[maps-ios] MAPSIOS-2192: stop parsing source attributions through NSAttributedString HTML importer (#14087)

OdNairy · claude · github-actions[bot] · commit cd39e929a4a4 · 2026-05-29T07:43:51.000Z
## Summary Closes [MAPSIOS-2192](https://mapbox.atlassian.net/browse/MAPSIOS-2192). - Source `attribution` strings reach the SDK from per-source TileJSON and are operator-controlled. Routing them through `NSAttributedString.fromHTML(_:)` / `NSAttributedString(data:options:[.documentType: .html])` caused the WebKit-backed importer to silently fetch any `<img src>`, `<link>`, or CSS `url()` subresource referenced in those strings — zero-interaction on `Snapshotter.start(...)`, one-tap on the info-button path. - Replaced both HTML parsing paths in `Attribution.swift` with a synchronous regex-based extractor: cached `NSRegularExpression`s for `<a href>` and stray-tag stripping, a tiny entity table for the few entities (`&copy;`, `&amp;`, …) that actually appear in tileset attribution, a 16 KiB hard cap as defense in depth. - Added a scheme allow-list in `Attribution.init(title:url:)` — only `http`/`https` URLs remain `actionable`, so `javascript:`, `data:`, `file:` etc. can no longer reach the system URL opener. - Dropped `import WebKit` (it was only present for the HTML importer); added explicit `import UIKit` since UIKit had been pulled in transitively. - `Attribution.parse` is now synchronous; the old completion-based shape is kept as a thin synchronous shim so `MapboxMap.loadAttributions` keeps its `AttributionDataSource` callback signature. ## Regression coverage - Five existing `AttributionTests` are simplified to the synchronous API and continue to pass. - New behavioural tests cover the scheme allow-list (`testAttributionRejectsNonWebSchemes`), `<img>`-outside-anchor (`testAttributionRejectsMaliciousImg`), mixed HTML + plain text (`testAttributionMixedHTMLAndText`) and the input-length hard cap (`testAttributionHardCapRejectsHugeInput`). - `testAttributionParseDoesNotPerformNetworkIO` binds a local `NWListener` and uses an inverted `XCTestExpectation` to assert that parsing an attribution string with `<img src=…>` produces no outbound connection. Requires the `NSAllowsLocalNetworking` ATS exemption added to `MapboxTestHost/Info.plist`. ## Verification Performed locally (iPhone 17 Pro sim, iOS 26.5, Xcode 26.5): - `grep -rn 'import WebKit\|fromHTML\|documentType.*html' Sources/MapboxMaps/` → empty. - `xcodebuild -scheme MapboxMaps … build` → `** BUILD SUCCEEDED **`. - `xcodebuild test … -only-testing:MapboxMapsTests/AttributionTests` → all 13 tests pass; `testAttributionParseDoesNotPerformNetworkIO` passes in ~3 s (inverted expectation completes its timeout window with no listener hits). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> GitOrigin-RevId: 1567c1f7861aa6587171440b6a8ee27f47914e8a
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,8 @@ Mapbox welcomes participation and contributions from everyone.
 
 ### Bug fixes 🐞
 * Fix bug when tap on a view annotation triggered tap handler on Map view itself.
+* Source attribution strings are no longer parsed through `NSAttributedString`'s HTML importer, which silently fetched remote subresources referenced by attacker-influenced TileJSON `attribution` fields. Attribution markup is now extracted with a restricted in-process parser, and only `http`/`https` URLs are surfaced as actionable links.
+
 ## 11.24.3 - 27 May, 2026
 
 ## 11.24.2 - 20 May, 2026
diff --git a/Sources/MapboxMaps/Foundation/MapboxMap.swift b/Sources/MapboxMaps/Foundation/MapboxMap.swift
@@ -1590,7 +1590,7 @@ extension MapboxMap {
 
 extension MapboxMap: AttributionDataSource {
     func loadAttributions(completion: @escaping ([Attribution]) -> Void) {
-        Attribution.parse(__map.getAttributions(), completion: completion)
+        completion(Attribution.parse(__map.getAttributions()))
     }
 }
 
diff --git a/Sources/MapboxMaps/Snapshot/Snapshotter.swift b/Sources/MapboxMaps/Snapshot/Snapshotter.swift
@@ -150,15 +150,13 @@ public class Snapshotter: StyleManager {
             guard let self = self else { return }
 
             // Render attributions over the snapshot
-            Attribution.parse(snapshot.attributions()) { [weak self] attributions in
-                self?.overlaySnapshotWith(
-                    attributions: attributions,
-                    snapshotImage: uiImage,
-                    options: options,
-                    overlayDescriptor: overlayDescriptor,
-                    completion: completion
-                )
-            }
+            self.overlaySnapshotWith(
+                attributions: Attribution.parse(snapshot.attributions()),
+                snapshotImage: uiImage,
+                options: options,
+                overlayDescriptor: overlayDescriptor,
+                completion: completion
+            )
         }
     }
 
diff --git a/Sources/MapboxMaps/Style/Attribution.swift b/Sources/MapboxMaps/Style/Attribution.swift
@@ -1,5 +1,5 @@
 import Foundation
-import WebKit
+import UIKit
 internal import MapboxCommon_Private
 
 struct Attribution: Hashable {
@@ -60,7 +60,7 @@ struct Attribution: Hashable {
     internal init(title: String, url: URL?) {
         self.title = title
 
-        guard let url = url else {
+        guard let url, Self.isWebScheme(url) else {
             self.kind = .nonActionable
             return
         }
@@ -95,86 +95,131 @@ struct Attribution: Hashable {
         return NSAttributedString(string: attributionText, attributes: attributes)
     }
 
-    /// Parse the raw attribution strings from sources asynchronously
-    /// - Parameter rawAttributions: Array of HTML strings
-    /// - Parameter completion: A block that will be passed the result of parsing.
-    internal static func parse(_ rawAttributions: [String], completion: @escaping ([Attribution]) -> Void) {
-#if compiler(>=5.6.0) && canImport(_Concurrency)
-        Task { @MainActor in
-            let attributons = await parseAsync(rawAttributions)
-            completion(attributons)
-        }
-#else
-        completion(parseSynchronously(rawAttributions))
-#endif
-    }
-
-#if compiler(>=5.6.0) && canImport(_Concurrency)
-    /// Parse the raw attribution strings from sources asynchronously
-    /// - Parameter rawAttributions: Array of HTML strings
-    /// - Returns: Array of Attribution structs
-    private static func parseAsync(_ rawAttributions: [String]) async -> [Attribution] {
+    /// Parse the raw attribution strings from sources.
+    ///
+    /// Each string is treated as a restricted HTML fragment containing only
+    /// `<a href="...">text</a>` anchors and surrounding plain text. No HTML
+    /// importer is invoked — anchors are extracted with a regex and the
+    /// remaining markup is stripped. This is deliberate: handing these
+    /// strings (which originate from operator-controlled TileJSON
+    /// `attribution` fields) to `NSAttributedString`'s HTML reader would
+    /// cause the WebKit-backed importer to fetch any referenced subresource.
+    ///
+    /// Invariants this parser deliberately enforces (see MAPSIOS-2192):
+    /// - Only anchors with **quoted** `href` (`"…"` or `'…'`) are
+    ///   recognised. Unquoted forms like `<a href=javascript:alert(1)>x</a>`
+    ///   do not match `anchorRegex` and fall through to the plain-text
+    ///   path, where the whole string becomes a single `.nonActionable`
+    ///   Attribution. Quoting is universal in real tileset attribution, so
+    ///   rejecting unquoted hrefs avoids a tolerant URL extractor that
+    ///   could be tricked into surfacing dangerous schemes as actionable.
+    /// - Only `http`/`https` URLs become `.actionable`; every other scheme
+    ///   (`javascript:`, `data:`, `file:`, …) downgrades to `.nonActionable`
+    ///   in `init(title:url:)`.
+    /// - `<img>`, `<link>`, `<style>` and other non-anchor markup never
+    ///   reaches an HTML parser, so no subresource fetching can originate
+    ///   from this code path.
+    ///
+    /// - Parameter rawAttributions: Array of attribution strings.
+    /// - Returns: Deduplicated array of Attribution structs.
+    internal static func parse(_ rawAttributions: [String]) -> [Attribution] {
+        var seen: Set<Attribution> = []
         var result: [Attribution] = []
 
-        for attributionString in rawAttributions {
-            guard let attributedString = try? await NSAttributedString.fromHTML(attributionString).0 else {
-                continue
+        for raw in rawAttributions {
+            for attribution in parseOne(raw) where seen.insert(attribution).inserted {
+                result.append(attribution)
             }
-
-            result.append(contentsOf: attributedString.attributions)
         }
 
-        // Disallow duplicates.
-        // swiftlint:disable:next force_cast
-        return NSOrderedSet(array: result).array as! [Attribution]
+        return result
     }
-#endif
 
-    /// Parse the raw attribution strings from sources synchronously.
-    /// Known for intermittent crashes - https://developer.apple.com/forums/thread/115405?answerId=356326022#356326022
-    ///
-    /// - Parameter rawAttributions: Array of HTML strings
-    /// - Returns: Array of Attribution structs
-    private static func parseSynchronously(_ rawAttributions: [String]) -> [Attribution] {
-        let options: [NSAttributedString.DocumentReadingOptionKey: Any] = [
-            .characterEncoding: NSNumber(value: String.Encoding.utf8.rawValue),
-            .documentType: NSAttributedString.DocumentType.html
-        ]
+    // MARK: - Internals
+
+    /// Defense-in-depth cap on attribution string size; real attribution
+    /// strings are tens of characters.
+    private static let maxInputLength = 16 * 1024
+
+    private static let anchorRegex: NSRegularExpression = {
+        let pattern = #"<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)')[^>]*>(.*?)</a>"#
+        // swiftlint:disable:next force_try
+        return try! NSRegularExpression(pattern: pattern, options: [.caseInsensitive, .dotMatchesLineSeparators])
+    }()
+
+    private static let tagRegex: NSRegularExpression = {
+        // swiftlint:disable:next force_try
+        return try! NSRegularExpression(pattern: "<[^>]+>", options: [.dotMatchesLineSeparators])
+    }()
+
+    private static let trimCharacterSet = CharacterSet(charactersIn: "©").union(.whitespacesAndNewlines)
+
+    /// `&amp;` must be decoded last so we don't double-decode `&amp;copy;`.
+    private static let htmlEntities: [(String, String)] = [
+        ("&copy;", "©"),
+        ("&lt;", "<"),
+        ("&gt;", ">"),
+        ("&quot;", "\""),
+        ("&apos;", "'"),
+        ("&#39;", "'"),
+        ("&nbsp;", " "),
+        ("&amp;", "&")
+    ]
 
-        let attributions = rawAttributions
-            .compactMap { $0.data(using: .utf8) }
-            .compactMap { try? NSAttributedString(data: $0, options: options, documentAttributes: nil) }
-            .flatMap(\.attributions)
+    private static func parseOne(_ raw: String) -> [Attribution] {
+        guard !raw.isEmpty else { return [] }
 
-        // Disallow duplicates.
-        // swiftlint:disable:next force_cast
-        return NSOrderedSet(array: attributions).array as! [Attribution]
-    }
-}
+        guard raw.utf8.count <= maxInputLength else {
+            Log.warning(
+                "Attribution string exceeds \(maxInputLength)-byte hard cap (\(raw.utf8.count) bytes); dropping. " +
+                "Real tileset attribution strings are tens of characters — investigate the source.",
+                category: "Attribution"
+            )
+            return []
+        }
 
-fileprivate extension NSAttributedString {
-    var attributions: [Attribution] {
-        let characterSet = CharacterSet(charactersIn: "©").union(.whitespacesAndNewlines)
-        var attributions: [Attribution] = []
+        let fullRange = NSRange(raw.startIndex..., in: raw)
+        let matches = anchorRegex.matches(in: raw, options: [], range: fullRange)
 
-        enumerateAttribute(.link,
-                           in: NSRange(location: 0, length: length),
-                           options: []) { (value: Any?, range: NSRange, _: UnsafeMutablePointer<ObjCBool>) in
-            guard range.location != NSNotFound else {
-                return
-            }
+        guard !matches.isEmpty else {
+            let title = normalize(stripTags(raw))
+            return title.isEmpty ? [] : [Attribution(title: title, url: nil)]
+        }
 
-            let substring = attributedSubstring(from: range).string
-            let trimmedString = substring.trimmingCharacters(in: characterSet)
+        var attributions: [Attribution] = []
+        for match in matches {
+            guard let innerRange = Range(match.range(at: 3), in: raw) else { continue }
+            let title = normalize(stripTags(String(raw[innerRange])))
+            guard !title.isEmpty else { continue }
+
+            let hrefRange = Range(match.range(at: 1), in: raw) ?? Range(match.range(at: 2), in: raw)
+            let url = hrefRange
+                .map { decodeEntities(String(raw[$0])) }
+                .flatMap(URL.init(string:))
+            attributions.append(Attribution(title: title, url: url))
+        }
+        return attributions
+    }
 
-            guard !trimmedString.isEmpty else {
-                return
-            }
+    private static func stripTags(_ s: String) -> String {
+        let range = NSRange(s.startIndex..., in: s)
+        return tagRegex.stringByReplacingMatches(in: s, options: [], range: range, withTemplate: "")
+    }
 
-            let attribution = Attribution(title: trimmedString, url: value as? URL)
-            attributions.append(attribution)
+    private static func decodeEntities(_ s: String) -> String {
+        var out = s
+        for (entity, replacement) in htmlEntities where out.contains(entity) {
+            out = out.replacingOccurrences(of: entity, with: replacement)
         }
+        return out
+    }
 
-        return attributions
+    private static func normalize(_ s: String) -> String {
+        decodeEntities(s).trimmingCharacters(in: trimCharacterSet)
+    }
+
+    private static func isWebScheme(_ url: URL) -> Bool {
+        guard let scheme = url.scheme?.lowercased() else { return false }
+        return scheme == "https" || scheme == "http"
     }
 }
diff --git a/Sources/MapboxTestHost/Info.plist b/Sources/MapboxTestHost/Info.plist
@@ -4,6 +4,14 @@
 <dict>
 	<key>MBXAccessToken</key>
 	<string>MAPBOX_ACCESS_TOKEN</string>
+	<!-- Required by AttributionTests.testAttributionParseDoesNotPerformNetworkIO,
+	     which binds a local NWListener on 127.0.0.1 to verify that
+	     Attribution.parse performs no outbound network IO. -->
+	<key>NSAppTransportSecurity</key>
+	<dict>
+		<key>NSAllowsLocalNetworking</key>
+		<true/>
+	</dict>
 	<key>UIFileSharingEnabled</key>
 	<true/>
 </dict>
diff --git a/Tests/MapboxMapsTests/Style/AttributionTests.swift b/Tests/MapboxMapsTests/Style/AttributionTests.swift

Original file line number	Diff line number	Diff line change
`@@ -1590,7 +1590,7 @@ extension MapboxMap {`
`1590`	`1590`
`1591`	`1591`	`extension MapboxMap: AttributionDataSource {`
`1592`	`1592`	`func loadAttributions(completion: @escaping ([Attribution]) -> Void) {`
`1593`		`- Attribution.parse(__map.getAttributions(), completion: completion)`
	`1593`	`+ completion(Attribution.parse(__map.getAttributions()))`
`1594`	`1594`	`}`
`1595`	`1595`	`}`
`1596`	`1596`