From 2f734df9b5c8b9bf34ce473cfb810648320020e8 Mon Sep 17 00:00:00 2001
From: Daniel Roe
Date: Sun, 30 Jul 2023 11:09:16 +0100
Subject: [PATCH] fix(nuxt): disallow redirects to more script protocols (#22366)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Damian GÅ‚owala <48835293+DamianGlowala@users.noreply.github.com>
---
 package.json | 2 +-
 packages/nuxi/package.json | 2 +-
 packages/nuxt/package.json | 2 +-
 packages/nuxt/src/app/composables/router.ts | 15 ++++---
 packages/schema/package.json | 2 +-
 packages/test-utils/package.json | 2 +-
 packages/vite/package.json | 2 +-
 packages/webpack/package.json | 2 +-
 pnpm-lock.yaml | 50 ++++++++++-----------
 test/bundle.test.ts | 4 +-
 10 files changed, 43 insertions(+), 40 deletions(-)
diff --git a/package.json b/package.json
index 3707b4661b..d9734ddf9a 100644
--- a/package.json
+++ b/package.json
@@ -75,7 +75,7 @@
 "semver": "7.5.4",
 "std-env": "3.3.3",
 "typescript": "5.1.6",
- "ufo": "1.1.2",
+ "ufo": "1.2.0",
 "vite": "4.4.7",
 "vitest": "0.33.0",
 "vitest-environment-nuxt": "0.10.2",
diff --git a/packages/nuxi/package.json b/packages/nuxi/package.json
index 656e3ebc15..f540a3eacb 100644
--- a/packages/nuxi/package.json
+++ b/packages/nuxi/package.json
@@ -47,7 +47,7 @@
 "pkg-types": "1.0.3",
 "scule": "1.0.0",
 "semver": "7.5.4",
- "ufo": "1.1.2",
+ "ufo": "1.2.0",
 "unbuild": "latest"
 },
 "optionalDependencies": {
diff --git a/packages/nuxt/package.json b/packages/nuxt/package.json
index 34dbc89478..6e21f147fd 100644
--- a/packages/nuxt/package.json
+++ b/packages/nuxt/package.json
@@ -91,7 +91,7 @@
 "prompts": "^2.4.2",
 "scule": "^1.0.0",
 "strip-literal": "^1.0.1",
- "ufo": "^1.1.2",
+ "ufo": "^1.2.0",
 "ultrahtml": "^1.3.0",
 "uncrypto": "^0.1.3",
 "unctx": "^2.3.1",
diff --git a/packages/nuxt/src/app/composables/router.ts b/packages/nuxt/src/app/composables/router.ts
index 131fa17858..905ffe63a8 100644
--- a/packages/nuxt/src/app/composables/router.ts
+++ b/packages/nuxt/src/app/composables/router.ts
@@ -2,7 +2,7 @@ import { getCurrentInstance, hasInjectionContext, inject, onUnmounted } from 'vu
 import type { Ref } from 'vue'
 import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
 import { sanitizeStatusCode } from 'h3'
-import { hasProtocol, joinURL, parseURL, withQuery } from 'ufo'
+import { hasProtocol, isScriptProtocol, joinURL, parseURL, withQuery } from 'ufo'
 import { useNuxtApp, useRuntimeConfig } from '../nuxt'
 import type { NuxtError } from './error'
@@ -133,11 +133,14 @@ export const navigateTo = (to: RouteLocationRaw | undefined | null, options?: Na
 }
 const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
- if (isExternal && !options?.external) {
- throw new Error('Navigating to external URL is not allowed by default. Use `navigateTo (url, { external: true })`.')
- }
- if (isExternal && parseURL(toPath).protocol === 'script:') {
- throw new Error('Cannot navigate to an URL with script protocol.')
+ if (isExternal) {
+ if (!options?.external) {
+ throw new Error('Navigating to an external URL is not allowed by default. Use `navigateTo(url, { external: true })`.')
+ }
+ const protocol = parseURL(toPath).protocol
+ if (protocol && isScriptProtocol(protocol)) {
+ throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
+ }
 }
 const inMiddleware = isProcessingMiddleware()
diff --git a/packages/schema/package.json b/packages/schema/package.json
index e04cd214ef..da56b890a2 100644
--- a/packages/schema/package.json
+++ b/packages/schema/package.json
@@ -56,7 +56,7 @@
 "pkg-types": "^1.0.3",
 "postcss-import-resolver": "^2.0.0",
 "std-env": "^3.3.3",
- "ufo": "^1.1.2",
+ "ufo": "^1.2.0",
 "unimport": "^3.1.0",
 "untyped": "^1.4.0"
 },
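Review bot: The new nested guard in navigateTo carries no comment saying why a script-protocol URL is still rejected after the caller opted in with `external: true`, and that rationale is the part a later maintainer is most likely to weaken; presumably the value is afterwards handed to the browser location or to a server redirect (outside this hunk), where a scheme such as `javascript:` would execute in the app's origin instead of leaving it. Suggest adding, above the `const protocol = parseURL(toPath).protocol` line, `// external: true only opts in to leaving the app; a script-protocol target would run in this origin, so it is refused regardless.` The check is a denylist whose coverage lives in ufo's `isScriptProtocol`, so a unit test asserting that `navigateTo(url, { external: true })` throws for at least `javascript:` in lower- and mixed-case form would pin the behaviour across future ufo upgrades (assuming `isScriptProtocol` matches case-insensitively, which is worth confirming against 1.2.0 rather than inferring). The body of navigateTo begins and ends outside this hunk, so any further handling of the external path is not visible here.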
diff --git a/packages/test-utils/package.json b/packages/test-utils/package.json
index 08176b7c59..d696e4ad90 100644
--- a/packages/test-utils/package.json
+++ b/packages/test-utils/package.json
@@ -30,7 +30,7 @@
 "get-port-please": "^3.0.1",
 "ofetch": "^1.1.1",
 "pathe": "^1.1.1",
- "ufo": "^1.1.2"
+ "ufo": "^1.2.0"
 },
 "devDependencies": {
 "@jest/globals": "29.6.1",
diff --git a/packages/vite/package.json b/packages/vite/package.json
index 8b7e94fc2d..fff0a6cb25 100644
--- a/packages/vite/package.json
+++ b/packages/vite/package.json
@@ -55,7 +55,7 @@
 "rollup-plugin-visualizer": "^5.9.2",
 "std-env": "^3.3.3",
 "strip-literal": "^1.0.1",
- "ufo": "^1.1.2",
+ "ufo": "^1.2.0",
 "unplugin": "^1.4.0",
 "vite": "^4.4.7",
 "vite-node": "^0.33.0",
diff --git a/packages/webpack/package.json b/packages/webpack/package.json
index 283bb9c8a2..c6bdebea70 100644
--- a/packages/webpack/package.json
+++ b/packages/webpack/package.json
@@ -49,7 +49,7 @@
 "pug-plain-loader": "^1.1.0",
 "std-env": "^3.3.3",
 "time-fix-plugin": "^2.0.7",
- "ufo": "^1.1.2",
+ "ufo": "^1.2.0",
 "unplugin": "^1.4.0",
 "url-loader": "^4.1.1",
 "vue-bundle-renderer": "^1.0.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 407c775edd..3678772043 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -126,8 +126,8 @@ importers: specifier: 5.1.6 version: 5.1.6 ufo: - specifier: 1.1.2 - version: 1.1.2 + specifier: 1.2.0 + version: 1.2.0 vite: specifier: 4.4.7 version: 4.4.7(@types/node@18.17.0) @@ -326,8 +326,8 @@ importers: specifier: 7.5.4 version: 7.5.4 ufo: - specifier: 1.1.2 - version: 1.1.2 + specifier: 1.2.0 + version: 1.2.0 unbuild: specifier: latest version: 1.2.1 @@ -455,8 +455,8 @@ importers: specifier: ^1.0.1 version: 1.0.1 ufo: - specifier: ^1.1.2 - version: 1.1.2 + specifier: ^1.2.0 + version: 1.2.0 ultrahtml: specifier: ^1.3.0 version: 1.3.0
@@ -543,8 +543,8 @@ importers: specifier: ^3.3.3 version: 3.3.3 ufo: - specifier: ^1.1.2 - version: 1.1.2 + specifier: ^1.2.0 + version: 1.2.0 unimport: specifier: ^3.1.0 version: 3.1.0(rollup@3.26.3) @@ -643,8 +643,8 @@ importers: specifier: ^1.1.1 version: 1.1.1 ufo: - specifier: ^1.1.2 - version: 1.1.2 + specifier: ^1.2.0 + version: 1.2.0 vue: specifier: ^3.3.4 version: 3.3.4 @@ -752,8 +752,8 @@ importers: specifier: ^1.0.1 version: 1.0.1 ufo: - specifier: ^1.1.2 - version: 1.1.2 + specifier: ^1.2.0 + version: 1.2.0 unplugin: specifier: ^1.4.0 version: 1.4.0 @@ -882,8 +882,8 @@ importers: specifier: ^2.0.7 version: 2.0.7(webpack@5.88.2) ufo: - specifier: ^1.1.2 - version: 1.1.2 + specifier: ^1.2.0 + version: 1.2.0 unplugin: specifier: ^1.4.0 version: 1.4.0 @@ -966,7 +966,7 @@ importers: devDependencies: ufo: specifier: latest - version: 1.1.2 + version: 1.2.0 unplugin: specifier: latest version: 1.4.0 @@ -5026,7 +5026,7 @@ packages: enhanced-resolve: 5.15.0 mlly: 1.4.0 pathe: 1.1.1 - ufo: 1.1.2 + ufo: 1.2.0 dev: false /fast-deep-equal@3.1.3: @@ -5470,7 +5470,7 @@ packages: destr: 2.0.0 iron-webcrypto: 0.7.0 radix3: 1.0.1 - ufo: 1.1.2 + ufo: 1.2.0 uncrypto: 0.1.3 /happy-dom@10.5.2: @@ -6211,7 +6211,7 @@ packages: mlly: 1.4.0 node-forge: 1.3.1 pathe: 1.1.1 - ufo: 1.1.2 + ufo: 1.2.0 /loader-runner@4.3.0: resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==} @@ -6580,7 +6580,7 @@ packages: acorn: 8.10.0 pathe: 1.1.1 pkg-types: 1.0.3 - ufo: 1.1.2 + ufo: 1.2.0 /mri@1.2.0: resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==} @@ -6686,7 +6686,7 @@ packages: serve-static: 1.15.0 source-map-support: 0.5.21 std-env: 3.3.3 - ufo: 1.1.2 + ufo: 1.2.0 uncrypto: 0.1.3 unenv: 1.5.2 unimport: 3.1.0(rollup@3.26.3) 
@@ -6884,7 +6884,7 @@ packages: dependencies: destr: 2.0.0 node-fetch-native: 1.2.0 - ufo: 1.1.2 + ufo: 1.2.0 /ohash@1.1.2: resolution: {integrity: sha512-9CIOSq5945rI045GFtcO3uudyOkYVY1nyfFxVQp+9BRgslr8jPNiSSrsFGg/BNTUFOLqx0P5tng6G32brIPw0w==} @@ -8547,8 +8547,8 @@ packages: resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==} dev: true - /ufo@1.1.2: - resolution: {integrity: sha512-TrY6DsjTQQgyS3E3dBaOXf0TpPD8u9FVrVYmKVegJuFw51n/YB9XPt+U6ydzFG5ZIN7+DIjPbNmXoBj9esYhgQ==} + /ufo@1.2.0: + resolution: {integrity: sha512-RsPyTbqORDNDxqAdQPQBpgqhWle1VcTSou/FraClYlHf6TZnQcGslpLcAphNR+sQW4q5lLWLbOsRlh9j24baQg==} /ultrahtml@1.3.0: resolution: {integrity: sha512-xmXvE8tC8t4PVqy0/g1fe7H9USY/Brr425q4dD/0QbQMQit7siCtb06+SCqE4GfU24nwsZz8Th1g7L7mm1lL5g==} @@ -8730,7 +8730,7 @@ packages: mri: 1.2.0 node-fetch-native: 1.2.0 ofetch: 1.1.1 - ufo: 1.1.2 + ufo: 1.2.0 transitivePeerDependencies: - supports-color @@ -9056,7 +9056,7 @@ packages: /vue-bundle-renderer@1.0.3: resolution: {integrity: sha512-EfjX+5TTUl70bki9hPuVp+54JiZOvFIfoWBcfXsSwLzKEiDYyHNi5iX8srnqLIv3YRnvxgbntdcG1WPq0MvffQ==} dependencies: - ufo: 1.1.2 + ufo: 1.2.0 /vue-component-type-helpers@1.6.5: resolution: {integrity: sha512-iGdlqtajmiqed8ptURKPJ/Olz0/mwripVZszg6tygfZSIL9kYFPJTNY6+Q6OjWGznl2L06vxG5HvNvAnWrnzbg==} diff --git a/test/bundle.test.ts b/test/bundle.test.ts index 2b4c07ba6e..ad59f13d56 100644 --- a/test/bundle.test.ts +++ b/test/bundle.test.ts 
@@ -19,7 +19,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
 for (const outputDir of ['.output', '.output-inline']) {
 it('default client bundle size', async () => {
 const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
- expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.3k"')
+ expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.4k"')
 expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
 [
 "_nuxt/entry.js",
@@ -32,7 +32,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
 const serverDir = join(rootDir, '.output/server')
 const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
- expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.4k"')
+ expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.5k"')
 const modules = await analyzeSizes('node_modules/**/*', serverDir)
 expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')