server: handle invalid URLs in comparison

This commit is contained in:
Johann150 2022-11-10 21:16:55 +01:00
parent 1d14ed013a
commit 4912fb286c
Signed by untrusted user: Johann150
GPG key ID: 9EE6577A2A06F8F1


@ -4,12 +4,20 @@ import { URL } from 'node:url';
* Compares two URLs for OAuth. The first parameter is the trusted URL
* which decides how the comparison is conducted.
*
* Invalid URLs are never equal.
*
* Implements the current draft-ietf-oauth-security-topics-21 § 4.1.3
* (published 2022-09-27)
*/
export function compareUrl(trusted: string, untrusted: string): boolean {
let trustedUrl = new URL(trusted);
let untrustedUrl = new URL(untrusted);
let trustedUrl, untrustedUrl;
try {
trustedUrl = new URL(trusted);
untrustedUrl = new URL(untrusted);
} catch {
return false;
}
// Excerpt from RFC 8252:
//> Loopback redirect URIs use the "http" scheme and are constructed with