Initial
This commit is contained in:
38
server/data/graphHosts.js
Normal file
38
server/data/graphHosts.js
Normal file
@@ -0,0 +1,38 @@
|
||||
// Allow-list of Microsoft Graph and Entra (Azure AD) login hosts across the
|
||||
// public, US Government, DoD, and China sovereign clouds. User-supplied Graph
|
||||
// connection URLs are validated against this list so the server cannot be
|
||||
// pointed at arbitrary internal endpoints (SSRF).
|
||||
|
||||
export const ALLOWED_GRAPH_HOSTS = new Set([
|
||||
'graph.microsoft.com',
|
||||
'graph.microsoft.us',
|
||||
'dod-graph.microsoft.us',
|
||||
'microsoftgraph.chinacloudapi.cn'
|
||||
]);
|
||||
|
||||
export const ALLOWED_AUTHORITY_HOSTS = new Set([
|
||||
'login.microsoftonline.com',
|
||||
'login.microsoftonline.us',
|
||||
'login.partner.microsoftonline.cn',
|
||||
'login.chinacloudapi.cn'
|
||||
]);
|
||||
|
||||
function hostnameOf(url) {
|
||||
try {
|
||||
const parsed = new URL(String(url));
|
||||
if (parsed.protocol !== 'https:') return null;
|
||||
return parsed.hostname.toLowerCase();
|
||||
} catch {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
export function isAllowedGraphHost(url) {
|
||||
const host = hostnameOf(url);
|
||||
return Boolean(host && ALLOWED_GRAPH_HOSTS.has(host));
|
||||
}
|
||||
|
||||
export function isAllowedAuthorityHost(url) {
|
||||
const host = hostnameOf(url);
|
||||
return Boolean(host && ALLOWED_AUTHORITY_HOSTS.has(host));
|
||||
}
|
||||
Reference in New Issue
Block a user