MCPcopy Index your code
hub / github.com/simstudioai/sim / assertSafeExternalUrl

Function assertSafeExternalUrl

apps/sim/app/api/tools/sap_concur/shared.ts:136–157  ·  view source on GitHub ↗
(rawUrl: string, label: string)

Source from the content-addressed store, hash-verified

134
135/** Validate a URL is https and not pointing to a private/loopback host. */
136export function assertSafeExternalUrl(rawUrl: string, label: string): URL {
137 let parsed: URL
138 try {
139 parsed = new URL(rawUrl)
140 } catch {
141 throw new Error(`${label} must be a valid URL`)
142 }
143 if (parsed.protocol !== 'https:') {
144 throw new Error(`${label} must use https://`)
145 }
146 const host = parsed.hostname.toLowerCase()
147 if (FORBIDDEN_HOSTS.has(host) || FORBIDDEN_HOSTS.has(`[${host}]`)) {
148 throw new Error(`${label} host is not allowed`)
149 }
150 if (isPrivateIPv4(host)) {
151 throw new Error(`${label} host is not allowed (private/loopback range)`)
152 }
153 if (isPrivateOrLoopbackIPv6(host)) {
154 throw new Error(`${label} host is not allowed (IPv6 private/loopback)`)
155 }
156 return parsed
157}
158
159interface CachedToken {
160 accessToken: string

Callers 4

callConcurFunction · 0.90
handleUploadReceiptImageFunction · 0.90

Calls 2

isPrivateIPv4Function · 0.70
isPrivateOrLoopbackIPv6Function · 0.70

Tested by

no test coverage detected