[PR #86] [MERGED] Incomplete URL substring sanitization #89

Closed
opened 2026-02-27 14:57:15 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/netbootxyz/webapp/pull/86
Author: @antonym
Created: 2/13/2025
Status: Merged
Merged: 2/13/2025
Merged by: @antonym

Base: master ← Head: url-sanitization


📝 Commits (1)

  • f098d94 Incomplete URL substring sanitization

📊 Changes

1 file changed (+7 additions, -1 deletions)

📝 app.js (+7 -1)

📄 Description

Potential fix for https://github.com/netbootxyz/webapp/security/code-scanning/1

To fix the problem, we need to parse the URL and check the host value explicitly. This involves using the url module to parse the URL and then comparing the host against a whitelist of allowed hosts. This approach ensures that the check is not bypassed by embedding the allowed host in an unexpected location.

  1. Import the url module at the beginning of the file.
  2. Parse the URL to extract the host value.
  3. Compare the host value against a whitelist of allowed hosts.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

kerem 2026-02-27 14:57:15 +03:00