CalvinBackup/gstack
1
0
Fork 0
mirror of https://github.com/garrytan/gstack.git synced 2026-05-05 05:05:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

fix: validate saved URLs before navigation in restoreState

Browse Source 
Cherry-pick PR #751 by @Gonzih. Prevents navigation to cloud metadata
endpoints or file:// URIs embedded in user-writable state files.

Co-Authored-By: Gonzih <gonzih@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-04-04 21:18:18 -07:00
parent 1351cf7dd4
commit 1c2e56ddd2
1 changed files with 9 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
browse/src/browser-manager.ts
+9 -1
View File
@@ -822,7 +822,15 @@ export class BrowserManager {
this.wirePageEvents(page);
if (saved.url) {
await page.goto(saved.url, { waitUntil: 'domcontentloaded', timeout: 15000 }).catch(() => {});
// Validate the saved URL before navigating — the state file is user-writable and
// a tampered URL could navigate to cloud metadata endpoints or file:// URIs.
try {
await validateNavigationUrl(saved.url);
await page.goto(saved.url, { waitUntil: 'domcontentloaded', timeout: 15000 }).catch(() => {});
} catch {
// Invalid URL in saved state — skip navigation, leave blank page
console.log(`[browse] restoreState: skipping unsafe URL: ${saved.url}`);
}
}
if (saved.storage) {