fix(ws): stricter check on web socket origins

To avoid CORS vulnerabilities
2026-01-24 16:18:57 -06:00 · 2021-10-11 21:56:56 +08:00
parent 6e0d846b9a
commit 0266bbbfec
1 changed files with 7 additions and 3 deletions
--- a/packages/@vue/cli/lib/ui.js
+++ b/packages/@vue/cli/lib/ui.js
@@ -5,10 +5,14 @@ const shortid = require('shortid')
 function simpleCorsValidation (allowedHost) {
  return function (req, socket) {
    const { host, origin } = req.headers
-    // maybe we should just use strict string equal?
-    const hostRegExp = new RegExp(`^https?://(${host}|${allowedHost}|localhost)(:\\d+)?$`)

-    if (!origin || !hostRegExp.test(origin)) {
+    const safeOrigins = [
+      host,
+      allowedHost,
+      'localhost'
+    ]
+
+    if (!origin || !safeOrigins.includes(new URL(origin).hostname)) {
      socket.destroy()
    }
  }