SDK-469 Fix CodeQL string length conflation in deep link check (#1071)

sumeruchat · claude · web-flow · commit 481f525bfdef · 2026-06-02T14:20:31.000+01:00
Co-authored-by: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/swift-sdk/Internal/DeepLinkManager.swift b/swift-sdk/Internal/DeepLinkManager.swift
@@ -93,8 +93,12 @@ class DeepLinkManager: NSObject {
         guard let regex = try? NSRegularExpression(pattern: Const.deepLinkRegex, options: []) else {
             return false
         }
-        
-        return regex.firstMatch(in: urlString, options: [], range: NSMakeRange(0, urlString.count)) != nil
+
+        // Build the range with NSRange(_:in:) so it is in the UTF-16 coordinates
+        // NSRegularExpression expects. urlString.count conflates Swift String length
+        // with NSString length for non-BMP characters (CWE-135, SDK-469).
+        let range = NSRange(urlString.startIndex..<urlString.endIndex, in: urlString)
+        return regex.firstMatch(in: urlString, options: [], range: range) != nil
     }
     
     private lazy var redirectUrlSession: NetworkSessionProtocol = {
diff --git a/tests/unit-tests/DeepLinkTests.swift b/tests/unit-tests/DeepLinkTests.swift
@@ -149,7 +149,26 @@ class DeepLinkTests: XCTestCase {
     func testIsIterableDeepLinkReturnsFalseForEmptyString() {
         XCTAssertFalse(IterableAPI.isIterableDeepLink(""))
     }
-    
+
+    // SDK-469: when the URL contains non-BMP characters (e.g. emoji) BEFORE the
+    // deep-link path segment, String.count under-counts vs NSString.length (each
+    // 👍🏿 is one Character but four UTF-16 code units). A search range built from
+    // String.count stops short of the trailing "/a/..." segment and misses the
+    // match; a range built from NSString.length covers the full string.
+    //
+    // The emoji prefix is long enough that the count deficit pushes the entire
+    // "/a/..." token past the truncated range, so this test FAILS against the old
+    // String.count-based implementation and passes with the NSString.length fix.
+    func testIsIterableDeepLinkMatchesWithNonBMPCharactersBeforePath() {
+        let urlWithEmoji = "https://links.iterable.com/" + String(repeating: "👍🏿", count: 20) + "/a/60402396fbd5433eb35397b47ab2fb83"
+        XCTAssertTrue(IterableAPI.isIterableDeepLink(urlWithEmoji))
+    }
+
+    func testIsIterableDeepLinkHandlesNonBMPCharactersWithoutDeepLinkPath() {
+        let urlWithEmoji = "https://example.com/" + String(repeating: "👍🏿", count: 20) + "/some/path"
+        XCTAssertFalse(IterableAPI.isIterableDeepLink(urlWithEmoji))
+    }
+
     // MARK: - Other Tests
     
     /// this is a service that automatically redirects if that url is hit, make sure we are not actually hitting the url but our servers

Original file line number	Diff line number	Diff line change
`@@ -93,8 +93,12 @@ class DeepLinkManager: NSObject {`
`93`	`93`	`guard let regex = try? NSRegularExpression(pattern: Const.deepLinkRegex, options: []) else {`
`94`	`94`	`return false`
`95`	`95`	`}`
`96`		`-`
`97`		`- return regex.firstMatch(in: urlString, options: [], range: NSMakeRange(0, urlString.count)) != nil`
	`96`	`+`
	`97`	`+ // Build the range with NSRange(_:in:) so it is in the UTF-16 coordinates`
	`98`	`+ // NSRegularExpression expects. urlString.count conflates Swift String length`
	`99`	`+ // with NSString length for non-BMP characters (CWE-135, SDK-469).`
	`100`	`+ let range = NSRange(urlString.startIndex..<urlString.endIndex, in: urlString)`
	`101`	`+ return regex.firstMatch(in: urlString, options: [], range: range) != nil`
`98`	`102`	`}`
`99`	`103`
`100`	`104`	`private lazy var redirectUrlSession: NetworkSessionProtocol = {`