Fix code scan issue with ALLOWED_DOMAIN_PATTERN regex (#1687)
krzysztofzuraw authored Jan 13, 2025
1 parent 9fc9edf commit 9649b78
Showing 14 changed files with 67 additions and 39 deletions.
10 changes: 10 additions & 0 deletions .changeset/rotten-seals-suffer.md
@@ -0,0 +1,10 @@
---
"products-feed": patch
"klaviyo": patch
"app-avatax": patch
"cms-v2": patch
"search": patch
"smtp": patch
---

Escape ALLOWED_DOMAIN_PATTERN regex. It ensures that regex constructed from env variable is sanitized and can't be used to Denial of Service attack.
1 change: 1 addition & 0 deletions apps/avatax/package.json
Expand Up @@ -60,6 +60,7 @@
"decimal.js-light": "2.5.1",
"dotenv": "16.3.1",
"dynamodb-toolbox": "1.8.2",
"escape-string-regexp": "5.0.0",
"graphql": "16.7.1",
"graphql-tag": "2.12.6",
"jotai": "^2.4.2",
3 changes: 2 additions & 1 deletion apps/avatax/src/pages/api/register.ts
@@ -1,6 +1,7 @@
import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
import { withOtel } from "@saleor/apps-otel";
import escapeStringRegexp from "escape-string-regexp";

import { env } from "@/env";
import { createLogger } from "@/logger";
Expand All @@ -27,7 +28,7 @@ export default wrapWithLoggerContext(
allowedSaleorUrls: [
(url) => {
if (allowedUrlsPattern) {
const regex = new RegExp(allowedUrlsPattern);
const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));

return regex.test(url);
}
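Review bot: After `escapeStringRegexp(allowedUrlsPattern)` on the changed line the value is a pure literal, so `regex.test(url)` has become an unanchored substring check: any regex syntax an operator already placed in ALLOWED_DOMAIN_PATTERN (e.g. `^https://.*\.example\.com/`) will silently stop matching, while a plain value like `example.com` now accepts any URL that merely contains that text, such as `https://attacker.example/?q=example.com`. Since the allow-list is the only gate on which Saleor instance may register the app, a substring match weakens it rather than hardening it. If a literal is the intended contract, compare the parsed host instead and reject unparsable input: `let host; try { host = new URL(url).hostname; } catch { return false; }` followed by `return host === allowedUrlsPattern;` — if wildcard patterns are a supported feature, keep a real regex but anchor it and bound the input length rather than escaping it. The env value appears to be operator-controlled, so the ReDoS exposure the commit cites looks like a misconfiguration risk rather than attacker-reachable input; worth stating in a comment. The enclosing `wrapWithLoggerContext(`/handler call and the definition of `allowedUrlsPattern` both lie outside this hunk.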
1 change: 1 addition & 0 deletions apps/cms-v2/package.json
Expand Up @@ -49,6 +49,7 @@
"@vitejs/plugin-react": "4.3.1",
"contentful-management": "10.46.4",
"dotenv": "16.3.1",
"escape-string-regexp": "5.0.0",
"graphql": "16.7.1",
"graphql-tag": "2.12.6",
"jsdom": "^20.0.3",
3 changes: 2 additions & 1 deletion apps/cms-v2/src/pages/api/register.ts
@@ -1,6 +1,7 @@
import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
import { withOtel } from "@saleor/apps-otel";
import escapeStringRegexp from "escape-string-regexp";

import { saleorApp } from "@/saleor-app";

Expand All @@ -17,7 +18,7 @@ const handler = createAppRegisterHandler({
allowedSaleorUrls: [
(url) => {
if (allowedUrlsPattern) {
const regex = new RegExp(allowedUrlsPattern);
const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));

return regex.test(url);
}
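Review bot: The new `new RegExp(escapeStringRegexp(allowedUrlsPattern))` no longer expresses a pattern at all — every metacharacter is escaped, so the test on the following line reduces to "does the configured string occur anywhere in `url`". That is weaker than the pre-change behaviour for operators who configured an anchored pattern and, for a bare domain value, lets an unrelated URL pass by carrying the domain in its path or query string. Replacing the two lines with a host comparison, `const host = (() => { try { return new URL(url).hostname; } catch { return null; } })();` and `return host === allowedUrlsPattern;`, would make the check exact and fail closed on malformed input. A short comment such as `// ALLOWED_DOMAIN_PATTERN is matched literally, not as a regex` should accompany whichever semantics are kept so the env variable's name stops implying otherwise. `createAppRegisterHandler({` opens before this hunk and `allowedUrlsPattern` is declared outside it.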
1 change: 1 addition & 0 deletions apps/klaviyo/package.json
Expand Up @@ -37,6 +37,7 @@
"@sentry/nextjs": "../../node_modules/@sentry/nextjs",
"@urql/exchange-auth": "2.1.4",
"dotenv": "16.3.1",
"escape-string-regexp": "5.0.0",
"graphql": "16.7.1",
"graphql-tag": "2.12.6",
"next": "14.2.3",
3 changes: 2 additions & 1 deletion apps/klaviyo/src/pages/api/register.ts
@@ -1,6 +1,7 @@
import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
import { withOtel } from "@saleor/apps-otel";
import escapeStringRegexp from "escape-string-regexp";

import { saleorApp } from "../../../saleor-app";
import { loggerContext } from "../../logger-context";
Expand All @@ -16,7 +17,7 @@ const handler = createAppRegisterHandler({
allowedSaleorUrls: [
(url) => {
if (allowedUrlsPattern) {
const regex = new RegExp(allowedUrlsPattern);
const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));

return regex.test(url);
}
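Review bot: Escaping the whole env value on the changed line turns the allow-list into an unanchored `String.prototype.includes`-style match, because a fully escaped pattern can only match itself verbatim at any offset in `url`. A configured `shop.example.com` therefore accepts `https://evil.example/shop.example.com` and, conversely, a pattern written with `^`, `$` or `.*` will match nothing and lock out the legitimate instance. If the intent is an exact allowed host, compare `new URL(url).hostname` (inside a `try`/`catch` returning `false`) against the configured value rather than building a RegExp at all; if wildcards are needed, an anchored pattern with an input-length cap bounds the backtracking the commit is worried about without changing semantics. The ReDoS concern seems to rest on a value that only the deployer sets, so a comment noting that this is a misconfiguration guard would help future readers. The surrounding `createAppRegisterHandler({` call starts outside the hunk.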
1 change: 1 addition & 0 deletions apps/products-feed/package.json
Expand Up @@ -48,6 +48,7 @@
"@urql/exchange-auth": "2.1.4",
"@vitejs/plugin-react": "4.3.1",
"dotenv": "16.3.1",
"escape-string-regexp": "5.0.0",
"fast-xml-parser": "^4.0.15",
"graphql": "16.7.1",
"graphql-tag": "2.12.6",
4 changes: 2 additions & 2 deletions apps/products-feed/src/pages/api/register.ts
@@ -1,8 +1,8 @@
import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
import { withOtel } from "@saleor/apps-otel";
import escapeStringRegexp from "escape-string-regexp";

import { createLogger } from "../../logger";
import { loggerContext } from "../../logger-context";
import { saleorApp } from "../../saleor-app";

Expand All @@ -19,7 +19,7 @@ export default wrapWithLoggerContext(
allowedSaleorUrls: [
(url) => {
if (allowedUrlsPattern) {
const regex = new RegExp(allowedUrlsPattern);
const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));

return regex.test(url);
}
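Review bot: With `escapeStringRegexp` applied, the RegExp built on the changed line is a literal and `regex.test(url)` passes whenever the configured string appears anywhere in the URL, so the allow-list no longer distinguishes `https://shop.example.com/graphql/` from `https://attacker.example/?ref=shop.example.com`. Any deployment that relied on regex syntax in ALLOWED_DOMAIN_PATTERN will also stop matching entirely, which is a behaviour change the changeset describes only as sanitisation. Consider replacing the RegExp with a parsed-host comparison — `try { return new URL(url).hostname === allowedUrlsPattern; } catch { return false; }` — which is exact, anchored, and has no backtracking to worry about. Whatever semantics are chosen should be stated in a comment above the callback, e.g. `// Literal host match; ALLOWED_DOMAIN_PATTERN is not interpreted as a regex`. The `wrapWithLoggerContext(` expression enclosing this callback begins and ends outside the hunk.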
1 change: 1 addition & 0 deletions apps/search/package.json
Expand Up @@ -50,6 +50,7 @@
"clsx": "^1.2.1",
"debug": "^4.3.4",
"dotenv": "16.3.1",
"escape-string-regexp": "5.0.0",
"graphql": "16.7.1",
"graphql-tag": "2.12.6",
"next": "14.2.3",
3 changes: 2 additions & 1 deletion apps/search/src/pages/api/register.ts
@@ -1,6 +1,7 @@
import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
import { withOtel } from "@saleor/apps-otel";
import escapeStringRegexp from "escape-string-regexp";

import { saleorApp } from "../../../saleor-app";
import { loggerContext } from "../../lib/logger-context";
Expand All @@ -14,7 +15,7 @@ export default wrapWithLoggerContext(
allowedSaleorUrls: [
(url) => {
if (allowedUrlsPattern) {
const regex = new RegExp(allowedUrlsPattern);
const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));

return regex.test(url);
}
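Review bot: The escaped RegExp on the changed line matches only the literal env value, unanchored, so this callback now admits any URL that contains the configured text as a substring and rejects any pattern that used regex syntax — both are silent allow-list changes rather than pure hardening. A substring allow-list is bypassable by placing the expected domain in the path or query of a foreign URL, which matters here because this is the gate on which Saleor instance may register the app. An exact host comparison via `new URL(url).hostname` wrapped in `try`/`catch` (returning `false` on parse failure) gives the same protection against pathological patterns without weakening the check; if wildcard support is required, keep a regex but anchor it and cap `url.length`. Please also document the chosen semantics next to the env lookup, since the variable name still says "pattern". `allowedUrlsPattern` and the enclosing handler call are defined outside this hunk.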
1 change: 1 addition & 0 deletions apps/smtp/package.json
Expand Up @@ -47,6 +47,7 @@
"@urql/exchange-auth": "2.1.4",
"@vitejs/plugin-react": "4.3.1",
"dotenv": "16.3.1",
"escape-string-regexp": "5.0.0",
"graphql": "16.7.1",
"graphql-tag": "2.12.6",
"handlebars": "^4.7.7",
3 changes: 2 additions & 1 deletion apps/smtp/src/pages/api/register.ts
Expand Up @@ -2,6 +2,7 @@ import { createAppRegisterHandler } from "@saleor/app-sdk/handlers/next";
import { wrapWithLoggerContext } from "@saleor/apps-logger/node";
import { withOtel } from "@saleor/apps-otel";
import { SaleorVersionCompatibilityValidator } from "@saleor/apps-shared";
import escapeStringRegexp from "escape-string-regexp";

import { createInstrumentedGraphqlClient } from "../../lib/create-instrumented-graphql-client";
import { createLogger } from "../../logger";
Expand All @@ -22,7 +23,7 @@ export default wrapWithLoggerContext(
allowedSaleorUrls: [
(url) => {
if (allowedUrlsPattern) {
const regex = new RegExp(allowedUrlsPattern);
const regex = new RegExp(escapeStringRegexp(allowedUrlsPattern));

return regex.test(url);
}
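Review bot: Once `allowedUrlsPattern` is passed through `escapeStringRegexp`, the RegExp on the changed line can only match that exact text, and because nothing anchors it `regex.test(url)` succeeds for any URL containing the value anywhere — a configured `example.com` accepts `https://attacker.example/x?example.com`. Operators who had set an anchored regex lose matching altogether, so the commit both weakens the allow-list for literal values and breaks it for pattern values. Replacing the regex with `try { return new URL(url).hostname === allowedUrlsPattern; } catch { return false; }` makes the check exact and removes the backtracking concern without a new dependency. A comment stating that ALLOWED_DOMAIN_PATTERN is treated as a literal host (or, if regexes remain supported, that it must be anchored and is operator-controlled) would prevent the next reader from assuming regex semantics. The enclosing `wrapWithLoggerContext(` call and `SaleorVersionCompatibilityValidator` usage extend beyond this hunk.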