playwright-core 1.58.0-alpha-2025-12-30 → 1.58.0-alpha-2026-01-01
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -76,6 +76,7 @@ class BrowserContext extends import_channelOwner.ChannelOwner {
|
|
|
76
76
|
this.tracing = import_tracing.Tracing.from(initializer.tracing);
|
|
77
77
|
this.request = import_fetch.APIRequestContext.from(initializer.requestContext);
|
|
78
78
|
this.request._timeoutSettings = this._timeoutSettings;
|
|
79
|
+
this.request._checkUrlAllowed = (url) => this._checkUrlAllowed(url);
|
|
79
80
|
this.clock = new import_clock.Clock(this);
|
|
80
81
|
this._channel.on("bindingCall", ({ binding }) => this._onBinding(import_page.BindingCall.from(binding)));
|
|
81
82
|
this._channel.on("close", () => this._onClose());
|
|
@@ -474,6 +475,37 @@ class BrowserContext extends import_channelOwner.ChannelOwner {
|
|
|
474
475
|
this._onRecorderEventSink = void 0;
|
|
475
476
|
await this._channel.disableRecorder();
|
|
476
477
|
}
|
|
478
|
+
_setAllowedProtocols(protocols) {
|
|
479
|
+
this._allowedProtocols = protocols;
|
|
480
|
+
}
|
|
481
|
+
_checkUrlAllowed(url) {
|
|
482
|
+
if (!this._allowedProtocols)
|
|
483
|
+
return;
|
|
484
|
+
let parsedURL;
|
|
485
|
+
try {
|
|
486
|
+
parsedURL = new URL(url);
|
|
487
|
+
} catch (e) {
|
|
488
|
+
throw new Error(`Access to ${url} is blocked. Invalid URL: ${e.message}`);
|
|
489
|
+
}
|
|
490
|
+
if (!this._allowedProtocols.includes(parsedURL.protocol))
|
|
491
|
+
throw new Error(`Access to "${parsedURL.protocol}" URL is blocked. Allowed protocols: ${this._allowedProtocols.join(", ")}. Attempted URL: ${url}`);
|
|
492
|
+
}
|
|
493
|
+
_setAllowedDirectories(rootDirectories) {
|
|
494
|
+
this._allowedDirectories = rootDirectories;
|
|
495
|
+
}
|
|
496
|
+
_checkFileAccess(filePath) {
|
|
497
|
+
if (!this._allowedDirectories)
|
|
498
|
+
return;
|
|
499
|
+
const path = this._platform.path().resolve(filePath);
|
|
500
|
+
const isInsideDir = (container, child) => {
|
|
501
|
+
const path2 = this._platform.path();
|
|
502
|
+
const rel = path2.relative(container, child);
|
|
503
|
+
return !!rel && !rel.startsWith("..") && !path2.isAbsolute(rel);
|
|
504
|
+
};
|
|
505
|
+
if (this._allowedDirectories.some((root) => isInsideDir(root, path)))
|
|
506
|
+
return;
|
|
507
|
+
throw new Error(`File access denied: ${filePath} is outside allowed roots. Allowed roots: ${this._allowedDirectories.length ? this._allowedDirectories.join(", ") : "none"}`);
|
|
508
|
+
}
|
|
477
509
|
}
|
|
478
510
|
async function prepareStorageState(platform, storageState) {
|
|
479
511
|
if (typeof storageState !== "string")
|
|
@@ -230,6 +230,9 @@ async function convertInputFiles(platform, files, context) {
|
|
|
230
230
|
if (!items.every((item) => typeof item === "string"))
|
|
231
231
|
throw new Error("File paths cannot be mixed with buffers");
|
|
232
232
|
const [localPaths, localDirectory] = await resolvePathsAndDirectoryForInputFiles(platform, items);
|
|
233
|
+
localPaths?.forEach((path) => context._checkFileAccess(path));
|
|
234
|
+
if (localDirectory)
|
|
235
|
+
context._checkFileAccess(localDirectory);
|
|
233
236
|
if (context._connection.isRemote()) {
|
|
234
237
|
const files2 = localDirectory ? (await platform.fs().promises.readdir(localDirectory, { withFileTypes: true, recursive: true })).filter((f) => f.isFile()).map((f) => platform.path().join(f.path, f.name)) : localPaths;
|
|
235
238
|
const { writableStreams, rootDir } = await context._wrapApiCall(async () => context._channel.createTempFiles({
|
package/lib/client/fetch.js
CHANGED
|
@@ -133,6 +133,7 @@ class APIRequestContext extends import_channelOwner.ChannelOwner {
|
|
|
133
133
|
(0, import_assert.assert)(options.maxRedirects === void 0 || options.maxRedirects >= 0, `'maxRedirects' must be greater than or equal to '0'`);
|
|
134
134
|
(0, import_assert.assert)(options.maxRetries === void 0 || options.maxRetries >= 0, `'maxRetries' must be greater than or equal to '0'`);
|
|
135
135
|
const url = options.url !== void 0 ? options.url : options.request.url();
|
|
136
|
+
this._checkUrlAllowed?.(url);
|
|
136
137
|
const method = options.method || options.request?.method();
|
|
137
138
|
let encodedParams = void 0;
|
|
138
139
|
if (typeof options.params === "string")
|
package/lib/client/frame.js
CHANGED
|
@@ -101,6 +101,7 @@ class Frame extends import_channelOwner.ChannelOwner {
|
|
|
101
101
|
}
|
|
102
102
|
async goto(url, options = {}) {
|
|
103
103
|
const waitUntil = verifyLoadState("waitUntil", options.waitUntil === void 0 ? "load" : options.waitUntil);
|
|
104
|
+
this.page().context()._checkUrlAllowed(url);
|
|
104
105
|
return network.Response.fromNullable((await this._channel.goto({ url, ...options, waitUntil, timeout: this._navigationTimeout(options) })).response);
|
|
105
106
|
}
|
|
106
107
|
_setupNavigationWaiter(options) {
|