Commit d9667da
security: fix Solid server auto-trust hostname matching
Replace String.includes() with exact hostname matching via URL parsing.
The previous substring check allowed malicious domains containing the
trusted substring to pass (e.g. evil-solid.social.attacker.com matched
solid.social). Now uses new URL().hostname with exact match or subdomain
check (hostname.endsWith('.' + trusted)). Also removes the never-matching
'/.well-known/solid' entry since origins don't contain paths.
Co-Authored-By: claude-flow <ruv@ruv.net>1 parent b83f414 commit d9667da
1 file changed
Lines changed: 12 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
330 | 330 | | |
331 | 331 | | |
332 | 332 | | |
333 | | - | |
334 | | - | |
| 333 | + | |
| 334 | + | |
| 335 | + | |
| 336 | + | |
| 337 | + | |
| 338 | + | |
| 339 | + | |
| 340 | + | |
335 | 341 | | |
336 | 342 | | |
337 | 343 | | |
338 | | - | |
339 | | - | |
| 344 | + | |
340 | 345 | | |
341 | 346 | | |
342 | | - | |
| 347 | + | |
| 348 | + | |
| 349 | + | |
343 | 350 | | |
344 | 351 | | |
345 | 352 | | |
| |||
0 commit comments