fix(client): validate urls to improve security

This commit is contained in:
syuilo 2023-02-04 09:10:01 +09:00 committed by ThatOneCalculator
parent 5a481f6286
commit 96e1a93216
No known key found for this signature in database
GPG Key ID: 8703CACD01000000
3 changed files with 4 additions and 0 deletions


@ -67,6 +67,7 @@ const embedId = `embed${Math.random().toString().replace(/\D/,'')}`;
let tweetHeight = $ref(150); let tweetHeight = $ref(150);
const requestUrl = new URL(props.url); const requestUrl = new URL(props.url);
if (!['http:', 'https:'].includes(requestUrl.protocol)) throw new Error('invalid url');
if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') { if (requestUrl.hostname === 'twitter.com' || requestUrl.hostname === 'mobile.twitter.com') {
const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/); const m = requestUrl.pathname.match(/^\/.+\/status(?:es)?\/(\d+)/);
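Review bot: The protocol guard on the new line runs after `new URL(props.url)`, which already throws a `TypeError` for a string that is not a URL at all, so setup of this component now has two distinct failure modes and an invalid `props.url` aborts it (how the parent handles that is not visible here); catching both in one place and switching to a fallback state would keep the rejection of non-http(s) schemes without an unhandled error. The same three-line pattern is repeated verbatim in the second and third files of this commit; a shared helper such as `function assertHttpUrl(raw: string): URL { const u = new URL(raw); if (!['http:', 'https:'].includes(u.protocol)) throw new Error('invalid url'); return u; }` would give one place to maintain the allow-list. Since `URL.protocol` is normalized to lowercase with the trailing colon, the literal comparison is correct as written. The enclosing setup block starts outside the hunk.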


@ -33,6 +33,7 @@ const props = defineProps<{
const self = props.url.startsWith(local); const self = props.url.startsWith(local);
const url = new URL(props.url); const url = new URL(props.url);
if (!['http:', 'https:'].includes(url.protocol)) throw new Error('invalid url');
const el = ref(); const el = ref();
useTooltip(el, (showing) => { useTooltip(el, (showing) => {


@ -70,6 +70,8 @@ async function accept(): Promise<void> {
state = 'accepted'; state = 'accepted';
if (props.callback) { if (props.callback) {
const cbUrl = new URL(props.callback);
if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
location.href = appendQuery(props.callback, query({ location.href = appendQuery(props.callback, query({
session: props.session, session: props.session,
})); }));
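Review bot: The callback check on the two added lines runs after `state = 'accepted'` on the line above, so a rejected callback leaves the component in the accepted state with no redirect, and because `accept()` is `async` the thrown error surfaces as a rejected promise that the caller may never handle. Moving the `cbUrl` parse and protocol check above `state = 'accepted'`, or validating `props.callback` once at setup before the user can click, keeps the displayed state and the navigation consistent. `new URL(props.callback)` also throws a `TypeError` on a malformed string before the protocol test is reached, so any caller that catches the `'invalid url'` error should expect both kinds. `accept()` starts and ends outside the hunk.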