fix(issue-view): don't send auth headers to non-linear domains

Author: hmnd

src/commands/issue/issue-view.ts

@@ -23,6 +23,10 @@ import {
 } from "../../utils/hyperlink.ts"
 import { createHyperlinkExtension } from "../../utils/charmd-hyperlink-extension.ts"
 import { handleError, ValidationError } from "../../utils/errors.ts"
+import {
+  LINEAR_PRIVATE_UPLOAD_HOST,
+  LINEAR_UPLOAD_HOSTNAMES,
+} from "../../const.ts"
 
 export const viewCommand = new Command()
   .name("view")
@@ -476,11 +480,7 @@ export function extractLinearLinkInfo(
 
   visit(tree, "link", (node: Link) => {
     // Only extract links to Linear uploads
-    if (
-      node.url &&
-      (node.url.includes("uploads.linear.app") ||
-        node.url.includes("public.linear.app"))
-    ) {
+    if (node.url && getLinearUploadHost(node.url)) {
       // Get link text from first child if it's a text node
       const textNode = node.children[0]
       const text = textNode && textNode.type === "text" ? textNode.value : null
@@ -533,6 +533,15 @@ export async function getUrlHash(url: string): Promise<string> {
   return encodeHex(hashArray).substring(0, 16)
 }
 
+export function getLinearUploadHost(url: string): string | null {
+  try {
+    const { hostname } = new URL(url)
+    return LINEAR_UPLOAD_HOSTNAMES.includes(hostname) ? hostname : null
+  } catch {
+    return null
+  }
+}
+
 /**
  * download an image to the cache directory if not already cached
  * returns the local file path
@@ -556,7 +565,7 @@ async function downloadImage(
   }
 
   const headers: Record<string, string> = {}
-  if (url.includes("uploads.linear.app")) {
+  if (getLinearUploadHost(url) === LINEAR_PRIVATE_UPLOAD_HOST) {
     const apiKey = getResolvedApiKey()
     if (apiKey) {
       headers["Authorization"] = apiKey
@@ -674,10 +683,8 @@ async function downloadAttachments(
   for (const attachment of attachments) {
     try {
       // Skip non-file URLs (e.g., external links)
-      // Linear uses uploads.linear.app for private and public.linear.app for public images
-      const isLinearUpload = attachment.url.includes("uploads.linear.app") ||
-        attachment.url.includes("public.linear.app")
-      if (!isLinearUpload) {
+      const uploadHost = getLinearUploadHost(attachment.url)
+      if (!uploadHost) {
         continue
       }
 
@@ -694,8 +701,7 @@ async function downloadAttachments(
       }
 
       const headers: Record<string, string> = {}
-      // Only add auth header for private uploads, not public URLs
-      if (attachment.url.includes("uploads.linear.app")) {
+      if (uploadHost === LINEAR_PRIVATE_UPLOAD_HOST) {
         const apiKey = getResolvedApiKey()
         if (apiKey) {
           headers["Authorization"] = apiKey

src/const.ts

@@ -1,2 +1,11 @@
 export const LINEAR_WEB_BASE_URL = "https://linear.app"
 export const LINEAR_API_ENDPOINT = "https://api.linear.app/graphql"
+
+/** Requires auth to access. */
+export const LINEAR_PRIVATE_UPLOAD_HOST = "uploads.linear.app"
+export const LINEAR_PUBLIC_UPLOAD_HOST = "public.linear.app"
+
+export const LINEAR_UPLOAD_HOSTNAMES: readonly string[] = [
+  LINEAR_PRIVATE_UPLOAD_HOST,
+  LINEAR_PUBLIC_UPLOAD_HOST,
+]

test/commands/issue/image-download.test.ts

@@ -1,6 +1,7 @@
 import { assertEquals } from "@std/assert"
 import {
   extractImageInfo,
+  extractLinearLinkInfo,
   getUrlHash,
   replaceImageUrls,
 } from "../../../src/commands/issue/issue-view.ts"
@@ -109,6 +110,25 @@ Deno.test("replaceImageUrls - handles empty map", async () => {
   assertEquals(result.includes("https://example.com/img.png"), true)
 })
 
+Deno.test("extractLinearLinkInfo - extracts Linear upload links", () => {
+  const md = "See [file](https://uploads.linear.app/abc/doc.pdf)"
+  const links = extractLinearLinkInfo(md)
+  assertEquals(links.length, 1)
+  assertEquals(links[0].url, "https://uploads.linear.app/abc/doc.pdf")
+})
+
+Deno.test("extractLinearLinkInfo - ignores spoofed domain in path", () => {
+  const md = "See [file](https://example.com/uploads.linear.app/doc.pdf)"
+  const links = extractLinearLinkInfo(md)
+  assertEquals(links.length, 0)
+})
+
+Deno.test("extractLinearLinkInfo - ignores spoofed subdomain", () => {
+  const md = "See [file](https://uploads.linear.app.example.com/doc.pdf)"
+  const links = extractLinearLinkInfo(md)
+  assertEquals(links.length, 0)
+})
+
 // Hyperlink utility tests
 
 Deno.test("hyperlink - creates OSC-8 escape sequence", () => {