mirror of https://github.com/laurent22/joplin.git synced 2025-11-26 22:41:17 +02:00

Desktop: Security: Prevent calling arbitrary commands via x-callback-url

Laurent Cozic
2023-06-14 15:51:35 +01:00
parent 0f9727144f
commit 69826610a2
3 changed files with 7 additions and 3 deletions


@@ -3,13 +3,14 @@ import * as callbackUrlUtils from './callbackUrlUtils';
describe('callbackUrlUtils', () => {
it('should identify valid callback urls', () => {
const url = 'joplin://x-callback-url/123?a=b';
const url = 'joplin://x-callback-url/openFolder?a=b';
expect(callbackUrlUtils.isCallbackUrl(url)).toBe(true);
});
it('should identify invalid callback urls', () => {
expect(callbackUrlUtils.isCallbackUrl('not-joplin://x-callback-url/123?a=b')).toBe(false);
expect(callbackUrlUtils.isCallbackUrl('joplin://xcallbackurl/123?a=b')).toBe(false);
expect(callbackUrlUtils.isCallbackUrl('joplin://x-callback-url/invalidCommand?a=b')).toBe(false);
});
it('should build valid note callback urls', () => {