fix: prevent XSS in mcp server oauth url

2025-09-08 11:05:09 +08:00 · 2025-09-08 11:05:09 +08:00 · 855347caf8
parent 8925606f33
commit 855347caf8
1 changed files with 30 additions and 17 deletions
--- a/web/hooks/use-oauth.ts
+++ b/web/hooks/use-oauth.ts
@ -13,24 +13,37 @@ export const useOAuthCallback = () => {
 }

 export const openOAuthPopup = (url: string, callback: () => void) => {
-  const width = 600
-  const height = 600
-  const left = window.screenX + (window.outerWidth - width) / 2
-  const top = window.screenY + (window.outerHeight - height) / 2
+  try {
+    const parsedUrl = new URL(url)

-  const popup = window.open(
-    url,
-    'OAuth',
-    `width=${width},height=${height},left=${left},top=${top},scrollbars=yes`,
-  )
-
-  const handleMessage = (event: MessageEvent) => {
-    if (event.data?.type === 'oauth_callback') {
-      window.removeEventListener('message', handleMessage)
-      callback()
+    if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:') {
+      console.error('Invalid URL protocol, only http: and https: are allowed')
+      return null
    }
-  }

-  window.addEventListener('message', handleMessage)
-  return popup
+    const width = 600
+    const height = 600
+    const left = window.screenX + (window.outerWidth - width) / 2
+    const top = window.screenY + (window.outerHeight - height) / 2
+
+    const popup = window.open(
+      parsedUrl.toString(), // 使用解析和验证后的 URL
+      'OAuth',
+      `width=${width},height=${height},left=${left},top=${top},scrollbars=yes`,
+    )
+
+    const handleMessage = (event: MessageEvent) => {
+      if (event.data?.type === 'oauth_callback') {
+        window.removeEventListener('message', handleMessage)
+        callback()
+      }
+    }
+
+    window.addEventListener('message', handleMessage)
+    return popup
+  }
+  catch (error) {
+    console.error('Invalid URL:', error)
+    return null
+  }
 }