Add documentation for deep link intent validation

mbarta · mbarta · commit 52c2cf7016f2 · 2025-07-22T09:26:18.000+02:00
diff --git a/navigation-fragments/src/main/java/dev/hotwire/navigation/navigator/NavigatorHost.kt b/navigation-fragments/src/main/java/dev/hotwire/navigation/navigator/NavigatorHost.kt
@@ -71,6 +71,12 @@ open class NavigatorHost : NavHostFragment(), FragmentOnAttachListener {
         }
     }
 
+    /**
+     * Google's Navigation library automatically navigates to deep links provided in the
+     * Activity's Intent. This exposes a vulnerability for malicious Intents to open an arbitrary
+     * webpage outside of the app's domain, allowing javascript injection on the page. Ensure
+     * that deep link intents always match the app's domain.
+     */
     @VisibleForTesting(otherwise = PROTECTED)
     fun ensureDeeplinkStartLocationValid() {
         val extrasBundle = activity.intent.extras?.getBundle(DEEPLINK_EXTRAS_KEY) ?: return

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,12 @@ open class NavigatorHost : NavHostFragment(), FragmentOnAttachListener {`
`71`	`71`	`}`
`72`	`72`	`}`
`73`	`73`
	`74`	`+ /**`
	`75`	`+ * Google's Navigation library automatically navigates to deep links provided in the`
	`76`	`+ * Activity's Intent. This exposes a vulnerability for malicious Intents to open an arbitrary`
	`77`	`+ * webpage outside of the app's domain, allowing javascript injection on the page. Ensure`
	`78`	`+ * that deep link intents always match the app's domain.`
	`79`	`+ */`
`74`	`80`	`@VisibleForTesting(otherwise = PROTECTED)`
`75`	`81`	`fun ensureDeeplinkStartLocationValid() {`
`76`	`82`	`val extrasBundle = activity.intent.extras?.getBundle(DEEPLINK_EXTRAS_KEY) ?: return`