@seed-ship/mcp-ui-solid 5.5.0 → 5.5.1

@@ -568,9 +568,17 @@ export function validateIframeDomain(
568
568
  effectiveWhitelist = [...DEFAULT_IFRAME_DOMAINS, ...options.customDomains]
569
569
  }
570
570
 
571
- const isAllowed = effectiveWhitelist.some(
572
- (allowed) => domain === allowed || domain.endsWith(`.${allowed}`) || allowed === 'localhost'
573
- )
571
+ // SECURITY (v5.5.1) — pre-fix bug: predicate was `allowed === 'localhost'`
572
+ // which trivially returned true for every URL once the whitelist contained
573
+ // 'localhost' (an entry from DEFAULT_IFRAME_DOMAINS), making the entire
574
+ // domain whitelist inoperative. Fixed: only the URL's actual hostname
575
+ // being 'localhost' (or a 127.0.0.x loopback) bypasses the whitelist.
576
+ const isLoopback = domain === 'localhost' || /^127(\.\d{1,3}){3}$/.test(domain)
577
+ const isAllowed =
578
+ isLoopback ||
579
+ effectiveWhitelist.some(
580
+ (allowed) => allowed !== 'localhost' && (domain === allowed || domain.endsWith(`.${allowed}`))
581
+ )
574
582
 
575
583
  if (!isAllowed) {
576
584
  return {
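Review bot: The loopback allowance on new line 576 is unconditional, so `localhost` and `127.x.x.x` embeds are accepted even when `effectiveWhitelist` is built without `DEFAULT_IFRAME_DOMAINS` (only the branch at line 568 that includes the defaults is visible; whether another branch omits them is outside the hunk), which a production caller that deliberately supplies an exhaustive whitelist may not expect. Tie the bypass to the list instead: `const allowLoopback = effectiveWhitelist.includes('localhost')` and `isAllowed = (allowLoopback && isLoopback) || effectiveWhitelist.some(...)`, keeping the `allowed !== 'localhost'` filter so that entry can never match as a suffix. Separately, `[::1]` (what `URL.hostname` yields for an IPv6 loopback URL) is not covered by `isLoopback`, and `*.localhost` names such as `app.localhost`, which matched before via `endsWith('.localhost')`, now fail since the `localhost` entry is skipped entirely — the comment on lines 571-575 should state whether both are intended. `validateIframeDomain` begins and ends outside the hunk.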