From 3c00c7f3556c6c262d2041381ea76761436e2420 Mon Sep 17 00:00:00 2001
From: Carlos Fuentes
Date: Tue, 1 Mar 2022 23:06:35 +0100
Subject: [PATCH] test: URL potentially trustworthy

---
 lib/fetch/util.js | 8 ++++----
 test/fetch/util.js | 22 +++++++++++++++++++++-
 2 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/lib/fetch/util.js b/lib/fetch/util.js
index db2887613a9..9f2ec7ba58c 100644
--- a/lib/fetch/util.js
+++ b/lib/fetch/util.js
@@ -410,6 +410,9 @@ function isURLPotentiallyTrustworthy (url) {
   // If scheme is data, return true
   if (url.protocol === 'data:') return true
+
+  // If file, return true
+  if (url.protocol === 'file:') return true
 
   return isOriginPotentiallyTrustworthy(url.origin)
 
@@ -428,15 +431,12 @@ function isURLPotentiallyTrustworthy (url) {
   }
 
   // If localhost or variants, return true
-  if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^(?:0*:)*?:?0*1$/.test(originAsURL.hostname) ||
+  if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) ||
     (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) ||
     (originAsURL.hostname.endsWith('.localhost'))) {
     return true
   }
 
-  // If file, return true
-  if (originAsURL.protocol === 'file:') return true
-
   // If any other, return false
   return false
 }
diff --git a/test/fetch/util.js b/test/fetch/util.js
index 6ec78e878ac..51f0a31b8c9 100644
--- a/test/fetch/util.js
+++ b/test/fetch/util.js
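Review bot: The rewritten localhost condition in the second hunk still accepts any hostname that merely contains the substring `localhost.`, because the context line `originAsURL.hostname.includes('localhost.')` is kept alongside the new bracketed IPv6 regex; a constructed host such as `notlocalhost.example` would therefore be classified as potentially trustworthy and skip the secure-transport requirement. The Secure Contexts rule is an exact `localhost` or `localhost.` host, or a `.localhost` / `.localhost.` suffix, so the two unchanged lines should read `(originAsURL.hostname === 'localhost' || originAsURL.hostname === 'localhost.') ||` and `(originAsURL.hostname.endsWith('.localhost') || originAsURL.hostname.endsWith('.localhost.'))) {`. The enclosing function (presumably the origin helper that the first hunk's new `isOriginPotentiallyTrustworthy(url.origin)` call refers to) starts outside the hunk.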
@@ -112,4 +112,24 @@ test('sameOrigin', (t) => {
   })
   t.end()
-})
\ No newline at end of file
+})
+
+test('isURLPotentiallyTrustworthy', (t) => {
+  const valid = ['http://127.0.0.1', 'http://localhost.localhost',
+    'http://[::1]', 'http://adb.localhost', 'https://something.com', 'wss://hello.com',
+    'file:///link/to/file.txt', 'data:text/plain;base64,randomstring', 'about:blank', 'about:srcdoc']
+  const invalid = ['http://121.3.4.5:55', 'null:8080', 'something:8080']
+
+  t.plan(valid.length + invalid.length + 1)
+  t.notOk(util.isURLPotentiallyTrustworthy('string'))
+
+  for (const url of valid) {
+    const instance = new URL(url)
+    t.ok(util.isURLPotentiallyTrustworthy(instance))
+  }
+
+  for (const url of invalid) {
+    const instance = new URL(url)
+    t.notOk(util.isURLPotentiallyTrustworthy(instance))
+  }
+})
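Review bot: The new `valid` list in the isURLPotentiallyTrustworthy test never exercises the exact-host branches of the localhost rule (no bare `http://localhost`, no trailing-dot `http://localhost.`), and `invalid` has no negative case for a host that only contains the substring `localhost.`, so the implementation's over-broad `includes('localhost.')` check is not caught by this test. Adding `'http://localhost', 'http://localhost.'` to `valid` and a constructed `'http://notlocalhost.example'` to `invalid` would pin the intended behaviour; the last of these is expected to fail until the substring check in lib/fetch/util.js is tightened to exact and suffix matches. The `t.notOk(util.isURLPotentiallyTrustworthy('string'))` assertion presumably relies on an instanceof guard at the top of the function that is not visible in this patch — worth confirming rather than relying on a thrown error being absent.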