fix(browser): encapsulate explicit-port detection in parseBrowserHttpUrl

Marvae · Marvae · commit 0e26cb08e7a0 · 2026-05-19T00:40:45.000+08:00
The previous implementation checked parsed.parsed.port in resolveProfile,
which missed WHATWG-normalized default ports (:80/:443) and was vulnerable
to false positives on IPv6 hosts and userinfo colons.

Move explicit-port detection into parseBrowserHttpUrl as hasExplicitPort
using a robust raw-string parser that handles:
- IPv6 bracket notation ([::1] vs [::1]:9222)
- userinfo (user:pass@host — colon is not a port)
- WHATWG default-port normalization (:80/:443 → empty .port)

Return normalizedWithPort alongside normalized so callers never need
raw-string URL hacks. resolveProfile now reads:
  explicit URL port → use it
  no URL port + cdpPort → inject cdpPort
  no URL port + no cdpPort → protocol default

Consolidate scattered port-precedence tests into a focused describe block
covering all 9 cases including IPv6, default ports, stale WS, and error.
diff --git a/extensions/browser/src/browser/cdp.helpers.ts b/extensions/browser/src/browser/cdp.helpers.ts
@@ -15,6 +15,38 @@ import { withAllowedHostname } from "./ssrf-policy-helpers.js";
 
 export { isLoopbackHost };
 
+/**
+ * Detects whether a raw URL string contains an explicitly written port.
+ *
+ * WHATWG `URL` normalizes default ports (e.g. `:80` for http, `:443` for
+ * https) to an empty `.port` string, making it impossible to distinguish
+ * "user wrote :80" from "user omitted the port". This helper inspects the
+ * raw string to preserve that intent.
+ *
+ * Handles IPv6 bracket notation and userinfo (user:pass@host) correctly.
+ */
+function hasRawExplicitPort(raw: string): boolean {
+  // Strip scheme (e.g. "http://") and take only the authority portion
+  // (everything before the first /, ?, or #).
+  const authority =
+    raw
+      .replace(/^[a-z][a-z0-9+.-]*:\/\//i, "")
+      .split(/[/?#]/, 1)[0] ?? "";
+
+  // Strip userinfo (user:pass@) — the colon there is NOT a port separator.
+  const hostPort = authority.includes("@")
+    ? authority.slice(authority.lastIndexOf("@") + 1)
+    : authority;
+
+  // IPv6: [::1]:9222 → port after closing bracket
+  if (hostPort.startsWith("[")) {
+    return /^\[[^\]]+\]:\d+$/.test(hostPort);
+  }
+
+  // IPv4 / hostname: host:port
+  return /:\d+$/.test(hostPort);
+}
+
 export function parseBrowserHttpUrl(raw: string, label: string) {
   const trimmed = raw.trim();
   const parsed = new URL(trimmed);
@@ -40,10 +72,42 @@ export function parseBrowserHttpUrl(raw: string, label: string) {
     throw new Error(`${label} has invalid port: ${parsed.port}`);
   }
 
+  const normalized = parsed.toString().replace(/\/$/, "");
+  const hasExplicitPort = hasRawExplicitPort(trimmed);
+
+  // When the user explicitly wrote a default port (e.g. :80 for http),
+  // WHATWG normalization drops it from the URL string. Rebuild a
+  // port-preserving normalized form so callers don't need raw-string hacks.
+  // Note: the URL .port setter silently discards protocol-default ports,
+  // so we must inject the port via string surgery on the normalized form.
+  let normalizedWithPort: string;
+  if (hasExplicitPort && !parsed.port) {
+    const proto = parsed.protocol + "//";
+    const rest = normalized.slice(proto.length);
+    // Skip userinfo (user:pass@) if present
+    const atIdx = rest.indexOf("@");
+    const hostStart = atIdx >= 0 ? atIdx + 1 : 0;
+    const hostPart = rest.slice(hostStart);
+    // Find end of host: IPv6 brackets or first : / /
+    const hostLen = hostPart.startsWith("[")
+      ? hostPart.indexOf("]") + 1
+      : (() => {
+          const idx = hostPart.search(/[:/]/);
+          return idx < 0 ? hostPart.length : idx;
+        })();
+    const insertAt = hostStart + hostLen;
+    normalizedWithPort =
+      proto + rest.slice(0, insertAt) + ":" + port + rest.slice(insertAt);
+  } else {
+    normalizedWithPort = normalized;
+  }
+
   return {
     parsed,
     port,
-    normalized: parsed.toString().replace(/\/$/, ""),
+    hasExplicitPort,
+    normalized,
+    normalizedWithPort,
   };
 }
 
diff --git a/extensions/browser/src/browser/config.test.ts b/extensions/browser/src/browser/config.test.ts
@@ -556,41 +556,218 @@ describe("browser config", () => {
     expect(profile?.cdpIsLoopback).toBe(true);
   });
 
-  it("prefers explicit cdpPort when cdpUrl has no port", () => {
-    // cdpUrl "http://127.0.0.1" (no port) should not override
-    // the explicit cdpPort with default port 80.
-    const resolved = resolveBrowserConfig({
-      profiles: {
-        openclaw: {
-          cdpPort: 18800,
-          cdpUrl: "http://127.0.0.1",
-          color: "#FF4500",
-          driver: "openclaw",
+  describe("cdpPort vs cdpUrl port precedence", () => {
+    it("URL with non-default port wins over cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 18800,
+            cdpUrl: "http://127.0.0.1:9222",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
         },
-      },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(9222);
+      expect(profile?.cdpUrl).toBe("http://127.0.0.1:9222");
     });
-    const profile = resolveProfile(resolved, "openclaw");
-    expect(profile?.cdpPort).toBe(18800);
-    expect(profile?.cdpUrl).toBe("http://127.0.0.1:18800");
-  });
 
-  it("prefers cdpPort over stale WebSocket devtools cdpUrl when both are set", () => {
-    const resolved = resolveBrowserConfig({
-      profiles: {
-        "chrome-cdp": {
-          cdpPort: 9222,
-          cdpUrl: "ws://127.0.0.1:9222/devtools/browser/old-stale-id",
-          attachOnly: true,
-          color: "#F59E0B",
+    it("URL with explicit default port :80 wins over cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 18800,
+            cdpUrl: "http://127.0.0.1:80",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
         },
-      },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(80);
+      expect(profile?.cdpUrl).toBe("http://127.0.0.1:80");
+    });
+
+    it("URL with explicit default port preserves normalized URL details", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          secure: {
+            cdpPort: 18800,
+            cdpUrl: "https://user:pass@remote-browser.example.com:443/json/version?token=abc#frag",
+            color: "#0066CC",
+            driver: "openclaw",
+          },
+          websocket: {
+            cdpPort: 18800,
+            cdpUrl: "wss://remote-browser.example.com:443/json/version?token=abc",
+            color: "#0066CC",
+            driver: "openclaw",
+          },
+          ipv6: {
+            cdpPort: 18800,
+            cdpUrl: "http://[::1]:80/json/version?token=abc",
+            color: "#0066CC",
+            driver: "openclaw",
+          },
+        },
+      });
+
+      const secure = resolveProfile(resolved, "secure");
+      expect(secure?.cdpPort).toBe(443);
+      expect(secure?.cdpUrl).toBe(
+        "https://user:pass@remote-browser.example.com:443/json/version?token=abc#frag",
+      );
+
+      const websocket = resolveProfile(resolved, "websocket");
+      expect(websocket?.cdpPort).toBe(443);
+      expect(websocket?.cdpUrl).toBe(
+        "wss://remote-browser.example.com:443/json/version?token=abc",
+      );
+
+      const ipv6 = resolveProfile(resolved, "ipv6");
+      expect(ipv6?.cdpPort).toBe(80);
+      expect(ipv6?.cdpUrl).toBe("http://[::1]:80/json/version?token=abc");
+    });
+
+    it("userinfo colons without a URL port defer to cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 18800,
+            cdpUrl: "http://user:pass@127.0.0.1/json/version",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(18800);
+      expect(profile?.cdpUrl).toBe("http://user:pass@127.0.0.1:18800/json/version");
+    });
+
+    it("URL without port defers to cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 18800,
+            cdpUrl: "http://127.0.0.1",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(18800);
+      expect(profile?.cdpUrl).toBe("http://127.0.0.1:18800");
+    });
+
+    it("URL with non-default port, no cdpPort configured", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpUrl: "http://127.0.0.1:9222",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(9222);
+      expect(profile?.cdpUrl).toBe("http://127.0.0.1:9222");
+    });
+
+    it("URL without port and no cdpPort falls back to protocol default", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpUrl: "https://remote-browser.example.com",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(443);
+      expect(profile?.cdpUrl).toBe("https://remote-browser.example.com");
+    });
+
+    it("no URL + cdpPort constructs URL from defaults", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 9222,
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(9222);
+      expect(profile?.cdpUrl).toContain(":9222");
+    });
+
+    it("no URL + no cdpPort throws", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          bad: {
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      expect(() => resolveProfile(resolved, "bad")).toThrow(
+        'must define cdpPort or cdpUrl',
+      );
+    });
+
+    it("stale WS devtools URL + cdpPort drops path and uses cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          "chrome-cdp": {
+            cdpPort: 9222,
+            cdpUrl: "ws://127.0.0.1:12345/devtools/browser/old-stale-id",
+            attachOnly: true,
+            color: "#F59E0B",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "chrome-cdp");
+      expect(profile?.cdpUrl).toBe("http://127.0.0.1:9222");
+      expect(profile?.cdpPort).toBe(9222);
+    });
+
+    it("IPv6 URL without port defers to cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 18800,
+            cdpUrl: "http://[::1]",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(18800);
+      expect(profile?.cdpUrl).toBe("http://[::1]:18800");
+    });
+
+    it("IPv6 URL with explicit port wins over cdpPort", () => {
+      const resolved = resolveBrowserConfig({
+        profiles: {
+          openclaw: {
+            cdpPort: 18800,
+            cdpUrl: "http://[::1]:9222",
+            color: "#FF4500",
+            driver: "openclaw",
+          },
+        },
+      });
+      const profile = resolveProfile(resolved, "openclaw");
+      expect(profile?.cdpPort).toBe(9222);
+      expect(profile?.cdpUrl).toBe("http://[::1]:9222");
     });
-    const profile = resolveProfile(resolved, "chrome-cdp");
-    // cdpPort produces a stable HTTP endpoint; the stale WS session ID is dropped.
-    expect(profile?.cdpUrl).toBe("http://127.0.0.1:9222");
-    expect(profile?.cdpPort).toBe(9222);
-    expect(profile?.cdpIsLoopback).toBe(true);
-    expect(profile?.attachOnly).toBe(true);
   });
 
   it("preserves profile host when dropping stale devtools WS path", () => {
diff --git a/extensions/browser/src/browser/config.ts b/extensions/browser/src/browser/config.ts
@@ -502,13 +502,10 @@ export function resolveProfile(
   } else if (rawProfileUrl) {
     const parsed = parseBrowserHttpUrl(rawProfileUrl, `browser.profiles.${profileName}.cdpUrl`);
     cdpHost = parsed.parsed.hostname;
-    // When the URL has an explicit port, always use it. When the URL omits the
-    // port (e.g. "http://127.0.0.1"), prefer an already-configured cdpPort over
-    // the protocol default (80/443) to avoid binding Chrome to a privileged
-    // port.
-    if (parsed.parsed.port) {
+    // Port precedence: explicit URL port > configured cdpPort > protocol default.
+    if (parsed.hasExplicitPort) {
       cdpPort = parsed.port;
-      cdpUrl = parsed.normalized;
+      cdpUrl = parsed.normalizedWithPort;
     } else if (cdpPort) {
       // URL omitted the port but we have an explicit cdpPort — inject it while
       // preserving the rest of the URL (path, query, credentials, etc.).
