[Fix] Prevent storing external urls for stores (#3208)

arielj · web-flow · commit b95abc82aac3 · 2023-11-21T19:55:29.000Z
* Prevent storing external urls for stores

* Use sessionStorage instead of localStorage so last-url is not persisted
diff --git a/src/frontend/components/UI/Sidebar/components/SidebarLinks/index.tsx b/src/frontend/components/UI/Sidebar/components/SidebarLinks/index.tsx
@@ -93,7 +93,7 @@ export default function SidebarLinks() {
   }
 
   // if we have a stored last-url, default to the `/last-url` route
-  const lastStore = localStorage.getItem('last-store')
+  const lastStore = sessionStorage.getItem('last-store')
   if (lastStore) {
     defaultStore = lastStore
   }
diff --git a/src/frontend/screens/WebView/index.tsx b/src/frontend/screens/WebView/index.tsx
@@ -20,6 +20,19 @@ interface Props {
   store?: 'epic' | 'gog' | 'amazon'
 }
 
+const validStoredUrl = (url: string, store: 'epic' | 'gog' | 'amazon') => {
+  switch (store) {
+    case 'epic':
+      return url.includes('epicgames.com')
+    case 'gog':
+      return url.includes('gog.com')
+    case 'amazon':
+      return url.includes('gaming.amazon.com')
+    default:
+      return false
+  }
+}
+
 export default function WebView({ store }: Props) {
   const { i18n } = useTranslation()
   const { pathname, search } = useLocation()
@@ -71,9 +84,9 @@ export default function WebView({ store }: Props) {
   let startUrl = urls[pathname]
 
   if (store) {
-    localStorage.setItem('last-store', `/${store}store`)
-    const lastUrl = localStorage.getItem(`last-url-${store}`)
-    if (lastUrl) {
+    sessionStorage.setItem('last-store', `/${store}store`)
+    const lastUrl = sessionStorage.getItem(`last-url-${store}`)
+    if (lastUrl && validStoredUrl(lastUrl, store)) {
       startUrl = lastUrl
     }
   }
@@ -228,7 +241,10 @@ export default function WebView({ store }: Props) {
     const webview = webviewRef.current
     if (webview && store) {
       const onNavigate = () => {
-        localStorage.setItem(`last-url-${store}`, webview.getURL())
+        const url = webview.getURL()
+        if (validStoredUrl(url, store)) {
+          sessionStorage.setItem(`last-url-${store}`, webview.getURL())
+        }
       }
 
       // this one is needed for gog/amazon

Original file line number	Diff line number	Diff line change
`@@ -93,7 +93,7 @@ export default function SidebarLinks() {`
`93`	`93`	`}`
`94`	`94`
`95`	`95`	// if we have a stored last-url, default to the `/last-url` route
`96`		`- const lastStore = localStorage.getItem('last-store')`
	`96`	`+ const lastStore = sessionStorage.getItem('last-store')`
`97`	`97`	`if (lastStore) {`
`98`	`98`	`defaultStore = lastStore`
`99`	`99`	`}`