wait-what/FoundKey
1
0
Fork 0
forked from FoundKeyGang/FoundKey
Code Issues Pull requests Projects Releases Packages Wiki Activity

server: handle invalid URLs in comparison

Browse source
This commit is contained in:
Johann150 2022-11-10 21:16:55 +01:00
parent 1d14ed013a
commit 4912fb286c
Signed by untrusted user: Johann150
GPG key ID: 9EE6577A2A06F8F1
1 changed files with 10 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
packages/backend/src/server/api/common/compare-url.ts
View file

@ -4,12 +4,20 @@ import { URL } from 'node:url';
* Compares two URLs for OAuth. The first parameter is the trusted URL * Compares two URLs for OAuth. The first parameter is the trusted URL
* which decides how the comparison is conducted. * which decides how the comparison is conducted.
* *
* Invalid URLs are never equal.
*
* Implements the current draft-ietf-oauth-security-topics-21 § 4.1.3 * Implements the current draft-ietf-oauth-security-topics-21 § 4.1.3
* (published 2022-09-27) * (published 2022-09-27)
*/ */
export function compareUrl(trusted: string, untrusted: string): boolean { export function compareUrl(trusted: string, untrusted: string): boolean {
let trustedUrl = new URL(trusted); let trustedUrl, untrustedUrl;
let untrustedUrl = new URL(untrusted);
try {
trustedUrl = new URL(trusted);
untrustedUrl = new URL(untrusted);
} catch {
return false;
}
// Excerpt from RFC 8252: // Excerpt from RFC 8252:
//> Loopback redirect URIs use the "http" scheme and are constructed with //> Loopback redirect URIs use the "http" scheme and are constructed with