fix(nuxt): disallow redirects to more script protocols (#22366)
Co-authored-by: Damian Głowala <48835293+DamianGlowala@users.noreply.github.com>
parent
2616aadda6
commit
2f734df9b5
@ -75,7 +75,7 @@
|
|||||||
"semver": "7.5.4",
|
"semver": "7.5.4",
|
||||||
"std-env": "3.3.3",
|
"std-env": "3.3.3",
|
||||||
"typescript": "5.1.6",
|
"typescript": "5.1.6",
|
||||||
"ufo": "1.1.2",
|
"ufo": "1.2.0",
|
||||||
"vite": "4.4.7",
|
"vite": "4.4.7",
|
||||||
"vitest": "0.33.0",
|
"vitest": "0.33.0",
|
||||||
"vitest-environment-nuxt": "0.10.2",
|
"vitest-environment-nuxt": "0.10.2",
|
||||||
|
@ -47,7 +47,7 @@
|
|||||||
"pkg-types": "1.0.3",
|
"pkg-types": "1.0.3",
|
||||||
"scule": "1.0.0",
|
"scule": "1.0.0",
|
||||||
"semver": "7.5.4",
|
"semver": "7.5.4",
|
||||||
"ufo": "1.1.2",
|
"ufo": "1.2.0",
|
||||||
"unbuild": "latest"
|
"unbuild": "latest"
|
||||||
},
|
},
|
||||||
"optionalDependencies": {
|
"optionalDependencies": {
|
||||||
|
@ -91,7 +91,7 @@
|
|||||||
"prompts": "^2.4.2",
|
"prompts": "^2.4.2",
|
||||||
"scule": "^1.0.0",
|
"scule": "^1.0.0",
|
||||||
"strip-literal": "^1.0.1",
|
"strip-literal": "^1.0.1",
|
||||||
"ufo": "^1.1.2",
|
"ufo": "^1.2.0",
|
||||||
"ultrahtml": "^1.3.0",
|
"ultrahtml": "^1.3.0",
|
||||||
"uncrypto": "^0.1.3",
|
"uncrypto": "^0.1.3",
|
||||||
"unctx": "^2.3.1",
|
"unctx": "^2.3.1",
|
||||||
|
@ -2,7 +2,7 @@ import { getCurrentInstance, hasInjectionContext, inject, onUnmounted } from 'vu
|
|||||||
import type { Ref } from 'vue'
|
import type { Ref } from 'vue'
|
||||||
import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
|
import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
|
||||||
import { sanitizeStatusCode } from 'h3'
|
import { sanitizeStatusCode } from 'h3'
|
||||||
import { hasProtocol, joinURL, parseURL, withQuery } from 'ufo'
|
import { hasProtocol, isScriptProtocol, joinURL, parseURL, withQuery } from 'ufo'
|
||||||
|
|
||||||
import { useNuxtApp, useRuntimeConfig } from '../nuxt'
|
import { useNuxtApp, useRuntimeConfig } from '../nuxt'
|
||||||
import type { NuxtError } from './error'
|
import type { NuxtError } from './error'
|
||||||
@ -133,11 +133,14 @@ export const navigateTo = (to: RouteLocationRaw | undefined | null, options?: Na
|
|||||||
}
|
}
|
||||||
|
|
||||||
const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
|
const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
|
||||||
if (isExternal && !options?.external) {
|
if (isExternal) {
|
||||||
throw new Error('Navigating to external URL is not allowed by default. Use `navigateTo (url, { external: true })`.')
|
if (!options?.external) {
|
||||||
|
throw new Error('Navigating to an external URL is not allowed by default. Use `navigateTo(url, { external: true })`.')
|
||||||
|
}
|
||||||
|
const protocol = parseURL(toPath).protocol
|
||||||
|
if (protocol && isScriptProtocol(protocol)) {
|
||||||
|
throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
|
||||||
}
|
}
|
||||||
if (isExternal && parseURL(toPath).protocol === 'script:') {
|
|
||||||
throw new Error('Cannot navigate to an URL with script protocol.')
|
|
||||||
}
|
}
|
||||||
|
|
||||||
const inMiddleware = isProcessingMiddleware()
|
const inMiddleware = isProcessingMiddleware()
|
||||||
|
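Review bot: The script-protocol guard added inside `if (isExternal)` in `navigateTo` trusts the scheme that `parseURL(toPath).protocol` extracts from the raw string, but browsers drop leading whitespace/control characters and embedded tab or newline characters before they resolve a URL's scheme, so the two can disagree unless ufo normalises the input first, which this diff does not show. Since `isScriptProtocol` is a denylist, I would document that limit above the check, e.g. `// Denylist only: with { external: true } and user-controlled input, callers should still allowlist http(s).`, and parse a normalised copy of `toPath` if ufo does not already do so. The page shows no test change other than the bundle-size snapshot, so a unit test asserting that `navigateTo` throws for each protocol `isScriptProtocol` covers, including mixed-case and whitespace-padded forms, would pin the behaviour. The body of `navigateTo` begins and ends outside this hunk, so `toPath` is assumed to be a string here.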
@ -56,7 +56,7 @@
|
|||||||
"pkg-types": "^1.0.3",
|
"pkg-types": "^1.0.3",
|
||||||
"postcss-import-resolver": "^2.0.0",
|
"postcss-import-resolver": "^2.0.0",
|
||||||
"std-env": "^3.3.3",
|
"std-env": "^3.3.3",
|
||||||
"ufo": "^1.1.2",
|
"ufo": "^1.2.0",
|
||||||
"unimport": "^3.1.0",
|
"unimport": "^3.1.0",
|
||||||
"untyped": "^1.4.0"
|
"untyped": "^1.4.0"
|
||||||
},
|
},
|
||||||
|
@ -30,7 +30,7 @@
|
|||||||
"get-port-please": "^3.0.1",
|
"get-port-please": "^3.0.1",
|
||||||
"ofetch": "^1.1.1",
|
"ofetch": "^1.1.1",
|
||||||
"pathe": "^1.1.1",
|
"pathe": "^1.1.1",
|
||||||
"ufo": "^1.1.2"
|
"ufo": "^1.2.0"
|
||||||
},
|
},
|
||||||
"devDependencies": {
|
"devDependencies": {
|
||||||
"@jest/globals": "29.6.1",
|
"@jest/globals": "29.6.1",
|
||||||
|
@ -55,7 +55,7 @@
|
|||||||
"rollup-plugin-visualizer": "^5.9.2",
|
"rollup-plugin-visualizer": "^5.9.2",
|
||||||
"std-env": "^3.3.3",
|
"std-env": "^3.3.3",
|
||||||
"strip-literal": "^1.0.1",
|
"strip-literal": "^1.0.1",
|
||||||
"ufo": "^1.1.2",
|
"ufo": "^1.2.0",
|
||||||
"unplugin": "^1.4.0",
|
"unplugin": "^1.4.0",
|
||||||
"vite": "^4.4.7",
|
"vite": "^4.4.7",
|
||||||
"vite-node": "^0.33.0",
|
"vite-node": "^0.33.0",
|
||||||
|
@ -49,7 +49,7 @@
|
|||||||
"pug-plain-loader": "^1.1.0",
|
"pug-plain-loader": "^1.1.0",
|
||||||
"std-env": "^3.3.3",
|
"std-env": "^3.3.3",
|
||||||
"time-fix-plugin": "^2.0.7",
|
"time-fix-plugin": "^2.0.7",
|
||||||
"ufo": "^1.1.2",
|
"ufo": "^1.2.0",
|
||||||
"unplugin": "^1.4.0",
|
"unplugin": "^1.4.0",
|
||||||
"url-loader": "^4.1.1",
|
"url-loader": "^4.1.1",
|
||||||
"vue-bundle-renderer": "^1.0.3",
|
"vue-bundle-renderer": "^1.0.3",
|
||||||
|
@ -126,8 +126,8 @@ importers:
|
|||||||
specifier: 5.1.6
|
specifier: 5.1.6
|
||||||
version: 5.1.6
|
version: 5.1.6
|
||||||
ufo:
|
ufo:
|
||||||
specifier: 1.1.2
|
specifier: 1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
vite:
|
vite:
|
||||||
specifier: 4.4.7
|
specifier: 4.4.7
|
||||||
version: 4.4.7(@types/node@18.17.0)
|
version: 4.4.7(@types/node@18.17.0)
|
||||||
@ -326,8 +326,8 @@ importers:
|
|||||||
specifier: 7.5.4
|
specifier: 7.5.4
|
||||||
version: 7.5.4
|
version: 7.5.4
|
||||||
ufo:
|
ufo:
|
||||||
specifier: 1.1.2
|
specifier: 1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
unbuild:
|
unbuild:
|
||||||
specifier: latest
|
specifier: latest
|
||||||
version: 1.2.1
|
version: 1.2.1
|
||||||
@ -455,8 +455,8 @@ importers:
|
|||||||
specifier: ^1.0.1
|
specifier: ^1.0.1
|
||||||
version: 1.0.1
|
version: 1.0.1
|
||||||
ufo:
|
ufo:
|
||||||
specifier: ^1.1.2
|
specifier: ^1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
ultrahtml:
|
ultrahtml:
|
||||||
specifier: ^1.3.0
|
specifier: ^1.3.0
|
||||||
version: 1.3.0
|
version: 1.3.0
|
||||||
@ -543,8 +543,8 @@ importers:
|
|||||||
specifier: ^3.3.3
|
specifier: ^3.3.3
|
||||||
version: 3.3.3
|
version: 3.3.3
|
||||||
ufo:
|
ufo:
|
||||||
specifier: ^1.1.2
|
specifier: ^1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
unimport:
|
unimport:
|
||||||
specifier: ^3.1.0
|
specifier: ^3.1.0
|
||||||
version: 3.1.0(rollup@3.26.3)
|
version: 3.1.0(rollup@3.26.3)
|
||||||
@ -643,8 +643,8 @@ importers:
|
|||||||
specifier: ^1.1.1
|
specifier: ^1.1.1
|
||||||
version: 1.1.1
|
version: 1.1.1
|
||||||
ufo:
|
ufo:
|
||||||
specifier: ^1.1.2
|
specifier: ^1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
vue:
|
vue:
|
||||||
specifier: ^3.3.4
|
specifier: ^3.3.4
|
||||||
version: 3.3.4
|
version: 3.3.4
|
||||||
@ -752,8 +752,8 @@ importers:
|
|||||||
specifier: ^1.0.1
|
specifier: ^1.0.1
|
||||||
version: 1.0.1
|
version: 1.0.1
|
||||||
ufo:
|
ufo:
|
||||||
specifier: ^1.1.2
|
specifier: ^1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
unplugin:
|
unplugin:
|
||||||
specifier: ^1.4.0
|
specifier: ^1.4.0
|
||||||
version: 1.4.0
|
version: 1.4.0
|
||||||
@ -882,8 +882,8 @@ importers:
|
|||||||
specifier: ^2.0.7
|
specifier: ^2.0.7
|
||||||
version: 2.0.7(webpack@5.88.2)
|
version: 2.0.7(webpack@5.88.2)
|
||||||
ufo:
|
ufo:
|
||||||
specifier: ^1.1.2
|
specifier: ^1.2.0
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
unplugin:
|
unplugin:
|
||||||
specifier: ^1.4.0
|
specifier: ^1.4.0
|
||||||
version: 1.4.0
|
version: 1.4.0
|
||||||
@ -966,7 +966,7 @@ importers:
|
|||||||
devDependencies:
|
devDependencies:
|
||||||
ufo:
|
ufo:
|
||||||
specifier: latest
|
specifier: latest
|
||||||
version: 1.1.2
|
version: 1.2.0
|
||||||
unplugin:
|
unplugin:
|
||||||
specifier: latest
|
specifier: latest
|
||||||
version: 1.4.0
|
version: 1.4.0
|
||||||
@ -5026,7 +5026,7 @@ packages:
|
|||||||
enhanced-resolve: 5.15.0
|
enhanced-resolve: 5.15.0
|
||||||
mlly: 1.4.0
|
mlly: 1.4.0
|
||||||
pathe: 1.1.1
|
pathe: 1.1.1
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
dev: false
|
dev: false
|
||||||
|
|
||||||
/fast-deep-equal@3.1.3:
|
/fast-deep-equal@3.1.3:
|
||||||
@ -5470,7 +5470,7 @@ packages:
|
|||||||
destr: 2.0.0
|
destr: 2.0.0
|
||||||
iron-webcrypto: 0.7.0
|
iron-webcrypto: 0.7.0
|
||||||
radix3: 1.0.1
|
radix3: 1.0.1
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
uncrypto: 0.1.3
|
uncrypto: 0.1.3
|
||||||
|
|
||||||
/happy-dom@10.5.2:
|
/happy-dom@10.5.2:
|
||||||
@ -6211,7 +6211,7 @@ packages:
|
|||||||
mlly: 1.4.0
|
mlly: 1.4.0
|
||||||
node-forge: 1.3.1
|
node-forge: 1.3.1
|
||||||
pathe: 1.1.1
|
pathe: 1.1.1
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
|
|
||||||
/loader-runner@4.3.0:
|
/loader-runner@4.3.0:
|
||||||
resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==}
|
resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==}
|
||||||
@ -6580,7 +6580,7 @@ packages:
|
|||||||
acorn: 8.10.0
|
acorn: 8.10.0
|
||||||
pathe: 1.1.1
|
pathe: 1.1.1
|
||||||
pkg-types: 1.0.3
|
pkg-types: 1.0.3
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
|
|
||||||
/mri@1.2.0:
|
/mri@1.2.0:
|
||||||
resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==}
|
resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==}
|
||||||
@ -6686,7 +6686,7 @@ packages:
|
|||||||
serve-static: 1.15.0
|
serve-static: 1.15.0
|
||||||
source-map-support: 0.5.21
|
source-map-support: 0.5.21
|
||||||
std-env: 3.3.3
|
std-env: 3.3.3
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
uncrypto: 0.1.3
|
uncrypto: 0.1.3
|
||||||
unenv: 1.5.2
|
unenv: 1.5.2
|
||||||
unimport: 3.1.0(rollup@3.26.3)
|
unimport: 3.1.0(rollup@3.26.3)
|
||||||
@ -6884,7 +6884,7 @@ packages:
|
|||||||
dependencies:
|
dependencies:
|
||||||
destr: 2.0.0
|
destr: 2.0.0
|
||||||
node-fetch-native: 1.2.0
|
node-fetch-native: 1.2.0
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
|
|
||||||
/ohash@1.1.2:
|
/ohash@1.1.2:
|
||||||
resolution: {integrity: sha512-9CIOSq5945rI045GFtcO3uudyOkYVY1nyfFxVQp+9BRgslr8jPNiSSrsFGg/BNTUFOLqx0P5tng6G32brIPw0w==}
|
resolution: {integrity: sha512-9CIOSq5945rI045GFtcO3uudyOkYVY1nyfFxVQp+9BRgslr8jPNiSSrsFGg/BNTUFOLqx0P5tng6G32brIPw0w==}
|
||||||
@ -8547,8 +8547,8 @@ packages:
|
|||||||
resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==}
|
resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==}
|
||||||
dev: true
|
dev: true
|
||||||
|
|
||||||
/ufo@1.1.2:
|
/ufo@1.2.0:
|
||||||
resolution: {integrity: sha512-TrY6DsjTQQgyS3E3dBaOXf0TpPD8u9FVrVYmKVegJuFw51n/YB9XPt+U6ydzFG5ZIN7+DIjPbNmXoBj9esYhgQ==}
|
resolution: {integrity: sha512-RsPyTbqORDNDxqAdQPQBpgqhWle1VcTSou/FraClYlHf6TZnQcGslpLcAphNR+sQW4q5lLWLbOsRlh9j24baQg==}
|
||||||
|
|
||||||
/ultrahtml@1.3.0:
|
/ultrahtml@1.3.0:
|
||||||
resolution: {integrity: sha512-xmXvE8tC8t4PVqy0/g1fe7H9USY/Brr425q4dD/0QbQMQit7siCtb06+SCqE4GfU24nwsZz8Th1g7L7mm1lL5g==}
|
resolution: {integrity: sha512-xmXvE8tC8t4PVqy0/g1fe7H9USY/Brr425q4dD/0QbQMQit7siCtb06+SCqE4GfU24nwsZz8Th1g7L7mm1lL5g==}
|
||||||
@ -8730,7 +8730,7 @@ packages:
|
|||||||
mri: 1.2.0
|
mri: 1.2.0
|
||||||
node-fetch-native: 1.2.0
|
node-fetch-native: 1.2.0
|
||||||
ofetch: 1.1.1
|
ofetch: 1.1.1
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
transitivePeerDependencies:
|
transitivePeerDependencies:
|
||||||
- supports-color
|
- supports-color
|
||||||
|
|
||||||
@ -9056,7 +9056,7 @@ packages:
|
|||||||
/vue-bundle-renderer@1.0.3:
|
/vue-bundle-renderer@1.0.3:
|
||||||
resolution: {integrity: sha512-EfjX+5TTUl70bki9hPuVp+54JiZOvFIfoWBcfXsSwLzKEiDYyHNi5iX8srnqLIv3YRnvxgbntdcG1WPq0MvffQ==}
|
resolution: {integrity: sha512-EfjX+5TTUl70bki9hPuVp+54JiZOvFIfoWBcfXsSwLzKEiDYyHNi5iX8srnqLIv3YRnvxgbntdcG1WPq0MvffQ==}
|
||||||
dependencies:
|
dependencies:
|
||||||
ufo: 1.1.2
|
ufo: 1.2.0
|
||||||
|
|
||||||
/vue-component-type-helpers@1.6.5:
|
/vue-component-type-helpers@1.6.5:
|
||||||
resolution: {integrity: sha512-iGdlqtajmiqed8ptURKPJ/Olz0/mwripVZszg6tygfZSIL9kYFPJTNY6+Q6OjWGznl2L06vxG5HvNvAnWrnzbg==}
|
resolution: {integrity: sha512-iGdlqtajmiqed8ptURKPJ/Olz0/mwripVZszg6tygfZSIL9kYFPJTNY6+Q6OjWGznl2L06vxG5HvNvAnWrnzbg==}
|
||||||
|
@ -19,7 +19,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
|
|||||||
for (const outputDir of ['.output', '.output-inline']) {
|
for (const outputDir of ['.output', '.output-inline']) {
|
||||||
it('default client bundle size', async () => {
|
it('default client bundle size', async () => {
|
||||||
const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
|
const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
|
||||||
expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.3k"')
|
expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.4k"')
|
||||||
expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
|
expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
|
||||||
[
|
[
|
||||||
"_nuxt/entry.js",
|
"_nuxt/entry.js",
|
||||||
@ -32,7 +32,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
|
|||||||
const serverDir = join(rootDir, '.output/server')
|
const serverDir = join(rootDir, '.output/server')
|
||||||
|
|
||||||
const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
|
const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
|
||||||
expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.4k"')
|
expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.5k"')
|
||||||
|
|
||||||
const modules = await analyzeSizes('node_modules/**/*', serverDir)
|
const modules = await analyzeSizes('node_modules/**/*', serverDir)
|
||||||
expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')
|
expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')
|
||||||
|