Sanitizing URLs before invoking open()

Author: geelen

src/lib/node-oauth-client-provider.ts

@@ -9,7 +9,7 @@ import {
 import type { OAuthProviderOptions, StaticOAuthClientMetadata } from './types'
 import { readJsonFile, writeJsonFile, readTextFile, writeTextFile, deleteConfigFile } from './mcp-auth-config'
 import { StaticOAuthClientInformationFull } from './types'
-import { getServerUrlHash, log, debugLog, DEBUG, MCP_REMOTE_VERSION } from './utils'
+import { getServerUrlHash, log, debugLog, DEBUG, MCP_REMOTE_VERSION, sanitizeUrl } from './utils'
 import { randomUUID } from 'node:crypto'
 
 /**
@@ -172,7 +172,7 @@ export class NodeOAuthClientProvider implements OAuthClientProvider {
     if (DEBUG) debugLog('Redirecting to authorization URL', authorizationUrl.toString())
 
     try {
-      await open(authorizationUrl.toString())
+      await open(sanitizeUrl(authorizationUrl.toString()))
       log('Browser opened automatically.')
     } catch (error) {
       log('Could not open browser automatically. Please copy and paste the URL above into your browser.')

src/lib/utils.ts

@@ -704,3 +704,19 @@ export function setupSignalHandlers(cleanup: () => Promise<void>) {
 export function getServerUrlHash(serverUrl: string): string {
   return crypto.createHash('md5').update(serverUrl).digest('hex')
 }
+
+export function sanitizeUrl(raw: string) {
+  const url = new URL(raw)
+  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
+    throw new Error(`Invalid url to pass to open(): ${url}`)
+  }
+  url.hostname = encodeURIComponent(url.hostname)
+  url.pathname = url.pathname.slice(0, 1) + encodeURIComponent(url.pathname.slice(1))
+  url.search = url.search.slice(0, 1) + Array.from(url.searchParams.entries()).map(sanitizeParam).join('&')
+  url.hash = url.hash.slice(0, 1) + encodeURIComponent(url.hash.slice(1))
+  return url.href
+}
+
+function sanitizeParam([k, v]: [string, string]) {
+  return `${encodeURIComponent(k)}${v.length > 0 ? `=${encodeURIComponent(v)}` : ''}`
+}