(rawUrl: string, label: string)
| 68 | } |
| 69 | |
| 70 | export function assertSafeZoomInfoUrl(rawUrl: string, label: string): URL { |
| 71 | let parsed: URL |
| 72 | try { |
| 73 | parsed = new URL(rawUrl) |
| 74 | } catch { |
| 75 | throw new Error(`${label} must be a valid URL`) |
| 76 | } |
| 77 | if (parsed.protocol !== 'https:') { |
| 78 | throw new Error(`${label} must use https://`) |
| 79 | } |
| 80 | const host = parsed.hostname.toLowerCase() |
| 81 | if (FORBIDDEN_HOSTS.has(host)) { |
| 82 | throw new Error(`${label} host is not allowed`) |
| 83 | } |
| 84 | if (isPrivateIPv4(host)) { |
| 85 | throw new Error(`${label} host is not allowed (private/loopback range)`) |
| 86 | } |
| 87 | if (host !== 'api.zoominfo.com') { |
| 88 | throw new Error(`${label} host must be api.zoominfo.com`) |
| 89 | } |
| 90 | return parsed |
| 91 | } |
| 92 | |
| 93 | interface CachedToken { |
| 94 | accessToken: string |
no test coverage detected