Address PR review comments: Add centralized allowlists, specific exceptions, and validation improvements

Nitin Chaudhary · Nitin Chaudhary · commit 6f816dae0876 · 2025-11-03T10:59:48.000+05:30
diff --git a/vnext/Shared/InputValidation.cpp b/vnext/Shared/InputValidation.cpp
@@ -65,7 +65,7 @@ std::string URLValidator::DecodeURL(const std::string &url) {
         char *end;
         long value = strtol(hex, &end, 16);
         if (end == hex + 2 && value >= 0 && value <= 255) {
-          temp += static_cast<char>(value & 0xFF);
+          temp += static_cast<char>(static_cast<unsigned char>(value & 0xFF));
           i += 2;
           continue;
         }
@@ -305,7 +305,7 @@ std::string PathValidator::DecodePath(const std::string &path) {
         char *end;
         long value = strtol(hex, &end, 16);
         if (end == hex + 2 && value >= 0 && value <= 255) {
-          temp += static_cast<char>(value & 0xFF);
+          temp += static_cast<char>(static_cast<unsigned char>(value & 0xFF));
           i += 2;
           continue;
         }
diff --git a/vnext/Shared/InputValidation.h b/vnext/Shared/InputValidation.h
@@ -11,12 +11,54 @@
 
 namespace Microsoft::ReactNative::InputValidation {
 
-// Security exception for validation failures
+// Security exceptions for validation failures
 class ValidationException : public std::runtime_error {
  public:
   explicit ValidationException(const std::string &message) : std::runtime_error(message) {}
 };
 
+// Specific validation exception types
+class InvalidSizeException : public std::logic_error {
+ public:
+  explicit InvalidSizeException(const std::string &message) : std::logic_error(message) {}
+};
+
+class InvalidEncodingException : public std::logic_error {
+ public:
+  explicit InvalidEncodingException(const std::string &message) : std::logic_error(message) {}
+};
+
+class InvalidPathException : public std::logic_error {
+ public:
+  explicit InvalidPathException(const std::string &message) : std::logic_error(message) {}
+};
+
+class InvalidURLException : public std::logic_error {
+ public:
+  explicit InvalidURLException(const std::string &message) : std::logic_error(message) {}
+};
+
+// Centralized allowlists for encodings
+namespace AllowedEncodings {
+static const std::vector<std::string> FILE_READER_ENCODINGS = {
+    "UTF-8", "utf-8", "utf8",
+    "UTF-16", "utf-16", "utf16",
+    "ASCII", "ascii",
+    "ISO-8859-1", "iso-8859-1",
+    "" // Empty is allowed (defaults to UTF-8)
+};
+} // namespace AllowedEncodings
+
+// Centralized URL scheme allowlists
+namespace AllowedSchemes {
+static const std::vector<std::string> HTTP_SCHEMES = {"http", "https"};
+static const std::vector<std::string> WEBSOCKET_SCHEMES = {"ws", "wss"};
+static const std::vector<std::string> FILE_SCHEMES = {"file"};
+static const std::vector<std::string> LINKING_SCHEMES = {"http", "https", "mailto", "tel"};
+static const std::vector<std::string> IMAGE_SCHEMES = {"http", "https"};
+static const std::vector<std::string> DEBUG_SCHEMES = {"http", "https", "file"};
+} // namespace AllowedSchemes
+
 // Logging callback for validation failures (SDL requirement)
 using ValidationLogger = std::function<void(const std::string &category, const std::string &message)>;
 void SetValidationLogger(ValidationLogger logger);
@@ -98,6 +140,7 @@ class SizeValidator {
   static constexpr size_t MAX_CLOSE_REASON = 123; // WebSocket spec
   static constexpr size_t MAX_URL_LENGTH = 2048; // URL max
   static constexpr size_t MAX_HEADER_LENGTH = 8192; // Header max
+  static constexpr size_t MAX_DATA_URI_SIZE = 10 * 1024 * 1024; // 10MB for data URIs
 };
 
 // Encoding Validation - Protects against malformed data (SDL compliant)
diff --git a/vnext/Shared/Modules/FileReaderModule.cpp b/vnext/Shared/Modules/FileReaderModule.cpp
@@ -103,24 +103,9 @@ void FileReaderTurboModule::ReadAsText(
 
   // SDL Compliance: Validate encoding (P1 - CVSS 5.5)
   try {
-    // Allowlist of safe encodings (static to avoid repeated allocations)
-    static const std::vector<std::string> allowedEncodings = {
-        "UTF-8",
-        "utf-8",
-        "utf8",
-        "UTF-16",
-        "utf-16",
-        "utf16",
-        "ASCII",
-        "ascii",
-        "ISO-8859-1",
-        "iso-8859-1",
-        "" // Empty is allowed (defaults to UTF-8)
-    };
-
     if (!encoding.empty()) {
       bool isAllowed = false;
-      for (const auto &allowed : allowedEncodings) {
+      for (const auto &allowed : Microsoft::ReactNative::InputValidation::AllowedEncodings::FILE_READER_ENCODINGS) {
         if (encoding == allowed) {
           isAllowed = true;
           break;
diff --git a/vnext/Shared/Modules/HttpModule.cpp b/vnext/Shared/Modules/HttpModule.cpp
@@ -130,9 +130,12 @@ void HttpTurboModule::SendRequest(
   // SDL Compliance: Validate headers for CRLF injection (P2 - CVSS 4.5)
   try {
     for (auto &entry : headersObj) {
+      std::string headerName = entry.first;
       std::string headerValue = entry.second.AsString();
+      // Validate both header name and value for CRLF injection
+      Microsoft::ReactNative::InputValidation::EncodingValidator::ValidateHeaderValue(headerName);
       Microsoft::ReactNative::InputValidation::EncodingValidator::ValidateHeaderValue(headerValue);
-      headers.emplace(entry.first, std::move(headerValue));
+      headers.emplace(std::move(headerName), std::move(headerValue));
     }
   } catch (const Microsoft::ReactNative::InputValidation::ValidationException &ex) {
     // Call callback with requestId, then send error event
