Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: check if endpoint exists for dynamic pages when checking for red… #6994

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: check if endpoint exists for dynamic pages when checking for red… #6994

wants to merge 1 commit into from
+937 −3

Conversation

VitaliyR
Copy link
Contributor

@VitaliyR VitaliyR commented Jan 10, 2025
edited
Loading

…irect

🎉 Thanks for submitting a pull request! 🎉

Summary

Fixes WRFL-2122

Basically we are checking only for static files when trying to determinate if we should do the non forced redirect.

In dynamic SSG, when they either run in dev mode or having dynamic endpoints (not a static files), we are not detecting it and doing the redirect, which is wrong.

I've added a simple checker via fetch url, { method: HEAD } - which checks if the endpoint exists.

Example

Assume next netlify.toml:

[[redirects]]
from = "*"
to = "https://www.netlify.app/:splat"
status = 200
force = false # by default

Run netlify dev.

Make change to some code file.

Open http://localhost:8888. See that change is not applied. See in console Proxying to https://www.netlify.app/.

Thats wrong, it should actually detect that there is an index route in current site and not proxy.

For us to review and ship your PR efficiently, please perform the following steps:

  • Open a bug/issue before writing your code 🧑‍💻. This ensures we can discuss the changes and get feedback from everyone that should be involved. If you`re fixing a typo or something that`s on fire 🔥 (e.g. incident related), you can skip this step.
  • Read the contribution guidelines 📖. This ensures your code follows our style guide and
    passes our tests.
  • Update or add tests (if any source code was changed or added) 🧪
  • Update or add documentation (if features were changed or added) 📝
  • Make sure the status checks below are successful ✅

A picture of a cute animal (not mandatory, but encouraged)

@VitaliyR VitaliyR requested a review from a team as a code owner January 10, 2025 01:07
@github-actions GitHub Actions
Copy link

📊 Benchmark results

Comparing with 3441c58

  • Dependency count: 1,201 (no change)
  • Package size: 316 MB ⬆️ 0.00% increase vs. 3441c58
  • Number of ts-expect-error directives: 830 (no change)

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 10, 2025
View reviewed changes
src/utils/proxy.ts
const isEndpointExists = async function (endpoint: string, origin: string) {
const url = new URL(endpoint, origin)
try {
const res = await fetch(url, { method: 'HEAD' })

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI about 9 hours ago

To fix the problem, we need to ensure that the user input is validated and sanitized before being used to construct the URL for the fetch request. One effective way to do this is to use an allow-list of acceptable paths or endpoints. This way, we can ensure that only known and safe endpoints are used in the fetch request.

  1. Create an allow-list of acceptable paths or endpoints.
  2. Validate the req.url against this allow-list before using it to construct the URL for the fetch request.
  3. If the req.url is not in the allow-list, handle the request appropriately (e.g., return a 400 Bad Request response).
Suggested changeset 1
src/utils/proxy.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/utils/proxy.ts b/src/utils/proxy.ts
--- a/src/utils/proxy.ts
+++ b/src/utils/proxy.ts
@@ -152,2 +152,6 @@
 const isEndpointExists = async function (endpoint: string, origin: string) {
+  const allowList = ['/allowed-path1', '/allowed-path2', '/allowed-path3']
+  if (!allowList.includes(endpoint)) {
+    throw new Error('Endpoint not allowed')
+  }
   const url = new URL(endpoint, origin)
EOF
@@ -152,2 +152,6 @@
const isEndpointExists = async function (endpoint: string, origin: string) {
const allowList = ['/allowed-path1', '/allowed-path2', '/allowed-path3']
if (!allowList.includes(endpoint)) {
throw new Error('Endpoint not allowed')
}
const url = new URL(endpoint, origin)
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not really sure this is useful, should we dismiss it?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eduardoboucas eduardoboucas Awaiting requested review from eduardoboucas

@davbree davbree Awaiting requested review from davbree

@smnh smnh Awaiting requested review from smnh

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@VitaliyR