address review: reject wildcard input, use shared stringCompare

Co-Authored-By: mantra <mantra@stack-auth.com>
Devin AI 2026-06-16 21:35:19 +00:00
parent 5e12e98884
commit a363072c0e
2 changed files with 13 additions and 12 deletions


@ -31,4 +31,9 @@ describe("clickmap origin options", () => {
expect(normalizeClickmapOrigin("https://app.dev.stack-auth.com/dashboard")).toMatchInlineSnapshot(`"https://app.dev.stack-auth.com"`);
expect(normalizeClickmapOrigin("javascript:alert(1)")).toMatchInlineSnapshot(`null`);
});
it("rejects wildcard origins to prevent percent-encoded URLs", () => {
expect(normalizeClickmapOrigin("https://**.example.com")).toMatchInlineSnapshot(`null`);
expect(normalizeClickmapOrigin("https://*.stack-auth.com")).toMatchInlineSnapshot(`null`);
});
});
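Review bot: The new case at lines 16-19 only exercises a `*` in the host, while the guard it targets (`baseUrl.includes("*")` in the implementation) rejects a `*` anywhere in the string, so a wildcard in the path or query is pinned by no test at all. Add one assertion such as `expect(normalizeClickmapOrigin("https://example.com/path/*")).toBeNull();` so that a later narrowing of the check to the hostname becomes a visible, deliberate change rather than a silent one. The test title also promises something the assertions do not show — nothing in this block demonstrates a percent-encoded URL — so a neutral title like `it("rejects any baseUrl containing a wildcard", …)` would describe what is actually checked. The enclosing `describe` block starts before this hunk.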


@ -1,3 +1,5 @@
import { stringCompare } from "@hexclave/shared/dist/utils/strings";
export type ClickmapOrigin = {
id: string,
origin: string,
@ -9,6 +11,10 @@ export type ClickmapWildcardDomain = {
};
export function normalizeClickmapOrigin(baseUrl: string): string | null {
if (baseUrl.includes("*")) {
return null;
}
let url: URL;
try {
url = new URL(baseUrl);
@ -27,16 +33,6 @@ function isWildcardDomain(baseUrl: string): boolean {
return baseUrl.includes("*");
}
function compareStrings(a: string, b: string): number {
if (a < b) {
return -1;
}
if (a > b) {
return 1;
}
return 0;
}
export function getClickmapOriginOptions(trustedDomains: Record<string, { baseUrl?: string | null }>): {
origins: ClickmapOrigin[],
wildcardDomains: ClickmapWildcardDomain[],
@ -63,7 +59,7 @@ export function getClickmapOriginOptions(trustedDomains: Record<string, { baseUr
}
return {
origins: Array.from(byOrigin.values()).sort((a, b) => compareStrings(a.origin, b.origin)),
wildcardDomains: wildcardDomains.sort((a, b) => compareStrings(a.baseUrl, b.baseUrl)),
origins: Array.from(byOrigin.values()).sort((a, b) => stringCompare(a.origin, b.origin)),
wildcardDomains: wildcardDomains.sort((a, b) => stringCompare(a.baseUrl, b.baseUrl)),
};
}
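Review bot: The early return added at lines 32-34 re-spells `baseUrl.includes("*")`, which is exactly the body of `isWildcardDomain` visible a few lines below in the same file, so the two predicates can drift apart if one is later tightened (for example to the hostname only). Write the guard as `if (isWildcardDomain(baseUrl)) {` and give it a why-comment, e.g. `// A baseUrl containing "*" is a wildcard domain (ClickmapWildcardDomain), not a concrete origin; never emit it as one.` — the commit title states the intent but the code does not. Note that the check rejects a `*` anywhere in the URL, including path or query, which is broader than the host-level cases the tests cover; if that breadth is intended, the comment should say so. The rest of normalizeClickmapOrigin continues outside the hunk.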