Require user-supplied URLs to be http protocol

2026-01-26 15:12:47 -05:00 · 2020-06-20 23:02:47 -07:00
parent 23e195ba03
commit 1217eeb92f
3 changed files with 11 additions and 0 deletions
--- a/src/node/index.js
+++ b/src/node/index.js
@@ -2,6 +2,7 @@ import fs from 'fs'
 import yargs from 'yargs'
 import { app, shell, session, BrowserWindow } from 'electron'

+import { ensureValidURL } from '../util'
 import { pollPublicData, pollSpreadsheetData, StreamIDGenerator } from './data'
 import StreamWindow from './StreamWindow'
 import initWebServer from './server'
@@ -79,6 +80,7 @@ async function main() {
    } else if (msg.type === 'reload-view') {
      streamWindow.reloadView(msg.viewIdx)
    } else if (msg.type === 'browse') {
+      ensureValidURL(msg.url)
      if (!browseWindow || browseWindow.isDestroyed()) {
        browseWindow = new BrowserWindow({
          webPreferences: {
--- a/src/node/viewStateMachine.js
+++ b/src/node/viewStateMachine.js
@@ -1,6 +1,8 @@
 import isEqual from 'lodash/isEqual'
 import { Machine, assign } from 'xstate'

+import { ensureValidURL } from '../util'
+
 const viewStateMachine = Machine(
  {
    id: 'view',
@@ -116,6 +118,7 @@ const viewStateMachine = Machine(
    services: {
      loadPage: async (context, event) => {
        const { content, view } = context
+        ensureValidURL(content.url)
        const wc = view.webContents
        wc.audioMuted = true
        await wc.loadURL(content.url)
--- a/src/util.js
+++ b/src/util.js
@@ -0,0 +1,6 @@
+export function ensureValidURL(urlStr) {
+  const url = new URL(urlStr)
+  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
+    throw new Error(`rejecting attempt to load non-http URL '${urlStr}'`)
+  }
+}