test: URL potentially trustworthy
metcoder95 committed Mar 1, 2022
1 parent 449ff66 commit ab81505
Showing 2 changed files with 25 additions and 5 deletions.
8 changes: 4 additions & 4 deletions lib/fetch/util.js
@@ -410,6 +410,9 @@ function isURLPotentiallyTrustworthy (url) {

// If scheme is data, return true
if (url.protocol === 'data:') return true

// If file, return true
if (url.protocol === 'file:') return true

return isOriginPotentiallyTrustworthy(url.origin)

@@ -428,15 +431,12 @@ function isURLPotentiallyTrustworthy (url) {
}

// If localhost or variants, return true
if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^(?:0*:)*?:?0*1$/.test(originAsURL.hostname) ||
if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) ||
(originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) ||
(originAsURL.hostname.endsWith('.localhost'))) {
return true
}

// If file, return true
if (originAsURL.protocol === 'file:') return true

// If any other, return false
return false
}
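Review bot: The localhost branch in the second hunk still contains `originAsURL.hostname.includes('localhost.')`, which is true for any hostname that merely contains that substring, so a remote name such as `localhost.example.com` (constructed example) would be reported as potentially trustworthy. The commit changes the IPv6 loopback pattern on the neighbouring line but leaves this clause as it was. I would compare exactly instead, `originAsURL.hostname === 'localhost' || originAsURL.hostname === 'localhost.'`, and extend the suffix check to `endsWith('.localhost') || endsWith('.localhost.')`. isOriginPotentiallyTrustworthy begins outside the visible hunks, so how `originAsURL` is built and what callers decide from the result cannot be confirmed from this page.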
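--- a/test/fetch/util.js
+++ b/test/fetch/util.js
@@ -112,4 +112,24 @@ test('sameOrigin', (t) => {
 })
 
 t.end()
-})
+})
+
+test('isURLPotentiallyTrustworthy', (t) => {
+const valid = ['http://127.0.0.1', 'http://localhost.localhost',
+'http://[::1]', 'http://adb.localhost', 'https://something.com', 'wss://hello.com',
+'file:///link/to/file.txt', 'data:text/plain;base64,randomstring', 'about:blank', 'about:srcdoc']
+const invalid = ['http://121.3.4.5:55', 'null:8080', 'something:8080']
+
+t.plan(valid.length + invalid.length + 1)
+t.notOk(util.isURLPotentiallyTrustworthy('string'))
+
+for (const url of valid) {
+const instance = new URL(url)
+t.ok(util.isURLPotentiallyTrustworthy(instance))
+}
+
+for (const url of invalid) {
+const instance = new URL(url)
+t.notOk(util.isURLPotentiallyTrustworthy(instance))
+}
+})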
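Review bot: The `invalid` list has only one entry with a real host, because `'null:8080'` and `'something:8080'` parse as a scheme followed by an opaque path rather than as host and port, so the negative side of the loopback and localhost checks is hardly exercised. I would add plain-HTTP and lookalike hosts (constructed examples) such as `'http://example.com'`, `'http://127.0.0.1.example.com'` and `'http://localhost.example.com'`. The last of these is expected to fail against the `includes('localhost.')` clause shown in lib/fetch/util.js on this page, which is the behaviour a negative test should pin down.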
