(rawUrl: string, label: string)
| 134 | |
| 135 | /** Validate a URL is https and not pointing to a private/loopback host. */ |
| 136 | export function assertSafeExternalUrl(rawUrl: string, label: string): URL { |
| 137 | let parsed: URL |
| 138 | try { |
| 139 | parsed = new URL(rawUrl) |
| 140 | } catch { |
| 141 | throw new Error(`${label} must be a valid URL`) |
| 142 | } |
| 143 | if (parsed.protocol !== 'https:') { |
| 144 | throw new Error(`${label} must use https://`) |
| 145 | } |
| 146 | const host = parsed.hostname.toLowerCase() |
| 147 | if (FORBIDDEN_HOSTS.has(host) || FORBIDDEN_HOSTS.has(`[${host}]`)) { |
| 148 | throw new Error(`${label} host is not allowed`) |
| 149 | } |
| 150 | if (isPrivateIPv4(host)) { |
| 151 | throw new Error(`${label} host is not allowed (private/loopback range)`) |
| 152 | } |
| 153 | if (isPrivateOrLoopbackIPv6(host)) { |
| 154 | throw new Error(`${label} host is not allowed (IPv6 private/loopback)`) |
| 155 | } |
| 156 | return parsed |
| 157 | } |
| 158 | |
| 159 | interface CachedToken { |
| 160 | accessToken: string |
no test coverage detected