fix(auth): sanitize authorization URL

superboy-zjc · superboy-zjc · commit c3e3b27a04d9 · 2025-08-06T13:00:08.000-07:00
diff --git a/client/package.json b/client/package.json
@@ -49,7 +49,8 @@
     "serve-handler": "^6.1.6",
     "tailwind-merge": "^2.5.3",
     "tailwindcss-animate": "^1.0.7",
-    "zod": "^3.25.76"
+    "zod": "^3.25.76",
+    "strict-url-sanitise": "^0.0.1"
   },
   "devDependencies": {
     "@eslint/js": "^9.11.1",
diff --git a/client/src/lib/auth.ts b/client/src/lib/auth.ts
@@ -8,6 +8,7 @@ import {
   OAuthMetadata,
 } from "@modelcontextprotocol/sdk/shared/auth.js";
 import { SESSION_KEYS, getServerSpecificKey } from "./constants";
+import { sanitizeUrl } from 'strict-url-sanitise';
 
 export const getClientInformationFromSessionStorage = async ({
   serverUrl,
@@ -129,7 +130,7 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {
   }
 
   redirectToAuthorization(authorizationUrl: URL) {
-    window.location.href = authorizationUrl.href;
+    window.location.href = sanitizeUrl(authorizationUrl.href);
   }
 
   saveCodeVerifier(codeVerifier: string) {

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import {`
`8`	`8`	`OAuthMetadata,`
`9`	`9`	`} from "@modelcontextprotocol/sdk/shared/auth.js";`
`10`	`10`	`import { SESSION_KEYS, getServerSpecificKey } from "./constants";`
	`11`	`+import { sanitizeUrl } from 'strict-url-sanitise';`
`11`	`12`
`12`	`13`	`export const getClientInformationFromSessionStorage = async ({`
`13`	`14`	`serverUrl,`
`@@ -129,7 +130,7 @@ export class InspectorOAuthClientProvider implements OAuthClientProvider {`
`129`	`130`	`}`
`130`	`131`
`131`	`132`	`redirectToAuthorization(authorizationUrl: URL) {`
`132`		`- window.location.href = authorizationUrl.href;`
	`133`	`+ window.location.href = sanitizeUrl(authorizationUrl.href);`
`133`	`134`	`}`
`134`	`135`
`135`	`136`	`saveCodeVerifier(codeVerifier: string) {`