Sanitize NSURL in Objective C

Question

I am using checkmarx for security vulnerabilities in code. (react-native). I enabled deep linking in react-native using this guide from the official documentation for ios https://reactnative.dev/docs/linking. From the documentation i added this code to AppDelegate.m


- (BOOL)application:(UIApplication *)application
   openURL:(NSURL *)url
   options:(NSDictionary<UIApplicationOpenURLOptionsKey,id> *)options
{
  return [RCTLinkingManager application:application openURL:url options:options];
}

However checkmarx reports that i need to sanitize or validate the url to prevent XSS attacks, any idea on how to achieve this?

The `url` will be `nil` if it is not valid. See also [here](https://stackoverflow.com/questions/3811996/how-to-determine-if-a-string-is-a-url-in-objective-c) — koen, Jan 05 '21 at 18:12
@Joshua what is the exact vulnerability that Checkmarx reports? — securecodeninja, Jan 09 '21 at 21:02
@Joshua Asare there are at least 2 types of XSS under Objective C that Checkmarx have, can you be specific? — securecodeninja, Jan 22 '21 at 17:32

score 0 · Answer 1 · answered Jan 25 '21 at 05:03

To mitigate the XSS vulnerability in the code, you must URL encode the url argument by using the stringByAddingPercentEncodingWithAllowedCharacters method:

- (BOOL)application:(UIApplication *)application
   openURL:(NSURL *)url
   options:(NSDictionary<UIApplicationOpenURLOptionsKey,id> *)options
{

NSString *urlEncoded = [url stringByAddingPercentEncodingWithAllowedCharacters:[NSCharacterSet URLHostAllowedCharacterSet]];

  return [RCTLinkingManager application:application openURL:urlEncoded options:options];
}

Sanitize NSURL in Objective C

1 Answers1