Potential fix for code scanning alert no. 89: Incomplete URL substring sanitization

joaquim-verges · github-advanced-security[bot] · web-flow · commit 81ada0773e8f · 2025-04-17T15:54:47.000-07:00
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
Signed-off-by: Joaquim Verges &lt;joaquim.verges@gmail.com&gt;
diff --git a/packages/thirdweb/src/insight/get-nfts.ts b/packages/thirdweb/src/insight/get-nfts.ts
@@ -338,16 +338,22 @@ function replaceIPFSGateway(url?: string) {
   if (!url || typeof url !== "string") {
     return url;
   }
-  if (url.includes("ipfscdn.io")) {
-    const paths = url.split("/");
-    const index = paths.findIndex((path) => path === "ipfs");
-    if (index === -1) {
+  try {
+    const parsedUrl = new URL(url);
+    if (parsedUrl.host === "ipfscdn.io") {
+      const paths = parsedUrl.pathname.split("/");
+      const index = paths.findIndex((path) => path === "ipfs");
+      if (index === -1) {
+        return url;
+      }
+      const ipfsHash = paths.slice(index + 1).join("/");
+      if (ipfsHash) {
+        return `ipfs://${ipfsHash}`;
+      }
       return url;
     }
-    const ipfsHash = paths.slice(index + 1).join("/");
-    if (ipfsHash) {
-      return `ipfs://${ipfsHash}`;
-    }
+  } catch {
+    // If the URL is invalid, return it as is
     return url;
   }
   return url;
