Fix unsafe URL bypass, social auth race condition, and hardcoded App Store ID

[Copilot]

Three medium-severity security issues: unvalidated user-controlled URLs passed to bypassSecurityTrustUrl, a concurrent initialization race in SocialAuthService, and a hardcoded iOS App Store ID aiding attribution fraud reconnaissance.

Changes

Validate URL scheme before bypassSecurityTrustUrl (media-viewer.page.ts)

The media-viewer/:src route accepted any URL scheme and passed it directly to bypassSecurityTrustUrl, exploitable via deep links. Now validates against an allowlist; navigates back and logs an error on invalid input.

const ALLOWED_URL_SCHEMES = ['blob:', 'https:', 'capacitor:'];

map((src): SafeUrl | null => {
  if (!ALLOWED_URL_SCHEMES.some(scheme => src.startsWith(scheme))) {
    console.error(`Blocked media URL with disallowed scheme: ${src}`);
    this.navController.back();
    return null;
  }
  return this.sanitizer.bypassSecurityTrustUrl(src);
}),
filter((src): src is SafeUrl => src !== null),

Fix initialization race condition (social-auth.service.ts)

ensureInitialized$() used a boolean initializing flag that caused concurrent callers to return before SocialLogin.initialize() completed. Replaced with a stored promise so all concurrent callers await the same in-flight initialization.

private async initSocialAuth(): Promise<void> {
  if (this.initialized) return Promise.resolve();
  if (!this.initializationPromise) {
    this.initializationPromise = SocialLogin.initialize({ ... })
      .then(() => { this.initialized = true; })
      .catch((err: unknown) => { this.initializationPromise = undefined; throw err; });
  }
  return this.initializationPromise;
}

Move App Store ID to environment config (apps-flyer.service.ts)

Hardcoded appID: '1536388009' replaced with environment.appsFlyerAppId, defined in both environment.ts and environment.prod.ts.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• accounts.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5300 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45695334 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,11888773020899626909,13158781441485370164,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,6764469788016304644,12115922278089105067,4 --trace-process-track-uuid=3190708989122997041 node (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-45695334 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=45695334 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 /docgen npm (dns block)
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5445 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-33534540 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6098245351063439170,9511589693279506805,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,16365533620647581260,9681406616313523314,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)
• android.clients.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5669 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-90695658 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,10590328538957487188,1677161392518640115,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,12227719290131458132,123970372596049164,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-90695658 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=90695658 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 de/node/bin/node--noprofile sh (dns block)
• clients2.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5300 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45695334 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,11888773020899626909,13158781441485370164,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,6764469788016304644,12115922278089105067,4 --trace-process-track-uuid=3190708989122997041 node (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-45695334 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=45695334 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 /docgen npm (dns block)
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5445 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-33534540 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6098245351063439170,9511589693279506805,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,16365533620647581260,9681406616313523314,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)
• clientservices.googleapis.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5300 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45695334 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,11888773020899626909,13158781441485370164,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,6764469788016304644,12115922278089105067,4 --trace-process-track-uuid=3190708989122997041 node (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-45695334 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=45695334 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 /docgen npm (dns block)
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5445 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-33534540 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6098245351063439170,9511589693279506805,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,16365533620647581260,9681406616313523314,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)
• download.cypress.io
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node node index.js --exec install /doc�� get --global /sh commit.gpgsign (dns block)
• redirector.gvt1.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5300 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45695334 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,11888773020899626909,13158781441485370164,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,6764469788016304644,12115922278089105067,4 --trace-process-track-uuid=3190708989122997041 node (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-45695334 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=45695334 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 /docgen npm (dns block)
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5445 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-33534540 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6098245351063439170,9511589693279506805,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,16365533620647581260,9681406616313523314,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)
• safebrowsingohttpgateway.googleapis.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5300 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45695334 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,11888773020899626909,13158781441485370164,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,6764469788016304644,12115922278089105067,4 --trace-process-track-uuid=3190708989122997041 node (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-45695334 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=45695334 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 /docgen npm (dns block)
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5445 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-33534540 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6098245351063439170,9511589693279506805,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,16365533620647581260,9681406616313523314,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)
• www.google.com
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5300 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45695334 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,11888773020899626909,13158781441485370164,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,6764469788016304644,12115922278089105067,4 --trace-process-track-uuid=3190708989122997041 node (dns block)
  • Triggering command: /opt/google/chrome/chrome /usr/bin/google-chrome --user-data-dir=/tmp/karma-45695334 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --no-sandbox --js-flags=--max-old-space-size=4096 http://localhost:9876/?id=45695334 --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 /docgen npm (dns block)
  • Triggering command: /proc/self/exe /proc/self/exe --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=5445 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-33534540 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,6098245351063439170,9511589693279506805,262144 --disable-features=PaintHolding --variations-seed-version --pseudonymization-salt-handle=7,i,16365533620647581260,9681406616313523314,4 --trace-process-track-uuid=3190708989122997041 sh (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)