mirror of
https://github.com/simstudioai/sim.git
synced 2026-02-05 04:05:14 -05:00
a627faabe7
* feat(timeouts): execution timeout limits * fix type issues * add to docs * update stale exec cleanup route * update more callsites * update tests * address bugbot comments * remove import expression * support streaming and async paths' * fix streaming path * add hitl and workflow handler * make sync path match * consolidate * timeout errors * validation errors typed * import order * Merge staging into feat/timeout-lims Resolved conflicts: - stt/route.ts: Keep both execution timeout and security imports - textract/parse/route.ts: Keep both execution timeout and validation imports - use-workflow-execution.ts: Keep cancellation console entry from feature branch - input-validation.ts: Remove server functions (moved to .server.ts in staging) - tools/index.ts: Keep execution timeout, use .server import for security * make run from block consistent * revert console update change * fix subflow errors * clean up base 64 cache correctly * update docs * consolidate workflow execution and run from block hook code * remove unused constant * fix cleanup base64 sse * fix run from block tracespan
63 lines
1.8 KiB
TypeScript
63 lines
1.8 KiB
TypeScript
import { getBaseUrl } from './urls'
|
|
|
|
/**
|
|
* Checks if a URL is same-origin with the application's base URL.
|
|
* Used to prevent open redirect vulnerabilities.
|
|
*
|
|
* @param url - The URL to validate
|
|
* @returns True if the URL is same-origin, false otherwise (secure default)
|
|
*/
|
|
export function isSameOrigin(url: string): boolean {
|
|
try {
|
|
const targetUrl = new URL(url)
|
|
const appUrl = new URL(getBaseUrl())
|
|
return targetUrl.origin === appUrl.origin
|
|
} catch {
|
|
return false
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Validates a name by removing any characters that could cause issues
|
|
* with variable references or node naming.
|
|
*
|
|
* @param name - The name to validate
|
|
* @returns The validated name with invalid characters removed, trimmed, and collapsed whitespace
|
|
*/
|
|
export function validateName(name: string): string {
|
|
return name
|
|
.replace(/[^a-zA-Z0-9_\s]/g, '') // Remove invalid characters
|
|
.replace(/\s+/g, ' ') // Collapse multiple spaces into single spaces
|
|
}
|
|
|
|
/**
|
|
* Checks if a name contains invalid characters
|
|
*
|
|
* @param name - The name to check
|
|
* @returns True if the name is valid, false otherwise
|
|
*/
|
|
export function isValidName(name: string): boolean {
|
|
return /^[a-zA-Z0-9_\s]*$/.test(name)
|
|
}
|
|
|
|
/**
|
|
* Gets a list of invalid characters in a name
|
|
*
|
|
* @param name - The name to check
|
|
* @returns Array of invalid characters found
|
|
*/
|
|
export function getInvalidCharacters(name: string): string[] {
|
|
const invalidChars = name.match(/[^a-zA-Z0-9_\s]/g)
|
|
return invalidChars ? [...new Set(invalidChars)] : []
|
|
}
|
|
|
|
/**
|
|
* Escapes non-ASCII characters in JSON string for HTTP header safety.
|
|
* Dropbox API requires characters 0x7F and all non-ASCII to be escaped as \uXXXX.
|
|
*/
|
|
export function httpHeaderSafeJson(value: object): string {
|
|
return JSON.stringify(value).replace(/[\u007f-\uffff]/g, (c) => {
|
|
return `\\u${(`0000${c.charCodeAt(0).toString(16)}`).slice(-4)}`
|
|
})
|
|
}
|