
Commit ef83130

fix(media-embed): gate provider detection on parsed hostname
Validate each platform against the URL's parsed host before extracting, so a look-alike host (youtube.com.evil.com) or a provider domain in the path (evil.com/youtube.com/...) can no longer render a trusted-looking embed. Dropbox is no longer a special case — all providers share the hostMatches gate. Also consolidates the five Spotify branches and orders Twitch clip before channel.
1 parent 647c498 commit ef83130

2 files changed

Lines changed: 230 additions & 184 deletions

File tree

packages/utils/src/media-embed.test.ts

Lines changed: 14 additions & 0 deletions
@@ -37,6 +37,20 @@ describe('getEmbedInfo', () => {
3737
expect(getEmbedInfo('not a url')).toBeNull()
3838
})
3939

40+
it('only embeds when the parsed host belongs to the provider', () => {
41+
// A provider domain in the path or as a subdomain prefix of an attacker host
42+
// must not be treated as that provider.
43+
expect(getEmbedInfo('https://evil.com/youtube.com/watch?v=dQw4w9WgXcQ')).toBeNull()
44+
expect(getEmbedInfo('https://youtube.com.evil.com/watch?v=dQw4w9WgXcQ')).toBeNull()
45+
expect(getEmbedInfo('https://evil.com/open.spotify.com/track/abc123')).toBeNull()
46+
expect(getEmbedInfo('https://vimeo.com.evil.com/123456')).toBeNull()
47+
// Legitimate subdomains of a provider still embed.
48+
expect(getEmbedInfo('https://m.youtube.com/watch?v=dQw4w9WgXcQ')).toEqual({
49+
url: 'https://www.youtube.com/embed/dQw4w9WgXcQ',
50+
type: 'iframe',
51+
})
52+
})
53+
4054
describe('Dropbox', () => {
4155
it('rewrites a Dropbox video share link to a direct streamable URL', () => {
4256
expect(getEmbedInfo('https://www.dropbox.com/s/abc/clip.mp4?dl=0')).toEqual({
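Review bot: the new test covers only a subdomain-prefix look-alike and a provider name in the path; add a case where the provider name is merely a suffix of the host (e.g. `https://fakeyoutube.com/watch?v=dQw4w9WgXcQ`), since a `hostMatches` built on `endsWith('youtube.com')` without the leading dot would still accept it, and a userinfo case (`https://youtube.com@evil.com/watch?v=dQw4w9WgXcQ`) to confirm the gate reads the parsed hostname rather than the raw string. The commit message also drops the Dropbox special case and orders Twitch clip before channel, but neither is exercised here; a Dropbox look-alike host (`https://dropbox.com.evil.com/s/abc/clip.mp4`) expected to return null and a Twitch clip URL assertion would lock in those changes.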
