Skip to content

Commit d9667da

Browse files
DreamLab-AI Mega-Sprintruvnet
andcommitted
security: fix Solid server auto-trust hostname matching
Replace String.includes() with exact hostname matching via URL parsing. The previous substring check allowed malicious domains containing the trusted substring to pass (e.g. evil-solid.social.attacker.com matched solid.social). Now uses new URL().hostname with exact match or subdomain check (hostname.endsWith('.' + trusted)). Also removes the never-matching '/.well-known/solid' entry since origins don't contain paths. Co-Authored-By: claude-flow <ruv@ruv.net>
1 parent b83f414 commit d9667da

1 file changed

Lines changed: 12 additions & 5 deletions

File tree

src/background.js

Lines changed: 12 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -330,16 +330,23 @@ function encodeNip98Header (signedEvent) {
330330
* @returns {boolean}
331331
*/
332332
function isLikelySolidServer (origin) {
333-
// Common Solid server indicators
334-
const solidIndicators = [
333+
let hostname;
334+
try {
335+
hostname = new URL(origin).hostname;
336+
} catch {
337+
return false;
338+
}
339+
340+
const trustedHosts = [
335341
'solid.social',
336342
'solidcommunity.net',
337343
'inrupt.net',
338-
'solidweb.org',
339-
'/.well-known/solid'
344+
'solidweb.org'
340345
];
341346

342-
return solidIndicators.some(indicator => origin.includes(indicator));
347+
return trustedHosts.some(trusted =>
348+
hostname === trusted || hostname.endsWith('.' + trusted)
349+
);
343350
}
344351

345352
async function createNip98AuthHeader (url, method, body = null) {

0 commit comments

Comments
 (0)