mirror of
https://github.com/netbootxyz/webapp.git
synced 2026-04-25 15:15:59 +03:00
[PR #86] [MERGED] Incomplete URL substring sanitization #89
📋 Pull Request Information
Original PR: https://github.com/netbootxyz/webapp/pull/86
Author: @antonym
Created: 2/13/2025
Status: ✅ Merged
Merged: 2/13/2025
Merged by: @antonym
Base: master ← Head: url-sanitization

📝 Commits (1)
f098d94 Incomplete URL substring sanitization

📊 Changes
1 file changed (+7 additions, -1 deletions)
app.js (+7 -1)

📄 Description
Potential fix for https://github.com/netbootxyz/webapp/security/code-scanning/1

To fix the problem, we need to parse the URL and check the host value explicitly. This involves using the url module to parse the URL and then comparing the host against a whitelist of allowed hosts. This approach ensures that the check is not bypassed by embedding the allowed host in an unexpected location.

url module at the beginning of the file.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.