trace_59bce367ecd34edfaa37e2a04fcd6447

This source file has a known vulnerability sink in it. Traverse the codebase and report the vulnerability. You can report multiple vulnerabilities. Start from apps/ios/Sources/Screen/ScreenWebView.swift and trace how A2UI message-origin checks decide whether a page may invoke bridge actions, then follow ScreenController and NodeAppModel navigation paths to determine whether generic local-network pages can reach agent.request dispatch without the stricter trusted-canvas URL check.

{
  "executiveSummary": "The iOS A2UI bridge has an origin validation vulnerability where non-file URLs are trusted based solely on a broad local-network check (any HTTP URL on RFC 1918/private ranges) rather than being validated against the exact trusted A2UI URL advertised by the gateway. This means any web page served from the local network (including untrusted devices) can dispatch A2UI action messages through the ScreenWebView bridge, which then flow to agent.request events on the gateway — the same privilege level as the bundled scaffold or a capability-backed A2UI URL. The canvas.present and canvas.navigate commands can navigate the webview to arbitrary local-network pages, which then inherit bridge dispatch authority they should not have.",
  "reports": [
    {
      "title": "A2UI bridge accepts messages from any local-network URL instead of requiring exact trusted A2UI URL match",
      "severity": "HIGH",
      "summary": "The CanvasA2UIActionMessageHandler in ScreenWebView.swift trusts any non-file URL that passes the broad isLocalNetworkCanvasURL() check, allowing untrusted local-network pages loaded in the webview to invoke A2UI actions and dispatch agent.request events to the gateway.",
      "rootCauseAnalysis": "In CanvasA2UIActionMessageHandler.userContentController(_:didReceive:), the origin validation branches on url.isFileURL. For file URLs, it requires an exact match via isTrustedCanvasUIURL (which checks against the bundled scaffold HTML). For non-file URLs, it only calls isLocalNetworkCanvasURL, which delegates to LocalNetworkURLSupport.isLocalNetworkHTTPURL — a function that returns true for any HTTP URL on a private/local-network IP range. This is far too broad: it allows any device on the same network to serve a page that can invoke the A2UI bridge. The fix would require an exact match against the specific A2UI URL resolved from the gateway's capability advertisement, similar to how file URLs are checked against the exact scaffold path.",
      "impact": "An attacker on the same local network (or any compromised device on that network) can serve a web page that, when loaded in the ScreenWebView, can invoke A2UI action messages. These messages are processed by handleCanvasA2UIAction, which dispatches agent.request events to the gateway — effectively allowing the attacker to send arbitrary agent messages, interact with the AI agent, and potentially exfiltrate data or trigger privileged actions, all without the user's explicit consent.",
      "attackPath": "1. Attacker runs an HTTP server on a local-network address (e.g., 192.168.1.100).\n2. The webview is navigated to this page (via canvas.present/canvas.navigate from the gateway, or directly if the URL is loaded).\n3. The attacker's page calls window.webkit.messageHandlers.openclawCanvasA2UIAction.postMessage(...) with a crafted A2UI action payload.\n4. CanvasA2UIActionMessageHandler receives the message, sees url is not a file URL, checks isLocalNetworkCanvasURL which