fix(ws): stricter check on web socket origins

To avoid CORS vulnerabilities
vuejs · Oct 11, 2021 · c3be5ee · c3be5ee
1 parent a8b74b4
commit c3be5ee
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/packages/@vue/cli/lib/ui.js b/packages/@vue/cli/lib/ui.js
@@ -6,10 +6,14 @@ const { setNotificationCallback } = require('@vue/cli-ui/apollo-server/util/noti
 function simpleCorsValidation (allowedHost) {
   return function (req, socket) {
     const { host, origin } = req.headers
-    // maybe we should just use strict string equal?
-    const hostRegExp = new RegExp(`^https?://(${host}|${allowedHost}|localhost)(:\\d+)?$`)
 
-    if (!origin || !hostRegExp.test(origin)) {
+    const safeOrigins = [
+      host,
+      allowedHost,
+      'localhost'
+    ]
+
+    if (!origin || !safeOrigins.includes(new URL(origin).hostname)) {
       socket.destroy()
     }
   }