Merge commit from fork

2h0ng 2025-10-16 23:58:15 -07:00 committed by GitHub
parent 4f7cb7cd2a
commit bfda4ce7e6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 26 additions and 0 deletions


@ -1,5 +1,6 @@
'use client'
import { useEffect } from 'react'
import { validateRedirectUrl } from '@/utils/urlValidation'
export const useOAuthCallback = () => {
useEffect(() => {
@ -18,6 +19,7 @@ export const openOAuthPopup = (url: string, callback: () => void) => {
const left = window.screenX + (window.outerWidth - width) / 2
const top = window.screenY + (window.outerHeight - height) / 2
validateRedirectUrl(url)
const popup = window.open(
url,
'OAuth',
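Review bot: The added `validateRedirectUrl(url)` call throws synchronously, and nothing visible in this hunk catches it, so a rejected URL ends `openOAuthPopup` before `window.open` is reached. Callers that so far assumed the function cannot throw should be checked, since an uncaught error here would leave the user with no popup and no feedback. The validator added in this commit parses with `new URL(url)` and no base, so a relative authorization URL that `window.open` would have resolved is now rejected as well; that may be intended but is not stated. A comment above the call such as `// throws on non-http(s) or unparseable URLs; callers must handle the error` would make the new contract visible. The body of `openOAuthPopup` starts and ends outside the hunk.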


@ -0,0 +1,24 @@
/**
* Validates that a URL is safe for redirection.
* Only allows HTTP and HTTPS protocols to prevent XSS attacks.
*
* @param url - The URL string to validate
* @throws Error if the URL has an unsafe protocol
*/
export function validateRedirectUrl(url: string): void {
try {
const parsedUrl = new URL(url);
if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
throw new Error("Authorization URL must be HTTP or HTTPS");
}
} catch (error) {
if (
error instanceof Error &&
error.message === "Authorization URL must be HTTP or HTTPS"
) {
throw error;
}
// If URL parsing fails, it's also invalid
throw new Error(`Invalid URL: ${url}`);
}
}
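Review bot: The catch block in `validateRedirectUrl` tells its own protocol error apart from a parse failure by comparing `error.message` with a string literal, so the two copies of that message must stay byte-identical or the protocol error is silently rewrapped as `Invalid URL: …`. Parsing inside a narrow `try` and checking the protocol after it removes that coupling. The fallback message also interpolates the full rejected `url`; authorization URLs often carry query parameters, so echoing the value into an error that may reach logs or the UI is worth avoiding, and the sketch below drops the interpolation. Neither of the two changed files is a test as far as the page shows; cases for `javascript:`, `data:`, relative and malformed inputs would pin the behaviour.

```typescript
export function validateRedirectUrl(url: string): void {
  let parsedUrl: URL;
  try {
    parsedUrl = new URL(url);
  } catch {
    // Unparseable input is rejected without echoing the untrusted value.
    throw new Error("Invalid URL");
  }
  // Allow-list of schemes; everything else (javascript:, data:, ...) is refused.
  if (parsedUrl.protocol !== "http:" && parsedUrl.protocol !== "https:") {
    throw new Error("Authorization URL must be HTTP or HTTPS");
  }
}
```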