Merge pull request #19 from browserstack/fix/DEVA11Y-479-block-file-scheme

sunny-se · web-flow · commit 576f0d556116 · 2026-05-29T09:44:43.000+05:30
fix(security): restrict download URL override to HTTPS only [DEVA11Y-479]
diff --git a/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift b/Plugins/BrowserStackAccessibilityLint/BrowserStackAccessibilityLint.swift
@@ -100,10 +100,13 @@ private func parseOverride(urlString: String?) throws -> URL? {
     guard let urlString = urlString, !urlString.isEmpty else {
         return nil
     }
-    if let url = URL(string: urlString), let scheme = url.scheme, ["http", "https", "file"].contains(scheme.lowercased()) {
-        return url
+    guard let url = URL(string: urlString), let scheme = url.scheme else {
+        throw PluginError("Invalid download URL: \(urlString). Only HTTPS URLs are supported.")
+    }
+    guard scheme.lowercased() == "https" else {
+        throw PluginError("Unsupported URL scheme '\(scheme)' in download URL. Only HTTPS is allowed.")
     }
-    return URL(fileURLWithPath: urlString)
+    return url
 }
 
 private func sanitizeArguments(_ arguments: [String]) -> [String] {

Original file line number	Diff line number	Diff line change
`@@ -100,10 +100,13 @@ private func parseOverride(urlString: String?) throws -> URL? {`
`100`	`100`	`guard let urlString = urlString, !urlString.isEmpty else {`
`101`	`101`	`return nil`
`102`	`102`	`}`
`103`		`- if let url = URL(string: urlString), let scheme = url.scheme, ["http", "https", "file"].contains(scheme.lowercased()) {`
`104`		`- return url`
	`103`	`+ guard let url = URL(string: urlString), let scheme = url.scheme else {`
	`104`	`+ throw PluginError("Invalid download URL: \(urlString). Only HTTPS URLs are supported.")`
	`105`	`+ }`
	`106`	`+ guard scheme.lowercased() == "https" else {`
	`107`	`+ throw PluginError("Unsupported URL scheme '\(scheme)' in download URL. Only HTTPS is allowed.")`
`105`	`108`	`}`
`106`		`- return URL(fileURLWithPath: urlString)`
	`109`	`+ return url`
`107`	`110`	`}`
`108`	`111`
`109`	`112`	`private func sanitizeArguments(_ arguments: [String]) -> [String] {`