External/ignis
1
0
Fork 0
mirror of https://github.com/Nystik-gh/ignis.git synced 2026-06-17 04:35:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

improve url origin checking in shim

Browse Source
This commit is contained in:
Nystik
2026-06-02 17:09:54 +02:00
parent 3833ef2668
commit caaf6b3144
4 changed files with 22 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
packages/shim/src/fs/virtual-files.js
View File

@@ -7,7 +7,13 @@ function normalize(p) {
const virtualFiles = new Map();
export function setVirtualFile(path, content) {
virtualFiles.set(normalize(path), content);
const normalized = normalize(path);
if (normalized.split("/").includes("..")) {
throw new Error(`virtual file path may not contain '..': ${path}`);
}
virtualFiles.set(normalized, content);
}
export function removeVirtualFile(path) {

2
packages/shim/src/globals.js
View File

@@ -138,7 +138,7 @@ function base64ToArrayBuffer(base64) {
return bytes.buffer;
}
function isSameOrigin(url) {
export function isSameOrigin(url) {
if (
!url ||
url.startsWith("/") ||

10
packages/shim/src/request-url.js
View File

@@ -1,6 +1,8 @@
// Override window.requestUrl to proxy external requests through our server, bypassing CORS.
// Obsidian sets window.requestUrl in app.js, so we override it after app.js loads.
import { isSameOrigin } from "./globals.js";
function base64ToArrayBuffer(base64) {
const binary = atob(base64);
const bytes = new Uint8Array(binary.length);
@@ -29,12 +31,8 @@ async function proxyRequestUrl(request) {
request = { url: request };
}
const isSameOrigin =
request.url.startsWith(window.location.origin) ||
request.url.startsWith("/");
// Same-origin requests don't need the proxy
if (isSameOrigin) {
// Same-origin requests don't need the proxy.
if (isSameOrigin(request.url)) {
const res = await fetch(request.url, {
method: request.method || "GET",
headers: request.headers || {},

10
packages/shim/src/virtual-plugin-loader.js
View File

@@ -104,6 +104,12 @@ export async function extractObsidianModule() {
return captured;
}
function assertSameOrigin(url) {
if (new URL(url, location.origin).origin !== location.origin) {
throw new Error(`refusing cross-origin plugin URL: ${url}`);
}
}
// Serialize per-id load/unload so rapid toggles can't race.
const inFlight = new Map();
@@ -128,7 +134,11 @@ export function loadVirtualPlugin(entry) {
return;
}
assertSameOrigin(entry.scriptUrl);
if (entry.cssUrl) {
assertSameOrigin(entry.cssUrl);
const link = document.createElement("link");
link.rel = "stylesheet";
link.href = entry.cssUrl;