Only allow https call links to be passed through the custom app scheme

2025-03-10 21:39:12 +00:00 · 2023-09-25 09:17:44 +03:00 · 2023-09-25 09:17:44 +03:00 · 44c6da7ce6
commit 44c6da7ce6
parent 22756891c1
1 changed files with 3 additions and 1 deletions
--- a/ElementX/Sources/Application/Navigation/AppRoutes.swift
+++ b/ElementX/Sources/Application/Navigation/AppRoutes.swift
@ -91,7 +91,9 @@ struct ElementCallURLParser: URLParser {
            }
            
            guard let encodedURLString = components.queryItems?.first(where: { $0.name == customSchemeURLQueryParameterName })?.value,
-                  let callURL = URL(string: encodedURLString) else {
+                  let callURL = URL(string: encodedURLString),
+                  callURL.scheme == "https" // Don't allow URLs from potentially unsafe domains
+            else {
                MXLog.error("Invalid custom scheme call parameters: \(url)")
                return nil
            }