phishing alert implementation

we now check when building the string through the `AttributedStringBuilder` if a URL is actually hiding a different link, if so, we create a custom URL that contains both the external and the internal URL to advise the user through an Alert about the risk

Author: Velin92

ElementX/Sources/Application/Application.swift

@@ -11,6 +11,7 @@ import SwiftUI
 struct Application: App {
     @UIApplicationDelegateAdaptor(AppDelegate.self) private var appDelegate
     @Environment(\.openURL) private var openURL
+    @State private var alert: AlertInfo<ApplicationAlertType>?
 
     private var appCoordinator: AppCoordinatorProtocol!
 
@@ -34,13 +35,21 @@ struct Application: App {
                     if appCoordinator.handleDeepLink(url, isExternalURL: false) {
                         return .handled
                     }
+                    
+                    if let confirmationParameters = url.confirmationParameters {
+                        alert = .init(id: .confirmURL,
+                                      title: "Test",
+                                      message: "Test",
+                                      primaryButton: .init(title: "Confirm") { openURL(confirmationParameters.internalURL) },
+                                      secondaryButton: .init(title: L10n.actionCancel, action: nil))
+                        
+                        return .handled
+                    }
 
                     return .systemAction
                 })
-                .onOpenURL {
-                    if !appCoordinator.handleDeepLink($0, isExternalURL: true) {
-                        openURLInSystemBrowser($0)
-                    }
+                .onOpenURL { url in
+                    openURL(url)
                 }
                 .onContinueUserActivity("INStartVideoCallIntent") { userActivity in
                     // `INStartVideoCallIntent` is to be replaced with `INStartCallIntent`
@@ -50,10 +59,17 @@ struct Application: App {
                 .task {
                     appCoordinator.start()
                 }
+                .alert(item: $alert)
         }
     }
 
     // MARK: - Private
+    
+    private func openURL(_ url: URL) {
+        if !appCoordinator.handleDeepLink(url, isExternalURL: true) {
+            openURLInSystemBrowser(url)
+        }
+    }
 
     /// Hide the status bar so it doesn't interfere with the screenshot tests
     private var shouldHideStatusBar: Bool {
@@ -81,3 +97,7 @@ struct Application: App {
         openURL(url)
     }
 }
+
+enum ApplicationAlertType {
+    case confirmURL
+}

ElementX/Sources/Other/Extensions/URL.swift

@@ -101,6 +101,16 @@ extension URL: @retroactive ExpressibleByStringLiteral {
         return nil
     }
 
+    static let confirmationScheme = "confirm"
+    
+    var confirmationParameters: ConfirmURLParameters? {
+        guard scheme == Self.confirmationScheme,
+              let queryItems = URLComponents(url: self, resolvingAgainstBaseURL: true)?.queryItems else {
+            return nil
+        }
+        return ConfirmURLParameters(queryItems: queryItems)
+    }
+    
     // MARK: Mocks
 
     static var mockMXCAudio: URL { "mxc://matrix.org/1234567890AuDiO" }
@@ -110,3 +120,25 @@ extension URL: @retroactive ExpressibleByStringLiteral {
     static var mockMXCAvatar: URL { "mxc://matrix.org/1234567890AvAtAr" }
     static var mockMXCUserAvatar: URL { "mxc://matrix.org/1234567890AvAtArUsEr" }
 }
+
+struct ConfirmURLParameters {
+    let internalURL: URL
+    let externalURL: String
+    
+    var urlQueryItems: [URLQueryItem] {
+        [URLQueryItem(name: "internalURL", value: internalURL.absoluteString),
+         URLQueryItem(name: "externalURL", value: externalURL)]
+    }
+}
+
+extension ConfirmURLParameters {
+    init?(queryItems: [URLQueryItem]) {
+        guard let internalURLString = queryItems.first(where: { $0.name == "internalURL" })?.value,
+              let internalURL = URL(string: internalURLString),
+              let externalURLString = queryItems.first(where: { $0.name == "externalURL" })?.value else {
+            return nil
+        }
+        externalURL = externalURLString
+        self.internalURL = internalURL
+    }
+}

ElementX/Sources/Other/HTMLParsing/AttributedStringBuilder.swift

@@ -42,6 +42,7 @@ struct AttributedStringBuilder: AttributedStringBuilderProtocol {
 
         let mutableAttributedString = NSMutableAttributedString(string: string)
         removeDefaultForegroundColors(mutableAttributedString)
+        detectPhishingAttempts(mutableAttributedString)
         addLinksAndMentions(mutableAttributedString)
         detectPermalinks(mutableAttributedString)
 
@@ -98,6 +99,7 @@ struct AttributedStringBuilder: AttributedStringBuilderProtocol {
 
         let mutableAttributedString = NSMutableAttributedString(attributedString: attributedString)
         removeDefaultForegroundColors(mutableAttributedString)
+        detectPhishingAttempts(mutableAttributedString)
         addLinksAndMentions(mutableAttributedString)
         replaceMarkedBlockquotes(mutableAttributedString)
         replaceMarkedCodeBlocks(mutableAttributedString)
@@ -135,6 +137,23 @@ struct AttributedStringBuilder: AttributedStringBuilderProtocol {
         attributedString.removeAttribute(.foregroundColor, range: .init(location: 0, length: attributedString.length))
     }
 
+    private func detectPhishingAttempts(_ attributedString: NSMutableAttributedString) {
+        attributedString.enumerateAttribute(.link, in: .init(location: 0, length: attributedString.length), options: []) { value, range, _ in
+            guard value != nil, let internalURL = value as? URL else {
+                return
+            }
+            
+            let linkString = attributedString.attributedSubstring(from: range).string
+            guard MatrixEntityRegex.linkRegex.firstMatch(in: linkString) != nil,
+                  // To avoid false positives like [Matrix.org](https://matrix.org)
+                  sanitizeLink(linkString).lowercased() != sanitizeLink(internalURL.absoluteString).lowercased() else {
+                return
+            }
+            
+            handlePhishingAttempt(for: attributedString, in: range, internalURL: internalURL, externalURL: linkString)
+        }
+    }
+    
     // swiftlint:disable:next cyclomatic_complexity
     private func addLinksAndMentions(_ attributedString: NSMutableAttributedString) {
         let string = attributedString.string
@@ -177,19 +196,7 @@ struct AttributedStringBuilder: AttributedStringBuilderProtocol {
                 return nil
             }
 
-            var link = String(string[matchRange])
-            
-            if !link.contains("://") {
-                link.insert(contentsOf: "https://", at: link.startIndex)
-            }
-            
-            // Don't include punctuation characters at the end of links
-            // e.g `https://element.io/blog:` <- which is a valid link but the wrong place
-            while !link.isEmpty,
-                  link.rangeOfCharacter(from: .punctuationCharacters, options: .backwards)?.upperBound == link.endIndex {
-                link = String(link.dropLast())
-            }
-            
+            let link = sanitizeLink(String(string[matchRange]))
             return TextParsingMatch(type: .link(urlString: link), range: match.range)
         })
 
@@ -278,7 +285,8 @@ struct AttributedStringBuilder: AttributedStringBuilderProtocol {
     func detectPermalinks(_ attributedString: NSMutableAttributedString) {
         attributedString.enumerateAttribute(.link, in: .init(location: 0, length: attributedString.length), options: []) { value, range, _ in
             if value != nil {
-                if let url = value as? URL, let matrixEntity = parseMatrixEntityFrom(uri: url.absoluteString) {
+                if let url = value as? URL,
+                   let matrixEntity = parseMatrixEntityFrom(uri: url.absoluteString) {
                     switch matrixEntity.id {
                     case .user(let userID):
                         mentionBuilder.handleUserMention(for: attributedString, in: range, url: url, userID: userID, userDisplayName: nil)
@@ -303,6 +311,42 @@ struct AttributedStringBuilder: AttributedStringBuilderProtocol {
         }
     }
 
+    private func sanitizeLink(_ string: String) -> String {
+        var link = string
+        if !link.contains("://") {
+            link.insert(contentsOf: "https://", at: link.startIndex)
+        }
+        
+        // Don't include punctuation characters at the end of links
+        // e.g `https://element.io/blog:` <- which is a valid link but the wrong place
+        while !link.isEmpty,
+              link.rangeOfCharacter(from: .punctuationCharacters, options: .backwards)?.upperBound == link.endIndex {
+            link = String(link.dropLast())
+        }
+        
+        return link
+    }
+    
+    private func handlePhishingAttempt(for attributedString: NSMutableAttributedString,
+                                       in range: NSRange,
+                                       internalURL: URL,
+                                       externalURL: String) {
+        // Let's remove the existing link attribute
+        attributedString.removeAttribute(.link, range: range)
+        
+        var urlComponents = URLComponents()
+        urlComponents.scheme = URL.confirmationScheme
+        urlComponents.host = ""
+        let parameters = ConfirmURLParameters(internalURL: internalURL, externalURL: externalURL)
+        urlComponents.queryItems = parameters.urlQueryItems
+        
+        guard let finalURL = urlComponents.url else {
+            return
+        }
+        
+        attributedString.addAttribute(.link, value: finalURL, range: range)
+    }
+        
     private func removeDTCoreTextArtifacts(_ attributedString: NSMutableAttributedString) {
         guard attributedString.length > 0 else {
             return

UnitTests/Sources/AttributedStringBuilderTests.swift

@@ -136,9 +136,9 @@ class AttributedStringBuilderTests: XCTestCase {
     }
 
     func testRenderHTMLStringWithLinkInHeader() {
-        let h1HTMLString = "<h1><a href=\"https://www.matrix.org/\">Matrix.org</a></h1>"
-        let h2HTMLString = "<h2><a href=\"https://www.matrix.org/\">Matrix.org</a></h2>"
-        let h3HTMLString = "<h3><a href=\"https://www.matrix.org/\">Matrix.org</a></h3>"
+        let h1HTMLString = "<h1><a href=\"https://matrix.org/\">Matrix.org</a></h1>"
+        let h2HTMLString = "<h2><a href=\"https://matrix.org/\">Matrix.org</a></h2>"
+        let h3HTMLString = "<h3><a href=\"https://matrix.org/\">Matrix.org</a></h3>"
 
         guard let h1AttributedString = attributedStringBuilder.fromHTML(h1HTMLString),
               let h2AttributedString = attributedStringBuilder.fromHTML(h2HTMLString),
@@ -168,9 +168,9 @@ class AttributedStringBuilderTests: XCTestCase {
         XCTAssert(h1Font.pointSize > UIFont.preferredFont(forTextStyle: .body).pointSize)
         XCTAssert(h1Font.pointSize <= maxHeaderPointSize)
 
-        XCTAssertEqual(h1AttributedString.runs.first?.link?.host, "www.matrix.org")
-        XCTAssertEqual(h2AttributedString.runs.first?.link?.host, "www.matrix.org")
-        XCTAssertEqual(h3AttributedString.runs.first?.link?.host, "www.matrix.org")
+        XCTAssertEqual(h1AttributedString.runs.first?.link?.host, "matrix.org")
+        XCTAssertEqual(h2AttributedString.runs.first?.link?.host, "matrix.org")
+        XCTAssertEqual(h3AttributedString.runs.first?.link?.host, "matrix.org")
     }
 
     func testRenderHTMLStringWithIFrame() {