npm - browserclaw - Versions diffs - 0.3.1 → 0.3.3 - Mend

browserclaw 0.3.1 → 0.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -742,7 +742,7 @@ async function getPageForTargetId(opts) {
   const found = await findPageByTargetId(browser, opts.targetId, opts.cdpUrl);
   if (!found) {
     if (pages.length === 1) return first;
-    throw new Error(`Tab not found (targetId: ${opts.targetId}). Use browser.tabs() to list open tabs.`);
+    throw new Error("tab not found");
   }
   return found;
 }
@@ -1387,7 +1387,20 @@ var InvalidBrowserNavigationUrlError = class extends Error {
 function withBrowserNavigationPolicy(ssrfPolicy) {
   return { ssrfPolicy };
 }
+var NETWORK_NAVIGATION_PROTOCOLS = /* @__PURE__ */ new Set(["http:", "https:"]);
+var SAFE_NON_NETWORK_URLS = /* @__PURE__ */ new Set(["about:blank"]);
 async function assertBrowserNavigationAllowed(opts) {
+  const rawUrl = String(opts.url ?? "").trim();
+  let parsed;
+  try {
+    parsed = new URL(rawUrl);
+  } catch {
+    throw new InvalidBrowserNavigationUrlError(`Invalid URL: "${rawUrl}"`);
+  }
+  if (!NETWORK_NAVIGATION_PROTOCOLS.has(parsed.protocol)) {
+    if (SAFE_NON_NETWORK_URLS.has(parsed.href)) return;
+    throw new InvalidBrowserNavigationUrlError(`Navigation blocked: unsupported protocol "${parsed.protocol}"`);
+  }
   const policy = opts.ssrfPolicy;
   if (policy?.allowPrivateNetwork) return;
   const allowedHostnames = [
@@ -1395,18 +1408,12 @@ async function assertBrowserNavigationAllowed(opts) {
     ...policy?.hostnameAllowlist ?? []
   ];
   if (allowedHostnames.length) {
-    let parsed;
-    try {
-      parsed = new URL(opts.url);
-    } catch {
-      throw new InvalidBrowserNavigationUrlError(`Invalid URL: "${opts.url}"`);
-    }
     const hostname = parsed.hostname.toLowerCase();
     if (allowedHostnames.some((h) => h.toLowerCase() === hostname)) return;
   }
-  if (await isInternalUrlResolved(opts.url, opts.lookupFn)) {
+  if (await isInternalUrlResolved(rawUrl, opts.lookupFn)) {
     throw new InvalidBrowserNavigationUrlError(
-      `Navigation to internal/loopback address blocked: "${opts.url}". Use ssrfPolicy: { allowPrivateNetwork: true } if this is intentional.`
+      `Navigation to internal/loopback address blocked: "${rawUrl}". Use ssrfPolicy: { allowPrivateNetwork: true } if this is intentional.`
     );
   }
 }