* Returns true if the URL's hostname contains an env var reference, * meaning domain validation must be deferred until env var resolution. * Only bypasses validation when the hostname itself is unresolvable — * env vars in the path/query do NOT bypass the domain check.
(url: string)
| 51 | * env vars in the path/query do NOT bypass the domain check. |
| 52 | */ |
| 53 | function hasEnvVarInHostname(url: string): boolean { |
| 54 | // If the entire URL is an env var reference, hostname is unknown |
| 55 | if (url.trim().replace(createEnvVarPattern(), '').trim() === '') return true |
| 56 | try { |
| 57 | // Extract the authority portion (between :// and the first /, ?, or # per RFC 3986) |
| 58 | const protocolEnd = url.indexOf('://') |
| 59 | if (protocolEnd === -1) return createEnvVarPattern().test(url) |
| 60 | const afterProtocol = url.substring(protocolEnd + 3) |
| 61 | const authorityEnd = afterProtocol.search(/[/?#]/) |
| 62 | const authority = authorityEnd === -1 ? afterProtocol : afterProtocol.substring(0, authorityEnd) |
| 63 | return createEnvVarPattern().test(authority) |
| 64 | } catch { |
| 65 | return createEnvVarPattern().test(url) |
| 66 | } |
| 67 | } |
| 68 | |
| 69 | /** |
| 70 | * Returns true if the URL's domain is allowed (or no restriction is configured). |
no test coverage detected