Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(nuxt): disallow redirects to more script protocols #22366

Merged
merged 17 commits into from Jul 30, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -75,7 +75,7 @@
"semver": "7.5.4",
"std-env": "3.3.3",
"typescript": "5.1.6",
"ufo": "1.1.2",
"ufo": "1.2.0",
"vite": "4.4.7",
"vitest": "0.33.0",
"vitest-environment-nuxt": "0.10.2",
Expand Down
2 changes: 1 addition & 1 deletion packages/nuxi/package.json
Expand Up @@ -47,7 +47,7 @@
"pkg-types": "1.0.3",
"scule": "1.0.0",
"semver": "7.5.4",
"ufo": "1.1.2",
"ufo": "1.2.0",
"unbuild": "latest"
},
"optionalDependencies": {
Expand Down
2 changes: 1 addition & 1 deletion packages/nuxt/package.json
Expand Up @@ -91,7 +91,7 @@
"prompts": "^2.4.2",
"scule": "^1.0.0",
"strip-literal": "^1.0.1",
"ufo": "^1.1.2",
"ufo": "^1.2.0",
"ultrahtml": "^1.3.0",
"uncrypto": "^0.1.3",
"unctx": "^2.3.1",
Expand Down
15 changes: 9 additions & 6 deletions packages/nuxt/src/app/composables/router.ts
Expand Up @@ -2,7 +2,7 @@ import { getCurrentInstance, hasInjectionContext, inject, onUnmounted } from 'vu
import type { Ref } from 'vue'
import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
import { sanitizeStatusCode } from 'h3'
import { hasProtocol, joinURL, parseURL, withQuery } from 'ufo'
import { hasProtocol, isScriptProtocol, joinURL, parseURL, withQuery } from 'ufo'

import { useNuxtApp, useRuntimeConfig } from '../nuxt'
import type { NuxtError } from './error'
Expand Down Expand Up @@ -133,11 +133,14 @@ export const navigateTo = (to: RouteLocationRaw | undefined | null, options?: Na
}

const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
if (isExternal && !options?.external) {
throw new Error('Navigating to external URL is not allowed by default. Use `navigateTo (url, { external: true })`.')
}
if (isExternal && parseURL(toPath).protocol === 'script:') {
throw new Error('Cannot navigate to an URL with script protocol.')
if (isExternal) {
if (!options?.external) {
throw new Error('Navigating to an external URL is not allowed by default. Use `navigateTo(url, { external: true })`.')
}
const protocol = parseURL(toPath).protocol
if (protocol && isScriptProtocol(protocol)) {
throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
}
}

const inMiddleware = isProcessingMiddleware()
Expand Down
2 changes: 1 addition & 1 deletion packages/schema/package.json
Expand Up @@ -56,7 +56,7 @@
"pkg-types": "^1.0.3",
"postcss-import-resolver": "^2.0.0",
"std-env": "^3.3.3",
"ufo": "^1.1.2",
"ufo": "^1.2.0",
"unimport": "^3.1.0",
"untyped": "^1.4.0"
},
Expand Down
2 changes: 1 addition & 1 deletion packages/test-utils/package.json
Expand Up @@ -30,7 +30,7 @@
"get-port-please": "^3.0.1",
"ofetch": "^1.1.1",
"pathe": "^1.1.1",
"ufo": "^1.1.2"
"ufo": "^1.2.0"
},
"devDependencies": {
"@jest/globals": "29.6.1",
Expand Down
2 changes: 1 addition & 1 deletion packages/vite/package.json
Expand Up @@ -55,7 +55,7 @@
"rollup-plugin-visualizer": "^5.9.2",
"std-env": "^3.3.3",
"strip-literal": "^1.0.1",
"ufo": "^1.1.2",
"ufo": "^1.2.0",
"unplugin": "^1.4.0",
"vite": "^4.4.7",
"vite-node": "^0.33.0",
Expand Down
2 changes: 1 addition & 1 deletion packages/webpack/package.json
Expand Up @@ -49,7 +49,7 @@
"pug-plain-loader": "^1.1.0",
"std-env": "^3.3.3",
"time-fix-plugin": "^2.0.7",
"ufo": "^1.1.2",
"ufo": "^1.2.0",
"unplugin": "^1.4.0",
"url-loader": "^4.1.1",
"vue-bundle-renderer": "^1.0.3",
Expand Down
50 changes: 25 additions & 25 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

4 changes: 2 additions & 2 deletions test/bundle.test.ts
Expand Up @@ -19,7 +19,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
for (const outputDir of ['.output', '.output-inline']) {
it('default client bundle size', async () => {
const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.3k"')
expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.4k"')
expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
[
"_nuxt/entry.js",
Expand All @@ -32,7 +32,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
const serverDir = join(rootDir, '.output/server')

const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.4k"')
expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.5k"')

const modules = await analyzeSizes('node_modules/**/*', serverDir)
expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')
Expand Down