Address remaining 5 PR review comments

- WinRTHttpResource: Validate requestId BEFORE casting to prevent overflow bypass
- ImageViewManagerModule: Add MAX_DATA_URI_SIZE validation to prevent DoS (4 functions)
- LinkingManagerModule: Use centralized AllowedSchemes::LINKING_SCHEMES constant
- WebSocketJSExecutor: Add explanatory comment that file:// is debug-only
- InputValidation.h: Add ms-settings to LINKING_SCHEMES for Windows deep linking

Addresses PR feedback from @anupriya13 and Copilot AI review

Author: Nitin Chaudhary

vnext/Microsoft.ReactNative/Modules/ImageViewManagerModule.cpp

@@ -106,8 +106,12 @@ void ImageLoader::Initialize(React::ReactContext const &reactContext) noexcept {
 void ImageLoader::getSize(std::string uri, React::ReactPromise<std::vector<double>> &&result) noexcept {
   // VALIDATE URI - file:// abuse PROTECTION (P0 Critical - CVSS 7.8)
   try {
-    // Allow data: URIs and http/https only
-    if (uri.find("data:") != 0) {
+    if (uri.find("data:") == 0) {
+      // Validate data URI size to prevent DoS through memory exhaustion
+      ::Microsoft::ReactNative::InputValidation::SizeValidator::ValidateSize(
+          uri.length(), ::Microsoft::ReactNative::InputValidation::SizeValidator::MAX_DATA_URI_SIZE, "Data URI");
+    } else {
+      // Allow http/https only for non-data URIs
       ::Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(uri, {"http", "https"});
     }
   } catch (const ::Microsoft::ReactNative::InputValidation::ValidationException &ex) {
@@ -140,8 +144,12 @@ void ImageLoader::getSizeWithHeaders(
         &&result) noexcept {
   // SDL Compliance: Validate URI for SSRF (P0 Critical - CVSS 7.8)
   try {
-    // Allow data: URIs and http/https only
-    if (uri.find("data:") != 0) {
+    if (uri.find("data:") == 0) {
+      // Validate data URI size to prevent DoS through memory exhaustion
+      ::Microsoft::ReactNative::InputValidation::SizeValidator::ValidateSize(
+          uri.length(), ::Microsoft::ReactNative::InputValidation::SizeValidator::MAX_DATA_URI_SIZE, "Data URI");
+    } else {
+      // Allow http/https only for non-data URIs
       ::Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(uri, {"http", "https"});
     }
   } catch (const ::Microsoft::ReactNative::InputValidation::ValidationException &ex) {
@@ -172,8 +180,12 @@ void ImageLoader::getSizeWithHeaders(
 void ImageLoader::prefetchImage(std::string uri, React::ReactPromise<bool> &&result) noexcept {
   // VALIDATE URI - file:// abuse PROTECTION (P0 Critical - CVSS 7.8)
   try {
-    // Allow data: URIs and http/https only
-    if (uri.find("data:") != 0) {
+    if (uri.find("data:") == 0) {
+      // Validate data URI size to prevent DoS through memory exhaustion
+      ::Microsoft::ReactNative::InputValidation::SizeValidator::ValidateSize(
+          uri.length(), ::Microsoft::ReactNative::InputValidation::SizeValidator::MAX_DATA_URI_SIZE, "Data URI");
+    } else {
+      // Allow http/https only for non-data URIs
       ::Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(uri, {"http", "https"});
     }
   } catch (const ::Microsoft::ReactNative::InputValidation::ValidationException &ex) {
@@ -192,8 +204,12 @@ void ImageLoader::prefetchImageWithMetadata(
     React::ReactPromise<bool> &&result) noexcept {
   // SDL Compliance: Validate URI for SSRF (P0 Critical - CVSS 7.8)
   try {
-    // Allow data: URIs and http/https only
-    if (uri.find("data:") != 0) {
+    if (uri.find("data:") == 0) {
+      // Validate data URI size to prevent DoS through memory exhaustion
+      ::Microsoft::ReactNative::InputValidation::SizeValidator::ValidateSize(
+          uri.length(), ::Microsoft::ReactNative::InputValidation::SizeValidator::MAX_DATA_URI_SIZE, "Data URI");
+    } else {
+      // Allow http/https only for non-data URIs
       ::Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(uri, {"http", "https"});
     }
   } catch (const ::Microsoft::ReactNative::InputValidation::ValidationException &ex) {

vnext/Microsoft.ReactNative/Modules/LinkingManagerModule.cpp

@@ -54,7 +54,7 @@ LinkingManager::~LinkingManager() noexcept {
   try {
     std::string urlUtf8 = Utf16ToUtf8(url);
     ::Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(
-        urlUtf8, {"http", "https", "mailto", "tel", "ms-settings"});
+        urlUtf8, ::Microsoft::ReactNative::InputValidation::AllowedSchemes::LINKING_SCHEMES);
   } catch (const ::Microsoft::ReactNative::InputValidation::ValidationException &ex) {
     result.Reject(ex.what());
     co_return;
@@ -118,7 +118,7 @@ void LinkingManager::HandleOpenUri(winrt::hstring const &uri) noexcept {
   try {
     std::string uriUtf8 = winrt::to_string(uri);
     ::Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(
-        uriUtf8, {"http", "https", "mailto", "tel", "ms-settings"});
+        uriUtf8, ::Microsoft::ReactNative::InputValidation::AllowedSchemes::LINKING_SCHEMES);
   } catch (const ::Microsoft::ReactNative::InputValidation::ValidationException &) {
     // Silently ignore invalid URIs to prevent crashes
     return;

vnext/Shared/Executors/WebSocketJSExecutor.cpp

@@ -86,6 +86,9 @@ void WebSocketJSExecutor::loadBundle(
     std::unique_ptr<const facebook::react::JSBigString> script,
     std::string sourceURL) {
   // SDL Compliance: Validate source URL (P1 - CVSS 5.5)
+  // NOTE: 'file' scheme is allowed here because WebSocketJSExecutor is ONLY used in development/debugging scenarios.
+  // This executor connects to Metro bundler during development and is never used in production builds.
+  // Production apps use Hermes or Chakra with secure bundle loading that doesn't allow file:// URIs.
   try {
     if (!sourceURL.empty()) {
       Microsoft::ReactNative::InputValidation::URLValidator::ValidateURL(sourceURL, {"http", "https", "file"});

vnext/Shared/InputValidation.h

@@ -41,10 +41,16 @@ class InvalidURLException : public std::logic_error {
 // Centralized allowlists for encodings
 namespace AllowedEncodings {
 static const std::vector<std::string> FILE_READER_ENCODINGS = {
-    "UTF-8", "utf-8", "utf8",
-    "UTF-16", "utf-16", "utf16",
-    "ASCII", "ascii",
-    "ISO-8859-1", "iso-8859-1",
+    "UTF-8",
+    "utf-8",
+    "utf8",
+    "UTF-16",
+    "utf-16",
+    "utf16",
+    "ASCII",
+    "ascii",
+    "ISO-8859-1",
+    "iso-8859-1",
     "" // Empty is allowed (defaults to UTF-8)
 };
 } // namespace AllowedEncodings
@@ -54,7 +60,7 @@ namespace AllowedSchemes {
 static const std::vector<std::string> HTTP_SCHEMES = {"http", "https"};
 static const std::vector<std::string> WEBSOCKET_SCHEMES = {"ws", "wss"};
 static const std::vector<std::string> FILE_SCHEMES = {"file"};
-static const std::vector<std::string> LINKING_SCHEMES = {"http", "https", "mailto", "tel"};
+static const std::vector<std::string> LINKING_SCHEMES = {"http", "https", "mailto", "tel", "ms-settings"};
 static const std::vector<std::string> IMAGE_SCHEMES = {"http", "https"};
 static const std::vector<std::string> DEBUG_SCHEMES = {"http", "https", "file"};
 } // namespace AllowedSchemes

vnext/Shared/Networking/WinRTHttpResource.cpp

@@ -324,11 +324,8 @@ void WinRTHttpResource::SendRequest(
 }
 
 void WinRTHttpResource::AbortRequest(int64_t requestId) noexcept /*override*/ {
-  // SDL Compliance: Validate request ID range (P2 - CVSS 3.5)
-  try {
-    Microsoft::ReactNative::InputValidation::SizeValidator::ValidateInt32Range(
-        static_cast<int32_t>(requestId), 0, INT32_MAX, "Request ID");
-  } catch (const Microsoft::ReactNative::InputValidation::ValidationException &) {
+  // SDL Compliance: Validate request ID range BEFORE casting (P2 - CVSS 3.5)
+  if (requestId < 0 || requestId > INT32_MAX) {
     // Invalid request ID, ignore abort
     return;
   }