From 4f9b9b6eca6aaa2faf15610dedb3d35cd40e13f8 Mon Sep 17 00:00:00 2001
From: beejak
Date: Wed, 22 Apr 2026 20:15:46 +0530
Subject: [PATCH] fix(security): validate navigate tool URL with z.string().url()
Require HTTP(S) URL shape for the `navigate` tool input (defense in depth vs non-URL strings passed to `page.goto`). Complements MCP Sentinel SSRF-style heuristics on navigation surfaces.
Made-with: Cursor
---
 src/tools/navigate.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tools/navigate.ts b/src/tools/navigate.ts
index 08abe38..99af0d7 100644
--- a/src/tools/navigate.ts
+++ b/src/tools/navigate.ts
@@ -4,7 +4,7 @@ import type { Context } from "../context.js";
 import type { ToolActionResult } from "../types/types.js";
 const NavigateInputSchema = z.object({
- url: z.string().min(1),
+ url: z.string().url(),
 });
 type NavigateInput = z.infer;
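Review bot: The new `url: z.string().url()` line does not enforce the "HTTP(S) URL shape" the commit message promises. As far as I know, zod's `.url()` only checks that the string parses as a URL, so non-web schemes such as `file:` would still pass validation and reach `page.goto`. Pinning the scheme in the schema would close that gap: `url: z.string().url().refine((u) => ["http:", "https:"].includes(new URL(u).protocol), { message: "url must use http or https" }),`. A schema check also cannot cover the SSRF concern named in the description, because loopback, link-local and private-range hosts are well-formed http(s) URLs; that needs a destination policy applied at navigation time, including after redirects. The handler that consumes `NavigateInputSchema` is outside this hunk, so confirm whether such a check already exists there.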