( url: string | null | undefined, paramName = 'tenantUrl' )
| 1590 | * ``` |
| 1591 | */ |
export function validateWorkdayTenantUrl(
  url: string | null | undefined,
  paramName = 'tenantUrl'
): ValidationResult {
  // Generic external-URL validation runs first; a failing result is handed back unchanged.
  const baseCheck = validateExternalUrl(url, paramName)
  if (!baseCheck.isValid) {
    return baseCheck
  }

  // The allowlist is applied to the host as parsed by URL, not to a substring of the raw string,
  // so text in the userinfo, path or query cannot satisfy the check.
  const host = new URL(url as string).hostname.toLowerCase()

  // Each entry matches either as a dot-anchored suffix (any subdomain) or, with its first
  // character dropped, as the exact host.
  // NOTE(review): presumably every entry starts with '.', e.g. '.workday.com'; verify against the
  // constant. An entry without the leading dot would let endsWith() accept look-alike hosts.
  const matchesSuffix = (suffix: string): boolean =>
    host.endsWith(suffix) || host === suffix.slice(1)

  if (WORKDAY_ALLOWED_HOST_SUFFIXES.some(matchesSuffix)) {
    // `sanitized` is the caller's original string, not a re-serialised URL.
    // NOTE(review): consumers should parse it the same way as above so the host that was checked
    // is the host that is contacted. Redirect handling is not visible here; confirm that the HTTP
    // client cannot be redirected off the allowlisted host.
    return { isValid: true, sanitized: url as string }
  }

  // Only the first 100 characters of the rejected host are logged, which bounds the log field.
  logger.warn('Workday tenant URL hostname not on allowlist', {
    paramName,
    hostname: host.substring(0, 100),
  })

  return {
    isValid: false,
    error: `${paramName} must be a Workday-hosted domain (e.g., *.workday.com or *.myworkday.com)`,
  }
}
| 1617 | |
| 1618 | /** |
| 1619 | * Validates a database identifier (table or column name) to prevent SQL injection. |
no test coverage detected