Merge pull request #687 from superboy-zjc/main

cliffhall · web-flow · commit 2feac764ff0d · 2025-08-12T16:29:07.000-04:00
fix(auth): sanitize authorization URL
diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts
@@ -134,6 +134,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
   }
 
   redirectToAuthorization(authorizationUrl: URL) {
+    if (
+      authorizationUrl.protocol !== "http:" &&
+      authorizationUrl.protocol !== "https:"
+    ) {
+      throw new Error("Authorization URL must be HTTP or HTTPS");
+    }
     window.location.href = authorizationUrl.href;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {`
`134`	`134`	`}`
`135`	`135`
`136`	`136`	`redirectToAuthorization(authorizationUrl: URL) {`
	`137`	`+ if (`
	`138`	`+ authorizationUrl.protocol !== "http:" &&`
	`139`	`+ authorizationUrl.protocol !== "https:"`
	`140`	`+ ) {`
	`141`	`+ throw new Error("Authorization URL must be HTTP or HTTPS");`
	`142`	`+ }`
`137`	`143`	`window.location.href = authorizationUrl.href;`
`138`	`144`	`}`
`139`	`145`