fix(client): validate urls to improve security

This commit is contained in:
syuilo 2023-02-04 09:10:01 +09:00
parent 572000f868
commit 788ae2f6ca
4 changed files with 4 additions and 0 deletions


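--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -86,6 +86,7 @@ let tweetHeight = $ref(150);
 let unknownUrl = $ref(false);
 const requestUrl = new URL(props.url);
+if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
 if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') {
 const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/);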
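Review bot: The added check throws from what looks like component setup (`$ref`, `defineProps`), so a non-http(s) `props.url` presumably aborts rendering of the whole component instead of showing a fallback, even though an `unknownUrl` flag already exists two lines above; the same throw-at-setup pattern is added in the next two hunks. A non-throwing form such as `if (!['http:', 'https:'].includes(requestUrl.protocol)) unknownUrl = true;`, with the hostname/pathname code below guarded on that flag, would keep the component rendering and still block non-http schemes. The identical allowlist is repeated verbatim in all four hunks of this commit; a shared helper (for example `assertHttpUrl(url: URL): void`) would keep the permitted schemes in one place. Note also that `new URL(props.url)` on the preceding line can itself throw a TypeError for a malformed string, which this check does not cover. The enclosing script block extends beyond the hunk.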


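--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -26,6 +26,7 @@ const props = defineProps<{
 }>();
 const requestUrl = new URL(props.url);
+if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
 let fetching = $ref(true);
 let title = $ref<string | null>(null);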


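--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -33,6 +33,7 @@ const props = defineProps<{
 const self = props.url.startsWith(local);
 const url = new URL(props.url);
+if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');
 const el = ref();
 useTooltip(el, (showing) => {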


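--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -70,6 +70,7 @@ async function accept(): Promise<void> {
 state = 'accepted';
 if (props.callback) {
 const cbUrl = new URL(props.callback);
+if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
 cbUrl.searchParams.set('session', props.session);
 location.href = cbUrl.href;
 }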
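Review bot: The added protocol check runs after `state = 'accepted'` on the hunk's first line, so an invalid callback leaves the UI showing the accepted state while an exception escapes from `accept()`; if the server-side accept also happens before this point (the earlier part of `accept()` is outside the hunk), the session is accepted with no redirect ever happening. Validating `props.callback` before any state change — or once at setup, where a rejected callback can be surfaced to the user instead of thrown mid-flow — avoids the half-completed state. Because `accept()` is async, the `throw` becomes a rejected promise; unless the caller awaits and handles it, this is an unhandled rejection with no user-visible message, which is worth confirming at the call site. The body of `accept()` begins outside the hunk.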