adobe / aepsdk-assurance-ios

Adobe Experience Platform Assurance SDK
Apache License 2.0

[MOB-16690] Sanitize socket url #66

Closed cdhoffmann closed 1 year ago

cdhoffmann commented 1 year ago

Security review found that we are not sanitizing our SocketURL and are exposed to JS injection.

Solution: Add an isSafe function to our URL+Parser extension which checks the URL params.

Currently it makes the following assumptions (checked with services to make sure we could make these assumptions):

  1. sessionID will always be a valid UUID (with hyphens)
  2. clientID (same as above)
  3. orgID always ends with @AdobeOrg
  4. token will always be a 4-digit integer (in string format)

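The check described in the PR, as an added example that is not the Assurance SDK's own code: an allowlist validator over the socket URL's query parameters, where the parameter names (sessionID, clientID, orgID, token), the property name and the anchored patterns are assumptions derived from the four points above.

```swift
import Foundation

// Added example, not the SDK's URL+Parser extension. Parameter names and the
// regular expressions are assumptions built from the PR's four stated rules.
extension URL {
    /// Allowlist of expected query parameters, each with a fully anchored pattern.
    private static let assuranceParamPatterns: [String: String] = [
        // sessionID / clientID: hyphenated UUID
        "sessionID": "\\A[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\\z",
        "clientID":  "\\A[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\\z",
        // orgID: alphanumeric identifier that must end with @AdobeOrg
        "orgID":     "\\A[0-9A-Za-z]+@AdobeOrg\\z",
        // token: exactly four ASCII digits
        "token":     "\\A[0-9]{4}\\z"
    ]

    /// True only when every query parameter is on the allowlist, carries a
    /// value, and that value matches its pattern in full. An unknown key, a
    /// missing value, or any extra character (quotes, brackets, whitespace)
    /// rejects the whole URL instead of trying to strip the bad part out.
    var isSafeAssuranceSocketURL: Bool {
        guard let components = URLComponents(url: self, resolvingAgainstBaseURL: false),
              let items = components.queryItems, !items.isEmpty else {
            return false
        }
        for item in items {
            guard let pattern = URL.assuranceParamPatterns[item.name],
                  let value = item.value else {
                return false
            }
            // queryItems are already percent-decoded, so the pattern is
            // applied to the value the socket layer would actually receive.
            if value.range(of: pattern, options: .regularExpression) == nil {
                return false
            }
        }
        return true
    }
}

// Constructed sample URLs (host and values are illustrative only).
let wellFormed = URL(string: "wss://connect.example/client/v1"
    + "?sessionID=123e4567-e89b-12d3-a456-426614174000"
    + "&clientID=123e4567-e89b-12d3-a456-426614174001"
    + "&orgID=ABC123@AdobeOrg&token=1234")!
let malformed = URL(string: "wss://connect.example/client/v1"
    + "?sessionID=123e4567-e89b-12d3-a456-426614174000&token=1234%22")!

print("well-formed accepted:", wellFormed.isSafeAssuranceSocketURL)
print("trailing quote in token accepted:", malformed.isSafeAssuranceSocketURL)
```

Rejecting rather than rewriting keeps the rule simple to test: every accepted value is, by construction, one of the four shapes the services guarantee.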
codecov[bot] commented 1 year ago

Codecov Report

Merging #66 (42531df) into dev (c72de3d) will decrease coverage by 0.34%. The diff coverage is 81.13%.

@@            Coverage Diff             @@
##              dev      #66      +/-   ##
==========================================
- Coverage   89.05%   88.71%   -0.34%     
==========================================
  Files          32       32              
  Lines        1315     1364      +49     
==========================================
+ Hits         1171     1210      +39     
- Misses        144      154      +10