feat(utils): new isWhitelistedHost

packages/utils/src/index.ts

@@ -7,49 +7,50 @@ export * from './arrayDistinct';
 export * from './arrayPartition';
 export * from './arrayShuffle';
 export * from './arrayToDictionary';
+export * from './asciiUtils';
+export * from './bigNumber';
 export * from './bytesToHumanReadable';
 export * from './cache';
 export * from './capitalizeFirstLetter';
 export * from './cloneObject';
+export * from './convertTaprootXpub';
 export * from './countBytesInString';
 export * from './createCooldown';
 export * from './createDeferred';
 export * from './createDeferredManager';
 export * from './createLazy';
 export * from './createTimeoutPromise';
+export * from './extractUrlsFromText';
 export * from './getLocaleSeparators';
 export * from './getMutex';
 export * from './getNumberFromPixelString';
-export * from './getWeakRandomNumberInRange';
-export * from './getSynchronize';
 export * from './getRandomInt';
+export * from './getSynchronize';
 export * from './getWeakRandomId';
 export * from './getWeakRandomInt';
+export * from './getWeakRandomNumberInRange';
 export * from './hasUppercaseLetter';
 export * from './isArrayMember';
+export * from './isFullPath';
 export * from './isHex';
 export * from './isNotUndefined';
 export * from './isUrl';
+export * from './isWhitelistedHost';
+export * from './logs';
+export * from './logsManager';
 export * from './mergeDeepObject';
 export * from './objectPartition';
 export * from './parseElectrumUrl';
 export * from './parseHostname';
 export * from './promiseAllSequence';
 export * from './redactUserPath';
+export * from './resolveAfter';
 export * from './scheduleAction';
 export * from './splitStringEveryNCharacters';
+export * from './throttler';
 export * from './throwError';
 export * from './topologicalSort';
 export * from './truncateMiddle';
 export * from './typedEventEmitter';
 export * from './urlToOnion';
-export * from './logs';
-export * from './logsManager';
-export * from './bigNumber';
-export * from './throttler';
-export * from './extractUrlsFromText';
-export * from './isFullPath';
-export * from './asciiUtils';
-export * from './resolveAfter';
 export * from './zip';
-export * from './convertTaprootXpub';

packages/utils/src/isWhitelistedHost.ts

@@ -0,0 +1,19 @@
+export const isWhitelistedHost = (
+    hostname: unknown,
+    whitelist: string[] = ['127.0.0.1', 'localhost'],
+) => {
+    if (typeof hostname !== 'string') {
+        return false; // Defensively block the request
+    }
+
+    if (hostname.trim() === '') {
+        return false; // Defensively block the request
+    }
+
+    return whitelist.some(
+        whitelistedUrl =>
+            whitelistedUrl === hostname ||
+            // This needs to be here to allow sub-domains (like btc1.trezor.io, holesky1.trezor.io, ...,
+            hostname.endsWith(`.${whitelistedUrl}`),
+    );
+};

packages/utils/tests/isWhitelistedHost.test.ts

@@ -0,0 +1,21 @@
+import { isWhitelistedHost } from '../src/isWhitelistedHost';
+
+const WHITELISTED = ['trezor.io'];
+
+describe(isWhitelistedHost.name, () => {
+    const dataProvider: Array<{ hostname: string; result: boolean }> = [
+        { hostname: 'trezor.io', result: true },
+        { hostname: '', result: false },
+        { hostname: '    ', result: false },
+        { hostname: 'holesky1.trezor.io', result: true },
+        { hostname: 'tbtc1.trezor.io', result: true },
+        { hostname: 'scam-url.io', result: false },
+        { hostname: 'scam-url-trezor.io', result: false },
+    ];
+
+    dataProvider.forEach(({ hostname, result }) => {
+        it(`The '${hostname}' is ${result ? 'is allowed' : 'is NOT allowed'}`, () => {
+            expect(isWhitelistedHost(hostname, WHITELISTED)).toBe(result);
+        });
+    });
+});