feat: limit port range for Schema Apps to 80-8002

Author: rossiam

.changeset/ten-swans-tap.md

@@ -0,0 +1,6 @@
+---
+"@smartthings/cli": patch
+"@smartthings/cli-lib": patch
+---
+
+Limit port range for Schema Apps to 80-8002.

packages/cli/src/__tests__/lib/commands/schema-util.test.ts

@@ -171,7 +171,7 @@ describe('webHookUrlDef', () => {
 		expect(webHookUrlDef(false, webhookInitialValue)).toBe(generatedARNDef)
 
 		expect(stringDefMock).toHaveBeenCalledTimes(1)
-		expect(stringDefMock).toHaveBeenCalledWith('Webhook URL')
+		expect(stringDefMock).toHaveBeenCalledWith('Webhook URL', { validate: expect.any(Function) })
 		expect(optionalDefMock).toHaveBeenCalledTimes(1)
 		expect(optionalDefMock).toHaveBeenCalledWith(generatedStringDef, expect.any(Function), { initiallyActive: true })
 

packages/cli/src/lib/commands/schema-util.ts

@@ -31,6 +31,7 @@ import {
 	stringTranslateToId,
 	undefinedDef,
 	updateFromUserInput,
+	urlValidateFn,
 } from '@smartthings/cli-lib'
 import { awsHelpText } from '../aws-utils'
 import { chooseOrganization } from './organization-util'
@@ -55,13 +56,16 @@ export const arnDef = (name: string, inChina: boolean, initialValue?: SchemaAppR
 		{ initiallyActive })
 }
 
+// The SmartThings services handling Schema Apps are limited to connecting to apps in the range 80-8002.
+export const schemaOutURLValidate = urlValidateFn({ httpsRequired: true, minPort: 80, maxPort: 8002 })
+
 export const webHookUrlDef = (inChina: boolean, initialValue?: SchemaAppRequest): InputDefinition<string | undefined> => {
 	if (inChina) {
 		return undefinedDef
 	}
 
 	const initiallyActive = initialValue?.hostingType === 'webhook'
-	return optionalDef(stringDef('Webhook URL'),
+	return optionalDef(stringDef('Webhook URL', { validate: schemaOutURLValidate }),
 		(context?: unknown[]) => (context?.[0] as Pick<SchemaAppRequest, 'hostingType'>)?.hostingType === 'webhook',
 		{ initiallyActive })
 }
@@ -133,8 +137,8 @@ export const buildInputDefinition = async (
 		appName: optionalStringDef('App Name', {
 			default: (context?: unknown[]) => (context?.[0] as Pick<SchemaAppRequest, 'partnerName'>)?.partnerName ?? '',
 		}),
-		oAuthAuthorizationUrl: stringDef('OAuth Authorization URL', { validate: httpsURLValidate }),
-		oAuthTokenUrl: stringDef('Partner OAuth Refresh Token URL', { validate: httpsURLValidate }),
+		oAuthAuthorizationUrl: stringDef('OAuth Authorization URL', { validate: schemaOutURLValidate }),
+		oAuthTokenUrl: stringDef('Partner OAuth Refresh Token URL', { validate: schemaOutURLValidate }),
 		icon: optionalStringDef('Icon URL', { validate: httpsURLValidate }),
 		icon2x: optionalStringDef('2x Icon URL', { validate: httpsURLValidate }),
 		icon3x: optionalStringDef('3x Icon URL', { validate: httpsURLValidate }),

packages/lib/src/__tests__/validate-util.test.ts

@@ -1,4 +1,12 @@
-import { emailValidate, httpsURLValidate, integerValidateFn, localhostOrHTTPSValidate, stringValidateFn, urlValidate } from '../validate-util'
+import {
+	emailValidate,
+	httpsURLValidate,
+	integerValidateFn,
+	localhostOrHTTPSValidate,
+	stringValidateFn,
+	urlValidate,
+	urlValidateFn,
+} from '../validate-util'
 
 
 describe('stringValidateFn', () => {
@@ -107,6 +115,25 @@ describe('integerValidateFn', () => {
 	})
 })
 
+describe('urlValidateFn', () => {
+	// We only need to get minPort and maxPort here as other bits are tested via tests of
+	// `urlValidate`, `httpsURLValidate`, and `localhostOrHTTPSValidate` below.
+	it.each([1, 2, 1023])('rejects %s when lower bound is 1024', (port) => {
+		expect(urlValidateFn({ minPort: 1024 })(`https://example.com:${port}`))
+			.toBe('Port must be between 1024 and 65535 inclusive.')
+	})
+
+	it.each([10001, 10002, 65000])('rejects %s when upper bound is 10000', (port) => {
+		expect(urlValidateFn({ maxPort: 10000 })(`https://example.com:${port}`))
+			.toBe('Port must be between 1 and 10000 inclusive.')
+	})
+
+	it.each([22, 79, 8003, 8004])('rejects %s when bounds are 80-8002', (port) => {
+		expect(urlValidateFn({ minPort: 80, maxPort: 8002 })(`https://example.com:${port}`))
+			.toBe('Port must be between 80 and 8002 inclusive.')
+	})
+})
+
 describe('urlValidate', () => {
 	it.each([
 		'http://example.com',

packages/lib/src/validate-util.ts

@@ -89,13 +89,27 @@ type URLValidateFnOptions = {
 	 * Required by default.
 	 */
 	required?: boolean
+
+	// default min is 1
+	minPort?: number
+
+	// default max is 65535
+	maxPort?: number
 }
 
 const allowedHTTPHosts = ['localhost', '127.0.0.1']
-const urlValidateFn = (options?: URLValidateFnOptions): ValidateFunction => {
+export const urlValidateFn = (options?: URLValidateFnOptions): ValidateFunction => {
 	return (input: string): true | string => {
 		try {
 			const url = new URL(input)
+			const minPort = options?.minPort ?? 1
+			const maxPort = options?.maxPort ?? 65535
+			if (url.port) {
+				const portNum = parseInt(url.port)
+				if (portNum < minPort || portNum > maxPort) {
+					return `Port must be between ${minPort} and ${maxPort} inclusive.`
+				}
+			}
 			if (options?.httpsRequired) {
 				if (options.allowLocalhostHTTP) {
 					return url.protocol === 'https:' ||