Skip to main content

URL verification

Verify URLs

URLs input from external sources are a subtle, yet common source of vulnerabilities. The key capability provided by safe to run in respect of insecure URLs is the ability to call urlVerification on a string.

The return value is true if the URL verification is safe, and false if not

Configuration

By default, no URLs are allowed:

"https://safetorun.com".urlVerification {} == false 

However, we can add an allowed host:

"https://safetorun.com".urlVerification {
"safetorun.com".allowHost()
} == true

Or, we can specify an entire URL:

"https://safetorun.com".urlVerification {
"https://safetorun.com".allowUrl()
} == true

Not recommended - but we can bypass any URL check by allowing all urls:

"https://safetorun.com".urlVerification {
allowAnyUrl()
} == true

Parameters

By default, no parameters are allowed;

"https://safetorun.com?param=abc".urlVerification {
"safetorun.com".allowHost()
} == false

We can, however add some allowable configuration:

"https://safetorun.com?param=abc".urlVerification {
"safetorun.com".allowHost()
allowParameter {
allowedType = AllowedType.String
parameterName = "param"
}
} == true

These allowed types will only allow the correct types to be used as parameters:

"https://safetorun.com?param=abc".urlVerification {
"safetorun.com".allowHost()
allowParameter {
allowedType = AllowedType.Bool
parameterName = "param"
}
} == false

You can allow very specific URLs if you prefer:

"https://safetorun.com?param=abc".urlVerification {
"https://safetorun.com?param=abc".allowUrl()
} == true

Or, you can bypass the whole check for parameters (not recommended):

"https://safetorun.com?param=abc".urlVerification {
"safetorun.com".allowHost()
allowAnyParameter()
} == true

Any URL will also allow parameters:

"https://safetorun.com?param=abc".urlVerification {
allowAnyUrl()
} == true

Samples

A sample of protecting your webview from 3rd party websites:

3rd party website protection

A sample of protecting your app from third party intents:

3rd party intent protection