Removes untrusted documentation links and implements URL security validation (#73)

Replaces references to the docs.paseo.network domain with GitHub alternatives across the site. Introduces a new security test suite to enforce a domain allowlist, prevent the use of blocked phishing domains, and ensure all URLs use secure protocols (HTTPS/WSS).

Author: ayelenmurano

src/components/sections/UsersSection.tsx

@@ -67,13 +67,11 @@ export function UsersSection() {
 					{PASEO_USERS.map((user) => {
 						const hasLogo = "logo" in user && user.logo;
 						const hasDarkLogo = "logoDark" in user && user.logoDark;
-						const shouldInvert =
-							"darkInvert" in user && user.darkInvert;
+						const shouldInvert = "darkInvert" in user && user.darkInvert;
 						const isWordmark = "isWordmark" in user && user.isWordmark;
 
 						const invertClass = shouldInvert ? "dark:invert" : "";
-						const logoClass =
-							`object-contain opacity-70 group-hover:opacity-100 transition-opacity duration-300 ${invertClass}`;
+						const logoClass = `object-contain opacity-70 group-hover:opacity-100 transition-opacity duration-300 ${invertClass}`;
 
 						const content = isWordmark ? (
 							<UserLogo

src/components/sections/developers/DevelopersHeroSection.tsx

@@ -36,7 +36,7 @@ export function DevelopersHeroSection() {
 					</PrimaryButton>
 					<SecondaryButton
 						className="group"
-						onClick={() => window.open(URLS.docs, "_blank")}
+						onClick={() => window.open(URLS.github, "_blank")}
 					>
 						<FileText className="mr-2 h-4 w-4" />
 						Documentation

src/constants/__tests__/urls-security.test.ts

@@ -0,0 +1,139 @@
+import { describe, expect, it } from "vitest";
+import { URLS } from "../urls";
+
+/**
+ * Allowlist of trusted domains for all URLs in the project.
+ * Any new domain must be explicitly added here after review.
+ */
+const ALLOWED_DOMAINS = [
+	"github.com",
+	"paseo-r2.zondax.ch",
+	"validators.paseo.site",
+	"grafana.paseo.site",
+	"hub.regionx.tech",
+	"x.com",
+	"matrix.to",
+	"polkadot.com",
+	"wiki.polkadot.com",
+	"polkadot-fellows.github.io",
+	"zondax.ch",
+	"faucet.polkadot.io",
+	"onpop.io",
+	"www.deploypolkadot.xyz",
+	"docs.polkadot.com",
+	"blockscout-passet-hub.parity-testnet.parity.io",
+	"paseo.subscan.io",
+	"polkadot.testnet.routescan.io",
+	"testnet-passet-hub-eth-rpc.polkadot.io",
+	"passet-hub-paseo.ibp.network",
+];
+
+/**
+ * Known phishing or compromised domains that must never appear in the codebase.
+ */
+const BLOCKED_DOMAINS = ["docs.paseo.network"];
+
+function extractAllUrls(
+	obj: unknown,
+	path = "",
+): { url: string; path: string }[] {
+	const urls: { url: string; path: string }[] = [];
+
+	if (typeof obj === "string") {
+		if (
+			obj.startsWith("http://") ||
+			obj.startsWith("https://") ||
+			obj.startsWith("wss://")
+		) {
+			urls.push({ url: obj, path });
+		}
+	} else if (typeof obj === "object" && obj !== null) {
+		for (const [key, value] of Object.entries(obj)) {
+			urls.push(...extractAllUrls(value, path ? `${path}.${key}` : key));
+		}
+	}
+
+	return urls;
+}
+
+function getDomain(url: string): string {
+	try {
+		return new URL(url.replace("wss://", "https://")).hostname;
+	} catch {
+		return "";
+	}
+}
+
+describe("URL Security", () => {
+	const allUrls = extractAllUrls(URLS);
+
+	it("should have URLs to validate", () => {
+		expect(allUrls.length).toBeGreaterThan(0);
+	});
+
+	it("should only contain URLs from allowed domains", () => {
+		const disallowed = allUrls.filter(({ url }) => {
+			const domain = getDomain(url);
+			return !ALLOWED_DOMAINS.some(
+				(allowed) => domain === allowed || domain.endsWith(`.${allowed}`),
+			);
+		});
+
+		if (disallowed.length > 0) {
+			const details = disallowed
+				.map(({ url, path }) => `  ${path}: ${url}`)
+				.join("\n");
+			throw new Error(
+				`Found URLs with domains not in the allowlist:\n${details}\n\n` +
+					"If this domain is legitimate, add it to ALLOWED_DOMAINS in urls-security.test.ts",
+			);
+		}
+	});
+
+	it("should not contain any blocked/phishing domains", () => {
+		const blocked = allUrls.filter(({ url }) => {
+			const domain = getDomain(url);
+			return BLOCKED_DOMAINS.some(
+				(b) => domain === b || domain.endsWith(`.${b}`),
+			);
+		});
+
+		if (blocked.length > 0) {
+			const details = blocked
+				.map(({ url, path }) => `  ${path}: ${url}`)
+				.join("\n");
+			throw new Error(`SECURITY: Found blocked/phishing domains:\n${details}`);
+		}
+	});
+
+	it("should only use HTTPS or WSS protocols", () => {
+		const insecure = allUrls.filter(
+			({ url }) => !url.startsWith("https://") && !url.startsWith("wss://"),
+		);
+
+		if (insecure.length > 0) {
+			const details = insecure
+				.map(({ url, path }) => `  ${path}: ${url}`)
+				.join("\n");
+			throw new Error(`Found URLs using insecure protocols:\n${details}`);
+		}
+	});
+
+	it("should have valid URL format", () => {
+		const invalid = allUrls.filter(({ url }) => {
+			try {
+				new URL(url.replace("wss://", "https://"));
+				return false;
+			} catch {
+				return true;
+			}
+		});
+
+		if (invalid.length > 0) {
+			const details = invalid
+				.map(({ url, path }) => `  ${path}: ${url}`)
+				.join("\n");
+			throw new Error(`Found malformed URLs:\n${details}`);
+		}
+	});
+});

src/constants/content.ts

@@ -28,7 +28,7 @@ export const HERO_CONTENT = {
 		},
 		secondary: {
 			label: "Documentation",
-			href: URLS.docs,
+			href: URLS.github,
 		},
 	},
 } as const satisfies HeroContent;
@@ -210,7 +210,7 @@ export const COMMUNITY_CONTENT = {
 			},
 			secondary: {
 				label: "View PAS Documents",
-				href: URLS.docsGovernance,
+				href: URLS.githubGovernance,
 			},
 		},
 	},

src/constants/urls.ts

@@ -5,10 +5,6 @@ export const URLS = {
 	grafanaLogs: "https://grafana.paseo.site/",
 	regionXHub: "https://hub.regionx.tech/?network=paseo",
 
-	// Documentation
-	docs: "https://docs.paseo.network",
-	docsGovernance: "https://docs.paseo.network/governance",
-
 	// GitHub - Paseo Network
 	github: "https://github.com/paseo-network",
 	githubChainSpecs: "https://github.com/paseo-network/paseo-chain-specs",