fix(nuxt): reject cross-origin paths in reloadNuxtApp

(cherry picked from commit d97358675c1239d553155fbdf0f084c12daf7f0e)
Refs: GHSA-c9cv-mq2m-ppp3

Author: danielroe

packages/nuxt/src/app/composables/chunk.ts

@@ -22,7 +22,7 @@ export interface ReloadNuxtAppOptions {
    * The path to reload. If this is different from the current window location it will
    * trigger a navigation and add an entry in the browser history.
    *
-   * URLs with script-like protocols (e.g. `javascript:`, `data:`) are rejected.
+   * Cross-origin paths and URLs with script-like protocols (e.g. `javascript:`, `data:`) are rejected.
    * @default {window.location.pathname}
    */
   path?: string
@@ -33,9 +33,12 @@ export function reloadNuxtApp (options: ReloadNuxtAppOptions = {}) {
   if (import.meta.server) { return }
   const path = options.path || window.location.pathname
 
-  const { protocol } = new URL(path, window.location.href)
-  if (protocol && isScriptProtocol(protocol)) {
-    throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
+  const url = new URL(path, window.location.href)
+  if (url.host !== window.location.host) {
+    throw new Error(`Cannot navigate to a URL with a different host: '${path}'.`)
+  }
+  if (url.protocol && isScriptProtocol(url.protocol)) {
+    throw new Error(`Cannot navigate to a URL with '${url.protocol}' protocol.`)
   }
 
   let handledPath: Record<string, any> = {}

test/nuxt/composables.test.ts

@@ -563,14 +563,27 @@ describe('routing utilities: `navigateTo`', () => {
   })
   it('reloadNuxtApp should disallow paths with data/script URLs', () => {
     const urls = [
-      ['javascript:alert("hi")', 'javascript'],
-      ['data:alert("hi")', 'data'],
-      ['\0data:alert("hi")', 'data'],
+      'javascript:alert("hi")',
+      'data:alert("hi")',
+      '\0data:alert("hi")',
     ]
-    for (const [url, protocol] of urls) {
-      expect(() => reloadNuxtApp({ path: url })).toThrow(`Cannot navigate to a URL with '${protocol}:' protocol.`)
+    for (const url of urls) {
+      expect(() => reloadNuxtApp({ path: url })).toThrow(`Cannot navigate to a URL with a different host: '${url}'.`)
+    }
+  })
+  it('reloadNuxtApp should disallow cross-origin paths', () => {
+    const urls = [
+      '//evil.com',
+      'https://evil.com',
+      '\\\\evil.com',
+    ]
+    for (const url of urls) {
+      expect(() => reloadNuxtApp({ path: url })).toThrow(`Cannot navigate to a URL with a different host: '${url}'.`)
     }
   })
+  it('reloadNuxtApp should allow same-origin paths', () => {
+    expect(() => reloadNuxtApp({ path: '/legit/path' })).not.toThrow()
+  })
   it('navigateTo should replace current navigation state if called within middleware', () => {
     const nuxtApp = useNuxtApp()
     nuxtApp._processingMiddleware = true