fix(browser): reject explicit zero cdp ports

steipete · steipete · commit 621db8f0b1b4 · 2026-05-29T01:43:05.000-04:00
diff --git a/extensions/browser/src/browser/cdp.helpers.fuzz.test.ts b/extensions/browser/src/browser/cdp.helpers.fuzz.test.ts
@@ -349,6 +349,12 @@ describe("fuzz: parseBrowserHttpUrl", () => {
       expect(() => parseBrowserHttpUrl(url, "test")).toThrow(/must be http\(s\) or ws\(s\)/);
     }
   });
+
+  it("rejects explicitly configured port zero", () => {
+    for (const scheme of ["http", "https", "ws", "wss"]) {
+      expect(() => parseBrowserHttpUrl(`${scheme}://127.0.0.1:0`, "test")).toThrow(/invalid port/);
+    }
+  });
 });
 
 describe("fuzz: redactCdpUrl", () => {
diff --git a/extensions/browser/src/browser/cdp.helpers.ts b/extensions/browser/src/browser/cdp.helpers.ts
@@ -1,3 +1,4 @@
+import { parseBrowserHttpUrl, redactCdpUrl } from "openclaw/plugin-sdk/browser-config";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import WebSocket from "ws";
 import { isLoopbackHost } from "../gateway/net.js";
@@ -6,7 +7,6 @@ import {
   type SsrFPolicy,
   resolvePinnedHostnameWithPolicy,
 } from "../infra/net/ssrf.js";
-import { redactSensitiveText } from "../logging/redact.js";
 import {
   getDirectAgentForCdp,
   withManagedProxyForCdpUrl,
@@ -18,98 +18,7 @@ import { resolveBrowserRateLimitMessage } from "./rate-limit-message.js";
 import { withAllowedHostname } from "./ssrf-policy-helpers.js";
 
 export { isLoopbackHost };
-
-/**
- * Detects whether a raw URL string contains an explicitly written port.
- *
- * WHATWG `URL` normalizes default ports (e.g. `:80` for http, `:443` for
- * https) to an empty `.port` string, making it impossible to distinguish
- * "user wrote :80" from "user omitted the port". This helper inspects the
- * raw string to preserve that intent.
- *
- * Handles IPv6 bracket notation and userinfo (user:pass@host) correctly.
- */
-function hasRawExplicitPort(raw: string): boolean {
-  // Strip scheme (e.g. "http://") and take only the authority portion
-  // (everything before the first /, ?, or #).
-  const authority = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/?#]/, 1)[0] ?? "";
-
-  // Strip userinfo (user:pass@); the colon there is not a port separator.
-  const hostPort = authority.includes("@")
-    ? authority.slice(authority.lastIndexOf("@") + 1)
-    : authority;
-
-  // IPv6: [::1]:9222 has a port after the closing bracket.
-  if (hostPort.startsWith("[")) {
-    return /^\[[^\]]+\]:\d+$/.test(hostPort);
-  }
-
-  // IPv4 / hostname: host:port
-  return /:\d+$/.test(hostPort);
-}
-
-export function parseBrowserHttpUrl(raw: string, label: string) {
-  const trimmed = raw.trim();
-  const parsed = new URL(trimmed);
-  const allowed = ["http:", "https:", "ws:", "wss:"];
-  if (!allowed.includes(parsed.protocol)) {
-    throw new Error(`${label} must be http(s) or ws(s), got: ${parsed.protocol.replace(":", "")}`);
-  }
-
-  const isSecure = parsed.protocol === "https:" || parsed.protocol === "wss:";
-  const port =
-    parsed.port && Number.parseInt(parsed.port, 10) > 0
-      ? Number.parseInt(parsed.port, 10)
-      : isSecure
-        ? 443
-        : 80;
-
-  // WHATWG URL rejects invalid ports (non-numeric, negative, >65535), and
-  // the ternary above falls back to 80/443 for empty or zero parsed.port,
-  // so this defensive guard is unreachable at runtime. Kept as a
-  // belt-and-braces check against parser drift.
-  /* c8 ignore next 3 */
-  if (Number.isNaN(port) || port <= 0 || port > 65535) {
-    throw new Error(`${label} has invalid port: ${parsed.port}`);
-  }
-
-  const normalized = parsed.toString().replace(/\/$/, "");
-  const hasExplicitPort = hasRawExplicitPort(trimmed);
-
-  // When the user explicitly wrote a default port (e.g. :80 for http),
-  // WHATWG normalization drops it from the URL string. Rebuild a
-  // port-preserving normalized form so callers don't need raw-string hacks.
-  // Note: the URL .port setter silently discards protocol-default ports,
-  // so we must inject the port via string surgery on the normalized form.
-  let normalizedWithPort: string;
-  if (hasExplicitPort && !parsed.port) {
-    const proto = parsed.protocol + "//";
-    const rest = normalized.slice(proto.length);
-    // Skip userinfo (user:pass@) if present
-    const atIdx = rest.indexOf("@");
-    const hostStart = atIdx >= 0 ? atIdx + 1 : 0;
-    const hostPart = rest.slice(hostStart);
-    // Find the end of the host: IPv6 brackets, a path slash, or a port colon.
-    const hostLen = hostPart.startsWith("[")
-      ? hostPart.indexOf("]") + 1
-      : (() => {
-          const idx = hostPart.search(/[:/]/);
-          return idx < 0 ? hostPart.length : idx;
-        })();
-    const insertAt = hostStart + hostLen;
-    normalizedWithPort = proto + rest.slice(0, insertAt) + ":" + port + rest.slice(insertAt);
-  } else {
-    normalizedWithPort = normalized;
-  }
-
-  return {
-    parsed,
-    port,
-    hasExplicitPort,
-    normalized,
-    normalizedWithPort,
-  };
-}
+export { parseBrowserHttpUrl, redactCdpUrl };
 
 /**
  * Returns true when the URL uses a WebSocket protocol (ws: or wss:).
@@ -179,24 +88,6 @@ export async function assertCdpEndpointAllowed(
   }
 }
 
-export function redactCdpUrl(cdpUrl: string | null | undefined): string | null | undefined {
-  if (typeof cdpUrl !== "string") {
-    return cdpUrl;
-  }
-  const trimmed = cdpUrl.trim();
-  if (!trimmed) {
-    return trimmed;
-  }
-  try {
-    const parsed = new URL(trimmed);
-    parsed.username = "";
-    parsed.password = "";
-    return redactSensitiveText(parsed.toString().replace(/\/$/, ""));
-  } catch {
-    return redactSensitiveText(trimmed);
-  }
-}
-
 type CdpResponse = {
   id: number;
   result?: unknown;
diff --git a/extensions/browser/src/browser/client-fetch.loopback-auth.test.ts b/extensions/browser/src/browser/client-fetch.loopback-auth.test.ts
@@ -208,6 +208,22 @@ describe("fetchBrowserJson loopback auth", () => {
     expect(headers.get("authorization")).toBe("Bearer loopback-token");
   });
 
+  it("does not treat explicit port zero as the default loopback bridge port", async () => {
+    mocks.resolveBrowserControlAuth.mockReturnValueOnce({
+      token: undefined,
+      password: undefined,
+    });
+    mocks.getBridgeAuthForPort.mockReturnValueOnce({ token: "bridge-token" });
+    const fetchMock = stubJsonFetchOk();
+
+    await fetchBrowserJson<{ ok: boolean }>("http://127.0.0.1:0/");
+
+    const init = requireFetchInit(fetchMock);
+    const headers = new Headers(init?.headers);
+    expect(mocks.getBridgeAuthForPort).not.toHaveBeenCalled();
+    expect(headers.get("authorization")).toBeNull();
+  });
+
   it("preserves dispatcher timeout context without no-retry hint", async () => {
     mocks.dispatch.mockRejectedValueOnce(new Error("Chrome CDP handshake timeout"));
 
diff --git a/extensions/browser/src/browser/client-fetch.ts b/extensions/browser/src/browser/client-fetch.ts
@@ -1,3 +1,4 @@
+import { parseBrowserHttpUrl } from "openclaw/plugin-sdk/browser-config";
 import { parseFiniteNumber } from "openclaw/plugin-sdk/number-runtime";
 import { fetchWithSsrFGuard } from "openclaw/plugin-sdk/ssrf-runtime";
 import { normalizeOptionalString } from "openclaw/plugin-sdk/string-coerce-runtime";
@@ -68,13 +69,7 @@ function withLoopbackBrowserAuthImpl(
   // Sandbox bridge servers can run with per-process ephemeral auth on dynamic ports.
   // Fall back to the in-memory registry if config auth is not available.
   try {
-    const parsed = new URL(url);
-    const port =
-      parsed.port && Number.parseInt(parsed.port, 10) > 0
-        ? Number.parseInt(parsed.port, 10)
-        : parsed.protocol === "https:"
-          ? 443
-          : 80;
+    const { port } = parseBrowserHttpUrl(url, "browser control URL");
     const bridgeAuth = deps.getBridgeAuthForPort(port);
     if (bridgeAuth?.token) {
       headers.set("Authorization", `Bearer ${bridgeAuth.token}`);
diff --git a/extensions/browser/src/browser/profiles.test.ts b/extensions/browser/src/browser/profiles.test.ts
@@ -125,6 +125,7 @@ describe("getUsedPorts", () => {
   it("ignores invalid cdpUrl values", () => {
     const profiles = {
       bad: { cdpUrl: "notaurl" },
+      portZero: { cdpUrl: "http://127.0.0.1:0" },
     };
     const used = getUsedPorts(profiles);
     expect(used.size).toBe(0);
diff --git a/extensions/browser/src/browser/profiles.ts b/extensions/browser/src/browser/profiles.ts
@@ -1,3 +1,5 @@
+import { parseBrowserHttpUrl } from "openclaw/plugin-sdk/browser-config";
+
 /**
  * CDP port allocation for browser profiles.
  *
@@ -66,16 +68,7 @@ export function getUsedPorts(
       continue;
     }
     try {
-      const parsed = new URL(rawUrl);
-      const port =
-        parsed.port && Number.parseInt(parsed.port, 10) > 0
-          ? Number.parseInt(parsed.port, 10)
-          : parsed.protocol === "https:"
-            ? 443
-            : 80;
-      if (isValidTcpPort(port)) {
-        used.add(port);
-      }
+      used.add(parseBrowserHttpUrl(rawUrl, "browser.profiles.*.cdpUrl").port);
     } catch {
       // ignore invalid URLs
     }
diff --git a/src/plugin-sdk/browser-cdp.ts b/src/plugin-sdk/browser-cdp.ts
@@ -1,5 +1,18 @@
 import { redactSensitiveText } from "../logging/redact.js";
 
+function hasRawExplicitPort(raw: string): boolean {
+  const authority = raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/?#]/, 1)[0] ?? "";
+  const hostPort = authority.includes("@")
+    ? authority.slice(authority.lastIndexOf("@") + 1)
+    : authority;
+
+  if (hostPort.startsWith("[")) {
+    return /^\[[^\]]+\]:\d+$/.test(hostPort);
+  }
+
+  return /:\d+$/.test(hostPort);
+}
+
 export function parseBrowserHttpUrl(raw: string, label: string) {
   const trimmed = raw.trim();
   const parsed = new URL(trimmed);
@@ -9,21 +22,45 @@ export function parseBrowserHttpUrl(raw: string, label: string) {
   }
 
   const isSecure = parsed.protocol === "https:" || parsed.protocol === "wss:";
-  const port =
-    parsed.port && Number.parseInt(parsed.port, 10) > 0
-      ? Number.parseInt(parsed.port, 10)
-      : isSecure
-        ? 443
-        : 80;
+  const hasExplicitPort = hasRawExplicitPort(trimmed);
+  const port = parsed.port ? Number.parseInt(parsed.port, 10) : isSecure ? 443 : 80;
 
+  if (hasExplicitPort && !parsed.port) {
+    const defaultPort = isSecure ? 443 : 80;
+    if (port !== defaultPort) {
+      throw new Error(`${label} has invalid port: ${parsed.port}`);
+    }
+  }
   if (Number.isNaN(port) || port <= 0 || port > 65_535) {
     throw new Error(`${label} has invalid port: ${parsed.port}`);
   }
 
+  const normalized = parsed.toString().replace(/\/$/, "");
+  let normalizedWithPort: string;
+  if (hasExplicitPort && !parsed.port) {
+    const proto = parsed.protocol + "//";
+    const rest = normalized.slice(proto.length);
+    const atIdx = rest.indexOf("@");
+    const hostStart = atIdx >= 0 ? atIdx + 1 : 0;
+    const hostPart = rest.slice(hostStart);
+    const hostLen = hostPart.startsWith("[")
+      ? hostPart.indexOf("]") + 1
+      : (() => {
+          const idx = hostPart.search(/[:/]/);
+          return idx < 0 ? hostPart.length : idx;
+        })();
+    const insertAt = hostStart + hostLen;
+    normalizedWithPort = proto + rest.slice(0, insertAt) + ":" + port + rest.slice(insertAt);
+  } else {
+    normalizedWithPort = normalized;
+  }
+
   return {
     parsed,
     port,
-    normalized: parsed.toString().replace(/\/$/, ""),
+    hasExplicitPort,
+    normalized,
+    normalizedWithPort,
   };
 }
 
diff --git a/src/plugin-sdk/browser-subpaths.test.ts b/src/plugin-sdk/browser-subpaths.test.ts
@@ -20,6 +20,15 @@ describe("plugin-sdk browser subpaths", () => {
     expect(redactCdpUrl(parsed.normalized)).toBe("http://127.0.0.1:9222");
   });
 
+  it("preserves explicit default ports and rejects explicit port zero", () => {
+    const parsed = parseBrowserHttpUrl("http://127.0.0.1:80/json/version", "browser.cdpUrl");
+    expect(parsed.hasExplicitPort).toBe(true);
+    expect(parsed.normalizedWithPort).toBe("http://127.0.0.1:80/json/version");
+    expect(() => parseBrowserHttpUrl("http://127.0.0.1:0", "browser.cdpUrl")).toThrow(
+      /invalid port/,
+    );
+  });
+
   it("resolves browser control auth on the dedicated auth subpath", () => {
     expect(resolveBrowserControlAuth).toBeTypeOf("function");
   });
