From 4912fb286c64be909df991a5455075604de3b9c3 Mon Sep 17 00:00:00 2001 From: Johann150 Date: Thu, 10 Nov 2022 21:16:55 +0100 Subject: [PATCH] server: handle invalid URLs in comparison --- .../backend/src/server/api/common/compare-url.ts | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/packages/backend/src/server/api/common/compare-url.ts b/packages/backend/src/server/api/common/compare-url.ts index 083f9fffb..2d35dbd97 100644 --- a/packages/backend/src/server/api/common/compare-url.ts +++ b/packages/backend/src/server/api/common/compare-url.ts @@ -4,12 +4,20 @@ import { URL } from 'node:url'; * Compares two URLs for OAuth. The first parameter is the trusted URL * which decides how the comparison is conducted. * + * Invalid URLs are never equal. + * * Implements the current draft-ietf-oauth-security-topics-21 ยง 4.1.3 * (published 2022-09-27) */ export function compareUrl(trusted: string, untrusted: string): boolean { - let trustedUrl = new URL(trusted); - let untrustedUrl = new URL(untrusted); + let trustedUrl, untrustedUrl; + + try { + trustedUrl = new URL(trusted); + untrustedUrl = new URL(untrusted); + } catch { + return false; + } // Excerpt from RFC 8252: //> Loopback redirect URIs use the "http" scheme and are constructed with