fix: block SSRF via URL validation in browse commands (#17)

Adds validateNavigationUrl() that blocks non-HTTP(S) schemes (file://,
javascript:, data:) and cloud metadata endpoints (169.254.169.254,
metadata.google.internal). Applied to goto, diff, and newTab commands.
Localhost and private IPs remain allowed for local dev QA.

Closes #17

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Garry Tan
2026-03-18 23:27:27 -07:00
parent de196cda5c
commit 56c8c994bf
5 changed files with 88 additions and 1 deletions
+48
View File
@@ -0,0 +1,48 @@
import { describe, it, expect } from 'bun:test';
import { validateNavigationUrl } from '../src/url-validation';
describe('validateNavigationUrl', () => {
it('allows http URLs', () => {
expect(() => validateNavigationUrl('http://example.com')).not.toThrow();
});
it('allows https URLs', () => {
expect(() => validateNavigationUrl('https://example.com/path?q=1')).not.toThrow();
});
it('allows localhost', () => {
expect(() => validateNavigationUrl('http://localhost:3000')).not.toThrow();
});
it('allows 127.0.0.1', () => {
expect(() => validateNavigationUrl('http://127.0.0.1:8080')).not.toThrow();
});
it('allows private IPs', () => {
expect(() => validateNavigationUrl('http://192.168.1.1')).not.toThrow();
});
it('blocks file:// scheme', () => {
expect(() => validateNavigationUrl('file:///etc/passwd')).toThrow(/scheme.*not allowed/i);
});
it('blocks javascript: scheme', () => {
expect(() => validateNavigationUrl('javascript:alert(1)')).toThrow(/scheme.*not allowed/i);
});
it('blocks data: scheme', () => {
expect(() => validateNavigationUrl('data:text/html,<h1>hi</h1>')).toThrow(/scheme.*not allowed/i);
});
it('blocks AWS/GCP metadata endpoint', () => {
expect(() => validateNavigationUrl('http://169.254.169.254/latest/meta-data/')).toThrow(/cloud metadata/i);
});
it('blocks GCP metadata hostname', () => {
expect(() => validateNavigationUrl('http://metadata.google.internal/computeMetadata/v1/')).toThrow(/cloud metadata/i);
});
it('throws on malformed URLs', () => {
expect(() => validateNavigationUrl('not-a-url')).toThrow(/Invalid URL/i);
});
});