More validation for potential faulty user.js engines (#2069)

Martii · web-flow · commit 97fd17115849 · 2025-06-11T22:57:55.000-06:00
* Prevent new local minified source in `@updateURL` Post #944 Auto-merge
diff --git a/libs/scriptStorage.js b/libs/scriptStorage.js
@@ -331,7 +331,13 @@ function invalidKey(aAuthorName, aScriptName, aIsLib, aKeyName, aKeyValue) {  //
           // NOTE: value needs to be decoded already since MongoDB and AWS doesn't store that
           matches = keyValueUtf.match(rAnyLocalMetaUrl);
           if (matches) {
-            if (cleanFilename(aAuthorName, '').toLowerCase() +
+            if (/\.min$/.test(matches[2])) {
+                return new statusError({
+                  message: '`@' + aKeyName +
+                    '` must not be a minified URL.',
+                  code: 403 // Forbidden
+                });
+            } else if (cleanFilename(aAuthorName, '').toLowerCase() +
               '/' + cleanFilename(aScriptName, '') ===
                 matches[1].toLowerCase() + '/' + matches[2]) {
               // Same script
