Merge pull request #580 from ForgeRock/SDKS-4732/tv-fix

ryanbas21 · web-flow · commit 3b8616a41e2f · 2026-03-02T14:21:24.000-07:00
fix(token-vault): replace substring URL matching with strict equality
diff --git a/.changeset/config.json b/.changeset/config.json
@@ -13,7 +13,6 @@
   "baseBranch": "master",
   "updateInternalDependencies": "patch",
   "ignore": [
-    "@forgerock/token-vault",
     "autoscript-apps",
     "autoscript-suites",
     "mock-api",
diff --git a/.changeset/fix-url-interception-check.md b/.changeset/fix-url-interception-check.md
@@ -0,0 +1,5 @@
+---
+'@forgerock/token-vault': patch
+---
+
+fix(security): replace substring URL matching with strict equality in evaluateUrlForInterception to prevent URL allow-list bypass via query parameter injection
diff --git a/packages/token-vault/src/lib/network/network.utilities.test.ts b/packages/token-vault/src/lib/network/network.utilities.test.ts
@@ -35,11 +35,11 @@ describe('Test network utility functions', () => {
     expect(evaluateUrlForInterception(url, urls)).toBe(false);
   });
 
-  // Test evaluateUrlForInterception with matching URL containing blob
-  it('evaluateUrlForInterception should return true for matching URLs with blob', () => {
-    const urls = ['https://example.com', 'https://example.com/*'];
-    const url = 'blob:https://example.com/1234';
-    expect(evaluateUrlForInterception(url, urls)).toBe(true);
+  // Test evaluateUrlForInterception rejects URLs containing a valid URL as a query parameter
+  it('evaluateUrlForInterception should return false when valid URL appears as query parameter', () => {
+    const urls = ['https://valid.com'];
+    const url = 'https://evil.com?https://valid.com';
+    expect(evaluateUrlForInterception(url, urls)).toBe(false);
   });
 
   // Test extractOrigins
diff --git a/packages/token-vault/src/lib/network/network.utilities.ts b/packages/token-vault/src/lib/network/network.utilities.ts
@@ -109,7 +109,7 @@ export function evaluateUrlForInterception(url: string, urls: string[]) {
       }
     }
     // Do full URL matching
-    if (url.includes(u)) {
+    if (url === u) {
       return true;
     }
   }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@forgerock/token-vault': patch
 +---
++
 +fix(security): replace substring URL matching with strict equality in evaluateUrlForInterception to prevent URL allow-list bypass via query parameter injection
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ export function evaluateUrlForInterception(url: string, urls: string[]) {`
`109`	`109`	`}`
`110`	`110`	`}`
`111`	`111`	`// Do full URL matching`
`112`		`- if (url.includes(u)) {`
	`112`	`+ if (url === u) {`
`113`	`113`	`return true;`
`114`	`114`	`}`
`115`	`115`	`}`