No trust evaluation handling after receiving the authentication challenge

[vsonawane-csod]

Check List

Thanks for considering to open an issue. Before you submit your issue, please confirm these boxes are checked.

• I have read the wiki page and cheat sheet, but there is no information I need.
• I have searched in existing issues, but did not find a same one.
• I want to report a problem instead of asking a question. It'd better to use kingfisher tag in Stack Overflow to ask a question.

Issue Description

During our projects security scan, we have received a bug related to Manual Server Trust Authentication Attempts which can cause vulnerability in the app by providing a window for the man-in-middle attack.

What

The security scan shows the below evidence that exposes the URL and also it doesn't seem to perform any kind of trust evaluation after delegate method:

func urlSession(
        _ session: URLSession,
        didReceive challenge: URLAuthenticationChallenge
    ) async -> (URLSession.AuthChallengeDisposition, URLCredential?)

Here is the trace:

{
  "class": "KFSessionDelegate",
  "connectingTo": "our_url_here",
  "firstMethod": "- URLSession:didReceiveChallenge:completionHandler:",
  "secondMethod": "NSURLSessionAuthChallengeUseCredential"
} 

Other Comment

Can you please let me know how to deal with this?

[onevcat]

Kingfisher implements these delegate methods in the image downloader and again delegates them out again to allow library users to customize their own logic. By default, as long as you didn't provide your implementation or set the trustedHosts, a .performDefaultHandling and an nil URLCredential is returned, so I don't see an issue in Kingfisher's implementation.

I am not sure what the issue you are facing now. If it is a warning from your security scan, then I believe it is a false positive and maybe it is better to ask the security scan support team to see if there is a way to prevent this.