fix(client): validate urls to improve security

2023-02-04 09:10:01 +09:00 · 2023-02-04 09:10:01 +09:00 · 788ae2f6ca
commit 788ae2f6ca
parent 572000f868
4 changed files with 4 additions and 0 deletions
--- a/packages/frontend/src/pages/miauth.vue
+++ b/packages/frontend/src/pages/miauth.vue
@ -70,6 +70,7 @@ async function accept(): Promise<void> {
 	state = 'accepted';
 	if (props.callback) {
 		const cbUrl = new URL(props.callback);
+		if (!['http:', 'https:'].includes(cbUrl.protocol)) throw new Error('invalid url');
 		cbUrl.searchParams.set('session', props.session);
 		location.href = cbUrl.href;
 	}