chore: prevent ssrf
Larkooo committed Aug 25, 2024
1 parent 6d4c56f commit 4b2c8a4
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion packages/keychain/src/pages/session.tsx
Expand Up @@ -129,7 +129,7 @@ function sanitizeCallbackUrl(url: string): URL | undefined {
try {
const parsed = new URL(url);

if (parsed.hostname.endsWith("cartridge.gg")) {
if (parsed.hostname.endsWith("cartridge.gg") || (parsed.pathname !== "/" && parsed.pathname !== "/callback")) {
throw new Error(`Invalid callback url: ${url}`);
}
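Review bot: The new `if` condition limits the path to `/` or `/callback`, but nothing in the visible lines restricts the scheme of the parsed URL. sanitizeCallbackUrl continues outside this hunk, so a later check may already cover it. If not, add `if (parsed.protocol !== "https:" && parsed.protocol !== "http:") throw new Error(...)` next to the host and path test. Separately, `endsWith("cartridge.gg")` also matches a host such as `notcartridge.gg` (constructed example); as a deny rule this only over-rejects, but `parsed.hostname === "cartridge.gg" || parsed.hostname.endsWith(".cartridge.gg")` states the intent exactly. A one-line comment above the condition, saying that first-party hosts are rejected on purpose (as the code appears to intend), would keep a later reader from inverting it into an allowlist.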

