Added support for validating and loading the web-sdk bridge. (#196)

paypal · Apr 17, 2024 · c0c92a9 · c0c92a9
1 parent 864aedb
commit c0c92a9
Show file tree

Hide file tree

Showing 2 changed files with 72 additions and 2 deletions.
diff --git a/server/meta.jsx b/server/meta.jsx
@@ -9,6 +9,7 @@ import {
   SDK_PATH,
   SDK_QUERY_KEYS,
   SDK_SETTINGS,
+  WEB_SDK_BRIDGE_PATH,
 } from "@paypal/sdk-constants";
 import { node, html } from "@krakenjs/jsx-pragmatic";
 import { ATTRIBUTES } from "@krakenjs/belter";
@@ -82,6 +83,14 @@ function validateLegacySDKUrl({ pathname }) {
   }
 }
 
+function validateWebSDKUrl({ pathname }) {
+  if (pathname !== WEB_SDK_BRIDGE_PATH) {
+    throw new Error(
+      `Invalid path for web-sdk bridge url: ${pathname || "undefined"}`
+    );
+  }
+}
+
 function isLegacySDKUrl(hostname: string, pathname: string): boolean {
   const legacyHostnames = [HOST.PAYPALOBJECTS, HOST.PAYPALOBJECTS_CHINA];
 
@@ -114,6 +123,14 @@ function isSDKUrl(hostname: string): boolean {
   return false;
 }
 
+function isWebSDKUrl(hostname: string, pathname: string): boolean {
+  if (isSDKUrl(hostname) && pathname === WEB_SDK_BRIDGE_PATH) {
+    return true;
+  }
+
+  return false;
+}
+
 function isLocalUrl(host: string): boolean {
   const localUrls = [
     HOST.LOCALHOST_8000,
@@ -168,6 +185,8 @@ function validateSDKUrl(sdkUrl: string) {
 
   if (isLegacySDKUrl(hostname, pathname)) {
     validateLegacySDKUrl({ pathname });
+  } else if (isWebSDKUrl(hostname, pathname)) {
+    validateWebSDKUrl({ hostname, pathname });
   } else if (isSDKUrl(hostname)) {
     if (hostname !== HOST.LOCALHOST && protocol !== PROTOCOL.HTTPS) {
       throw new Error(
@@ -248,8 +267,11 @@ function sanitizeSDKUrl(sdkUrl: string): string {
   // eslint-disable-next-line compat/compat
   const url = new URL(sdkUrl);
 
-  // remove query string params for checkout.js
-  if (isLegacySDKUrl(url.hostname, url.pathname)) {
+  // remove query string params for checkout.js and web-sdk
+  if (
+    isLegacySDKUrl(url.hostname, url.pathname) ||
+    isWebSDKUrl(url.hostname, url.pathname)
+  ) {
     url.search = "";
     url.hash = "";
 

diff --git a/server/meta.test.js b/server/meta.test.js
@@ -1221,3 +1221,51 @@ test("should error when invalid characters are found in the subdomain - we allow
     throw new Error(`Expected error to be thrown`);
   }
 });
+
+test("should construct a valid web-sdk bridge url", () => {
+  const sdkUrl = "https://www.paypal.com/web-sdk/v6/bridge";
+
+  const { getSDKLoader } = unpackSDKMeta(
+    Buffer.from(
+      JSON.stringify({
+        url: sdkUrl,
+      })
+    ).toString("base64")
+  );
+
+  const $ = cheerio.load(getSDKLoader());
+  const src = $("script").attr("src");
+
+  if (src !== sdkUrl) {
+    throw new Error(`Expected script url to be ${sdkUrl} - got ${src}`);
+  }
+});
+
+test("should prevent query string parameters and hashs on the web-sdk bridge url", () => {
+  const sdkUrl =
+    "https://www.paypal.com/web-sdk/v6/bridge?name=value#hashvalue";
+
+  const { getSDKLoader } = unpackSDKMeta(
+    Buffer.from(
+      JSON.stringify({
+        url: sdkUrl,
+      })
+    ).toString("base64")
+  );
+
+  const $ = cheerio.load(getSDKLoader());
+  const script = $("script");
+  const src = script.attr("src");
+
+  // eslint-disable-next-line compat/compat
+  const urlObject = new URL(sdkUrl);
+  // we expect the query string params to be stripped out
+  urlObject.search = "";
+  // we expect the hash to be stripped out
+  urlObject.hash = "";
+  const expectedUrl = urlObject.toString();
+
+  if (src !== expectedUrl) {
+    throw new Error(`Expected script url to be ${expectedUrl} - got ${src}`);
+  }
+});