Potential fix for code scanning alert no. 44: Server-side request forgery#3524
Draft
BorghildSelle wants to merge 1 commit intomainfrom
Draft
Potential fix for code scanning alert no. 44: Server-side request forgery#3524BorghildSelle wants to merge 1 commit intomainfrom
BorghildSelle wants to merge 1 commit intomainfrom
Conversation
…gery Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Potential fix for https://github.com/equinor/energyvision/security/code-scanning/44
In general, to fix SSRF risks where user input influences an outgoing request URL, you must (1) ensure the hostname and protocol are not user-controlled, and (2) strictly validate or normalize any user-controlled path components against an allowlist or whitelist of expected patterns before using them in the URL. Any disallowed value should cause the request to be aborted or return
notFound.For this specific code, the host is already fixed via
publicRuntimeConfig.archiveStorageURL, so the remaining work is to constrainpagePathbefore it is passed tofetchArchiveData. The project already has an allowlist of valid archived slugs inarchivedNews. The safest and least intrusive change is:safePagePathfrom thearchivedNewsdata instead of directly fromparams.pagePaththat:..segments).a-zA-Z0-9/-), preventing things like%2e%2eand other encodings.safePagePathconsistently everywherepagePathis used for fetching, including ingetStaticProps,fetchArchiveData, andfallbackToAnotherLanguage.Concretely:
getStaticProps, after computingpagePathArrayandpagePath, add a validation step:pagePathcontains".."or disallowed characters, immediately return{ notFound: true }.archivedNewsand derive the canonical path from that slug:canonicalPagePath = archivedItem.slug.replace(/^\/news\/archive\//, '').canonicalPagePath(not the rawpagePath) for all subsequent calls tofetchArchiveDataandfallbackToAnotherLanguage, and when settingnews.slugand redirect destinations.const response = await fetchArchiveData(pagePathArray, canonicalPagePath, locale)if (response.status === 404) return fallbackToAnotherLanguage(pagePathArray, canonicalPagePath, locale)fallbackToAnotherLanguage’s redirect to use the validatedpagePathargument (which is now canonical) – that’s already the case, so no internal change needed there.fetchArchiveData’s existingif (pagePath.includes('.')) return Promise.reject()as an extra safeguard; it now also receives only a validated string.This preserves existing functionality (paths that match archived slugs still work and are mapped to the same JSON files) while removing the dependence of the fetch URL path on raw user input.
Suggested fixes powered by Copilot Autofix. Review carefully before merging.