test: URL potentially trustworthy

nodejs · Mar 1, 2022 · ab81505 · ab81505
1 parent 449ff66
commit ab81505
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 5 deletions.
diff --git a/lib/fetch/util.js b/lib/fetch/util.js
@@ -410,6 +410,9 @@ function isURLPotentiallyTrustworthy (url) {
 
   // If scheme is data, return true
   if (url.protocol === 'data:') return true
+
+  // If file, return true
+  if (url.protocol === 'file:') return true
 
   return isOriginPotentiallyTrustworthy(url.origin)
 
@@ -428,15 +431,12 @@ function isURLPotentiallyTrustworthy (url) {
     }
 
     // If localhost or variants, return true
-    if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^(?:0*:)*?:?0*1$/.test(originAsURL.hostname) ||
+    if (/^127(?:\.[0-9]+){0,2}\.[0-9]+$|^\[(?:0*:)*?:?0*1\]$/.test(originAsURL.hostname) ||
      (originAsURL.hostname === 'localhost' || originAsURL.hostname.includes('localhost.')) ||
      (originAsURL.hostname.endsWith('.localhost'))) {
       return true
     }
 
-    // If file, return true
-    if (originAsURL.protocol === 'file:') return true
-
     // If any other, return false
     return false
   }

diff --git a/test/fetch/util.js b/test/fetch/util.js
@@ -112,4 +112,24 @@ test('sameOrigin', (t) => {
   })
 
   t.end()
-})
+})
+
+test('isURLPotentiallyTrustworthy', (t) => {
+  const valid = ['http://127.0.0.1', 'http://localhost.localhost',
+    'http://[::1]', 'http://adb.localhost', 'https://something.com', 'wss://hello.com',
+    'file:///link/to/file.txt', 'data:text/plain;base64,randomstring', 'about:blank', 'about:srcdoc']
+  const invalid = ['http://121.3.4.5:55', 'null:8080', 'something:8080']
+
+  t.plan(valid.length + invalid.length + 1)
+  t.notOk(util.isURLPotentiallyTrustworthy('string'))
+
+  for (const url of valid) {
+    const instance = new URL(url)
+    t.ok(util.isURLPotentiallyTrustworthy(instance))
+  }
+
+  for (const url of invalid) {
+    const instance = new URL(url)
+    t.notOk(util.isURLPotentiallyTrustworthy(instance))
+  }
+})