Skip to content

fix(mobile): validate external URL schemes before opening (port #2494) #2498

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
charlesvien merged 2 commits into from
Jun 10, 2026
Merged

fix(mobile): validate external URL schemes before opening (port #2494) #2498

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6e0bf11
fix(mobile): validate external URL schemes before opening (port #2494)
Gilbert09 Jun 5, 2026
c94732a
fix(mobile): log blocked WebView URLs and parameterise opener tests
Gilbert09 Jun 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions apps/mobile/src/app/mcp-servers/template/[id].tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ import { Lock, Warning } from "phosphor-react-native";
import { useMemo, useState } from "react";
import {
ActivityIndicator,
Linking,
Pressable,
ScrollView,
TextInput,
Expand All @@ -21,6 +20,7 @@ import { installTemplateWithOAuth } from "@/features/mcp/oauth";
import { isStdioServer } from "@/features/mcp/types";
import { useScreenInsets } from "@/hooks/useScreenInsets";
import { logger } from "@/lib/logger";
import { openExternalUrl } from "@/lib/openExternalUrl";
import { useThemeColors } from "@/lib/theme";

const log = logger.scope("mcp-template-detail");
Expand Down Expand Up @@ -168,7 +168,7 @@ export default function McpTemplateDetailScreen() {

{template.docs_url ? (
<Pressable
onPress={() => Linking.openURL(template.docs_url as string)}
onPress={() => openExternalUrl(template.docs_url as string)}
className="mb-4 rounded-lg border border-gray-5 bg-card px-3 py-2 active:bg-gray-2"
>
<Text className="font-medium text-[13px] text-accent-11">
Expand Down
5 changes: 3 additions & 2 deletions apps/mobile/src/features/chat/components/GithubRefChip.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { Linking, Text } from "react-native";
import { Text } from "react-native";
import { openExternalUrl } from "@/lib/openExternalUrl";

interface GithubRefChipProps {
href: string;
Expand All @@ -13,7 +14,7 @@ interface GithubRefChipProps {
export function GithubRefChip({ href, kind, label }: GithubRefChipProps) {
return (
<Text
onPress={() => Linking.openURL(href)}
onPress={() => openExternalUrl(href)}
className="rounded-md bg-gray-3 px-1.5 py-0.5 font-mono text-[11px] text-accent-11"
accessibilityRole="link"
accessibilityLabel={`GitHub ${kind === "pr" ? "pull request" : "issue"} ${label}`}
Expand Down
12 changes: 3 additions & 9 deletions apps/mobile/src/features/chat/components/MarkdownImage.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,13 +1,7 @@
import { ImageBroken } from "phosphor-react-native";
import { useEffect, useState } from "react";
import {
ActivityIndicator,
Image,
Linking,
Pressable,
Text,
View,
} from "react-native";
import { ActivityIndicator, Image, Pressable, Text, View } from "react-native";
import { openExternalUrl } from "@/lib/openExternalUrl";
import { useThemeColors } from "@/lib/theme";

interface MarkdownImageProps {
Expand Down Expand Up @@ -67,7 +61,7 @@ export function MarkdownImage({ url, alt }: MarkdownImageProps) {

return (
<Pressable
onPress={() => Linking.openURL(url)}
onPress={() => openExternalUrl(url)}
accessibilityRole="image"
accessibilityLabel={alt || "Image"}
className="active:opacity-80"
Expand Down
5 changes: 3 additions & 2 deletions apps/mobile/src/features/chat/components/MarkdownText.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,9 @@
import { useMemo } from "react";
import { Linking, ScrollView, Text, View } from "react-native";
import { ScrollView, Text, View } from "react-native";
import { getCloudUrlFromRegion, useAuthStore } from "@/features/auth";
import { UNIVERSAL_LINK_PREFIX } from "@/lib/deep-links";
import { parseGithubIssueUrl } from "@/lib/githubIssueUrl";
import { openExternalUrl } from "@/lib/openExternalUrl";
import { type ParsePostHogUrlOptions, parsePostHogUrl } from "@/lib/posthogUrl";
import { getColorForClass, highlightCode } from "@/lib/syntax-highlight";
import { useThemeColors } from "@/lib/theme";
Expand Down Expand Up @@ -223,7 +224,7 @@ function parseBlocks(text: string): Block[] {
}

function openUrl(url: string) {
Linking.openURL(url);
openExternalUrl(url);
}

function splitTrailingPunctuation(text: string): {
Expand Down
5 changes: 3 additions & 2 deletions apps/mobile/src/features/chat/components/PostHogRefChip.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { Linking, Text } from "react-native";
import { Text } from "react-native";
import { openExternalUrl } from "@/lib/openExternalUrl";
import type { PostHogRefKind } from "@/lib/posthogUrl";

interface PostHogRefChipProps {
Expand All @@ -19,7 +20,7 @@ export function PostHogRefChip({ href, kind, label }: PostHogRefChipProps) {

return (
<Text
onPress={() => Linking.openURL(href)}
onPress={() => openExternalUrl(href)}
className="rounded-md bg-gray-3 px-1.5 py-0.5 font-mono text-[11px] text-accent-11"
accessibilityRole="link"
accessibilityLabel={`PostHog ${destination} link ${label}`}
Expand Down
5 changes: 3 additions & 2 deletions apps/mobile/src/features/inbox/components/SignalCard.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,10 @@ import {
WarningCircle,
} from "phosphor-react-native";
import { useState } from "react";
import { Linking, Pressable, View } from "react-native";
import { Pressable, View } from "react-native";
import { MarkdownText } from "@/features/chat/components/MarkdownText";
import { formatRelativeTime } from "@/lib/format";
import { openExternalUrl } from "@/lib/openExternalUrl";
import { useThemeColors } from "@/lib/theme";
import type { Signal, SignalFindingContent } from "../types";

Expand Down Expand Up @@ -248,7 +249,7 @@ export function SignalCard({ signal, finding }: SignalCardProps) {
<View className="flex-1" />
{externalUrl && (
<Pressable
onPress={() => Linking.openURL(externalUrl)}
onPress={() => openExternalUrl(externalUrl)}
hitSlop={6}
className="flex-row items-center gap-1 active:opacity-60"
>
Expand Down
4 changes: 2 additions & 2 deletions apps/mobile/src/features/inbox/components/SuggestedReviewers.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@ import { useMemo, useState } from "react";
import {
ActivityIndicator,
Image,
Linking,
Pressable,
ScrollView,
View,
Expand All @@ -13,6 +12,7 @@ import type {
InboxReportActionProperties,
InboxReportActionType,
} from "@/lib/analytics";
import { openExternalUrl } from "@/lib/openExternalUrl";
import { useThemeColors } from "@/lib/theme";
import { useUpdateSuggestedReviewers } from "../hooks/useInboxReports";
import type {
Expand Down Expand Up @@ -159,7 +159,7 @@ export function SuggestedReviewers({
fireAction("click_suggested_reviewer", {
suggested_reviewer_login: reviewer.github_login,
});
Linking.openURL(
openExternalUrl(
`https://github.com/${reviewer.github_login}`,
);
}}
Expand Down
8 changes: 8 additions & 0 deletions apps/mobile/src/features/mcp/components/McpAppHost.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { Text } from "@components/text";
import type { McpUiDisplayMode } from "@modelcontextprotocol/ext-apps/app-bridge";
import type { CallToolResult } from "@modelcontextprotocol/sdk/types.js";
import { isSafeExternalUrl } from "@posthog/shared";
import * as WebBrowser from "expo-web-browser";
import { ArrowsIn, ArrowsOut, Warning } from "phosphor-react-native";
import { useCallback, useMemo, useRef, useState } from "react";
Expand All @@ -14,6 +15,7 @@ import {
} from "react-native";
import { useSafeAreaInsets } from "react-native-safe-area-context";
import WebView, { type WebViewMessageEvent } from "react-native-webview";
import { logger } from "@/lib/logger";
import { useThemeColors } from "@/lib/theme";
import { useMcpInstallations } from "../hooks";
import { sandboxProxyHtml } from "../sandbox/sandboxProxyHtml";
Expand All @@ -32,6 +34,8 @@ interface McpAppHostProps {
status: "pending" | "running" | "completed" | "error";
}

const log = logger.scope("McpAppHost");

const INLINE_MIN_HEIGHT = 180;
const INLINE_MAX_HEIGHT = 520;

Expand Down Expand Up @@ -108,6 +112,10 @@ export function McpAppHost(props: McpAppHostProps) {
);

const handleOpenLink = useCallback(async (args: { url: string }) => {
if (!isSafeExternalUrl(args.url)) {
log.warn("Blocked external URL with unsafe scheme", args.url);
return;
}
await WebBrowser.openBrowserAsync(args.url);
}, []);
Comment thread
Gilbert09 marked this conversation as resolved.

Expand Down
5 changes: 3 additions & 2 deletions apps/mobile/src/features/tasks/components/PrStatusBadge.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import { GitMerge, GitPullRequest } from "phosphor-react-native";
import { Linking, Pressable } from "react-native";
import { Pressable } from "react-native";
import { openExternalUrl } from "@/lib/openExternalUrl";
import { toRgba, useThemeColors } from "@/lib/theme";
import { usePrStatus } from "../hooks/usePrStatus";

Expand All @@ -17,7 +18,7 @@ export function PrStatusBadge({ prUrl }: PrStatusBadgeProps) {
const { data: status } = usePrStatus(prUrl);

const handlePress = () => {
Linking.openURL(prUrl).catch(() => {});
openExternalUrl(prUrl);
};

let color: string = themeColors.gray[11];
Expand Down
56 changes: 56 additions & 0 deletions apps/mobile/src/lib/openExternalUrl.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
import { isSafeExternalUrl } from "@posthog/shared";
import { beforeEach, describe, expect, it, vi } from "vitest";

const openURL = vi.fn((_url: string) => Promise.resolve(true));

vi.mock("react-native", () => ({
Linking: { openURL: (url: string) => openURL(url) },
}));

import { openExternalUrl } from "./openExternalUrl";

describe("isSafeExternalUrl in the mobile bundle", () => {
it.each([
"https://github.com/PostHog/code/pull/42",
"http://example.com",
"https://example.com/path?q=1#frag",
"HTTPS://EXAMPLE.COM",
"mailto:hi@posthog.com",
])("allows %s", (url) => {
expect(isSafeExternalUrl(url)).toBe(true);
});

it.each([
"javascript:alert(1)",
"file:///etc/passwd",
"data:text/html,<script>alert(1)</script>",
"smb://server/share",
"ms-msdt:/id",
"vscode://extension",
"//evil.com",
"/relative/path",
"not a url",
"",
" ",
])("blocks %s", (url) => {
expect(isSafeExternalUrl(url)).toBe(false);
});
});

describe("openExternalUrl", () => {
beforeEach(() => {
openURL.mockClear();
});

it.each([
["https://example.com", "https://example.com"],
["javascript:alert(1)", null],
])("opens %s only when safe", (url, expectedCall) => {
openExternalUrl(url);
if (expectedCall === null) {
expect(openURL).not.toHaveBeenCalled();
} else {
expect(openURL).toHaveBeenCalledWith(expectedCall);
}
});
});
Comment thread
Gilbert09 marked this conversation as resolved.
13 changes: 13 additions & 0 deletions apps/mobile/src/lib/openExternalUrl.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
import { isSafeExternalUrl } from "@posthog/shared";
import { Linking } from "react-native";
import { logger } from "@/lib/logger";

const log = logger.scope("openExternalUrl");

export function openExternalUrl(url: string): void {
if (!isSafeExternalUrl(url)) {
log.warn("Blocked external URL with unsafe scheme", url);
return;
}
void Linking.openURL(url).catch(() => {});
}
Loading