@api-client/core 0.6.7 → 0.6.8

package/build/src/authorization/lib/Utils.js

@@ -25,8 +25,11 @@ export function validateRedirectUri(value) {
     // the redirect URI can have any value, especially for installed apps which 
     // may use custom schemes. We do very basic sanity check for any script content 
     // validation to make sure we are not passing any script.
-    if (result && String(value).startsWith('javascript:')) {
-        result = false;
+    if (result) {
+        const u = String(value).toLowerCase();
+        if (u.startsWith("javascript:") || u.startsWith("data:") || u.startsWith("vbscript:")) {
+            result = false;
+        }
     }
     return result;
 }

package/build/src/authorization/lib/Utils.js.map

@@ -1 +1 @@
-{"version":3,"file":"Utils.js","sourceRoot":"","sources":["../../../../src/authorization/lib/Utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAa,EAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;AAEnF,MAAM,CAAC,MAAM,YAAY,GAAG,OAAO,CAAC;AACpC,MAAM,CAAC,MAAM,aAAa,GAAG,QAAQ,CAAC;AACtC,MAAM,CAAC,MAAM,WAAW,GAAG,MAAM,CAAC;AAClC,MAAM,CAAC,MAAM,aAAa,GAAG,QAAQ,CAAC;AACtC,MAAM,CAAC,MAAM,aAAa,GAAG,SAAS,CAAC;AACvC,MAAM,CAAC,MAAM,WAAW,GAAG,SAAS,CAAC;AACrC,MAAM,CAAC,MAAM,SAAS,GAAG,oBAAoB,CAAC;AAC9C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAEvD;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAc;IAChD,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QACvC,MAAM,GAAG,KAAK,CAAC;KAChB;IACD,4EAA4E;IAC5E,gFAAgF;IAChF,yDAAyD;IACzD,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,EAAE;QACrD,MAAM,GAAG,KAAK,CAAC;KAChB;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,UAAU,GAAG,kBAAkB,CAAC;IACtC,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAC9D,KAAK,IAAI,UAAU,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;KAC3C;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,MAAM,QAAQ,GAAG,sCAAsC,CAAC;IACxD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1B,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;KACtE;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,GAAY,EAAE,OAAgB;IACzD,IAAI,CAAC,GAAG,EAAE;QACR,OAAO,EAAE,CAAC;KACX;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,OAAO,EAAE;QACZ,OAAO,MAAM,CAAC;KACf;IACD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE;QACrB,IAAI,GAAG,GAAG,OAAO,CAAC;QAClB,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE;YAC/B,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;SACxC;QACD,OAAO,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;KAC1B;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"Utils.js","sourceRoot":"","sources":["../../../../src/authorization/lib/Utils.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,IAAa,EAAU,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;AAEnF,MAAM,CAAC,MAAM,YAAY,GAAG,OAAO,CAAC;AACpC,MAAM,CAAC,MAAM,aAAa,GAAG,QAAQ,CAAC;AACtC,MAAM,CAAC,MAAM,WAAW,GAAG,MAAM,CAAC;AAClC,MAAM,CAAC,MAAM,aAAa,GAAG,QAAQ,CAAC;AACtC,MAAM,CAAC,MAAM,aAAa,GAAG,SAAS,CAAC;AACvC,MAAM,CAAC,MAAM,WAAW,GAAG,SAAS,CAAC;AACrC,MAAM,CAAC,MAAM,SAAS,GAAG,oBAAoB,CAAC;AAC9C,MAAM,CAAC,MAAM,kBAAkB,GAAG,oBAAoB,CAAC;AAEvD;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAAc;IAChD,IAAI,MAAM,GAAG,IAAI,CAAC;IAClB,IAAI,CAAC,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;QACvC,MAAM,GAAG,KAAK,CAAC;KAChB;IACD,4EAA4E;IAC5E,gFAAgF;IAChF,yDAAyD;IACzD,IAAI,MAAM,EAAE;QACV,MAAM,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;QACtC,IAAI,CAAC,CAAC,UAAU,CAAC,aAAa,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE;YACrF,MAAM,GAAG,KAAK,CAAC;SAChB;KACF;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc;IAC5B,MAAM,UAAU,GAAG,kBAAkB,CAAC;IACtC,IAAI,KAAK,GAAG,EAAE,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,EAAE,EAAE;QAC3B,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;QAC9D,KAAK,IAAI,UAAU,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;KAC3C;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa;IAC3B,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,MAAM,QAAQ,GAAG,sCAAsC,CAAC;IACxD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1B,IAAI,IAAI,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;KACtE;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,GAAY,EAAE,OAAgB;IACzD,IAAI,CAAC,GAAG,EAAE;QACR,OAAO,EAAE,CAAC;KACX;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3B,IAAI,CAAC,OAAO,EAAE;QACZ,OAAO,MAAM,CAAC;KACf;IACD,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE;QACrB,IAAI,GAAG,GAAG,OAAO,CAAC;QAClB,IAAI,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE;YAC/B,GAAG,GAAG,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;SACxC;QACD,OAAO,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;KAC1B;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@api-client/core",
   "description": "The API Client's core client library. Works in NodeJS and in a ES enabled browser.",
-  "version": "0.6.7",
+  "version": "0.6.8",
   "license": "Apache-2.0",
   "main": "build/index.js",
   "module": "build/index.js",

package/src/authorization/lib/Utils.ts

@@ -27,8 +27,11 @@ export function validateRedirectUri(value: unknown): boolean {
   // the redirect URI can have any value, especially for installed apps which 
   // may use custom schemes. We do very basic sanity check for any script content 
   // validation to make sure we are not passing any script.
-  if (result && String(value).startsWith('javascript:')) {
-    result = false;
+  if (result) {
+    const u = String(value).toLowerCase();
+    if (u.startsWith("javascript:") || u.startsWith("data:") || u.startsWith("vbscript:")) {
+      result = false;
+    }
   }
   return result;
 }