fix(ws): stricter check on web socket origins

To avoid CORS vulnerabilities
2026-04-27 15:30:02 -05:00 · 2021-10-11 21:56:56 +08:00
parent a8b74b4980
commit c3be5ee51b
1 changed files with 7 additions and 3 deletions
@@ -6,10 +6,14 @@ const { setNotificationCallback } = require('@vue/cli-ui/apollo-server/util/noti
 function simpleCorsValidation (allowedHost) {
  return function (req, socket) {
    const { host, origin } = req.headers
-    // maybe we should just use strict string equal?
-    const hostRegExp = new RegExp(`^https?://(${host}|${allowedHost}|localhost)(:\\d+)?$`)

-    if (!origin || !hostRegExp.test(origin)) {
+    const safeOrigins = [
+      host,
+      allowedHost,
+      'localhost'
+    ]
+
+    if (!origin || !safeOrigins.includes(new URL(origin).hostname)) {
      socket.destroy()
    }
  }