FoundKeyGang/FoundKey
FoundKeyGang
/
FoundKey
7
19
Fork 22
Code Issues 37 Pull Requests 4 Releases Activity

server: handle invalid URLs in comparison

This commit is contained in:
Johann150 2022-11-10 21:16:55 +01:00 committed by Gitea
parent bdcec2b8a7
commit de927e1f30
1 changed files with 10 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
packages/backend/src/server/api/common/compare-url.ts
View File

@ -4,12 +4,20 @@ import { URL } from 'node:url';
* Compares two URLs for OAuth. The first parameter is the trusted URL
* which decides how the comparison is conducted.
*
* Invalid URLs are never equal.
*
* Implements the current draft-ietf-oauth-security-topics-21 § 4.1.3
* (published 2022-09-27)
*/
export function compareUrl(trusted: string, untrusted: string): boolean {
let trustedUrl = new URL(trusted);
let untrustedUrl = new URL(untrusted);
let trustedUrl, untrustedUrl;
try {
trustedUrl = new URL(trusted);
untrustedUrl = new URL(untrusted);
} catch {
return false;
}
// Excerpt from RFC 8252:
//> Loopback redirect URIs use the "http" scheme and are constructed with