fix(token-vault): replace substring URL matching with strict equality

ryanbas21 · ryanbas21 · commit d319384f0a59 · 2026-02-26T13:35:17.000-07:00
Fixes a security vulnerability where evaluateUrlForInterception used .includes() for URL matching, allowing allow-list bypass via query parameter injection (e.g. https://evil.com?https://valid.com). Replaces .includes() with === for exact string comparison. Blob URLs now require explicit wildcard patterns (blob:https://origin/*). Also removes @forgerock/token-vault from changeset ignore list to enable re-release.
diff --git a/.changeset/config.json b/.changeset/config.json
@@ -13,7 +13,6 @@
   "baseBranch": "master",
   "updateInternalDependencies": "patch",
   "ignore": [
-    "@forgerock/token-vault",
     "autoscript-apps",
     "autoscript-suites",
     "mock-api",
diff --git a/.changeset/fix-url-interception-check.md b/.changeset/fix-url-interception-check.md
@@ -0,0 +1,5 @@
+---
+'@forgerock/token-vault': patch
+---
+
+fix(security): replace substring URL matching with strict equality in evaluateUrlForInterception to prevent URL allow-list bypass via query parameter injection
diff --git a/packages/token-vault/src/lib/network/network.utilities.test.ts b/packages/token-vault/src/lib/network/network.utilities.test.ts
@@ -35,13 +35,27 @@ describe('Test network utility functions', () => {
     expect(evaluateUrlForInterception(url, urls)).toBe(false);
   });
 
-  // Test evaluateUrlForInterception with matching URL containing blob
-  it('evaluateUrlForInterception should return true for matching URLs with blob', () => {
+  // Test evaluateUrlForInterception rejects blob URLs without explicit pattern
+  it('evaluateUrlForInterception should return false for blob URLs without explicit blob pattern', () => {
     const urls = ['https://example.com', 'https://example.com/*'];
     const url = 'blob:https://example.com/1234';
+    expect(evaluateUrlForInterception(url, urls)).toBe(false);
+  });
+
+  // Test evaluateUrlForInterception matches blob URLs with explicit wildcard pattern
+  it('evaluateUrlForInterception should return true for blob URLs with explicit blob wildcard', () => {
+    const urls = ['https://example.com', 'blob:https://example.com/*'];
+    const url = 'blob:https://example.com/1234';
     expect(evaluateUrlForInterception(url, urls)).toBe(true);
   });
 
+  // Test evaluateUrlForInterception rejects URLs containing a valid URL as a query parameter
+  it('evaluateUrlForInterception should return false when valid URL appears as query parameter', () => {
+    const urls = ['https://valid.com'];
+    const url = 'https://evil.com?https://valid.com';
+    expect(evaluateUrlForInterception(url, urls)).toBe(false);
+  });
+
   // Test extractOrigins
   it('extractOrigins should return an array of unique origins from array of URLs', () => {
     const expected = [
diff --git a/packages/token-vault/src/lib/network/network.utilities.ts b/packages/token-vault/src/lib/network/network.utilities.ts
@@ -109,7 +109,7 @@ export function evaluateUrlForInterception(url: string, urls: string[]) {
       }
     }
     // Do full URL matching
-    if (url.includes(u)) {
+    if (url === u) {
       return true;
     }
   }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@forgerock/token-vault': patch
 +---
++
 +fix(security): replace substring URL matching with strict equality in evaluateUrlForInterception to prevent URL allow-list bypass via query parameter injection
Original file line number	Diff line number	Diff line change
`@@ -109,7 +109,7 @@ export function evaluateUrlForInterception(url: string, urls: string[]) {`
`109`	`109`	`}`
`110`	`110`	`}`
`111`	`111`	`// Do full URL matching`
`112`		`- if (url.includes(u)) {`
	`112`	`+ if (url === u) {`
`113`	`113`	`return true;`
`114`	`114`	`}`
`115`	`115`	`}`