
[Production Deploy] Tidy up gateway code (#469) #470

Merged: barnaby merged 1 commit into production from main on Dec 17, 2025
Conversation

@github-actions (Contributor)

Automated PR to deploy staging changes to production.

Commit

2279c00

Changes

Tidy up gateway code (#469)

});
} else if (isDevelopment()) {
router.use("/studio", (req, res) => {
res.redirect(`http://localhost:3000${req.originalUrl}`);

Check warning: Code scanning / CodeQL, Server-side URL redirect (Medium). Untrusted URL redirection depends on a user-provided value.

Copilot Autofix (AI, 6 months ago)

The best way to fix this problem is to ensure that only local, trusted paths are appended to the redirect URL, and block or normalize any user input that could result in an external or unexpected redirect. Since the code is proxying requests to a local development server at localhost:3000, simply redirecting to the same path without allowing the user to control the host or scheme is ideal. We can ensure that req.originalUrl is always a path under /studio, and avoid redirecting to user-injected absolute URLs.

To implement this, parse and normalize req.originalUrl to extract only the path after /studio, and use it to construct the redirect. Alternatively, reject any requests where req.originalUrl contains suspicious elements (//, http, hosts, etc.), or always redirect to a canonical /studio path with a clean suffix.
Changes needed in apps/gateway/src/routers/studio.ts:

  • On line 37, parse req.originalUrl to only take the “rest” of the path after /studio, ensuring it does not contain any dangerous characters (like // or leading protocols), and append it to the local redirect URL.
  • Optionally, define a helper to sanitize/validate the path.
  • No new packages are required as Node.js provides URL handling (url or the global URL), but minimal string manipulation suffices here.

Suggested changeset 1
apps/gateway/src/routers/studio.ts

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/apps/gateway/src/routers/studio.ts b/apps/gateway/src/routers/studio.ts
--- a/apps/gateway/src/routers/studio.ts
+++ b/apps/gateway/src/routers/studio.ts
@@ -34,7 +34,21 @@
     });
   } else if (isDevelopment()) {
     router.use("/studio", (req, res) => {
-      res.redirect(`http://localhost:3000${req.originalUrl}`);
+      // Only proxy local paths under /studio to the dev server
+      const studioPrefix = '/studio';
+      let path = req.originalUrl;
+      // Remove querystring or hash if present (let's keep them in redirect, but only after sanitizing path)
+      // Ensure the path always starts with /studio
+      if (!path.startsWith(studioPrefix)) {
+        return res.redirect("http://localhost:3000/studio");
+      }
+      // Ensure no double-slash or attempts to escape (e.g. /studio//evil, or /studio/../../etc/passwd)
+      const restPath = path.slice(studioPrefix.length);
+      if (restPath.includes('//') || restPath.includes('\\') || restPath.includes('..')) {
+        return res.redirect("http://localhost:3000/studio");
+      }
+      // Safe to redirect to local dev server with valid studio path
+      res.redirect(`http://localhost:3000${studioPrefix}${restPath}`);
     });
   }
 
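Review bot: the `includes('//')`, `includes('\\')` and `includes('..')` checks on the `restPath` line run on the raw, still percent-encoded `req.originalUrl` with its query string attached, so `%2e%2e` and `%2F` spellings pass through untouched while a legitimate query value containing `..` sends the user to the bare `/studio` fallback; parse the request-target instead (`new URL(req.originalUrl, 'http://localhost:3000')`), check that `pathname`, which the parser has already dot-segment-normalised, is `/studio` or starts with `/studio/`, and rebuild the redirect from the fixed origin plus that pathname and `search`. The `path.startsWith(studioPrefix)` check also assumes the router is mounted at `/`: `req.originalUrl` includes any mount prefix, so under a prefixed mount every request would take the fallback branch. The comment `// Remove querystring or hash if present (let's keep them in redirect, but only after sanitizing path)` describes a step the code never performs and should go, and `let path` is never reassigned, so `const`. Note that the scheme and host are hard-coded in both the removed and the added redirect line, so the request could not steer the redirect to another host before this change either; the patch narrows which path is forwarded rather than closing an off-site redirect.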
EOF

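A hardened form of the `/studio` development redirect, as an added example that is not code from the PR, the autofix or the project: it parses `req.originalUrl` with the WHATWG `URL` class against the fixed dev-server origin, refuses anything that resolves to another origin or outside `/studio` (the parser has already collapsed `..` and `%2e%2e` segments), refuses percent-encoded separators that a downstream server would decode into `/` or `\`, and rebuilds the target from the constant origin plus the validated path and query. `DEV_SERVER`, `STUDIO_PREFIX`, `buildStudioRedirect`, `studioDevRedirect` and the minimal `Req`/`Res` types are assumptions for illustration, not names from the repository.

```typescript
// Added example, not the project's code. DEV_SERVER, STUDIO_PREFIX and the
// function and type names below are assumed for illustration.

const DEV_SERVER = "http://localhost:3000"; // fixed scheme and host; never read from the request
const STUDIO_PREFIX = "/studio";

/**
 * Compute the dev-server redirect target for a request whose request-target
 * (Express `req.originalUrl`) is `originalUrl`. Returns null when the request
 * must not be redirected at all.
 */
function buildStudioRedirect(originalUrl: string): string | null {
  const base = new URL(DEV_SERVER);
  let target: URL;
  try {
    target = new URL(originalUrl, base); // a relative path resolves under base
  } catch {
    return null; // unparseable request-target
  }

  // An absolute ("http://evil.example/...") or protocol-relative
  // ("//evil.example/...") request-target resolves to another origin. Refuse
  // it instead of emitting a redirect that leaves localhost.
  if (target.origin !== base.origin) return null;

  // The URL parser has already removed "." and ".." segments, including their
  // %2e-encoded spellings, so a traversal attempt shows up as a pathname that
  // has left the prefix.
  const path = target.pathname;
  if (path !== STUDIO_PREFIX && !path.startsWith(STUDIO_PREFIX + "/")) return null;

  // Percent-encoded separators survive parsing ("/studio/a%2Fb"). Decode each
  // segment and refuse anything a downstream server would turn into an extra
  // "/" or "\"; malformed percent-encoding is refused as well.
  for (const segment of path.split("/")) {
    let decoded: string;
    try {
      decoded = decodeURIComponent(segment);
    } catch {
      return null;
    }
    if (decoded.includes("/") || decoded.includes("\\")) return null;
  }

  // Keep the query string (dev-server state lives there); a fragment is never
  // sent to servers and is dropped.
  return `${base.origin}${path}${target.search}`;
}

// Minimal request/response shapes so this compiles without @types/express.
type Req = { originalUrl: string };
type Res = {
  redirect: (url: string) => void;
  status: (code: number) => { end: () => void };
};

// Express-style handler for `router.use("/studio", studioDevRedirect)`.
function studioDevRedirect(req: Req, res: Res): void {
  const target = buildStudioRedirect(req.originalUrl);
  if (target === null) {
    res.status(400).end(); // refuse rather than fall back to a guessed path
    return;
  }
  res.redirect(target);
}
```

Returning null and answering 400 is deliberate: silently redirecting a rejected request to `/studio` hides probing in development logs, whereas a refusal is visible and cannot be mistaken for a working route.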
@vercel
vercel Bot commented Dec 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project              Deployment   Review             Updated (UTC)
director-storybook   Ready        Preview, Comment   Dec 17, 2025 0:36am

@barnaby barnaby merged commit 57b07e8 into production Dec 17, 2025
20 checks passed


2 participants