[Production Deploy] Tidy up gateway code (#469) #470
| }); | ||
| } else if (isDevelopment()) { | ||
| router.use("/studio", (req, res) => { | ||
| res.redirect(`http://localhost:3000${req.originalUrl}`); |
Check warning (Code scanning / CodeQL): Server-side URL redirect, severity Medium
Copilot Autofix (AI), 6 months ago:
The best way to fix this problem is to ensure that only local, trusted paths are appended to the redirect URL, and block or normalize any user input that could result in an external or unexpected redirect. Since the code is proxying requests to a local development server at localhost:3000, simply redirecting to the same path without allowing the user to control the host or scheme is ideal. We can ensure that req.originalUrl is always a path under /studio, and avoid redirecting to user-injected absolute URLs.
To implement this, parse and normalize req.originalUrl to extract only the path after /studio, and use it to construct the redirect. Alternatively, reject any requests where req.originalUrl contains suspicious elements (//, http, hosts, etc.), or always redirect to a canonical /studio path with a clean suffix.
Changes needed in apps/gateway/src/routers/studio.ts:
- On line 37, parse `req.originalUrl` to only take the "rest" of the path after `/studio`, ensuring it does not contain any dangerous characters (like `//` or leading protocols), and append it to the local redirect URL.
- Optionally, define a helper to sanitize/validate the path.
- No new packages are required as Node.js provides URL handling (`url` or the global `URL`), but minimal string manipulation suffices here.
| @@ -34,7 +34,21 @@ | ||
| }); | ||
| } else if (isDevelopment()) { | ||
| router.use("/studio", (req, res) => { | ||
| res.redirect(`http://localhost:3000${req.originalUrl}`); | ||
| // Only proxy local paths under /studio to the dev server | ||
| const studioPrefix = '/studio'; | ||
| let path = req.originalUrl; | ||
| // Remove querystring or hash if present (let's keep them in redirect, but only after sanitizing path) | ||
| // Ensure the path always starts with /studio | ||
| if (!path.startsWith(studioPrefix)) { | ||
| return res.redirect("http://localhost:3000/studio"); | ||
| } | ||
| // Ensure no double-slash or attempts to escape (e.g. /studio//evil, or /studio/../../etc/passwd) | ||
| const restPath = path.slice(studioPrefix.length); | ||
| if (restPath.includes('//') || restPath.includes('\\') || restPath.includes('..')) { | ||
| return res.redirect("http://localhost:3000/studio"); | ||
| } | ||
| // Safe to redirect to local dev server with valid studio path | ||
| res.redirect(`http://localhost:3000${studioPrefix}${restPath}`); | ||
| }); | ||
| } | ||
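Review bot: the comment "Remove querystring or hash if present" describes a step the code never performs, and because `req.originalUrl` includes the query string, the `//`, `\\` and `..` checks run over the query as well as the path, so an ordinary request such as `/studio/page?ref=../x` is bounced to the bare `/studio` with its query silently dropped. Split `originalUrl` at the first `?`, validate only the path part, and re-append the query when building the target; on rejection respond with a 400 instead of redirecting to `/studio`, which hides the failure from the caller and from logs. Minor: `path` is never reassigned, so `const path = req.originalUrl;` rather than `let`.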
Automated PR to deploy staging changes to production.
Commit 2279c00: Tidy up gateway code (#469)