Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: jyong <718720800@qq.com> Co-authored-by: Yansong Zhang <916125788@qq.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: hj24 <huangjian@dify.ai> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: Stephen Zhou <38493346+hyoban@users.noreply.github.com> Co-authored-by: CodingOnStar <hanxujiang@dify.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Ayush Baluni <73417844+aayushbaluni@users.noreply.github.com> Co-authored-by: yyh <92089059+lyzno1@users.noreply.github.com> Co-authored-by: jimcody1995 <jjimcody@gmail.com> Co-authored-by: James <63717587+jamesrayammons@users.noreply.github.com> Co-authored-by: Yunlu Wen <yunlu.wen@dify.ai> Co-authored-by: Stephen Zhou <hi@hyoban.cc> Co-authored-by: Coding On Star <447357187@qq.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: jerryzai <jerryzh8710@protonmail.com> Co-authored-by: NVIDIAN <speedy.hpc@hotmail.com> Co-authored-by: ai-hpc <ai-hpc@users.noreply.github.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: Junghwan <70629228+shaun0927@users.noreply.github.com> Co-authored-by: HeYinKazune <70251095+HeYin-OS@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: yyh <yuanyouhuilyz@gmail.com> Co-authored-by: Jingyi <jingyi.qi@dify.ai> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: sxxtony <166789813+sxxtony@users.noreply.github.com>
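/**
 * Validates that a URL is safe to send the browser to.
 *
 * Only `http:` and `https:` are accepted. Rejecting every other scheme
 * (`javascript:`, `data:`, `vbscript:`, …) is what keeps a redirect target
 * from turning into script execution (XSS). Parsing goes through the WHATWG
 * `URL` constructor, so relative paths and otherwise malformed strings are
 * rejected too.
 *
 * Security caveat: this checks the scheme only. It says nothing about the
 * host, so an open redirect to an attacker-controlled domain is still
 * possible; callers that need a host allow-list must add that check.
 * The raw input is echoed in the "Invalid URL" message — avoid surfacing it
 * unescaped in UI or logs.
 *
 * @param url - The URL string to validate
 * @throws Error `'Authorization URL must be HTTP or HTTPS'` when the scheme
 *   is anything other than http/https
 * @throws Error `'Invalid URL: <url>'` when the string cannot be parsed
 */
export function validateRedirectUrl(url: string): void {
  let parsedUrl: URL
  try {
    parsedUrl = new URL(url)
  }
  catch {
    // Parse failure is reported on its own. Doing the scheme check outside
    // the try block means we no longer have to tell the two errors apart by
    // comparing message text, which was fragile.
    throw new Error(`Invalid URL: ${url}`)
  }

  if (parsedUrl.protocol !== 'http:' && parsedUrl.protocol !== 'https:')
    throw new Error('Authorization URL must be HTTP or HTTPS')
}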
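/**
 * Reports whether a URL points at a private, loopback, link-local or
 * otherwise non-public network location, judged from the hostname alone.
 *
 * Checked, after WHATWG `URL` parsing (which lower-cases the host and
 * canonicalises IPv4 spellings such as `0x7f.1` or `2130706433` to a
 * dotted quad):
 *  - `localhost`, `*.localhost` (RFC 6761) and `*.local` (mDNS), with or
 *    without a trailing dot
 *  - IPv4: 0.0.0.0/8, 10/8, 100.64/10 (RFC 6598 shared space), 127/8,
 *    169.254/16 (link-local; cloud metadata endpoints live here),
 *    172.16/12, 192.168/16
 *  - IPv6: `::1`, fe80::/10 (link-local), fc00::/7 (unique local) and
 *    IPv4-mapped `::ffff:a.b.c.d`, which is re-checked as IPv4
 *
 * Security caveat: this is a purely syntactic check — no DNS resolution is
 * done, so a public name that resolves to an internal address (DNS
 * rebinding, `*.nip.io`-style services) is NOT detected. Treat `true` as
 * reliable and `false` as "not obviously internal"; anything that fetches
 * the URL server-side still needs a check at resolve time.
 *
 * NOTE(review): the earlier doc also mentioned "cloud debug URLs"; nothing
 * here matches those specifically — presumably the caller covers them.
 *
 * @param url - The URL string to check
 * @returns true for a private/local address; false otherwise, including
 *   when `url` cannot be parsed
 */
export function isPrivateOrLocalAddress(url: string): boolean {
  let hostname: string
  try {
    hostname = new URL(url).hostname.toLowerCase()
  }
  catch {
    return false
  }

  // A fully-qualified spelling (`localhost.`, `printer.local.`) is the same host.
  if (hostname.endsWith('.'))
    hostname = hostname.slice(0, -1)

  if (hostname === 'localhost' || hostname.endsWith('.localhost') || hostname.endsWith('.local'))
    return true

  // WHATWG URL keeps the brackets on an IPv6 host (`[::1]`), so the former
  // `hostname === '::1'` comparison could never match. Strip them first.
  if (hostname.startsWith('[') && hostname.endsWith(']'))
    return isPrivateIpv6(hostname.slice(1, -1))

  return isPrivateIpv4(hostname)
}

/** IPv4 ranges that are never routable on the public internet. */
function isPrivateIpv4(host: string): boolean {
  const match = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host)
  if (!match)
    return false
  const a = Number(match[1])
  const b = Number(match[2])
  return (
    a === 0 // 0.0.0.0/8 "this network"
    || a === 10 // 10.0.0.0/8
    || a === 127 // 127.0.0.0/8 — the whole loopback block, not only 127.0.0.1
    || (a === 100 && b >= 64 && b <= 127) // 100.64.0.0/10 shared address space
    || (a === 169 && b === 254) // 169.254.0.0/16 link-local
    || (a === 172 && b >= 16 && b <= 31) // 172.16.0.0/12
    || (a === 192 && b === 168) // 192.168.0.0/16
  )
}

/**
 * IPv6 check on the bracket-less, WHATWG-serialised form: lower-case hex,
 * leading zeros dropped, longest zero run collapsed to `::`.
 */
function isPrivateIpv6(host: string): boolean {
  if (host === '::1')
    return true

  // IPv4-mapped: WHATWG serialises `::ffff:127.0.0.1` as `::ffff:7f00:1`,
  // so rebuild the dotted quad from the two trailing hextets.
  if (host.startsWith('::ffff:')) {
    const [hi, lo] = host.slice('::ffff:'.length).split(':').map(g => Number.parseInt(g, 16))
    if (hi === undefined || lo === undefined || Number.isNaN(hi) || Number.isNaN(lo))
      return false
    return isPrivateIpv4(`${hi >> 8}.${hi & 0xFF}.${lo >> 8}.${lo & 0xFF}`)
  }

  const first = Number.parseInt(host.split(':')[0] ?? '', 16)
  if (Number.isNaN(first))
    return false
  return (first >= 0xFE80 && first <= 0xFEBF) // fe80::/10 link-local
    || (first >= 0xFC00 && first <= 0xFDFF) // fc00::/7 unique local
}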