-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: check if endpoint exists for dynamic pages when checking for red… #6994
base: main
Are you sure you want to change the base?
Conversation
const isEndpointExists = async function (endpoint: string, origin: string) { | ||
const url = new URL(endpoint, origin) | ||
try { | ||
const res = await fetch(url, { method: 'HEAD' }) |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
URL
user-provided value
The
URL
user-provided value
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 3 days ago
To fix the problem, we need to ensure that the user input is validated and sanitized before being used to construct the URL for the fetch
request. One effective way to do this is to use an allow-list of acceptable paths or endpoints. This way, we can ensure that only known and safe endpoints are used in the fetch
request.
- Create an allow-list of acceptable paths or endpoints.
- Validate the
req.url
against this allow-list before using it to construct the URL for thefetch
request. - If the
req.url
is not in the allow-list, handle the request appropriately (e.g., return a 400 Bad Request response).
-
Copy modified lines R153-R156
@@ -152,2 +152,6 @@ | ||
const isEndpointExists = async function (endpoint: string, origin: string) { | ||
const allowList = ['/allowed-path1', '/allowed-path2', '/allowed-path3'] | ||
if (!allowList.includes(endpoint)) { | ||
throw new Error('Endpoint not allowed') | ||
} | ||
const url = new URL(endpoint, origin) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not really sure this is useful, should we dismiss it?
const isEndpointExists = async function (endpoint: string, origin: string) { | ||
const url = new URL(endpoint, origin) | ||
try { | ||
const res = await fetch(url, { method: 'HEAD' }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we check if the existing endpoint is external (https://...) or some existing dynamic route (localhost:3000/...).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
options.target
matches the ssg itself e.g. 3000. If we'd do it to 8888, it will be pointless since we managing routes
…irect
🎉 Thanks for submitting a pull request! 🎉
Summary
Fixes WRFL-2122
Basically we are checking only for static files when trying to determinate if we should do the
non forced
redirect.In dynamic SSG, when they either run in
dev mode
or having dynamic endpoints (not a static files), we are not detecting it and doing the redirect, which is wrong.I've added a simple checker via
fetch url, { method: HEAD }
- which checks if the endpoint exists.Example
Assume next
netlify.toml
:Run
netlify dev
.Make change to some code file.
Open
http://localhost:8888
. See that change is not applied. See in consoleProxying to https://www.netlify.app/
.Thats wrong, it should actually detect that there is an index route in current site and not proxy.
For us to review and ship your PR efficiently, please perform the following steps:
passes our tests.
A picture of a cute animal (not mandatory, but encouraged)