fix(nuxt): disallow redirects to more script protocols (#22366)

Co-authored-by: Damian Głowala <48835293+DamianGlowala@users.noreply.github.com>
This commit is contained in:
Daniel Roe 2023-07-30 11:09:16 +01:00 committed by GitHub
parent 2616aadda6
commit 2f734df9b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
10 changed files with 43 additions and 40 deletions


@ -75,7 +75,7 @@
"semver": "7.5.4", "semver": "7.5.4",
"std-env": "3.3.3", "std-env": "3.3.3",
"typescript": "5.1.6", "typescript": "5.1.6",
"ufo": "1.1.2", "ufo": "1.2.0",
"vite": "4.4.7", "vite": "4.4.7",
"vitest": "0.33.0", "vitest": "0.33.0",
"vitest-environment-nuxt": "0.10.2", "vitest-environment-nuxt": "0.10.2",


@ -47,7 +47,7 @@
"pkg-types": "1.0.3", "pkg-types": "1.0.3",
"scule": "1.0.0", "scule": "1.0.0",
"semver": "7.5.4", "semver": "7.5.4",
"ufo": "1.1.2", "ufo": "1.2.0",
"unbuild": "latest" "unbuild": "latest"
}, },
"optionalDependencies": { "optionalDependencies": {


@ -91,7 +91,7 @@
"prompts": "^2.4.2", "prompts": "^2.4.2",
"scule": "^1.0.0", "scule": "^1.0.0",
"strip-literal": "^1.0.1", "strip-literal": "^1.0.1",
"ufo": "^1.1.2", "ufo": "^1.2.0",
"ultrahtml": "^1.3.0", "ultrahtml": "^1.3.0",
"uncrypto": "^0.1.3", "uncrypto": "^0.1.3",
"unctx": "^2.3.1", "unctx": "^2.3.1",


@ -2,7 +2,7 @@ import { getCurrentInstance, hasInjectionContext, inject, onUnmounted } from 'vu
import type { Ref } from 'vue' import type { Ref } from 'vue'
import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router' import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
import { sanitizeStatusCode } from 'h3' import { sanitizeStatusCode } from 'h3'
import { hasProtocol, joinURL, parseURL, withQuery } from 'ufo' import { hasProtocol, isScriptProtocol, joinURL, parseURL, withQuery } from 'ufo'
import { useNuxtApp, useRuntimeConfig } from '../nuxt' import { useNuxtApp, useRuntimeConfig } from '../nuxt'
import type { NuxtError } from './error' import type { NuxtError } from './error'
@ -133,11 +133,14 @@ export const navigateTo = (to: RouteLocationRaw | undefined | null, options?: Na
} }
const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true }) const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
if (isExternal && !options?.external) { if (isExternal) {
throw new Error('Navigating to external URL is not allowed by default. Use `navigateTo (url, { external: true })`.') if (!options?.external) {
throw new Error('Navigating to an external URL is not allowed by default. Use `navigateTo(url, { external: true })`.')
}
const protocol = parseURL(toPath).protocol
if (protocol && isScriptProtocol(protocol)) {
throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
} }
if (isExternal && parseURL(toPath).protocol === 'script:') {
throw new Error('Cannot navigate to an URL with script protocol.')
} }
const inMiddleware = isProcessingMiddleware() const inMiddleware = isProcessingMiddleware()
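Review bot: The new script-protocol guard at `if (protocol && isScriptProtocol(protocol))` is only reachable when `isExternal` is true, which for a caller that did not pass `external: true` depends on `hasProtocol(toPath, { acceptRelative: true })` recognising a slash-less scheme such as `javascript:`; nothing in this diff pins that path with a test (only bundle-size snapshots change). Worth adding a unit test asserting that `navigateTo` rejects a `javascript:`-scheme URL both with and without `{ external: true }`, so a future change in ufo's `hasProtocol` cannot silently bypass the guard. The thrown message interpolates the raw `protocol` value taken from the caller-supplied path; a short comment such as `// Script-like schemes are refused even when the caller opted into external navigation` above the check would document the intent for the next maintainer. navigateTo starts before and continues after this hunk.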


@ -56,7 +56,7 @@
"pkg-types": "^1.0.3", "pkg-types": "^1.0.3",
"postcss-import-resolver": "^2.0.0", "postcss-import-resolver": "^2.0.0",
"std-env": "^3.3.3", "std-env": "^3.3.3",
"ufo": "^1.1.2", "ufo": "^1.2.0",
"unimport": "^3.1.0", "unimport": "^3.1.0",
"untyped": "^1.4.0" "untyped": "^1.4.0"
}, },


@ -30,7 +30,7 @@
"get-port-please": "^3.0.1", "get-port-please": "^3.0.1",
"ofetch": "^1.1.1", "ofetch": "^1.1.1",
"pathe": "^1.1.1", "pathe": "^1.1.1",
"ufo": "^1.1.2" "ufo": "^1.2.0"
}, },
"devDependencies": { "devDependencies": {
"@jest/globals": "29.6.1", "@jest/globals": "29.6.1",


@ -55,7 +55,7 @@
"rollup-plugin-visualizer": "^5.9.2", "rollup-plugin-visualizer": "^5.9.2",
"std-env": "^3.3.3", "std-env": "^3.3.3",
"strip-literal": "^1.0.1", "strip-literal": "^1.0.1",
"ufo": "^1.1.2", "ufo": "^1.2.0",
"unplugin": "^1.4.0", "unplugin": "^1.4.0",
"vite": "^4.4.7", "vite": "^4.4.7",
"vite-node": "^0.33.0", "vite-node": "^0.33.0",


@ -49,7 +49,7 @@
"pug-plain-loader": "^1.1.0", "pug-plain-loader": "^1.1.0",
"std-env": "^3.3.3", "std-env": "^3.3.3",
"time-fix-plugin": "^2.0.7", "time-fix-plugin": "^2.0.7",
"ufo": "^1.1.2", "ufo": "^1.2.0",
"unplugin": "^1.4.0", "unplugin": "^1.4.0",
"url-loader": "^4.1.1", "url-loader": "^4.1.1",
"vue-bundle-renderer": "^1.0.3", "vue-bundle-renderer": "^1.0.3",


@ -126,8 +126,8 @@ importers:
specifier: 5.1.6 specifier: 5.1.6
version: 5.1.6 version: 5.1.6
ufo: ufo:
specifier: 1.1.2 specifier: 1.2.0
version: 1.1.2 version: 1.2.0
vite: vite:
specifier: 4.4.7 specifier: 4.4.7
version: 4.4.7(@types/node@18.17.0) version: 4.4.7(@types/node@18.17.0)
@ -326,8 +326,8 @@ importers:
specifier: 7.5.4 specifier: 7.5.4
version: 7.5.4 version: 7.5.4
ufo: ufo:
specifier: 1.1.2 specifier: 1.2.0
version: 1.1.2 version: 1.2.0
unbuild: unbuild:
specifier: latest specifier: latest
version: 1.2.1 version: 1.2.1
@ -455,8 +455,8 @@ importers:
specifier: ^1.0.1 specifier: ^1.0.1
version: 1.0.1 version: 1.0.1
ufo: ufo:
specifier: ^1.1.2 specifier: ^1.2.0
version: 1.1.2 version: 1.2.0
ultrahtml: ultrahtml:
specifier: ^1.3.0 specifier: ^1.3.0
version: 1.3.0 version: 1.3.0
@ -543,8 +543,8 @@ importers:
specifier: ^3.3.3 specifier: ^3.3.3
version: 3.3.3 version: 3.3.3
ufo: ufo:
specifier: ^1.1.2 specifier: ^1.2.0
version: 1.1.2 version: 1.2.0
unimport: unimport:
specifier: ^3.1.0 specifier: ^3.1.0
version: 3.1.0(rollup@3.26.3) version: 3.1.0(rollup@3.26.3)
@ -643,8 +643,8 @@ importers:
specifier: ^1.1.1 specifier: ^1.1.1
version: 1.1.1 version: 1.1.1
ufo: ufo:
specifier: ^1.1.2 specifier: ^1.2.0
version: 1.1.2 version: 1.2.0
vue: vue:
specifier: ^3.3.4 specifier: ^3.3.4
version: 3.3.4 version: 3.3.4
@ -752,8 +752,8 @@ importers:
specifier: ^1.0.1 specifier: ^1.0.1
version: 1.0.1 version: 1.0.1
ufo: ufo:
specifier: ^1.1.2 specifier: ^1.2.0
version: 1.1.2 version: 1.2.0
unplugin: unplugin:
specifier: ^1.4.0 specifier: ^1.4.0
version: 1.4.0 version: 1.4.0
@ -882,8 +882,8 @@ importers:
specifier: ^2.0.7 specifier: ^2.0.7
version: 2.0.7(webpack@5.88.2) version: 2.0.7(webpack@5.88.2)
ufo: ufo:
specifier: ^1.1.2 specifier: ^1.2.0
version: 1.1.2 version: 1.2.0
unplugin: unplugin:
specifier: ^1.4.0 specifier: ^1.4.0
version: 1.4.0 version: 1.4.0
@ -966,7 +966,7 @@ importers:
devDependencies: devDependencies:
ufo: ufo:
specifier: latest specifier: latest
version: 1.1.2 version: 1.2.0
unplugin: unplugin:
specifier: latest specifier: latest
version: 1.4.0 version: 1.4.0
@ -5026,7 +5026,7 @@ packages:
enhanced-resolve: 5.15.0 enhanced-resolve: 5.15.0
mlly: 1.4.0 mlly: 1.4.0
pathe: 1.1.1 pathe: 1.1.1
ufo: 1.1.2 ufo: 1.2.0
dev: false dev: false
/fast-deep-equal@3.1.3: /fast-deep-equal@3.1.3:
@ -5470,7 +5470,7 @@ packages:
destr: 2.0.0 destr: 2.0.0
iron-webcrypto: 0.7.0 iron-webcrypto: 0.7.0
radix3: 1.0.1 radix3: 1.0.1
ufo: 1.1.2 ufo: 1.2.0
uncrypto: 0.1.3 uncrypto: 0.1.3
/happy-dom@10.5.2: /happy-dom@10.5.2:
@ -6211,7 +6211,7 @@ packages:
mlly: 1.4.0 mlly: 1.4.0
node-forge: 1.3.1 node-forge: 1.3.1
pathe: 1.1.1 pathe: 1.1.1
ufo: 1.1.2 ufo: 1.2.0
/loader-runner@4.3.0: /loader-runner@4.3.0:
resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==} resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==}
@ -6580,7 +6580,7 @@ packages:
acorn: 8.10.0 acorn: 8.10.0
pathe: 1.1.1 pathe: 1.1.1
pkg-types: 1.0.3 pkg-types: 1.0.3
ufo: 1.1.2 ufo: 1.2.0
/mri@1.2.0: /mri@1.2.0:
resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==} resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==}
@ -6686,7 +6686,7 @@ packages:
serve-static: 1.15.0 serve-static: 1.15.0
source-map-support: 0.5.21 source-map-support: 0.5.21
std-env: 3.3.3 std-env: 3.3.3
ufo: 1.1.2 ufo: 1.2.0
uncrypto: 0.1.3 uncrypto: 0.1.3
unenv: 1.5.2 unenv: 1.5.2
unimport: 3.1.0(rollup@3.26.3) unimport: 3.1.0(rollup@3.26.3)
@ -6884,7 +6884,7 @@ packages:
dependencies: dependencies:
destr: 2.0.0 destr: 2.0.0
node-fetch-native: 1.2.0 node-fetch-native: 1.2.0
ufo: 1.1.2 ufo: 1.2.0
/ohash@1.1.2: /ohash@1.1.2:
resolution: {integrity: sha512-9CIOSq5945rI045GFtcO3uudyOkYVY1nyfFxVQp+9BRgslr8jPNiSSrsFGg/BNTUFOLqx0P5tng6G32brIPw0w==} resolution: {integrity: sha512-9CIOSq5945rI045GFtcO3uudyOkYVY1nyfFxVQp+9BRgslr8jPNiSSrsFGg/BNTUFOLqx0P5tng6G32brIPw0w==}
@ -8547,8 +8547,8 @@ packages:
resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==} resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==}
dev: true dev: true
/ufo@1.1.2: /ufo@1.2.0:
resolution: {integrity: sha512-TrY6DsjTQQgyS3E3dBaOXf0TpPD8u9FVrVYmKVegJuFw51n/YB9XPt+U6ydzFG5ZIN7+DIjPbNmXoBj9esYhgQ==} resolution: {integrity: sha512-RsPyTbqORDNDxqAdQPQBpgqhWle1VcTSou/FraClYlHf6TZnQcGslpLcAphNR+sQW4q5lLWLbOsRlh9j24baQg==}
/ultrahtml@1.3.0: /ultrahtml@1.3.0:
resolution: {integrity: sha512-xmXvE8tC8t4PVqy0/g1fe7H9USY/Brr425q4dD/0QbQMQit7siCtb06+SCqE4GfU24nwsZz8Th1g7L7mm1lL5g==} resolution: {integrity: sha512-xmXvE8tC8t4PVqy0/g1fe7H9USY/Brr425q4dD/0QbQMQit7siCtb06+SCqE4GfU24nwsZz8Th1g7L7mm1lL5g==}
@ -8730,7 +8730,7 @@ packages:
mri: 1.2.0 mri: 1.2.0
node-fetch-native: 1.2.0 node-fetch-native: 1.2.0
ofetch: 1.1.1 ofetch: 1.1.1
ufo: 1.1.2 ufo: 1.2.0
transitivePeerDependencies: transitivePeerDependencies:
- supports-color - supports-color
@ -9056,7 +9056,7 @@ packages:
/vue-bundle-renderer@1.0.3: /vue-bundle-renderer@1.0.3:
resolution: {integrity: sha512-EfjX+5TTUl70bki9hPuVp+54JiZOvFIfoWBcfXsSwLzKEiDYyHNi5iX8srnqLIv3YRnvxgbntdcG1WPq0MvffQ==} resolution: {integrity: sha512-EfjX+5TTUl70bki9hPuVp+54JiZOvFIfoWBcfXsSwLzKEiDYyHNi5iX8srnqLIv3YRnvxgbntdcG1WPq0MvffQ==}
dependencies: dependencies:
ufo: 1.1.2 ufo: 1.2.0
/vue-component-type-helpers@1.6.5: /vue-component-type-helpers@1.6.5:
resolution: {integrity: sha512-iGdlqtajmiqed8ptURKPJ/Olz0/mwripVZszg6tygfZSIL9kYFPJTNY6+Q6OjWGznl2L06vxG5HvNvAnWrnzbg==} resolution: {integrity: sha512-iGdlqtajmiqed8ptURKPJ/Olz0/mwripVZszg6tygfZSIL9kYFPJTNY6+Q6OjWGznl2L06vxG5HvNvAnWrnzbg==}


@ -19,7 +19,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
for (const outputDir of ['.output', '.output-inline']) { for (const outputDir of ['.output', '.output-inline']) {
it('default client bundle size', async () => { it('default client bundle size', async () => {
const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public')) const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.3k"') expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.4k"')
expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(` expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
[ [
"_nuxt/entry.js", "_nuxt/entry.js",
@ -32,7 +32,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
const serverDir = join(rootDir, '.output/server') const serverDir = join(rootDir, '.output/server')
const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir) const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.4k"') expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.5k"')
const modules = await analyzeSizes('node_modules/**/*', serverDir) const modules = await analyzeSizes('node_modules/**/*', serverDir)
expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"') expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')