fix: Update CDVAllowList to support more valid schemes (#1473)

These may be unusual schemes, but they are canonically valid and should be supported. Closes GH-1291.
apache · Aug 21, 2024 · f3339a9 · f3339a9
1 parent 3ce3a7e
commit f3339a9
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/CordovaLib/Classes/Private/Plugins/CDVIntentAndNavigationFilter/CDVAllowList.m b/CordovaLib/Classes/Private/Plugins/CDVIntentAndNavigationFilter/CDVAllowList.m
@@ -169,7 +169,7 @@ - (void)addAllowListEntry:(NSString*)origin
         self.allowList = nil;
         self.permittedSchemes = nil;
     } else { // specific access
-        NSRegularExpression* parts = [NSRegularExpression regularExpressionWithPattern:@"^((\\*|[A-Za-z-]+):/?/?)?(((\\*\\.)?[^*/:]+)|\\*)?(:(\\d+))?(/.*)?" options:0 error:nil];
+        NSRegularExpression* parts = [NSRegularExpression regularExpressionWithPattern:@"^((\\*|([a-z][a-z0-9+\\-.]*)):/?/?)?(((\\*\\.)?[^*/:]+)|\\*)?(:(\\d+))?(/.*)?" options:0 error:nil];
         NSTextCheckingResult* m = [parts firstMatchInString:origin options:NSMatchingAnchored range:NSMakeRange(0, [origin length])];
         if (m != nil) {
             NSRange r;
@@ -180,7 +180,7 @@ - (void)addAllowListEntry:(NSString*)origin
             }
 
             NSString* host = nil;
-            r = [m rangeAtIndex:3];
+            r = [m rangeAtIndex:4];
             if (r.location != NSNotFound) {
                 host = [origin substringWithRange:r];
             }
@@ -191,13 +191,13 @@ - (void)addAllowListEntry:(NSString*)origin
             }
 
             NSString* port = nil;
-            r = [m rangeAtIndex:7];
+            r = [m rangeAtIndex:8];
             if (r.location != NSNotFound) {
                 port = [origin substringWithRange:r];
             }
 
             NSString* path = nil;
-            r = [m rangeAtIndex:8];
+            r = [m rangeAtIndex:9];
             if (r.location != NSNotFound) {
                 path = [origin substringWithRange:r];
             }

diff --git a/tests/CordovaLibTests/CDVAllowListTests.m b/tests/CordovaLibTests/CDVAllowListTests.m
@@ -209,6 +209,21 @@ - (void)testAllowListRejectionString
     XCTAssertTrue([expectedErrorString isEqualToString:errorString], @"Customized allowList rejection string has unexpected value.");
 }
 
+- (void)testUnusualSchemes
+{
+    NSArray* allowedHosts = [NSArray arrayWithObjects:
+        @"com.myapp://*",
+        @"web+app://*",
+        @"a12345://*",
+        nil];
+
+    CDVAllowList* allowList = [[CDVAllowList alloc] initWithArray:allowedHosts];
+
+    XCTAssertTrue([allowList URLIsAllowed:[NSURL URLWithString:@"com.myapp://www.apache.org"]]);
+    XCTAssertTrue([allowList URLIsAllowed:[NSURL URLWithString:@"web+app://www.apache.org"]]);
+    XCTAssertTrue([allowList URLIsAllowed:[NSURL URLWithString:@"a12345://www.apache.org"]]);
+}
+
 - (void)testSpecificProtocol
 {
     NSArray* allowedHosts = [NSArray arrayWithObjects: