fix(auth): sanitize authorization URL

superboy-zjc · superboy-zjc · commit d21e51e6ab13 · 2025-08-12T11:26:44.000-07:00
diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts
@@ -129,6 +129,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
   }
 
   redirectToAuthorization(authorizationUrl: URL) {
+    if (
+      authorizationUrl.protocol !== "http:" &&
+      authorizationUrl.protocol !== "https:"
+    ) {
+      throw new Error("Authorization URL must be HTTP or HTTPS");
+    }
     window.location.href = authorizationUrl.href;
   }
 

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,12 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {`
`129`	`129`	`}`
`130`	`130`
`131`	`131`	`redirectToAuthorization(authorizationUrl: URL) {`
	`132`	`+ if (`
	`133`	`+ authorizationUrl.protocol !== "http:" &&`
	`134`	`+ authorizationUrl.protocol !== "https:"`
	`135`	`+ ) {`
	`136`	`+ throw new Error("Authorization URL must be HTTP or HTTPS");`
	`137`	`+ }`
`132`	`138`	`window.location.href = authorizationUrl.href;`
`133`	`139`	`}`
`134`	`140`