fix(ShadyURL): ignore valid URL with unknown protocol (#436)

Author: fraxken

.changeset/vast-emus-reply.md

@@ -0,0 +1,5 @@
+---
+"@nodesecure/js-x-ray": patch
+---
+
+Ignore valid URL with unknown protocol

workspaces/js-x-ray/src/ShadyURL.ts

@@ -7,6 +7,39 @@ const kShadyLinkRegExps = [
   /(http[s]?:\/\/.*\.(link|xyz|tk|ml|ga|cf|gq|pw|top|club|mw|bd|ke|am|sbs|date|quest|cd|bid|ws|icu|cam|uno|email|stream))$/
 ];
 
+// List of known URI schemes (IANA registered + common ones)
+// See: https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml
+const kKnownProtocols = new Set([
+  // Web
+  "http:", "https:",
+  // File & Data
+  "file:", "data:", "blob:",
+  // FTP
+  "ftp:", "ftps:", "sftp:", "tftp:",
+  // Mail & Messaging
+  "mailto:", "xmpp:", "irc:", "ircs:", "sip:", "sips:", "tel:", "sms:", "mms:",
+  // Remote access
+  "ssh:", "telnet:", "vnc:", "rdp:",
+  // Version control
+  "git:", "svn:", "cvs:", "hg:",
+  // P2P & Torrents
+  "magnet:", "ed2k:", "torrent:",
+  // Crypto & Blockchain
+  "bitcoin:", "ethereum:", "ipfs:", "ipns:",
+  // App-specific
+  "slack:", "discord:", "spotify:", "steam:", "skype:", "zoommtg:", "msteams:",
+  "vscode:", "vscode-insiders:", "jetbrains:",
+  // Mobile & Desktop deep links
+  "intent:", "market:", "itms:", "itms-apps:", "fb:", "twitter:", "instagram:", "whatsapp:", "tg:",
+  // Other common protocols
+  "ws:", "wss:", "ldap:", "ldaps:", "nntp:", "news:", "rtsp:", "rtspu:", "rtsps:",
+  "webcal:", "feed:", "podcast:",
+  // eslint-disable-next-line no-script-url
+  "javascript:", "about:", "view-source:",
+  // Security related
+  "acap:", "cap:", "cid:", "mid:", "urn:", "tag:", "dns:", "geo:", "ni:", "nih:"
+]);
+
 export class ShadyURL {
   static isSafe(
     input: string
@@ -16,6 +49,11 @@ export class ShadyURL {
     }
 
     const parsedUrl = new URL(input);
+    // Unknown protocol, not a real URL
+    if (!kKnownProtocols.has(parsedUrl.protocol)) {
+      return true;
+    }
+
     const hostname = parsedUrl.hostname;
     if (ipaddress.isValid(hostname)) {
       if (this.#isPrivateIPAddress(hostname)) {

workspaces/js-x-ray/test/ShadyURL.spec.ts

@@ -15,6 +15,10 @@ describe("ShadyURL.isSafe()", () => {
       assert.equal(ShadyURL.isSafe(""), true);
     });
 
+    it("should return true for a valid URL but with unknown protocol", () => {
+      assert.equal(ShadyURL.isSafe("unknown://example.com"), true);
+    });
+
     it("should return true for a malformed URL", () => {
       assert.equal(ShadyURL.isSafe("http://"), true);
     });

workspaces/js-x-ray/test/issues/434-shady-link-require.spec.ts

@@ -0,0 +1,16 @@
+// Import Node.js Dependencies
+import { test } from "node:test";
+import assert from "node:assert/strict";
+
+// Import Internal Dependencies
+import { AstAnalyser } from "../../src/index.js";
+
+// Regression test for https://github.com/NodeSecure/js-x-ray/issues/434
+test("it should not return shady-link warning", () => {
+  const { warnings } = new AstAnalyser().analyse(`
+    var debug = require('debug')('express:view');
+  `);
+
+  assert.strictEqual(warnings.length, 0);
+});
+