We've been running CodeQL scans regularly on our code base and have encountered an issue that I believe needs attention from the maintainers.
Problem
During our latest scan, CodeQL flagged an issue in file Vault/Pods/Elephant/Sources/SVGView.swift at line number 37 with the following reason and description:
CodeQL
Vault/Pods/Elephant/Sources/SVGView.swift:37 Unsafe WebView fetch
Tainted data is used in a WebView fetch without restricting the base URL.
Fetching data in a web view without restricting the base URL may allow an attacker to access sensitive local data, for example using file://. Data can then be extracted from the software using the URL of a machine under the attacker's control. More generally, an attacker may use a URL under their control as part of a cross-site scripting attack.
Recommendation
When loading HTML into a web view, always set the baseURL to an appropriate URL that you control, or to about:blank. Do not use nil, as this does not restrict URLs that can be resolved. Also do not use a baseURL that could itself be controlled by an attacker.
Example
In the following example, a call to UIWebView.loadHTMLString has the baseURL set to nil, which does not restrict URLs that can be resolved from within the web page.
let webview = UIWebView()
...
webview.loadHTMLString(htmlData, baseURL: nil) // BAD
To fix the problem, we set the baseURL to about:blank. This ensures that an attacker cannot resolve URLs that point to the local file system, or to web servers under their control.
let webview = UIWebView()
...
webview.loadHTMLString(htmlData, baseURL: URL(string: "about:blank")) // GOOD
This issue needs to be addressed to prevent it from being flagged in future scans.
Request:
Could the Team please review this issue. Our goal is to ensure that this particular CodeQL scan issue is resolved in upcoming scans to provide more security on the codebase.
Additional Information
We are using the CocoaPods dependency manager to integrate Elephant, at version 'Elephant', '0.1.0'.
Thank you for your attention to this matter.
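As an added example (not Elephant's code and not taken from the issue above), here is the flagged pattern beside the hardened form in a WKWebView, the class current iOS code uses in place of the deprecated UIWebView from the CodeQL help text. It assumes the view renders an SVG string that comes from an untrusted source; the class name, method names and the sample SVG are made up for illustration.

```swift
import UIKit
import WebKit

/// Added example, not the library's code: a view that renders an SVG string
/// in a WKWebView. The SVG is assumed to be untrusted (e.g. fetched from a
/// remote server), which is what makes the baseURL choice matter.
final class SVGWebView: UIView, WKNavigationDelegate {
    private let webView: WKWebView

    override init(frame: CGRect) {
        webView = WKWebView(frame: .zero, configuration: WKWebViewConfiguration())
        super.init(frame: frame)
        webView.navigationDelegate = self
        addSubview(webView)
    }

    required init?(coder: NSCoder) { fatalError("init(coder:) is not supported") }

    override func layoutSubviews() {
        super.layoutSubviews()
        webView.frame = bounds
    }

    /// BAD: a nil baseURL leaves URL resolution inside the page unrestricted.
    /// This is the shape CodeQL's "Unsafe WebView fetch" query reports.
    func loadUnrestricted(svg: String) {
        webView.loadHTMLString(wrap(svg), baseURL: nil)
    }

    /// GOOD: about:blank as the base URL, as the CodeQL recommendation says.
    /// Relative references in the SVG can no longer resolve to file:// paths
    /// or to a host the attacker picks.
    func loadRestricted(svg: String) {
        webView.loadHTMLString(wrap(svg), baseURL: URL(string: "about:blank"))
    }

    /// Wrap the SVG markup in a minimal HTML document for the web view.
    private func wrap(_ svg: String) -> String {
        "<!DOCTYPE html><html><body style=\"margin:0\">\(svg)</body></html>"
    }

    /// Defence in depth: cancel any navigation the page tries to start to a
    /// scheme other than about:. Note this delegate only sees navigations,
    /// not subresource loads such as <image> or <script> fetches; the base
    /// URL is what stops relative subresource references from resolving.
    func webView(_ webView: WKWebView,
                 decidePolicyFor navigationAction: WKNavigationAction,
                 decisionHandler: @escaping (WKNavigationActionPolicy) -> Void) {
        let scheme = navigationAction.request.url?.scheme?.lowercased()
        decisionHandler(scheme == "about" ? .allow : .cancel)
    }
}

// Constructed sample input: an SVG whose relative reference would, under a
// permissive base URL, be resolved by the web view; under about:blank it
// cannot be resolved to anything.
let untrustedSVG = """
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <image xlink:href="../../private/etc/hosts" width="100" height="100"/>
</svg>
"""

let view = SVGWebView(frame: CGRect(x: 0, y: 0, width: 100, height: 100))
view.loadRestricted(svg: untrustedSVG)
```

The `loadUnrestricted` method is kept only to show the call that the scanner objects to; a real fix removes it and keeps `loadRestricted`. If the SVG must reference resources of its own, use a base URL under your control (for example a bundle or application-support directory URL) rather than nil, as the recommendation above states.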