fix(nuxt): disallow redirects to more script protocols (#22366)

Co-authored-by: Damian Głowala <48835293+DamianGlowala@users.noreply.github.com>
2024-11-22 05:35:13 +00:00 · 2023-07-30 11:09:16 +01:00 · 2023-07-30 11:09:16 +01:00 · 2f734df9b5
commit 2f734df9b5
parent 2616aadda6
10 changed files with 43 additions and 40 deletions
--- a/package.json
+++ b/package.json
@ -75,7 +75,7 @@
    "semver": "7.5.4",
    "std-env": "3.3.3",
    "typescript": "5.1.6",
-    "ufo": "1.1.2",
+    "ufo": "1.2.0",
    "vite": "4.4.7",
    "vitest": "0.33.0",
    "vitest-environment-nuxt": "0.10.2",
--- a/packages/nuxi/package.json
+++ b/packages/nuxi/package.json
@ -47,7 +47,7 @@
    "pkg-types": "1.0.3",
    "scule": "1.0.0",
    "semver": "7.5.4",
-    "ufo": "1.1.2",
+    "ufo": "1.2.0",
    "unbuild": "latest"
  },
  "optionalDependencies": {
--- a/packages/nuxt/package.json
+++ b/packages/nuxt/package.json
@ -91,7 +91,7 @@
    "prompts": "^2.4.2",
    "scule": "^1.0.0",
    "strip-literal": "^1.0.1",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
    "ultrahtml": "^1.3.0",
    "uncrypto": "^0.1.3",
    "unctx": "^2.3.1",
--- a/packages/nuxt/src/app/composables/router.ts
+++ b/packages/nuxt/src/app/composables/router.ts
@ -2,7 +2,7 @@ import { getCurrentInstance, hasInjectionContext, inject, onUnmounted } from 'vu
 import type { Ref } from 'vue'
 import type { NavigationFailure, NavigationGuard, RouteLocationNormalized, RouteLocationPathRaw, RouteLocationRaw, Router, useRoute as _useRoute, useRouter as _useRouter } from '#vue-router'
 import { sanitizeStatusCode } from 'h3'
-import { hasProtocol, joinURL, parseURL, withQuery } from 'ufo'
+import { hasProtocol, isScriptProtocol, joinURL, parseURL, withQuery } from 'ufo'

 import { useNuxtApp, useRuntimeConfig } from '../nuxt'
 import type { NuxtError } from './error'
@ -133,11 +133,14 @@ export const navigateTo = (to: RouteLocationRaw | undefined | null, options?: Na
  }

  const isExternal = options?.external || hasProtocol(toPath, { acceptRelative: true })
-  if (isExternal && !options?.external) {
-    throw new Error('Navigating to external URL is not allowed by default. Use `navigateTo (url, { external: true })`.')
+  if (isExternal) {
+    if (!options?.external) {
+      throw new Error('Navigating to an external URL is not allowed by default. Use `navigateTo(url, { external: true })`.')
+    }
+    const protocol = parseURL(toPath).protocol
+    if (protocol && isScriptProtocol(protocol)) {
+      throw new Error(`Cannot navigate to a URL with '${protocol}' protocol.`)
    }
-  if (isExternal && parseURL(toPath).protocol === 'script:') {
-    throw new Error('Cannot navigate to an URL with script protocol.')
  }

  const inMiddleware = isProcessingMiddleware()
--- a/packages/schema/package.json
+++ b/packages/schema/package.json
@ -56,7 +56,7 @@
    "pkg-types": "^1.0.3",
    "postcss-import-resolver": "^2.0.0",
    "std-env": "^3.3.3",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
    "unimport": "^3.1.0",
    "untyped": "^1.4.0"
  },
--- a/packages/test-utils/package.json
+++ b/packages/test-utils/package.json
@ -30,7 +30,7 @@
    "get-port-please": "^3.0.1",
    "ofetch": "^1.1.1",
    "pathe": "^1.1.1",
-    "ufo": "^1.1.2"
+    "ufo": "^1.2.0"
  },
  "devDependencies": {
    "@jest/globals": "29.6.1",
--- a/packages/vite/package.json
+++ b/packages/vite/package.json
@ -55,7 +55,7 @@
    "rollup-plugin-visualizer": "^5.9.2",
    "std-env": "^3.3.3",
    "strip-literal": "^1.0.1",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
    "unplugin": "^1.4.0",
    "vite": "^4.4.7",
    "vite-node": "^0.33.0",
--- a/packages/webpack/package.json
+++ b/packages/webpack/package.json
@ -49,7 +49,7 @@
    "pug-plain-loader": "^1.1.0",
    "std-env": "^3.3.3",
    "time-fix-plugin": "^2.0.7",
-    "ufo": "^1.1.2",
+    "ufo": "^1.2.0",
    "unplugin": "^1.4.0",
    "url-loader": "^4.1.1",
    "vue-bundle-renderer": "^1.0.3",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -126,8 +126,8 @@ importers:
        specifier: 5.1.6
        version: 5.1.6
      ufo:
-        specifier: 1.1.2
-        version: 1.1.2
+        specifier: 1.2.0
+        version: 1.2.0
      vite:
        specifier: 4.4.7
        version: 4.4.7(@types/node@18.17.0)
@ -326,8 +326,8 @@ importers:
        specifier: 7.5.4
        version: 7.5.4
      ufo:
-        specifier: 1.1.2
-        version: 1.1.2
+        specifier: 1.2.0
+        version: 1.2.0
      unbuild:
        specifier: latest
        version: 1.2.1
@ -455,8 +455,8 @@ importers:
        specifier: ^1.0.1
        version: 1.0.1
      ufo:
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.2.0
+        version: 1.2.0
      ultrahtml:
        specifier: ^1.3.0
        version: 1.3.0
@ -543,8 +543,8 @@ importers:
        specifier: ^3.3.3
        version: 3.3.3
      ufo:
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.2.0
+        version: 1.2.0
      unimport:
        specifier: ^3.1.0
        version: 3.1.0(rollup@3.26.3)
@ -643,8 +643,8 @@ importers:
        specifier: ^1.1.1
        version: 1.1.1
      ufo:
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.2.0
+        version: 1.2.0
      vue:
        specifier: ^3.3.4
        version: 3.3.4
@ -752,8 +752,8 @@ importers:
        specifier: ^1.0.1
        version: 1.0.1
      ufo:
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.2.0
+        version: 1.2.0
      unplugin:
        specifier: ^1.4.0
        version: 1.4.0
@ -882,8 +882,8 @@ importers:
        specifier: ^2.0.7
        version: 2.0.7(webpack@5.88.2)
      ufo:
-        specifier: ^1.1.2
-        version: 1.1.2
+        specifier: ^1.2.0
+        version: 1.2.0
      unplugin:
        specifier: ^1.4.0
        version: 1.4.0
@ -966,7 +966,7 @@ importers:
    devDependencies:
      ufo:
        specifier: latest
-        version: 1.1.2
+        version: 1.2.0
      unplugin:
        specifier: latest
        version: 1.4.0
@ -5026,7 +5026,7 @@ packages:
      enhanced-resolve: 5.15.0
      mlly: 1.4.0
      pathe: 1.1.1
-      ufo: 1.1.2
+      ufo: 1.2.0
    dev: false

  /fast-deep-equal@3.1.3:
@ -5470,7 +5470,7 @@ packages:
      destr: 2.0.0
      iron-webcrypto: 0.7.0
      radix3: 1.0.1
-      ufo: 1.1.2
+      ufo: 1.2.0
      uncrypto: 0.1.3

  /happy-dom@10.5.2:
@ -6211,7 +6211,7 @@ packages:
      mlly: 1.4.0
      node-forge: 1.3.1
      pathe: 1.1.1
-      ufo: 1.1.2
+      ufo: 1.2.0

  /loader-runner@4.3.0:
    resolution: {integrity: sha512-3R/1M+yS3j5ou80Me59j7F9IMs4PXs3VqRrm0TU3AbKPxlmpoY1TNscJV/oGJXo8qCatFGTfDbY6W6ipGOYXfg==}
@ -6580,7 +6580,7 @@ packages:
      acorn: 8.10.0
      pathe: 1.1.1
      pkg-types: 1.0.3
-      ufo: 1.1.2
+      ufo: 1.2.0

  /mri@1.2.0:
    resolution: {integrity: sha512-tzzskb3bG8LvYGFF/mDTpq3jpI6Q9wc3LEmBaghu+DdCssd1FakN7Bc0hVNmEyGq1bq3RgfkCb3cmQLpNPOroA==}
@ -6686,7 +6686,7 @@ packages:
      serve-static: 1.15.0
      source-map-support: 0.5.21
      std-env: 3.3.3
-      ufo: 1.1.2
+      ufo: 1.2.0
      uncrypto: 0.1.3
      unenv: 1.5.2
      unimport: 3.1.0(rollup@3.26.3)
@ -6884,7 +6884,7 @@ packages:
    dependencies:
      destr: 2.0.0
      node-fetch-native: 1.2.0
-      ufo: 1.1.2
+      ufo: 1.2.0

  /ohash@1.1.2:
    resolution: {integrity: sha512-9CIOSq5945rI045GFtcO3uudyOkYVY1nyfFxVQp+9BRgslr8jPNiSSrsFGg/BNTUFOLqx0P5tng6G32brIPw0w==}
@ -8547,8 +8547,8 @@ packages:
    resolution: {integrity: sha512-8Y75pvTYkLJW2hWQHXxoqRgV7qb9B+9vFEtidML+7koHUFapnVJAZ6cKs+Qjz5Aw3aZWHMC6u0wJE3At+nSGwA==}
    dev: true

-  /ufo@1.1.2:
-    resolution: {integrity: sha512-TrY6DsjTQQgyS3E3dBaOXf0TpPD8u9FVrVYmKVegJuFw51n/YB9XPt+U6ydzFG5ZIN7+DIjPbNmXoBj9esYhgQ==}
+  /ufo@1.2.0:
+    resolution: {integrity: sha512-RsPyTbqORDNDxqAdQPQBpgqhWle1VcTSou/FraClYlHf6TZnQcGslpLcAphNR+sQW4q5lLWLbOsRlh9j24baQg==}

  /ultrahtml@1.3.0:
    resolution: {integrity: sha512-xmXvE8tC8t4PVqy0/g1fe7H9USY/Brr425q4dD/0QbQMQit7siCtb06+SCqE4GfU24nwsZz8Th1g7L7mm1lL5g==}
@ -8730,7 +8730,7 @@ packages:
      mri: 1.2.0
      node-fetch-native: 1.2.0
      ofetch: 1.1.1
-      ufo: 1.1.2
+      ufo: 1.2.0
    transitivePeerDependencies:
      - supports-color

@ -9056,7 +9056,7 @@ packages:
  /vue-bundle-renderer@1.0.3:
    resolution: {integrity: sha512-EfjX+5TTUl70bki9hPuVp+54JiZOvFIfoWBcfXsSwLzKEiDYyHNi5iX8srnqLIv3YRnvxgbntdcG1WPq0MvffQ==}
    dependencies:
-      ufo: 1.1.2
+      ufo: 1.2.0

  /vue-component-type-helpers@1.6.5:
    resolution: {integrity: sha512-iGdlqtajmiqed8ptURKPJ/Olz0/mwripVZszg6tygfZSIL9kYFPJTNY6+Q6OjWGznl2L06vxG5HvNvAnWrnzbg==}
--- a/test/bundle.test.ts
+++ b/test/bundle.test.ts
@ -19,7 +19,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
  for (const outputDir of ['.output', '.output-inline']) {
    it('default client bundle size', async () => {
      const clientStats = await analyzeSizes('**/*.js', join(rootDir, outputDir, 'public'))
-      expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.3k"')
+      expect.soft(roundToKilobytes(clientStats.totalBytes)).toMatchInlineSnapshot('"97.4k"')
      expect(clientStats.files.map(f => f.replace(/\..*\.js/, '.js'))).toMatchInlineSnapshot(`
        [
          "_nuxt/entry.js",
@ -32,7 +32,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
    const serverDir = join(rootDir, '.output/server')

    const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
-    expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.4k"')
+    expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot('"64.5k"')

    const modules = await analyzeSizes('node_modules/**/*', serverDir)
    expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot('"2330k"')