39 lines
1.1 KiB
JavaScript
39 lines
1.1 KiB
JavaScript
// Allow-list of Microsoft Graph and Entra (Azure AD) login hosts across the
|
|
// public, US Government, DoD, and China sovereign clouds. User-supplied Graph
|
|
// connection URLs are validated against this list so the server cannot be
|
|
// pointed at arbitrary internal endpoints (SSRF).
|
|
|
|
export const ALLOWED_GRAPH_HOSTS = new Set([
|
|
'graph.microsoft.com',
|
|
'graph.microsoft.us',
|
|
'dod-graph.microsoft.us',
|
|
'microsoftgraph.chinacloudapi.cn'
|
|
]);
|
|
|
|
export const ALLOWED_AUTHORITY_HOSTS = new Set([
|
|
'login.microsoftonline.com',
|
|
'login.microsoftonline.us',
|
|
'login.partner.microsoftonline.cn',
|
|
'login.chinacloudapi.cn'
|
|
]);
|
|
|
|
function hostnameOf(url) {
|
|
try {
|
|
const parsed = new URL(String(url));
|
|
if (parsed.protocol !== 'https:') return null;
|
|
return parsed.hostname.toLowerCase();
|
|
} catch {
|
|
return null;
|
|
}
|
|
}
|
|
|
|
export function isAllowedGraphHost(url) {
|
|
const host = hostnameOf(url);
|
|
return Boolean(host && ALLOWED_GRAPH_HOSTS.has(host));
|
|
}
|
|
|
|
export function isAllowedAuthorityHost(url) {
|
|
const host = hostnameOf(url);
|
|
return Boolean(host && ALLOWED_AUTHORITY_HOSTS.has(host));
|
|
}
|