feat: add epic web stack #3
Conversation
- Completely rewrote README.md with comprehensive documentation - Updated example project configuration and routes - Improved dev server and plugin configuration handling - Added more detailed styling and interactive elements to documentation pages - Refined plugin options and configuration management - Enhanced server-side rendering and custom server support
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| // Note: a request handler with passthrough is not suited with this type of url | ||
| // until there is a more permissible url catching system | ||
| // like requested at https://github.com/mswjs/msw/issues/1804 | ||
| if (request.url.includes('.sentry.io')) { |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 months ago
To fix the problem, we need to parse the URL and check the host value explicitly instead of using a substring check. This ensures that the check handles arbitrary subdomain sequences correctly and prevents bypassing the check by embedding the allowed host in unexpected parts of the URL.
The best way to fix the problem without changing existing functionality is to use the URL class to parse the URL and then check if the host matches the allowed host. We will replace the substring check with a more robust check that verifies the host value.
| @@ -13,3 +13,4 @@ | ||
| // like requested at https://github.com/mswjs/msw/issues/1804 | ||
| if (request.url.includes('.sentry.io')) { | ||
| const url = new URL(request.url); | ||
| if (url.host.endsWith('.sentry.io')) { | ||
| return |
# Conflicts: # README.md # examples/custom-node-server/package.json # examples/custom-node-server/server.js # package.json # pnpm-lock.yaml # pnpm-workspace.yaml # src/index.ts # tests/features.test.ts # tests/index.test.ts
| if (req.path.endsWith('/') && req.path.length > 1) { | ||
| const query = req.url.slice(req.path.length) | ||
| const safepath = req.path.slice(0, -1).replace(/\/+/g, '/') | ||
| res.redirect(302, safepath + query) |
Check warning
Code scanning / CodeQL
Server-side URL redirect Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 months ago
To fix the problem, we need to ensure that the redirection URL is validated before performing the redirection. One way to do this is to check that the redirection URL does not redirect to a different host by parsing it relative to a base URL with a known host and verifying that the host stays the same.
We will implement a function isLocalUrl to check if the URL is local and use this function to validate the safepath + query before performing the redirection.
| @@ -8,2 +8,3 @@ | ||
| import express, { type RequestHandler } from 'express' | ||
| import { URL } from 'url' | ||
| import rateLimit from 'express-rate-limit' | ||
| @@ -65,2 +66,12 @@ | ||
|
|
||
| function isLocalUrl(path) { | ||
| try { | ||
| return ( | ||
| new URL(path, "https://example.com").origin === "https://example.com" | ||
| ); | ||
| } catch (e) { | ||
| return false; | ||
| } | ||
| } | ||
|
|
||
| // no ending slashes for SEO reasons | ||
| @@ -71,3 +82,8 @@ | ||
| const safepath = req.path.slice(0, -1).replace(/\/+/g, '/') | ||
| res.redirect(302, safepath + query) | ||
| const target = safepath + query | ||
| if (isLocalUrl(target)) { | ||
| res.redirect(302, target) | ||
| } else { | ||
| res.redirect(302, '/') | ||
| } | ||
| } else { |
ScriptedAlchemy
force-pushed
the
epic-web
branch
from
62f0f81 to
a95bf32
Compare
No description provided.