Does 'sanitizing' url in `FUtilities parseUrl:` accidentally corrupt host?

[mortenbekditlevsen]

Regarding FirebaseDatabase.

In the referenced line:

firebase-ios-sdk/FirebaseDatabase/Sources/Utilities/FUtilities.m

Line 158 in aab84c8

[url stringByReplacingOccurrencesOfString:originalPathString

it appears as if the host may be corrupted in case the path is a substring of the host.

For instance:

- (void)testUrlParsedWithPathPartOfHost {
  FParsedUrl *parsedUrl = [FUtilities parseUrl:@"https://sample.firebaseio.com/a"];
  XCTAssertEqualObjects(parsedUrl.repoInfo.host, @"sample.firebaseio.com");
  XCTAssertEqualObjects(parsedUrl.repoInfo.namespace, @"sample");
  XCTAssertTrue(parsedUrl.repoInfo.secure);
  XCTAssertEqualObjects(parsedUrl.path, [FPath pathWithString:@"a"]);
}

Since 'a' is part of 'sample', it will replace it with 'smple'.
This could be an issue in the API: FIRDatabaseReference referenceFromURL: that parses a user-supplied URL.

[google-oss-bot]

I found a few problems with this issue:

• I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.
• This issue does not seem to follow the issue template. Make sure you provide all the required information.

[paulb777]

Thanks for the report @mortenbekditlevsen! I've proposed a PR to address at #8880

[mortenbekditlevsen]

Thank you @paulb777 ! ❤️