
URLSession Code Review

Reviews URLSession networking code for iOS/macOS. Covers async/await patterns, request building, error handling, caching, and background sessions. Use when r...
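Reviews URLSession networking code for iOS/macOS, covering async/await patterns, request building, error handling, caching, and background sessions. Suitable for use during code review.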
anderskev (source)
Uncategorized | clawhub | v1.2.2 | 3 versions | 100000 | Key: not required

Overview

URLSession Code Review

Quick Reference

Topic        Reference
-----------  -------------------
Async/Await  async-networking.md
Requests     request-building.md
Errors       error-handling.md
Caching      caching.md

Review Checklist

Response Validation

  • [ ] HTTP status codes validated - URLSession does NOT throw on 404/500
  • [ ] Response cast to HTTPURLResponse before checking status
  • [ ] Both transport errors (URLError) and HTTP errors handled

Memory & Resources

  • [ ] Downloaded files moved/deleted (async API doesn't auto-delete)
  • [ ] Sessions with delegates call finishTasksAndInvalidate()
  • [ ] Long-running tasks use [weak self]
  • [ ] Stored Task references cancelled when appropriate

Configuration

  • [ ] timeoutIntervalForResource set (default is 7 days!)
  • [ ] URLCache sized adequately (default 512KB too small)
  • [ ] Sessions reused for connection pooling

Background Sessions

  • [ ] Unique identifier (especially with app extensions)
  • [ ] File-based uploads (not data-based)
  • [ ] Delegate methods used (not completion handlers)

Security

  • [ ] No hardcoded secrets (use Keychain)
  • [ ] Header values sanitized for CRLF injection
  • [ ] Query params via URLComponents (not string concat)
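
An added example (not part of the skill's own files) of a request that satisfies the Response Validation and Security items above. `APIError`, `safeHeaderValue`, `fetchUsers`, the `X-Client-Tag` header and the `api.example.com` URL are hypothetical names chosen for illustration.

```swift
import Foundation

// Hypothetical error type for this example.
enum APIError: Error {
    case invalidURL
    case unsafeHeaderValue
    case notHTTP
    case http(status: Int)
    case transport(URLError)
}

// Reject header values that contain CR or LF.
// Compare Unicode scalars: "\r\n" is a single Character in Swift, so a
// Character-level search for "\r" or "\n" alone would not match that pair.
func safeHeaderValue(_ value: String) throws -> String {
    guard !value.unicodeScalars.contains(where: { $0 == "\r" || $0 == "\n" }) else {
        throw APIError.unsafeHeaderValue
    }
    return value
}

// Requires iOS 15 / macOS 12 for the async data(for:) API.
func fetchUsers(matching query: String, clientTag: String,
                session: URLSession = .shared) async throws -> Data {
    // URLComponents encodes the value, so "&" or "=" in the input
    // cannot introduce extra query parameters.
    var components = URLComponents(string: "https://api.example.com/users") // placeholder host
    components?.queryItems = [URLQueryItem(name: "q", value: query)]
    guard let url = components?.url else { throw APIError.invalidURL }

    var request = URLRequest(url: url)
    let tag = try safeHeaderValue(clientTag)
    request.setValue(tag, forHTTPHeaderField: "X-Client-Tag")

    // Transport failures (timeout, no connectivity, TLS) arrive as URLError.
    let result: (Data, URLResponse)
    do { result = try await session.data(for: request) }
    catch let error as URLError { throw APIError.transport(error) }

    // A 404 or 500 does not throw; the status must be checked explicitly.
    guard let http = result.1 as? HTTPURLResponse else { throw APIError.notHTTP }
    guard (200...299).contains(http.statusCode) else {
        throw APIError.http(status: http.statusCode)
    }
    return result.0
}
```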

Hard gates (before reporting findings)

Complete in order. Do not advance while a prior gate is open.

  1. Scope. Pass: You name at least one file under review where URLSession, URLRequest, HTTPURLResponse / URLResponse, URLCache, or URLError appears on a networking path. If none apply, stop with “out of scope.”
  2. HTTP vs transport. Pass: Before claiming missing HTTP status handling or “404 treated as success,” you cite file:line for the completion/async/for await path that receives response and state whether HTTPURLResponse is cast and statusCode is checked (or cite the helper that does). If you cannot see the handler, say unknown and ask for it; do not assume.
  3. Session lifecycle. Pass: For a custom URLSession with a delegate, you cite finishTasksAndInvalidate() or the documented long-lived/singleton pattern you rely on; for .shared, say so if the finding depends on configuration. Skip if only ad hoc URLSession.shared one-shots with no delegate issues.
  4. Background or file transfer (if applicable). Pass: If URLSessionConfiguration.background, downloadTask, or app-extension–scoped sessions appear, findings cite identifier uniqueness, delegate vs completion-handler usage, or file URLs as required. If none of those APIs appear, mark N/A and continue.
  5. Severity and checklist. Pass: Every Critical item includes file:line and names which Review Checklist subsection it violates (e.g. Response Validation, Background Sessions). Lower-severity items still name the file(s) they are drawn from.

Output Format

### Critical
1. [FILE:LINE] Missing HTTP status validation
   - Issue: 404/500 responses not treated as errors
   - Fix: Check `httpResponse.statusCode` is 200-299

Version History

3 versions in total

  • v1.2.2 (current)
    2026-06-01 20:57 Safe Safe
  • v1.2.1
    2026-05-03 07:40 Safe Safe
  • v1.2.0
    2026-03-31 05:27 Safe Safe

Security Scan

Tencent Cloud Security (Keen)

Safe, no risk

Tencent Cloud Security (Sanbu)

Safe, no risk
