npm package diff
Package: @forge/manifest
Versions: 10.2.0 - 10.2.1-next.0
File: package/out/validators/permissions-validator.js
Index: package/out/validators/permissions-validator.js
===================================================================
--- package/out/validators/permissions-validator.js
+++ package/out/validators/permissions-validator.js
@@ -1,15 +1,29 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
-exports.PermissionsValidator = void 0;
+exports.PermissionsValidator = exports.PROTOCOL_BLOCKLIST = void 0;
const tslib_1 = require("tslib");
const utils_1 = require("../utils");
const text_1 = require("../text");
const egress_types_1 = require("../types/egress-types");
const url_1 = require("url");
const shipyard_scopes_json_1 = tslib_1.__importDefault(require("../scopes/shipyard-scopes.json"));
const deprecated_shipyard_scopes_json_1 = tslib_1.__importDefault(require("../scopes/deprecated-shipyard-scopes.json"));
const scopes_1 = require("../utils/scopes");
+exports.PROTOCOL_BLOCKLIST = [
+ 'javascript:',
+ 'data:',
+ 'vbscript:',
+ 'view-source:',
+ 'resource:',
+ 'about:',
+ 'chrome:',
+ 'livescript:',
+ 'mocha:',
+ 'file:',
+ 'mhtml:',
+ 'smb:'
+];
class PermissionsValidator {
isValidURL(inputURL) {
const protocolRegex = /^(.*?:\/\/)/;
const validURI = /^(\*\.)?[.a-zA-Z0-9_\-\/:~#%?=&]+$/;
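Review bot: `PROTOCOL_BLOCKLIST` is exported as a plain mutable array with no comment stating what it guards or how its entries are matched. Because it is a deny list, any scheme not named in it is accepted by a consumer, so the matching contract matters: every entry is lowercase and ends in `:`, which only works if callers compare against a lowercased scheme. I would add a comment above the array such as `// Lowercase scheme names with trailing ':'; match against the lowercased scheme of the input, never the raw string.` and wrap the literal in `Object.freeze([...])` so an importing module cannot alter the list at runtime.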
@@ -20,8 +34,14 @@
}
if (inputURL === '*') {
return true;
}
+ const customURLSchemeRegex = /^[a-zA-Z]+:(\\\\)?/;
+ if (customURLSchemeRegex.test(inputURL) &&
+ ![...exports.PROTOCOL_BLOCKLIST, 'http'].some((protocol) => inputURL.startsWith(protocol)) &&
+ !allowedProtocols.some((protocol) => inputURL.startsWith(protocol))) {
+ return true;
+ }
if (!inputURL.includes('.') || inputURL.includes(' ')) {
return false;
}
try {
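Review bot: The blocklist test in the added `if` is case-sensitive, while `customURLSchemeRegex` accepts `[a-zA-Z]+`, so an input whose scheme is written in upper or mixed case matches the regex, misses every lowercase entry in `PROTOCOL_BLOCKLIST`, and reaches `return true`. URL schemes are case-insensitive, so the comparison should run on a normalised copy: `const lowered = inputURL.toLowerCase();` followed by `lowered.startsWith(protocol)` in both `.some(...)` calls (assuming `allowedProtocols`, defined outside the hunk, holds lowercase entries). The early `return true` also sits above the `includes('.')` / `includes(' ')` check, so a custom-scheme value skips it; whether the remaining validation is meant to apply is not visible because `isValidURL` continues outside the hunk. The `(\\\\)?` group is optional and does not change what `test` returns, so it should be removed or replaced with the pattern that was intended.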