Skip to content

Commit db22f32

Browse files
Reject baseURL query and hash components
Co-authored-by: Eric Allam <eric@trigger.dev>
1 parent 915573c commit db22f32

File tree

5 files changed

+51
-1
lines changed

5 files changed

+51
-1
lines changed

docs/tasks/streams.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -656,7 +656,7 @@ If `onError` is omitted, reconnect still returns `null` and continues without ca
656656
`baseURL` supports optional path prefixes and trailing slashes; both trigger and stream URLs
657657
are normalized consistently, surrounding whitespace is trimmed before normalization, and
658658
the resulting value must not be empty. The value must also be a valid absolute URL using
659-
the `http` or `https` protocol.
659+
the `http` or `https` protocol, without query parameters or hash fragments.
660660

661661
For richer TypeScript ergonomics in app code, `@trigger.dev/ai` also exports:
662662

packages/ai/CHANGELOG.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,3 +24,4 @@
2424
- Added explicit validation that `baseURL` is non-empty after normalization.
2525
- Added explicit validation that `baseURL` is a valid absolute URL.
2626
- Added explicit validation that `baseURL` uses `http` or `https`.
27+
- Added explicit validation that `baseURL` excludes query parameters and hash fragments.

packages/ai/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -163,6 +163,7 @@ both cleanup steps (`set` inactive state and `delete`) even if one of them fails
163163
- `baseURL` must not be empty after trimming/normalization.
164164
- `baseURL` must be a valid absolute URL.
165165
- `baseURL` must use the `http` or `https` protocol.
166+
- `baseURL` must not include query parameters or hash fragments.
166167

167168
## `ai.tool(...)` example
168169

packages/ai/src/chatTransport.test.ts

Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -653,6 +653,28 @@ describe("TriggerChatTransport", function () {
653653
}).toThrowError("baseURL must use http or https protocol");
654654
});
655655

656+
it("throws when baseURL includes query parameters", function () {
657+
expect(function () {
658+
new TriggerChatTransport({
659+
task: "chat-task",
660+
accessToken: "pk_trigger",
661+
baseURL: "https://example.com/base?query=1",
662+
stream: "chat-stream",
663+
});
664+
}).toThrowError("baseURL must not include query parameters or hash fragments");
665+
});
666+
667+
it("throws when baseURL includes hash fragments", function () {
668+
expect(function () {
669+
new TriggerChatTransport({
670+
task: "chat-task",
671+
accessToken: "pk_trigger",
672+
baseURL: "https://example.com/base#fragment",
673+
stream: "chat-stream",
674+
});
675+
}).toThrowError("baseURL must not include query parameters or hash fragments");
676+
});
677+
656678
it("accepts uppercase http protocol in baseURL", async function () {
657679
let observedTriggerPath: string | undefined;
658680
let observedStreamPath: string | undefined;
@@ -2870,6 +2892,28 @@ describe("TriggerChatTransport", function () {
28702892
}).toThrowError("baseURL must use http or https protocol");
28712893
});
28722894

2895+
it("throws from factory when baseURL includes query parameters", function () {
2896+
expect(function () {
2897+
createTriggerChatTransport({
2898+
task: "chat-task",
2899+
accessToken: "pk_trigger",
2900+
baseURL: "https://example.com/base?query=1",
2901+
stream: "chat-stream",
2902+
});
2903+
}).toThrowError("baseURL must not include query parameters or hash fragments");
2904+
});
2905+
2906+
it("throws from factory when baseURL includes hash fragments", function () {
2907+
expect(function () {
2908+
createTriggerChatTransport({
2909+
task: "chat-task",
2910+
accessToken: "pk_trigger",
2911+
baseURL: "https://example.com/base#fragment",
2912+
stream: "chat-stream",
2913+
});
2914+
}).toThrowError("baseURL must not include query parameters or hash fragments");
2915+
});
2916+
28732917
it("continues streaming when onTriggeredRun callback throws", async function () {
28742918
let callbackCalled = false;
28752919
const errors: TriggerChatTransportError[] = [];

packages/ai/src/chatTransport.ts

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -480,6 +480,10 @@ function normalizeBaseUrl(baseURL: string) {
480480
throw new Error("baseURL must use http or https protocol");
481481
}
482482

483+
if (parsedBaseUrl.search.length > 0 || parsedBaseUrl.hash.length > 0) {
484+
throw new Error("baseURL must not include query parameters or hash fragments");
485+
}
486+
483487
return normalizedBaseUrl;
484488
}
485489

0 commit comments

Comments
 (0)