Extract verifyLocation method

gcatanese · gcatanese · commit a1aa98a9caf0 · 2025-08-14T10:07:00.000+02:00
diff --git a/src/__tests__/httpURLConnectionClient.spec.ts b/src/__tests__/httpURLConnectionClient.spec.ts
@@ -0,0 +1,62 @@
+import HttpURLConnectionClient from "../httpClient/httpURLConnectionClient";
+
+describe("HttpURLConnectionClient", () => {
+    let client: HttpURLConnectionClient;
+
+    beforeEach(() => {
+        client = new HttpURLConnectionClient();
+    });
+
+    describe("verifyLocation", () => {
+        test.each([
+            "https://example.adyen.com/path",
+            "https://sub.adyen.com",
+            "http://another.adyen.com/a/b/c?q=1",
+            "https://checkout-test.adyen.com",
+        ])("should return true for valid adyen.com domain: %s", (location) => {
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore - testing a private method
+            expect(client.verifyLocation(location)).toBe(true);
+        });
+
+        test.each([
+            "https://example.ADYEN.com/path",
+            "HTTPS://sub.adyen.COM",
+        ])("should be case-insensitive for valid adyen.com domain: %s", (location) => {
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore - testing a private method
+            expect(client.verifyLocation(location)).toBe(true);
+        });
+
+        test.each([
+            "https://adyen.com.evil.com/path",
+            "https://evil-adyen.com",
+            "http://adyen.co",
+            "https://www.google.com",
+            "https://adyen.com-scam.com",
+        ])("should return false for invalid domain: %s", (location) => {
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore - testing a private method
+            expect(client.verifyLocation(location)).toBe(false);
+        });
+
+        test.each([
+            "https://adyen.com.another.domain/path",
+            "https://myadyen.com.org",
+        ])("should return false for domains that contain but do not end with adyen.com: %s", (location) => {
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore - testing a private method
+            expect(client.verifyLocation(location)).toBe(false);
+        });
+
+        test.each([
+            "not a url",
+            "adyen.com",
+            "//adyen.com/path",
+        ])("should return false for malformed URLs: %s", (location) => {
+            // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+            // @ts-ignore - testing a private method
+            expect(client.verifyLocation(location)).toBe(false);
+        });
+    });
+});
diff --git a/src/httpClient/httpURLConnectionClient.ts b/src/httpClient/httpURLConnectionClient.ts
@@ -55,9 +55,9 @@ class HttpURLConnectionClient implements ClientInterface {
      * @throws {ApiException} when an error occurs
      */
     public request(
-        endpoint: string, 
-        json: string, 
-        config: Config, 
+        endpoint: string,
+        json: string,
+        config: Config,
         isApiRequired: boolean,
         requestOptions: IRequest.Options,
     ): Promise<string> {
@@ -181,9 +181,7 @@ class HttpURLConnectionClient implements ClientInterface {
                             try {
                                 const url = new URL(location);
 
-                                // allow-list of trusted domains (*.adyen.com)
-                                const allowedHostnameRegex = /^([a-z0-9-]+\.)*adyen\.com$/;
-                                if (!allowedHostnameRegex.test(url.hostname)) {
+                                if (!this.verifyLocation(location)) {
                                     return reject(new Error(`Redirect to host ${url.hostname} is not allowed.`));
                                 }
 
@@ -197,7 +195,6 @@ class HttpURLConnectionClient implements ClientInterface {
                                 };
                                 const clientRequestFn = url.protocol === "https:" ? httpsRequest : httpRequest;
                                 const redirectedRequest: ClientRequest = clientRequestFn(newRequestOptions);
-                                
                                 const redirectResponse = this.doRequest(redirectedRequest, json);
                                 return resolve(redirectResponse);
                             } catch (err) {
@@ -206,7 +203,7 @@ class HttpURLConnectionClient implements ClientInterface {
                         } else {
                             return reject(new Error(`Redirect status ${res.statusCode} but no Location header`));
                         }
-                    }                    
+                    }
 
                     if (res.statusCode && (res.statusCode < 200 || res.statusCode >= 300)) {
                         // API error handling
@@ -278,6 +275,18 @@ class HttpURLConnectionClient implements ClientInterface {
         }
 
     }
+
+    private verifyLocation(location: string): boolean {
+        try {
+            const url = new URL(location);
+            // allow-list of trusted domains (*.adyen.com)
+            const allowedHostnameRegex = /\.adyen\.com$/i;
+            return allowedHostnameRegex.test(url.hostname);
+        } catch (e) {
+            return false;
+        }
+    }
 }
 
+
 export default HttpURLConnectionClient;
