Overview
Validates URLs for safe redirection and detects private/local network addresses to prevent SSRF and XSS attacks.
Description
This module provides two security-focused URL validation functions. validateRedirectUrl ensures that a given URL uses only HTTP or HTTPS protocols, throwing an error for any other scheme (such as javascript: or data:) to prevent XSS attacks via URL injection. It also catches malformed URLs and throws a descriptive error. isPrivateOrLocalAddress checks whether a URL points to a private or local network address, detecting localhost variants (localhost, 127.0.0.1, ::1), RFC 1918 private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), and .local domain suffixes. This function is essential for preventing Server-Side Request Forgery (SSRF) by blocking requests to internal infrastructure.
Usage
Use validateRedirectUrl before performing any URL-based redirection, especially with user-provided or externally-sourced URLs (e.g., OAuth callback URLs). Use isPrivateOrLocalAddress when validating webhook URLs, API endpoint configurations, or any user-provided URL that will be fetched server-side.
Code Reference
Source Location
Signature
export function validateRedirectUrl(url: string): void
export function isPrivateOrLocalAddress(url: string): boolean
Import
import { validateRedirectUrl, isPrivateOrLocalAddress } from '@/utils/urlValidation'
I/O Contract
Inputs (validateRedirectUrl)

| Name | Type | Required | Description |
|------|------|----------|-------------|
| url | string | Yes | The URL string to validate for safe redirection |
Inputs (isPrivateOrLocalAddress)

| Name | Type | Required | Description |
|------|------|----------|-------------|
| url | string | Yes | The URL string to check for private/local network addresses |
Outputs (validateRedirectUrl)

| Name | Type | Description |
|------|------|-------------|
| (return value) | void | Returns nothing on success; throws Error if the URL uses an unsafe protocol or is malformed |
Outputs (isPrivateOrLocalAddress)

| Name | Type | Description |
|------|------|-------------|
| (return value) | boolean | true if the URL hostname is a private/local address; false otherwise (also returns false for malformed URLs) |
Usage Examples
Validate a Redirect URL
```typescript
import { validateRedirectUrl } from '@/utils/urlValidation'

// Safe URL - no error thrown
validateRedirectUrl('https://example.com/callback')

// Unsafe URL - throws Error
try {
  validateRedirectUrl('javascript:alert(1)')
} catch (err) {
  // err.message: 'Authorization URL must be HTTP or HTTPS'
}

// Malformed URL - throws Error
try {
  validateRedirectUrl('not-a-valid-url')
} catch (err) {
  // err.message: 'Invalid URL: not-a-valid-url'
}
```
Check for Private/Local Addresses
```typescript
import { isPrivateOrLocalAddress } from '@/utils/urlValidation'

isPrivateOrLocalAddress('http://localhost:3000')           // true
isPrivateOrLocalAddress('http://127.0.0.1:8080')           // true
isPrivateOrLocalAddress('http://10.0.1.5/api')             // true
isPrivateOrLocalAddress('http://172.16.0.1/webhook')       // true
isPrivateOrLocalAddress('http://192.168.1.100/hook')       // true
isPrivateOrLocalAddress('http://169.254.169.254/meta')     // true (link-local / cloud metadata)
isPrivateOrLocalAddress('http://myhost.local/api')         // true
isPrivateOrLocalAddress('https://api.example.com/hook')    // false
```
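Reference Implementation

The following is an added example that reproduces the behaviour documented on this page; it is not the project's own source in `@/utils/urlValidation`. It assumes the WHATWG `URL` API (Node.js or browsers), which lowercases the host, strips the port, and keeps IPv6 hosts bracketed, so the checks run on a normalized hostname rather than on the raw string.

```typescript
// Added example, not the project's own code. Assumes the WHATWG URL API.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

export function validateRedirectUrl(url: string): void {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch {
    throw new Error(`Invalid URL: ${url}`);
  }
  // Rejects javascript:, data:, file: and any other non-web scheme.
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    throw new Error('Authorization URL must be HTTP or HTTPS');
  }
}

// Parses a dotted-quad IPv4 hostname into four octets; null for anything else.
function parseIPv4(host: string): number[] | null {
  const parts = host.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

export function isPrivateOrLocalAddress(url: string): boolean {
  let host: string;
  try {
    // hostname is already lowercased and has no port; IPv6 keeps its brackets.
    host = new URL(url).hostname;
  } catch {
    return false; // malformed URLs are reported as not private, as documented
  }
  if (host === 'localhost' || host === '127.0.0.1' || host === '[::1]') return true;
  if (host.endsWith('.local')) return true;
  const ip = parseIPv4(host);
  if (ip === null) return false;
  const [a, b] = ip;
  return (
    a === 10 ||                           // 10.0.0.0/8
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12
    (a === 192 && b === 168) ||           // 192.168.0.0/16
    (a === 169 && b === 254)              // 169.254.0.0/16 link-local / cloud metadata
  );
}
```

Note that a public hostname can still resolve to a private address at fetch time (DNS rebinding), so this hostname check belongs alongside, not instead of, egress controls on the server making the request.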