* Normalizes the vault URL and runs an early structural SSRF check via the * shared `validateExternalUrl` policy (hosted Sim blocks localhost/private/HTTP; * self-hosted allows http://localhost only). * * The authoritative SSRF boundary is enforced at request time: every vault * request goes th
(rawUrl: string | undefined)
| 36 | * must be exposed through a public URL. |
| 37 | */ |
| 38 | function resolveVaultEndpoint(rawUrl: string | undefined): string { |
| 39 | let url = (rawUrl || DEFAULT_VAULT_URL).trim().replace(/\/+$/, '') |
| 40 | if (url && !url.startsWith('https://') && !url.startsWith('http://')) { |
| 41 | url = `https://${url}` |
| 42 | } |
| 43 | const validation = validateExternalUrl(url, 'vaultUrl') |
| 44 | if (!validation.isValid) { |
| 45 | throw new Error(validation.error || 'Invalid vault URL') |
| 46 | } |
| 47 | return url |
| 48 | } |
| 49 | |
| 50 | /** |
| 51 | * Lists entries in a single vault directory (non-recursive). |
no test coverage detected