Home Esplora Aiuto
Accedi
seven
/
bot-28
1
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Albero (Tree): c79d79ff8e
Rami (Branch) Tag
bot-28
/
node
/
node_modules
/
validator
/
lib
/
isURL.js

isURL.js 10 KB
Cronologia Originale

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243 
  1. "use strict";
    2. 

  2. 

  3. Object.defineProperty(exports, "__esModule", {
    4. 

  4.   value: true
    5. 

  5. });
    6. 

  6. exports.default = isURL;
    7. 

  7. var _assertString = _interopRequireDefault(require("./util/assertString"));
    8. 

  8. var _checkHost = _interopRequireDefault(require("./util/checkHost"));
    9. 

  9. var _includesString = _interopRequireDefault(require("./util/includesString"));
    10. 

  10. var _isFQDN = _interopRequireDefault(require("./isFQDN"));
    11. 

  11. var _isIP = _interopRequireDefault(require("./isIP"));
    12. 

  12. var _merge = _interopRequireDefault(require("./util/merge"));
    13. 

  13. function _interopRequireDefault(e) { return e && e.__esModule ? e : { default: e }; }
    14. 

  14. function _slicedToArray(r, e) { return _arrayWithHoles(r) || _iterableToArrayLimit(r, e) || _unsupportedIterableToArray(r, e) || _nonIterableRest(); }
    15. 

  15. function _nonIterableRest() { throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
    16. 

  16. function _unsupportedIterableToArray(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray(r, a) : void 0; } }
    17. 

  17. function _arrayLikeToArray(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
    18. 

  18. function _iterableToArrayLimit(r, l) { var t = null == r ? null : "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (null != t) { var e, n, i, u, a = [], f = !0, o = !1; try { if (i = (t = t.call(r)).next, 0 === l) { if (Object(t) !== t) return; f = !1; } else for (; !(f = (e = i.call(t)).done) && (a.push(e.value), a.length !== l); f = !0); } catch (r) { o = !0, n = r; } finally { try { if (!f && null != t.return && (u = t.return(), Object(u) !== u)) return; } finally { if (o) throw n; } } return a; } }
    19. 

  19. function _arrayWithHoles(r) { if (Array.isArray(r)) return r; }
    20. 

  20. /*
    21. 

  21. options for isURL method
    22. 

  22. 

  23. protocols - valid protocols can be modified with this option.
    24. 

  24. require_tld - If set to false isURL will not check if the URL's host includes a top-level domain.
    25. 

  25. require_protocol - if set to true isURL will return false if protocol is not present in the URL.
    26. 

  26. require_host - if set to false isURL will not check if host is present in the URL.
    27. 

  27. require_port - if set to true isURL will check if port is present in the URL.
    28. 

  28. require_valid_protocol - isURL will check if the URL's protocol is present in the protocols option.
    29. 

  29. allow_underscores - if set to true, the validator will allow underscores in the URL.
    30. 

  30. host_whitelist - if set to an array of strings or regexp, and the domain matches none of the strings
    31. 

  31.                  defined in it, the validation fails.
    32. 

  32. host_blacklist - if set to an array of strings or regexp, and the domain matches any of the strings
    33. 

  33.                  defined in it, the validation fails.
    34. 

  34. allow_trailing_dot - if set to true, the validator will allow the domain to end with
    35. 

  35.                      a `.` character.
    36. 

  36. allow_protocol_relative_urls - if set to true protocol relative URLs will be allowed.
    37. 

  37. allow_fragments - if set to false isURL will return false if fragments are present.
    38. 

  38. allow_query_components - if set to false isURL will return false if query components are present.
    39. 

  39. disallow_auth - if set to true, the validator will fail if the URL contains an authentication
    40. 

  40.                 component, e.g. `http://username:password@example.com`
    41. 

  41. validate_length - if set to false isURL will skip string length validation. `max_allowed_length`
    42. 

  42.                   will be ignored if this is set as `false`.
    43. 

  43. max_allowed_length - if set, isURL will not allow URLs longer than the specified value (default is
    44. 

  44.                      2084 that IE maximum URL length).
    45. 

  45. 

  46. */
    47. 

  47. 

  48. var default_url_options = {
    49. 

  49.   protocols: ['http', 'https', 'ftp'],
    50. 

  50.   require_tld: true,
    51. 

  51.   require_protocol: false,
    52. 

  52.   require_host: true,
    53. 

  53.   require_port: false,
    54. 

  54.   require_valid_protocol: true,
    55. 

  55.   allow_underscores: false,
    56. 

  56.   allow_trailing_dot: false,
    57. 

  57.   allow_protocol_relative_urls: false,
    58. 

  58.   allow_fragments: true,
    59. 

  59.   allow_query_components: true,
    60. 

  60.   validate_length: true,
    61. 

  61.   max_allowed_length: 2084
    62. 

  62. };
    63. 

  63. var wrapped_ipv6 = /^\[([^\]]+)\](?::([0-9]+))?$/;
    64. 

  64. function isURL(url, options) {
    65. 

  65.   (0, _assertString.default)(url);
    66. 

  66.   if (!url || /[\s<>]/.test(url)) {
    67. 

  67.     return false;
    68. 

  68.   }
    69. 

  69.   if (url.indexOf('mailto:') === 0) {
    70. 

  70.     return false;
    71. 

  71.   }
    72. 

  72.   options = (0, _merge.default)(options, default_url_options);
    73. 

  73.   if (options.validate_length && url.length > options.max_allowed_length) {
    74. 

  74.     return false;
    75. 

  75.   }
    76. 

  76.   if (!options.allow_fragments && (0, _includesString.default)(url, '#')) {
    77. 

  77.     return false;
    78. 

  78.   }
    79. 

  79.   if (!options.allow_query_components && ((0, _includesString.default)(url, '?') || (0, _includesString.default)(url, '&'))) {
    80. 

  80.     return false;
    81. 

  81.   }
    82. 

  82.   var protocol, auth, host, hostname, port, port_str, split, ipv6;
    83. 

  83.   split = url.split('#');
    84. 

  84.   url = split.shift();
    85. 

  85.   split = url.split('?');
    86. 

  86.   url = split.shift();
    87. 

  87. 

  88.   // Replaced the 'split("://")' logic with a regex to match the protocol.
    89. 

  89.   // This correctly identifies schemes like `javascript:` which don't use `//`.
    90. 

  90.   // However, we need to be careful not to confuse authentication credentials (user:password@host)
    91. 

  91.   // with protocols. A colon before an @ symbol might be part of auth, not a protocol separator.
    92. 

  92.   var protocol_match = url.match(/^([a-z][a-z0-9+\-.]*):/i);
    93. 

  93.   var had_explicit_protocol = false;
    94. 

  94.   var cleanUpProtocol = function cleanUpProtocol(potential_protocol) {
    95. 

  95.     had_explicit_protocol = true;
    96. 

  96.     protocol = potential_protocol.toLowerCase();
    97. 

  97.     if (options.require_valid_protocol && options.protocols.indexOf(protocol) === -1) {
    98. 

  98.       // The identified protocol is not in the allowed list.
    99. 

  99.       return false;
    100. 

  100.     }
    101. 

  101. 

  102.     // Remove the protocol from the URL string.
    103. 

  103.     return url.substring(protocol_match[0].length);
    104. 

  104.   };
    105. 

  105.   if (protocol_match) {
    106. 

  106.     var potential_protocol = protocol_match[1];
    107. 

  107.     var after_colon = url.substring(protocol_match[0].length);
    108. 

  108. 

  109.     // Check if what follows looks like authentication credentials (user:password@host)
    110. 

  110.     // rather than a protocol. This happens when:
    111. 

  111.     // 1. There's no `//` after the colon (protocols like `http://` have this)
    112. 

  112.     // 2. There's an `@` symbol before any `/`
    113. 

  113.     // 3. The part before `@` contains only valid auth characters (alphanumeric, -, _, ., %, :)
    114. 

  114.     var starts_with_slashes = after_colon.slice(0, 2) === '//';
    115. 

  115.     if (!starts_with_slashes) {
    116. 

  116.       var first_slash_position = after_colon.indexOf('/');
    117. 

  117.       var before_slash = first_slash_position === -1 ? after_colon : after_colon.substring(0, first_slash_position);
    118. 

  118.       var at_position = before_slash.indexOf('@');
    119. 

  119.       if (at_position !== -1) {
    120. 

  120.         var before_at = before_slash.substring(0, at_position);
    121. 

  121.         var valid_auth_regex = /^[a-zA-Z0-9\-_.%:]*$/;
    122. 

  122.         var is_valid_auth = valid_auth_regex.test(before_at);
    123. 

  123.         if (is_valid_auth) {
    124. 

  124.           // This looks like authentication (e.g., user:password@host), not a protocol
    125. 

  125.           if (options.require_protocol) {
    126. 

  126.             return false;
    127. 

  127.           }
    128. 

  128. 

  129.           // Don't consume the colon; let the auth parsing handle it later
    130. 

  130.         } else {
    131. 

  131.           // This looks like a malicious protocol (e.g., javascript:alert();@host)
    132. 

  132.           url = cleanUpProtocol(potential_protocol);
    133. 

  133.           if (url === false) {
    134. 

  134.             return false;
    135. 

  135.           }
    136. 

  136.         }
    137. 

  137.       } else {
    138. 

  138.         // No @ symbol found. Check if this could be a port number instead of a protocol.
    139. 

  139.         // If what's after the colon is numeric (or starts with a digit and contains only
    140. 

  140.         // valid port characters until a path separator), it's likely hostname:port, not a protocol.
    141. 

  141.         var looks_like_port = /^[0-9]/.test(after_colon);
    142. 

  142.         if (looks_like_port) {
    143. 

  143.           // This looks like hostname:port, not a protocol
    144. 

  144.           if (options.require_protocol) {
    145. 

  145.             return false;
    146. 

  146.           }
    147. 

  147.           // Don't consume anything; let it be parsed as hostname:port
    148. 

  148.         } else {
    149. 

  149.           // This is definitely a protocol
    150. 

  150.           url = cleanUpProtocol(potential_protocol);
    151. 

  151.           if (url === false) {
    152. 

  152.             return false;
    153. 

  153.           }
    154. 

  154.         }
    155. 

  155.       }
    156. 

  156.     } else {
    157. 

  157.       // Starts with '//', this is definitely a protocol like http://
    158. 

  158.       url = cleanUpProtocol(potential_protocol);
    159. 

  159.       if (url === false) {
    160. 

  160.         return false;
    161. 

  161.       }
    162. 

  162.     }
    163. 

  163.   } else if (options.require_protocol) {
    164. 

  164.     return false;
    165. 

  165.   }
    166. 

  166. 

  167.   // Handle leading '//' only as protocol-relative when there was NO explicit protocol.
    168. 

  168.   // If there was an explicit protocol, '//' is the normal separator
    169. 

  169.   // and should be stripped unconditionally.
    170. 

  170.   if (url.slice(0, 2) === '//') {
    171. 

  171.     if (!had_explicit_protocol && !options.allow_protocol_relative_urls) {
    172. 

  172.       return false;
    173. 

  173.     }
    174. 

  174.     url = url.slice(2);
    175. 

  175.   }
    176. 

  176.   if (url === '') {
    177. 

  177.     return false;
    178. 

  178.   }
    179. 

  179.   split = url.split('/');
    180. 

  180.   url = split.shift();
    181. 

  181.   if (url === '' && !options.require_host) {
    182. 

  182.     return true;
    183. 

  183.   }
    184. 

  184.   split = url.split('@');
    185. 

  185.   if (split.length > 1) {
    186. 

  186.     if (options.disallow_auth) {
    187. 

  187.       return false;
    188. 

  188.     }
    189. 

  189.     if (split[0] === '') {
    190. 

  190.       return false;
    191. 

  191.     }
    192. 

  192.     auth = split.shift();
    193. 

  193.     if (auth.indexOf(':') >= 0 && auth.split(':').length > 2) {
    194. 

  194.       return false;
    195. 

  195.     }
    196. 

  196.     var _auth$split = auth.split(':'),
    197. 

  197.       _auth$split2 = _slicedToArray(_auth$split, 2),
    198. 

  198.       user = _auth$split2[0],
    199. 

  199.       password = _auth$split2[1];
    200. 

  200.     if (user === '' && password === '') {
    201. 

  201.       return false;
    202. 

  202.     }
    203. 

  203.   }
    204. 

  204.   hostname = split.join('@');
    205. 

  205.   port_str = null;
    206. 

  206.   ipv6 = null;
    207. 

  207.   var ipv6_match = hostname.match(wrapped_ipv6);
    208. 

  208.   if (ipv6_match) {
    209. 

  209.     host = '';
    210. 

  210.     ipv6 = ipv6_match[1];
    211. 

  211.     port_str = ipv6_match[2] || null;
    212. 

  212.   } else {
    213. 

  213.     split = hostname.split(':');
    214. 

  214.     host = split.shift();
    215. 

  215.     if (split.length) {
    216. 

  216.       port_str = split.join(':');
    217. 

  217.     }
    218. 

  218.   }
    219. 

  219.   if (port_str !== null && port_str.length > 0) {
    220. 

  220.     port = parseInt(port_str, 10);
    221. 

  221.     if (!/^[0-9]+$/.test(port_str) || port <= 0 || port > 65535) {
    222. 

  222.       return false;
    223. 

  223.     }
    224. 

  224.   } else if (options.require_port) {
    225. 

  225.     return false;
    226. 

  226.   }
    227. 

  227.   if (options.host_whitelist) {
    228. 

  228.     return (0, _checkHost.default)(host, options.host_whitelist);
    229. 

  229.   }
    230. 

  230.   if (host === '' && !options.require_host) {
    231. 

  231.     return true;
    232. 

  232.   }
    233. 

  233.   if (!(0, _isIP.default)(host) && !(0, _isFQDN.default)(host, options) && (!ipv6 || !(0, _isIP.default)(ipv6, 6))) {
    234. 

  234.     return false;
    235. 

  235.   }
    236. 

  236.   host = host || ipv6;
    237. 

  237.   if (options.host_blacklist && (0, _checkHost.default)(host, options.host_blacklist)) {
    238. 

  238.     return false;
    239. 

  239.   }
    240. 

  240.   return true;
    241. 

  241. }
    242. 

  242. module.exports = exports.default;
    243. 

  243. module.exports.default = exports.default;
    244.