fix: do not report invalid tlds as valid urls (#1950)

* fix: do not report invalid tlds as valid urls

* chore: update yarn locks of example apps

* chore: remove http references in tests for security hotspots

* fix: failing tests

Author: santhoshvai

examples/ExpoMessaging/yarn.lock

@@ -4584,6 +4584,13 @@ lines-and-columns@^1.1.6:
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
   integrity sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==
 
+linkify-it@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-4.0.1.tgz#01f1d5e508190d06669982ba31a7d9f56a5751ec"
+  integrity sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==
+  dependencies:
+    uc.micro "^1.0.1"
+
 loader-utils@^2.0.0:
   version "2.0.4"
   resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.4.tgz#8b5cb38b5c34a9a018ee1fc0e6a066d1dfcc528c"
@@ -7049,6 +7056,11 @@ ua-parser-js@^0.7.30:
   resolved "https://registry.yarnpkg.com/ua-parser-js/-/ua-parser-js-0.7.32.tgz#cd8c639cdca949e30fa68c44b7813ef13e36d211"
   integrity sha512-f9BESNVhzlhEFf2CHMSj40NWOjYPl1YKYbrvIr/hFTDEmLq7SRbWvm7FcdcpCYT95zrOhC7gZSxjdnnTpBcwVw==
 
+uc.micro@^1.0.1:
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/uc.micro/-/uc.micro-1.0.6.tgz#9c411a802a409a91fc6cf74081baba34b24499ac"
+  integrity sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==
+
 uglify-es@^3.1.9:
   version "3.3.9"
   resolved "https://registry.yarnpkg.com/uglify-es/-/uglify-es-3.3.9.tgz#0c1c4f0700bed8dbc124cdb304d2592ca203e677"

examples/SampleApp/yarn.lock

@@ -5322,6 +5322,13 @@ lines-and-columns@^1.1.6:
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
   integrity sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==
 
+linkify-it@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-4.0.1.tgz#01f1d5e508190d06669982ba31a7d9f56a5751ec"
+  integrity sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==
+  dependencies:
+    uc.micro "^1.0.1"
+
 loader-utils@^2.0.0:
   version "2.0.4"
   resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.4.tgz#8b5cb38b5c34a9a018ee1fc0e6a066d1dfcc528c"
@@ -8020,6 +8027,11 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.2.4.tgz#8610b59747de028fda898a8aef0e103f156d0961"
   integrity sha512-V+evlYHZnQkaz8TRBuxTA92yZBPotr5H+WhQ7bD3hZUndx5tGOa1fuCgeSjxAzM1RiN5IzvadIXTVefuuwZCRg==
 
+uc.micro@^1.0.1:
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/uc.micro/-/uc.micro-1.0.6.tgz#9c411a802a409a91fc6cf74081baba34b24499ac"
+  integrity sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==
+
 uglify-es@^3.1.9:
   version "3.3.9"
   resolved "https://registry.yarnpkg.com/uglify-es/-/uglify-es-3.3.9.tgz#0c1c4f0700bed8dbc124cdb304d2592ca203e677"

examples/TypeScriptMessaging/yarn.lock

@@ -4999,6 +4999,13 @@ lines-and-columns@^1.1.6:
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
   integrity sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==
 
+linkify-it@^4.0.1:
+  version "4.0.1"
+  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-4.0.1.tgz#01f1d5e508190d06669982ba31a7d9f56a5751ec"
+  integrity sha512-C7bfi1UZmoj8+PQx22XyeXCuBlokoyWQL5pWSP+EI6nzRylyThouddufc2c1NDIcP9k5agmN9fLpA7VNJfIiqw==
+  dependencies:
+    uc.micro "^1.0.1"
+
 loader-utils@^2.0.0:
   version "2.0.4"
   resolved "https://registry.yarnpkg.com/loader-utils/-/loader-utils-2.0.4.tgz#8b5cb38b5c34a9a018ee1fc0e6a066d1dfcc528c"
@@ -7580,6 +7587,11 @@ [email protected]:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.2.4.tgz#8610b59747de028fda898a8aef0e103f156d0961"
   integrity sha512-V+evlYHZnQkaz8TRBuxTA92yZBPotr5H+WhQ7bD3hZUndx5tGOa1fuCgeSjxAzM1RiN5IzvadIXTVefuuwZCRg==
 
+uc.micro@^1.0.1:
+  version "1.0.6"
+  resolved "https://registry.yarnpkg.com/uc.micro/-/uc.micro-1.0.6.tgz#9c411a802a409a91fc6cf74081baba34b24499ac"
+  integrity sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==
+
 uglify-es@^3.1.9:
   version "3.3.9"
   resolved "https://registry.yarnpkg.com/uglify-es/-/uglify-es-3.3.9.tgz#0c1c4f0700bed8dbc124cdb304d2592ca203e677"

package/package.json

@@ -72,6 +72,7 @@
     "dayjs": "1.10.5",
     "file-loader": "6.2.0",
     "i18next": "20.2.4",
+    "linkify-it": "^4.0.1",
     "lodash-es": "4.17.21",
     "metro-react-native-babel-preset": "0.66.2",
     "mime-types": "^2.1.34",
@@ -106,6 +107,7 @@
     "@types/react": "17.0.5",
     "@types/react-native": "0.67.3",
     "@types/react-test-renderer": "17.0.1",
+    "@types/linkify-it": "3.0.2",
     "@types/uuid": "^8.3.4",
     "@typescript-eslint/eslint-plugin": "^5.7.0",
     "@typescript-eslint/parser": "^5.7.0",

package/src/components/Message/MessageSimple/utils/parseLinks.test.ts

@@ -2,116 +2,114 @@ import { parseLinksFromText } from './parseLinks';
 
 describe('parseLinksFromText', () => {
   it.each([
-    ['www.getstream.io', 'www.getstream.io'],
-    ['getstream.io', 'getstream.io'],
-    ['scrn://team-chat', 'team-chat'],
-    ['https://localhost', 'localhost'],
+    ['https://www.getstream.io', 'https://www.getstream.io'],
+    ['https://getstream.io', 'https://getstream.io'],
+    ['scrn://team-chat', undefined],
+    ['https://localhost', 'https://localhost'],
     [
       'https://localhost/with/path?and=query&multiple=params',
-      'localhost/with/path?and=query&multiple=params',
+      'https://localhost/with/path?and=query&multiple=params',
+    ],
+    [
+      'https://localhost/with/path?and=query#fragment',
+      'https://localhost/with/path?and=query#fragment',
     ],
-    ['https://localhost/with/path?and=query#fragment', 'localhost/with/path?and=query#fragment'],
-    ['reactnative.stream', 'reactnative.stream'],
+    ['reactnative.stream', undefined],
     [
       'https://zh.wikipedia.org/wiki/挪威牛油危機',
-      'zh.wikipedia.org/wiki/%E6%8C%AA%E5%A8%81%E7%89%9B%E6%B2%B9%E5%8D%B1%E6%A9%9F',
+      'https://zh.wikipedia.org/wiki/%E6%8C%AA%E5%A8%81%E7%89%9B%E6%B2%B9%E5%8D%B1%E6%A9%9F',
     ],
     [
       'https://getstream.io/chat/docs/react-native/?language=javascript',
-      'getstream.io/chat/docs/react-native/?language=javascript',
+      'https://getstream.io/chat/docs/react-native/?language=javascript',
     ],
-    ['127.0.0.1/local_(development)_server', '127.0.0.1/local_(development)_server'],
-    ['https://a.co:8999/ab.php?p=12', 'a.co:8999/ab.php?p=12'],
+    ['127.0.0.1/local_(development)_server', undefined],
+    ['https://a.co:8999/ab.php?p=12', 'https://a.co:8999/ab.php?p=12'],
     [
-      'http://help.apple.com/xcode/mac/current/#/devba7f53ad4',
-      'help.apple.com/xcode/mac/current/#/devba7f53ad4',
+      'https://help.apple.com/xcode/mac/current/#/devba7f53ad4',
+      'https://help.apple.com/xcode/mac/current/#/devba7f53ad4',
     ],
   ])('Returns the encoded value of %p as %p', (link, expected) => {
     const result = parseLinksFromText(link);
-
-    expect(result[0].encoded).toBe(expected);
+    expect(result[0]?.encodedUrl).toBe(expected);
   });
-
   it('parses fqdn', () => {
     const input = `We have put the apim bol,
-temporarily so :sj: we can later put the monitors on my grasp
-on reality right now is
-https://www.contrived-example.com:8080/sub/page.php?p1=1🇳🇴&p2=2#fragment-identifier
-:)`;
-
+  temporarily so :sj: we can later put the monitors on my grasp
+  on reality right now is
+  https://www.contrived-example.com:8080/sub/page.php?p1=1🇳🇴&p2=2#fragment-identifier
+  :)`;
     const result = parseLinksFromText(input);
-
     expect(result).toEqual([
       {
-        encoded:
-          'www.contrived-example.com:8080/sub/page.php?p1=1%F0%9F%87%B3%F0%9F%87%B4&p2=2#fragment-identifier',
+        encodedUrl:
+          'https://www.contrived-example.com:8080/sub/page.php?p1=1%F0%9F%87%B3%F0%9F%87%B4&p2=2#fragment-identifier',
         raw: 'https://www.contrived-example.com:8080/sub/page.php?p1=1🇳🇴&p2=2#fragment-identifier',
-        scheme: 'https://',
       },
     ]);
   });
-
   it.each([
     ['[email protected]'],
     ['[email protected]'],
     ['[email protected]'],
     ['[email protected]'],
   ])('Can parse the email address %p', (email) => {
     const result = parseLinksFromText(email);
-
-    expect(result[0].encoded).toBe(email);
-    expect(result[0].scheme).toBe('mailto:');
+    expect(result[0].encodedUrl).toBe('mailto:' + email);
+    expect(result[0].raw).toBe(email);
   });
-
   it("doesn't double the mailto prefix", () => {
     const input = 'mailto:[email protected]';
-
     const result = parseLinksFromText(input);
-
     expect(result[0]).toEqual({
-      encoded: '[email protected]',
+      encodedUrl: input,
       raw: input,
-      scheme: 'mailto:',
     });
   });
-
   it('Does not falsely parse LINKs from text content', () => {
     const input = `#This string exists to test that we don't produce false positives
-
-Existing links:
-[already a parsed link](https://getstream.io/blog/react-native-how-to-build-bidirectional-infinite-scroll/)
-[even a bogus one]( should not match )
-
-## These should, however, be parsed:
-www.getstream.io
-getstream.io
-`;
+  Existing links:
+  [already a parsed link](https://getstream.io/blog/react-native-how-to-build-bidirectional-infinite-scroll/)
+  [even a bogus one]( should not match )
+  ## These should, however, be parsed:
+  www.getstream.io
+  getstream.io
+  `;
     const result = parseLinksFromText(input);
-
+    console.log({ result });
     expect(result).toHaveLength(2);
   });
-
   it('Encodes incomplete emoji unicode', () => {
     const input = 'https://getstream.io/�';
     const result = parseLinksFromText(input);
-
     expect(result[0]).toEqual({
-      encoded: 'getstream.io/%EF%BF%BD',
-      raw: 'https://getstream.io/�',
-      scheme: 'https://',
+      encodedUrl: 'https://getstream.io/%EF%BF%BD',
+      raw: input,
     });
   });
-
+  it('doest not report invalid tlds as urls', () => {
+    const input = `
+    %
+    % Not links
+    %
+    example.invalid
+    example.invalid/
+    http://.example.com
+    http://-example.com
+    hppt://example.com
+    example.coma
+    -example.coma
+        `;
+    const result = parseLinksFromText(input);
+    expect(result).toHaveLength(0);
+  });
   it('does not parse a decimal number as a URL', () => {
     const input = '123.456';
     const result = parseLinksFromText(input);
-
     expect(result).toHaveLength(0);
   });
-
   it.each([['@user'], ['@user.name']])('does not parse %p as a URL', (input) => {
     const result = parseLinksFromText(input);
-
     expect(result).toHaveLength(0);
   });
 });

package/src/components/Message/MessageSimple/utils/parseLinks.ts

@@ -1,40 +1,8 @@
-/**
- * 📣 Note: Do not use named capture groups, as
- *          it is not yet available in Hermes.
- *
- * These helpers indend to make it easier to skim read
- * the patterns below, but note that some are optional,
- * specified in the patterns these are added to.
- * */
-const emailUserName = '[\\w+\\.~$_-]+';
-const schema = `(\\w{2,15}:\\/\\/)`;
-// something.tld OR 123.123.123.123
-const domain = `((?:\\w+\\.[a-zA-Z]+)+(?:[^:\\/\\s]+)|(?:\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}))`;
-const port = `(:[0-9]{1,5})`;
-const path = `((?:\\/)?[^?\\s]+)`;
-const queryString = `(\\?[^#\\s]+)`;
-const fragment = `(#[\\w_-]+)`;
-
-/**
- * Match any email address, with and without `mailto:`
- */
-const emailPattern = `(mailto:)?((?:${emailUserName})@(?:${domain}))`;
-
-/**
- * Match any string starting with something that seems like it's a schema.
- * */
-const schemePrefixedLinkPattern = `${schema}(\\S+)`;
+import Linkify from 'linkify-it';
 
-/**
- * Match as much as possible of a fqdn, at least with a domain name formed as
- * something.tld
- */
-const fqdnLinkPattern = `${schema}?${domain}${port}?${path}?${queryString}?${fragment}?`;
-
-interface Link {
-  encoded: string;
+interface LinkInfo {
+  encodedUrl: string;
   raw: string;
-  scheme: string;
 }
 
 /**
@@ -49,57 +17,19 @@ const removeMarkdownLinksFromText = (input: string) => input.replace(/\[[\w\s]+\
  * */
 const removeUserNamesFromText = (input: string) => input.replace(/^@\w+\.?\w/, '');
 
-export const parseLinksFromText = (input: string): Link[] => {
-  let matches;
-
+export const parseLinksFromText = (input: string): LinkInfo[] => {
   const strippedInput = [removeMarkdownLinksFromText, removeUserNamesFromText].reduce(
     (acc, fn) => fn(acc),
     input,
   );
 
-  const results: Link[] = [];
-
-  const emailRegExp = new RegExp(emailPattern, 'gi');
-  while ((matches = emailRegExp.exec(input)) !== null) {
-    const [raw, scheme = 'mailto:', displayValue] = matches;
-    results.push({ encoded: encodeURI(displayValue), raw, scheme });
-  }
-
-  /**
-   * The two link patterns are checked with an "or" (`|`)
-   * to avoid overlapping matches being duplicated in the output.
-   * */
-  const linkRegex = new RegExp(`${fqdnLinkPattern}|${schemePrefixedLinkPattern}`, 'gi');
-  while ((matches = linkRegex.exec(strippedInput)) !== null) {
-    const [
-      raw,
-      fqdnScheme = '',
-      fqdnDomainName = '',
-      fqdnPort = '',
-      fqdnPath = '',
-      fqdnQueryStraing = '',
-      fqdnFragment = '',
-      schemePrefixedScheme = '',
-      schemePrefixedPath = '',
-    ] = matches;
-
-    if (schemePrefixedScheme !== '') {
-      results.push({
-        encoded: encodeURI(schemePrefixedPath),
-        raw,
-        scheme: schemePrefixedScheme,
-      });
-      continue;
-    }
+  const linkify = Linkify();
+  const matches = linkify.match(strippedInput) ?? [];
 
-    results.push({
-      encoded: encodeURI(
-        [fqdnDomainName, fqdnPort, fqdnPath, fqdnQueryStraing, fqdnFragment].join(''),
-      ),
-      raw,
-      scheme: fqdnScheme,
-    });
-  }
+  const result: LinkInfo[] = matches.map((match) => {
+    const { raw, url } = match;
+    return { encodedUrl: encodeURI(url), raw };
+  });
 
-  return results;
+  return result;
 };

package/src/components/Message/MessageSimple/utils/renderText.tsx

@@ -109,15 +109,15 @@ export const renderText = <
   if (!text) return null;
 
   let newText = text.trim();
-  const urls = parseLinksFromText(newText);
+  const linkInfos = parseLinksFromText(newText);
 
-  for (const urlInfo of urls) {
-    const displayLink = truncate(urlInfo.encoded, {
+  for (const linkInfo of linkInfos) {
+    const displayLink = truncate(linkInfo.raw, {
       length: 200,
       omission: '...',
     });
-    const markdown = `[${displayLink}](${urlInfo.scheme}${urlInfo.encoded})`;
-    newText = newText.replace(urlInfo.raw, markdown);
+    const markdown = `[${displayLink}](${linkInfo.encodedUrl})`;
+    newText = newText.replace(linkInfo.raw, markdown);
   }
 
   newText = newText.replace(/[<&"'>]/g, '\\$&');