@vibedash/client 0.4.0 → 0.4.1
- package/dist/duckdb-singleton.js +15 -0
- package/package.json +1 -1
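--- a/package/dist/duckdb-singleton.js
+++ b/package/dist/duckdb-singleton.js
@@ -30,8 +30,23 @@ async function initDuckDB() {
 async loadParquet(name, url, forceReload = false) {
 if (loadedTables.has(name) && !forceReload)
 return;
+// Validate URL origin — only allow same-origin or *.vibedash.xyz
+const parsed = new URL(url, window.location.origin);
+const isSameOrigin = parsed.origin === window.location.origin;
+const isVibedash = parsed.hostname.endsWith(".vibedash.xyz");
+if (!isSameOrigin && !isVibedash) {
+throw new Error("Parquet URL origin not allowed");
+}
 // Fetch the Parquet file and register it
 const response = await fetch(url);
+if (!response.ok) {
+throw new Error(`Failed to fetch Parquet: ${response.status}`);
+}
+// Reject files larger than 100MB to prevent browser OOM
+const contentLength = response.headers.get("Content-Length");
+if (contentLength && parseInt(contentLength, 10) > 100 * 1024 * 1024) {
+throw new Error("Parquet file too large (>100MB)");
+}
 const buffer = await response.arrayBuffer();
 await db.registerFileBuffer(`${name}.parquet`, new Uint8Array(buffer));
 // Drop existing table on force reload so we pick up the new data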
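Review bot: The allow-list check validates `parsed`, but the request is still made with the raw `url`, so the checked value and the fetched value can differ: `new URL(url, window.location.origin)` resolves a relative path against the origin, while `fetch(url)` resolves it against the document base URL, which a `<base>` element can change. Fetching the validated value closes that gap: `const response = await fetch(parsed.href);`. `isVibedash` also compares only the hostname, so a plain `http://` URL on any subdomain passes; consider `const isVibedash = parsed.protocol === "https:" && parsed.hostname.endsWith(".vibedash.xyz");`. Separately, the 100MB guard is skipped whenever `Content-Length` is absent (for example on chunked responses), so `response.arrayBuffer()` can still read an unbounded body, and the comment should describe the check as best-effort unless the body is read with a running byte limit. The body of `loadParquet` continues outside the hunk.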