fix: the URL_PATTERN regex had a nested quantifier (/[-a-z\d%_.~+]*)* that caused catastrophic backtracking in the ICU regex engine on Android, running on every keystroke on the main thread

Author: jvsena42

app/src/main/java/to/bitkit/ui/settings/advanced/RgsServerViewModel.kt

@@ -16,6 +16,7 @@ import to.bitkit.data.SettingsStore
 import to.bitkit.di.BgDispatcher
 import to.bitkit.env.Env
 import to.bitkit.repositories.LightningRepo
+import java.net.URI
 import javax.inject.Inject
 
 @HiltViewModel
@@ -26,13 +27,11 @@ class RgsServerViewModel @Inject constructor(
 ) : ViewModel() {
 
     companion object {
-        private val URL_PATTERN = Regex(
-            "^(https?://)?" + // protocol
-                "((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|" + // domain name
-                "((\\d{1,3}\\.){3}\\d{1,3}))" + // IP (v4) address
-                "(:\\d+)?(/[-a-z\\d%_.~+]*)*", // port and path
-            RegexOption.IGNORE_CASE
+        private val HOSTNAME_PATTERN = Regex(
+            "^([a-z\\d]([a-z\\d-]*[a-z\\d])*\\.)+[a-z]{2,}|(\\d{1,3}\\.){3}\\d{1,3}$",
+            RegexOption.IGNORE_CASE,
         )
+        private val PATH_PATTERN = Regex("^(/[a-zA-Z\\d_.~%+-]*)*$")
     }
 
     private val _uiState = MutableStateFlow(RgsServerUiState())
@@ -121,12 +120,25 @@ class RgsServerViewModel @Inject constructor(
     }
 
     private fun isValidURL(data: String): Boolean {
-        // Allow localhost in development mode
-        if (Env.isDebug && data.contains("localhost")) {
-            return true
+        val normalized = if (!data.startsWith("http://") && !data.startsWith("https://")) {
+            "https://$data"
+        } else {
+            data
         }
 
-        return URL_PATTERN.matches(data)
+        return try {
+            val uri = URI(normalized)
+            val hostname = uri.host ?: return false
+
+            if (Env.isDebug && hostname == "localhost") return true
+
+            if (!HOSTNAME_PATTERN.matches(hostname)) return false
+
+            val path = uri.path.orEmpty()
+            path.isEmpty() || PATH_PATTERN.matches(path)
+        } catch (_: Throwable) {
+            false
+        }
     }
 }
 

app/src/test/java/to/bitkit/ui/settings/advanced/RgsServerViewModelTest.kt

@@ -14,11 +14,13 @@ import to.bitkit.data.SettingsData
 import to.bitkit.data.SettingsStore
 import to.bitkit.repositories.LightningRepo
 import to.bitkit.test.BaseUnitTest
+import kotlinx.coroutines.withTimeout
 import kotlin.test.assertEquals
 import kotlin.test.assertFalse
 import kotlin.test.assertNotNull
 import kotlin.test.assertNull
 import kotlin.test.assertTrue
+import kotlin.time.Duration.Companion.seconds
 
 @OptIn(ExperimentalCoroutinesApi::class)
 class RgsServerViewModelTest : BaseUnitTest() {
@@ -246,4 +248,48 @@ class RgsServerViewModelTest : BaseUnitTest() {
             cancelAndIgnoreRemainingEvents()
         }
     }
+
+    @Test
+    fun `setRgsUrl does not hang on long urls with special characters`() = test {
+        sut = createSut()
+        advanceUntilIdle()
+
+        withTimeout(2.seconds) {
+            sut.setRgsUrl("https://rapidsync.lightningdevkit/snapshot/" + "a".repeat(100) + "!")
+        }
+
+        assertFalse(sut.uiState.value.canConnect)
+    }
+
+    @Test
+    fun `setRgsUrl does not hang on url that caused ANR`() = test {
+        sut = createSut()
+        advanceUntilIdle()
+
+        withTimeout(2.seconds) {
+            sut.setRgsUrl("https://rapidsync.lightningdevkit/snapshot")
+        }
+
+        assertTrue(sut.uiState.value.canConnect)
+    }
+
+    @Test
+    fun `setRgsUrl accepts valid rgs url with path`() = test {
+        sut = createSut()
+        advanceUntilIdle()
+
+        sut.setRgsUrl("https://rgs.blocktank.to/snapshot")
+
+        assertFalse(sut.uiState.value.canConnect)
+    }
+
+    @Test
+    fun `setRgsUrl accepts ip address url`() = test {
+        sut = createSut()
+        advanceUntilIdle()
+
+        sut.setRgsUrl("https://192.168.1.1:8080/snapshot")
+
+        assertTrue(sut.uiState.value.canConnect)
+    }
 }