fix: validate callback urls with starter-kitty validator (#306)

opengovsg · Jul 22, 2024 · d666cf3 · d666cf3
1 parent b8cf312
commit d666cf3
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 9 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -49,6 +49,7 @@
     "@hookform/resolvers": "^3.3.4",
     "@opengovsg/design-system-react": "^1.15.0",
     "@opengovsg/sgid-client": "^2.2.0",
+    "@opengovsg/starter-kitty-validators": "^1.0.1",
     "@paralleldrive/cuid2": "^2.2.2",
     "@prisma/client": "^5.7.1",
     "@sendgrid/mail": "^8.1.3",

diff --git a/src/schemas/url.ts b/src/schemas/url.ts
@@ -1,10 +1,31 @@
 import { z } from 'zod'
 import { HOME } from '~/lib/routes'
-import { isRelativeUrl } from '~/utils/url'
+import { UrlValidator } from '@opengovsg/starter-kitty-validators'
+import { getBaseUrl } from '~/utils/getBaseUrl'
+
+const baseUrl = getBaseUrl()
+
+const validator = new UrlValidator({
+  baseOrigin: new URL(baseUrl).origin,
+  whitelist: {
+    protocols: ['http', 'https'],
+    hosts: [new URL(baseUrl).host],
+  },
+})
 
 export const callbackUrlSchema = z
   .string()
   .optional()
   .default(HOME)
-  .refine((url) => url && isRelativeUrl(url))
-  .catch(HOME)
+  .transform((url, ctx) => {
+    try {
+      return validator.parse(url)
+    } catch (error) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: (error as Error).message,
+      })
+      return z.NEVER
+    }
+  })
+  .catch(new URL(HOME, baseUrl))