BUG: zat validate is too aggressive when checking for insecure URLs | Community
Skip to main content

BUG: zat validate is too aggressive when checking for insecure URLs

  • May 18, 2022
  • 2 replies
  • 0 views
Chris63

In requests.rb, there is:

def find_address_containing_http(file_content)
file_content.scan(URI.regexp(['http'])).map(&:compact).map(&:last)
end
 
This regex is far too aggressive: it looks a URL anywhere in the code, without regard for _why_ that URL is being used. For example, an xmlns value would be an insecure URL (e.g. 
 
I can't validate (or package) my app because of this code. Is there a way I can tell the validation to ignore those sections?

    2 replies

    Greg29
    • Greg29
    • May 18, 2022

    Hi Chris! I just tested this in a sample app and I received some warnings about insecure HTTP requests, but it did validate the app successfully. Are you receiving any other errors at the same time that may be preventing validation/package? If so, could you share the error messages that you receive?

    Also, I would recommend looking at a tool that is currently in beta, called ZCLI, for app development. When I ran the same validate command there, I didn't even receive the warnings. There are a few things that need to be ironed out with ZCLI before it's production ready, but it might handle some things better than ZAT does, so it's worth a shot!

    Chris63
    • Chris63
    • Author
    • May 19, 2022

    Thanks for the suggestion Greg. I can confirm that ZCLI doesn't have the same issue.

    Terms & ConditionsCookie settingsAccessibility statement