package com.csguard
+
+/**
+ * Known ad-network / popunder domains used by malicious CloudStream extensions.
+ *
+ * This list is seeded from a real-world analysis of the
+ * `NivinCNC/CNCVerse-Cloud-Stream-Extension` repo, where the constant
+ *
+ *     OMG10 = "aHR0cHM6Ly9vbWcxMC5jb20vNC8xMTEwNDQ4OQ=="
+ *
+ * base64-decodes to `https://omg10.com/4/11104489` — an OMG/PropellerAds-style
+ * popunder ad-network URL fired via raw `Intent.ACTION_VIEW` from inside
+ * `MainAPI.loadLinks()` on every Play tap.
+ *
+ * The list is intentionally broad: extensions like this rotate ad networks, so
+ * we block by category rather than just by the single observed domain.
+ */
+object AdBlockList {
+
+    // ---- Hard-blocked hosts (known ad networks / popunders / redirectors) ----
+    val BLOCKED_HOSTS: Set<String> = setOf(
+        // Observed in CNCVerse repo
+        "omg10.com",
+        "omg1.com", "omg2.com", "omg3.com", "omg4.com", "omg5.com",
+        "omg6.com", "omg7.com", "omg8.com", "omg9.com",
+
+        // PropellerAds / Monetag family
+        "propellerads.com", "propeller-tracking.com",
+        "monetag.com", "monetag-handhub.com",
+
+        // Adsterra
+        "adsterra.com", "adsterra.network", "prohitshere.com",
+
+        // HilltopAds
+        "hilltopads.com", "hilltopads.net", "hilltopads-delivery.com",
+
+        // PopAds / PopCash
+        "popads.net", "popcash.net", "popmyads.com",
+
+        // Ad-Maven / Maven
+        "ad-maven.com", "a-mo.net", "mvn.link",
+
+        // Shortcutters commonly used by ad-redirect layers
+        "bit.ly", "t.ly", "cutt.ly", "shorturl.at", "tinyurl.com",
+        "shrtco.de", "soo.gd", "s.id", "is.gd", "v.gd",
+        "linkvertise.com", "linkvertise.net",
+
+        // Generic popunder / malvertising CDNs
+        "onclickperformance.com", "onclickprediction.com",
+        "onclickscript.com", "highperformanceformat.com",
+        "pushmonetization.com", "realtimepush.com",
+        "highratecpm.com", "profithighrate.com",
+        "crazypushsub.com", "push-notification.tools",
+        "bemobtrcks.com", "bemobpath.com",
+        "go2cloud.org", "go2affise.com",
+        "trackings.selfpublishing.com",
+        "xl-trail.com", "trail_trk.com",
+
+        // Suspicious TLD patterns commonly abused
+        // (will be matched more carefully in code — see isBlocked())
+    )
+
+    // ---- Hosts that are explicitly ALLOWED to open externally ----
+    //
+    // CloudStream itself opens these for repo install / legal / community
+    // purposes, and they are user-initiated actions — not silent ad redirects.
+    val SAFE_HOSTS: Set<String> = setOf(
+        // CloudStream infra
+        "cs.repo", "cloudstream.on.fleek.co",
+        "recloudstream.github.io", "github.com", "raw.githubusercontent.com",
+
+        // Self-promo (user-initiated, in the form of a dialog with a button)
+        "t.me", "telegram.me",
+
+        // Common legitimate support sites
+        "discord.com", "discord.gg", "patreon.com", "ko-fi.com",
+        "buymeacoffee.com",
+
+        // Search/lookup that user might legitimately want
+        "www.google.com", "duckduckgo.com",
+
+        // Wikipedia / IMDB for metadata
+        "wikipedia.org", "imdb.com"
+    )
+
+    // ---- URL patterns that are NEVER media stream URLs ----
+    //
+    // If an ExtractorLink or PlayInBrowser target matches one of these
+    // patterns, it's almost certainly an ad/redirect, not a real video.
+    val NON_MEDIA_PATH_PATTERNS: List<Regex> = listOf(
+        Regex("/\\d+/(\\d{6,})"),         // /4/11104489 style ad zone IDs
+        Regex("/(popunder|popunderinit)"),
+        Regex("/(redirect|go|visit|jump)/[a-zA-Z0-9]+"),
+        Regex("/watch\\?key="),
+        Regex("click\\?"),
+        Regex("/aff(_)?id=")
+    )
+
+    /**
+     * Returns true if the host (or any of its parent domains) is on the
+     * hard-block list.
+     */
+    fun isHostBlocked(host: String?): Boolean {
+        if (host.isNullOrBlank()) return false
+        val h = host.lowercase().trim()
+        // exact match
+        if (h in BLOCKED_HOSTS) return true
+        // suffix match (handles subdomains like ads.omg10.com)
+        for (blocked in BLOCKED_HOSTS) {
+            if (h == blocked || h.endsWith(".$blocked")) return true
+        }
+        return false
+    }
+
+    /**
+     * Returns true if the host is explicitly allowed to open externally.
+     *
+     * Combines three sources:
+     *   1. [SAFE_HOSTS] — static baseline of CloudStream-essential hosts
+     *   2. [AllowlistStore.alwaysAllow] — persistent user-approved hosts
+     *   3. [AllowlistStore] session allow-once — process-scoped one-shot approvals
+     *
+     * Always called from the [GuardPolicy.shouldBlock] hot path, so it must be fast.
+     */
+    fun isHostSafe(host: String?): Boolean {
+        if (host.isNullOrBlank()) return false
+        val h = host.lowercase().trim()
+        // 1. Static baseline
+        if (h in SAFE_HOSTS) return true
+        for (safe in SAFE_HOSTS) {
+            if (h == safe || h.endsWith(".$safe")) return true
+        }
+        // 2 & 3. User-managed allowlist (persistent + session)
+        return try {
+            AllowlistStore.isAllowed(h)
+        } catch (_: Throwable) {
+            // AllowlistStore not initialized yet — be safe, fall back to baseline
+            false
+        }
+    }
+
+    /**
+     * Heuristic: does the URL path look like an ad-redirect path
+     * rather than a real media file?
+     */
+    fun looksLikeAdPath(url: String?): Boolean {
+        if (url.isNullOrBlank()) return false
+        return NON_MEDIA_PATH_PATTERNS.any { it.containsMatchIn(url) }
+    }
+}

CSGuard/src/main/kotlin/com/csguard/AllowlistStore.kt

@@ -0,0 +1,142 @@
+package com.csguard
+
+import android.content.Context
+import android.content.SharedPreferences
+import android.util.Log
+import org.json.JSONArray
+import org.json.JSONObject
+
+/**
+ * Persistent, user-managed allowlist of hosts that CSGuard will NOT block,
+ * even in STRICT mode.
+ *
+ * Backed by SharedPreferences so it survives plugin reloads and app restarts.
+ *
+ * Two scopes:
+ *   - **Always-allow** hosts: persisted across all future sessions.
+ *   - **Allow-once** hosts: kept only for the current process; cleared on
+ *     plugin reload. Useful for one-off approvals without permanently
+ *     whitelisting a host.
+ *
+ * Combined with the static [AdBlockList.SAFE_HOSTS] (the built-in baseline
+ * of CloudStream-essential hosts), the effective allowlist at any moment is:
+ *
+ *     SAFE_HOSTS ∪ alwaysAllowHosts ∪ sessionAllowOnceHosts
+ */
+object AllowlistStore {
+
+    private const val TAG = "CSGuard"
+    private const val PREFS_NAME = "csguard_allowlist"
+    private const val KEY_ALWAYS = "always_allow_hosts"
+    private const val KEY_BLOCKED = "blocked_attempts_log"
+    private const val MAX_BLOCKED_LOG = 200
+
+    @Volatile private var prefs: SharedPreferences? = null
+
+    // In-memory session-only allow-once set (process-scoped, not persisted)
+    private val sessionAllowOnce = java.util.Collections.synchronizedSet(HashSet<String>())
+
+    fun init(context: Context) {
+        if (prefs != null) return
+        prefs = context.applicationContext.getSharedPreferences(PREFS_NAME, Context.MODE_PRIVATE)
+        Log.i(TAG, "AllowlistStore initialized — alwaysAllow=${alwaysAllow().size} hosts")
+    }
+
+    // ───────────────────── Always-allow (persistent) ─────────────────────
+
+    fun alwaysAllow(): Set<String> {
+        val raw = prefs?.getString(KEY_ALWAYS, "[]") ?: "[]"
+        return try {
+            val arr = JSONArray(raw)
+            (0 until arr.length()).map { arr.getString(it).lowercase().trim() }.toSet()
+        } catch (_: Throwable) { emptySet() }
+    }
+
+    fun addAlwaysAllow(host: String): Boolean {
+        val normalized = host.lowercase().trim()
+        if (normalized.isEmpty()) return false
+        val current = alwaysAllow().toMutableSet()
+        if (!current.add(normalized)) return false
+        prefs?.edit()?.putString(KEY_ALWAYS, JSONArray(current.toList()).toString())?.apply()
+        Log.i(TAG, "AllowlistStore: added always-allow → $normalized")
+        return true
+    }
+
+    fun removeAlwaysAllow(host: String): Boolean {
+        val normalized = host.lowercase().trim()
+        val current = alwaysAllow().toMutableSet()
+        if (!current.remove(normalized)) return false
+        prefs?.edit()?.putString(KEY_ALWAYS, JSONArray(current.toList()).toString())?.apply()
+        Log.i(TAG, "AllowlistStore: removed always-allow → $normalized")
+        return true
+    }
+
+    // ───────────────────── Allow-once (session-only) ─────────────────────
+
+    fun allowOnce(host: String) {
+        sessionAllowOnce.add(host.lowercase().trim())
+        Log.i(TAG, "AllowlistStore: allow-once (session) → $host")
+    }
+
+    fun clearSessionAllowOnce() {
+        sessionAllowOnce.clear()
+    }
+
+    // ───────────────────── Effective allowlist check ─────────────────────
+
+    fun isAllowed(host: String?): Boolean {
+        if (host.isNullOrBlank()) return false
+        val h = host.lowercase().trim()
+        if (h in sessionAllowOnce) return true
+        val always = alwaysAllow()
+        if (h in always) return true
+        // suffix match for subdomains
+        for (allowed in always) {
+            if (h.endsWith(".$allowed")) return true
+        }
+        return false
+    }
+
+    // ───────────────────── Blocked log (for review) ─────────────────────
+
+    data class BlockedEntry(
+        val url: String,
+        val caller: String,
+        val timestamp: Long
+    )
+
+    fun blockedLog(): List<BlockedEntry> {
+        val raw = prefs?.getString(KEY_BLOCKED, "[]") ?: "[]"
+        return try {
+            val arr = JSONArray(raw)
+            (0 until arr.length()).map { idx ->
+                val obj = arr.getJSONObject(idx)
+                BlockedEntry(
+                    url = obj.optString("url"),
+                    caller = obj.optString("caller"),
+                    timestamp = obj.optLong("ts")
+                )
+            }
+        } catch (_: Throwable) { emptyList() }
+    }
+
+    fun recordBlocked(url: String, caller: String) {
+        val current = blockedLog().toMutableList()
+        current.add(0, BlockedEntry(url, caller, System.currentTimeMillis()))
+        // Trim to MAX_BLOCKED_LOG, keep most recent
+        val trimmed = current.take(MAX_BLOCKED_LOG)
+        val arr = JSONArray()
+        for (entry in trimmed) {
+            val obj = JSONObject()
+            obj.put("url", entry.url)
+            obj.put("caller", entry.caller)
+            obj.put("ts", entry.timestamp)
+            arr.put(obj)
+        }
+        prefs?.edit()?.putString(KEY_BLOCKED, arr.toString())?.apply()
+    }
+
+    fun clearBlockedLog() {
+        prefs?.edit()?.remove(KEY_BLOCKED)?.apply()
+    }
+}

CSGuard/src/main/kotlin/com/csguard/BlockedLog.kt

@@ -0,0 +1,28 @@
+package com.csguard
+
+/**
+ * Thin shim around [AllowlistStore.recordBlocked] so that the
+ * [InstrumentationHook] can record blocks without caring about persistence.
+ *
+ * Kept as a separate object for clarity and to make it easy to swap in a
+ * different sink (file logger, remote logger, etc.) later.
+ */
+object BlockedLog {
+    @JvmStatic
+    fun record(url: String, caller: String) {
+        try {
+            AllowlistStore.recordBlocked(url, caller)
+        } catch (_: Throwable) {
+            // Persistence must never break the block path
+        }
+    }
+
+    @JvmStatic
+    fun all(): List<AllowlistStore.BlockedEntry> =
+        try { AllowlistStore.blockedLog() } catch (_: Throwable) { emptyList() }
+
+    @JvmStatic
+    fun clear() {
+        try { AllowlistStore.clearBlockedLog() } catch (_: Throwable) {}
+    }
+}