BUG: zat validate is too aggressive when checking for insecure URLs

Answered

May 18, 2022 20:55

In requests.rb, there is:

def find_address_containing_http(file_content)

file_content.scan(URI.regexp(['http'])).map(&:compact).map(&:last)

end

This regex is far too aggressive: it looks a URL anywhere in the code, without regard for _why_ that URL is being used. For example, an xmlns value would be an insecure URL (e.g.

http://www.w3.org/2000/svg)

I can't validate (or package) my app because of this code. Is there a way I can tell the validation to ignore those sections?

2 Comments

Greg Katechis
- May 18, 2022 22:41
Zendesk Developer Advocacy
Hi Chris! I just tested this in a sample app and I received some warnings about insecure HTTP requests, but it did validate the app successfully. Are you receiving any other errors at the same time that may be preventing validation/package? If so, could you share the error messages that you receive?

Also, I would recommend looking at a tool that is currently in beta, called ZCLI, for app development. When I ran the same validate command there, I didn't even receive the warnings. There are a few things that need to be ironed out with ZCLI before it's production ready, but it might handle some things better than ZAT does, so it's worth a shot!

-1
Chris Pellet
- May 19, 2022 15:20
Thanks for the suggestion Greg. I can confirm that ZCLI doesn't have the same issue.

0

Please sign in to leave a comment.

2 Comments

Didn't find what you were looking for?