@@ -29,9 +29,9 @@ const pathProps: SVGAttributes<SVGPathElement> = {
2929 " stroke-linejoin" " round"
3030};
3131
32- let platform = $state ();
33- let hostname = $state ();
34- let session = $state ();
32+ let platform = $state < string | null > ();
33+ let hostname = $state < string | null > ();
34+ let session = $state < string | null > ();
3535let codeScannedDrawerOpen = $state (false );
3636let loggedInDrawerOpen = $state (false );
3737let scannedData: Scanned | undefined = $state (undefined );
@@ -111,11 +111,36 @@ onMount(async () => {
111111 platform = params .get (" platform"
112112 session = params .get (" session"
113113 redirect = params .get (" redirect"
114+ hostname = new URL (redirect as string ).hostname ;
114115 if (! redirect || ! platform || ! session ) {
115116 console .error (" Bad deeplink!"
116117 break ;
117118 }
118- hostname = new URL (redirect as string ).hostname ;
119+ // Validate platform name
120+ if (! / ^ [a-zA-Z0-9 -_. ] + $ / test (platform )) {
121+ console .error (" Invalid platform name format"
122+ return ;
123+ }
124+
125+ // Validate session format (UUID)
126+ if (
127+ ! / ^ [0-9a-f ] {8} -[0-9a-f ] {4} -[0-9a-f ] {4} -[0-9a-f ] {4} -[0-9a-f ] {12} $ / i test (
128+ session ,
129+ )
130+ ) {
131+ console .error (" Invalid session format"
132+ return ;
133+ }
134+
135+ // Validate redirect URL domain
136+ if (
137+ / ^ (?=. {1,253} $ )(?!\- )([a-zA-Z0-9 \- ] {1,63} (?<!\- )\. )+ [a-zA-Z ] {2,} $ / test (
138+ hostname ,
139+ )
140+ ) {
141+ console .error (" Invalid redirect URL format."
142+ return ;
143+ }
119144 codeScannedDrawerOpen = true ;
120145 scanning = false ;
121146 break ;
0 commit comments