
Potential fix for code scanning alert no. 435: Incomplete URL substring sanitization

Open 1Lucas1apk opened this issue 8 months ago • 0 comments

Potential fix for https://github.com/Ecliptia/moonlink.js/security/code-scanning/435

To fix the issue, the match function should parse the URL and validate its host explicitly. Instead of checking if 'spotify.com' is a substring of the URL, the function should use a URL parser to extract the host and compare it against a whitelist of allowed hosts. This ensures that only valid Spotify URLs are matched.

The url parameter should be parsed using the URL class, which is built into Node.js. The host of the parsed URL can then be compared against a predefined list of allowed Spotify hosts, such as open.spotify.com and api.spotify.com.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

1Lucas1apk, Apr 28 '25 17:04