MOBILE-3458 core: Validate custom URLs and QR

src/lang/en.json

@@ -102,6 +102,7 @@
     "errorsomedatanotdownloaded": "If you downloaded this activity, please notice that some data isn't downloaded during the download process for performance and data usage reasons.",
     "errorsync": "An error occurred while synchronising. Please try again.",
     "errorsyncblocked": "This {{$a}} cannot be synchronised right now because of an ongoing process. Please try again later. If the problem persists, try restarting the app.",
+    "errorurlschemeinvalidsite": "This site URL cannot be opened in this app.",
     "explanationdigitalminor": "This information is required to determine if your age is over the digital age of consent. This is the age when an individual can consent to terms and conditions and their data being legally stored and processed.",
     "favourites": "Starred",
     "filename": "Filename",

src/providers/urlschemes.ts

@@ -29,6 +29,7 @@ import { CoreSitePluginsProvider } from '@core/siteplugins/providers/siteplugins
 import { CoreConfigConstants } from '../configconstants';
 import { CoreConstants } from '@core/constants';
 import { makeSingleton } from '@singletons/core.singletons';
+import { CoreUrl } from '@singletons/url';
 
 /**
  * All params that can be in a custom URL scheme.
@@ -166,6 +167,12 @@ export class CoreCustomURLSchemesProvider {
         }
 
         try {
+            const isValid = await this.isInFixedSiteUrls(data.siteUrl);
+
+            if (!isValid) {
+                throw this.translate.instant('core.errorurlschemeinvalidsite');
+            }
+
             if (data.redirect && data.redirect.match(/^https?:\/\//) && data.redirect.indexOf(data.siteUrl) == -1) {
                 // Redirect URL must belong to the same site. Reject.
                 throw this.translate.instant('core.contentlinks.errorredirectothersite');
@@ -540,6 +547,38 @@ export class CoreCustomURLSchemesProvider {
             this.domUtils.showErrorModalDefault(error.error, this.translate.instant('core.login.invalidsite'));
         }
     }
+
+    /**
+     * Check if a site URL is one of the fixed sites for the app (in case there are fixed sites).
+     *
+     * @param siteUrl Site URL to check.
+     * @return Promise resolved with boolean: whether is one of the fixed sites.
+     */
+    protected async isInFixedSiteUrls(siteUrl: string): Promise<boolean> {
+        if (this.loginHelper.isFixedUrlSet()) {
+
+            return CoreUrl.sameDomainAndPath(siteUrl, <string> this.loginHelper.getFixedSites());
+        } else if (this.loginHelper.hasSeveralFixedSites()) {
+            const sites = <any[]> this.loginHelper.getFixedSites();
+
+            const site = sites.find((site) => {
+                return CoreUrl.sameDomainAndPath(siteUrl, site.url);
+            });
+
+            return !!site;
+        } else if (CoreConfigConstants.multisitesdisplay == 'sitefinder' && CoreConfigConstants.onlyallowlistedsites) {
+            // Call the sites finder to validate the site.
+            const result = await this.sitesProvider.findSites(siteUrl.replace(/^https?\:\/\/|\.\w{2,3}\/?$/g, ''));
+
+            const site = result && result.find((site) => {
+                return CoreUrl.sameDomainAndPath(siteUrl, site.url);
+            });
+
+            return !!site;
+        }
+
+        return true;
+    }
 }
 
 /**

src/singletons/url.ts

@@ -12,6 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+import { CoreTextUtils } from '@providers/utils/text';
+
 /**
  * Parts contained within a url.
  */
@@ -172,4 +174,27 @@ export class CoreUrl {
     static removeProtocol(url: string): string {
         return url.replace(/^[a-zA-Z]+:\/\//i, '');
     }
+
+    /**
+     * Check if two URLs have the same domain and path.
+     *
+     * @param urlA First URL.
+     * @param urlB Second URL.
+     * @return Whether they have same domain and path.
+     */
+    static sameDomainAndPath(urlA: string, urlB: string): boolean {
+        // Add protocol if missing, the parse function requires it.
+        if (!urlA.match(/^[^\/:\.\?]*:\/\//)) {
+            urlA = `https://${urlA}`;
+        }
+        if (!urlB.match(/^[^\/:\.\?]*:\/\//)) {
+            urlB = `https://${urlB}`;
+        }
+
+        const partsA = CoreUrl.parse(urlA);
+        const partsB = CoreUrl.parse(urlB);
+
+        return partsA.domain == partsB.domain &&
+                CoreTextUtils.instance.removeEndingSlash(partsA.path) == CoreTextUtils.instance.removeEndingSlash(partsB.path);
+    }
 }