@mintlify/common 1.0.831 → 1.0.833
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +1 -0
- package/dist/index.js +1 -0
- package/dist/isAbsoluteUrl.js +1 -1
- package/dist/isAllowedRedirectUri.d.ts +1 -0
- package/dist/isAllowedRedirectUri.js +35 -0
- package/dist/isAllowedRedirectUri.test.d.ts +1 -0
- package/dist/isAllowedRedirectUri.test.js +41 -0
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +2 -2
package/dist/index.d.ts
CHANGED
package/dist/index.js
CHANGED
package/dist/isAbsoluteUrl.js
CHANGED
|
@@ -20,7 +20,7 @@ export const isAbsoluteUrl = (url) => {
|
|
|
20
20
|
if (!url || typeof url !== 'string')
|
|
21
21
|
return false;
|
|
22
22
|
try {
|
|
23
|
-
if (!URL.canParse(url))
|
|
23
|
+
if (typeof URL.canParse === 'function' && !URL.canParse(url))
|
|
24
24
|
return false;
|
|
25
25
|
const parsedUrl = new URL(url);
|
|
26
26
|
const protocol = parsedUrl.protocol.slice(0, -1);
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export declare function isAllowedRedirectUri(uri: string, allowedDomains: string[]): boolean;
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
const LOOPBACK_HOSTS = ['localhost', '127.0.0.1', '[::1]'];
|
|
2
|
+
const DANGEROUS_PROTOCOLS = new Set([
|
|
3
|
+
'javascript:',
|
|
4
|
+
'data:',
|
|
5
|
+
'vbscript:',
|
|
6
|
+
'file:',
|
|
7
|
+
'about:',
|
|
8
|
+
'blob:',
|
|
9
|
+
]);
|
|
10
|
+
export function isAllowedRedirectUri(uri, allowedDomains) {
|
|
11
|
+
try {
|
|
12
|
+
const parsed = new URL(uri);
|
|
13
|
+
if (DANGEROUS_PROTOCOLS.has(parsed.protocol)) {
|
|
14
|
+
return false;
|
|
15
|
+
}
|
|
16
|
+
if (LOOPBACK_HOSTS.includes(parsed.hostname)) {
|
|
17
|
+
return true;
|
|
18
|
+
}
|
|
19
|
+
return allowedDomains.some((entry) => {
|
|
20
|
+
if (entry.includes('://')) {
|
|
21
|
+
try {
|
|
22
|
+
const allowed = new URL(entry);
|
|
23
|
+
return parsed.protocol === allowed.protocol && parsed.hostname === allowed.hostname;
|
|
24
|
+
}
|
|
25
|
+
catch (_a) {
|
|
26
|
+
return false;
|
|
27
|
+
}
|
|
28
|
+
}
|
|
29
|
+
return parsed.protocol === 'https:' && parsed.hostname === entry;
|
|
30
|
+
});
|
|
31
|
+
}
|
|
32
|
+
catch (_a) {
|
|
33
|
+
return false;
|
|
34
|
+
}
|
|
35
|
+
}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
export {};
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
import { describe, expect, it } from 'vitest';
|
|
2
|
+
import { isAllowedRedirectUri } from './isAllowedRedirectUri.js';
|
|
3
|
+
describe('isAllowedRedirectUri', () => {
|
|
4
|
+
it('allows loopback addresses', () => {
|
|
5
|
+
expect(isAllowedRedirectUri('http://localhost:3000/callback', [])).toBe(true);
|
|
6
|
+
expect(isAllowedRedirectUri('http://127.0.0.1:8080/callback', [])).toBe(true);
|
|
7
|
+
expect(isAllowedRedirectUri('http://[::1]:3000/callback', [])).toBe(true);
|
|
8
|
+
});
|
|
9
|
+
it('rejects dangerous protocols', () => {
|
|
10
|
+
expect(isAllowedRedirectUri('javascript:alert(1)', [])).toBe(false);
|
|
11
|
+
expect(isAllowedRedirectUri('data:text/html,<h1>hi</h1>', [])).toBe(false);
|
|
12
|
+
expect(isAllowedRedirectUri('vbscript:msgbox', [])).toBe(false);
|
|
13
|
+
expect(isAllowedRedirectUri('file:///etc/passwd', [])).toBe(false);
|
|
14
|
+
expect(isAllowedRedirectUri('about:blank', [])).toBe(false);
|
|
15
|
+
expect(isAllowedRedirectUri('blob:http://example.com/abc', [])).toBe(false);
|
|
16
|
+
});
|
|
17
|
+
it('allows domains in the allowed list (plain hostname)', () => {
|
|
18
|
+
expect(isAllowedRedirectUri('https://example.com/callback', ['example.com'])).toBe(true);
|
|
19
|
+
});
|
|
20
|
+
it('rejects non-https for plain hostname entries', () => {
|
|
21
|
+
expect(isAllowedRedirectUri('http://example.com/callback', ['example.com'])).toBe(false);
|
|
22
|
+
});
|
|
23
|
+
it('allows domains in the allowed list (full URL entry)', () => {
|
|
24
|
+
expect(isAllowedRedirectUri('https://example.com/callback', ['https://example.com'])).toBe(true);
|
|
25
|
+
});
|
|
26
|
+
it('allows matching protocol+hostname for URL entries', () => {
|
|
27
|
+
expect(isAllowedRedirectUri('http://example.com/callback', ['http://example.com'])).toBe(true);
|
|
28
|
+
});
|
|
29
|
+
it('rejects mismatched protocol for URL entries', () => {
|
|
30
|
+
expect(isAllowedRedirectUri('http://example.com/callback', ['https://example.com'])).toBe(false);
|
|
31
|
+
});
|
|
32
|
+
it('rejects domains not in the allowed list', () => {
|
|
33
|
+
expect(isAllowedRedirectUri('https://evil.com/callback', ['example.com'])).toBe(false);
|
|
34
|
+
});
|
|
35
|
+
it('returns false for invalid URIs', () => {
|
|
36
|
+
expect(isAllowedRedirectUri('not-a-url', ['example.com'])).toBe(false);
|
|
37
|
+
});
|
|
38
|
+
it('returns false for invalid entries in allowed domains', () => {
|
|
39
|
+
expect(isAllowedRedirectUri('https://example.com/cb', ['://invalid'])).toBe(false);
|
|
40
|
+
});
|
|
41
|
+
});
|