Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(application-generic): Bump got #7399

Closed
wants to merge 1 commit into from
Closed

fix(application-generic): Bump got #7399

wants to merge 1 commit into from

Conversation

SokratisVidros
Copy link
Contributor

What changed? Why was the change needed?

Update Got to its latest version to get all fixes and use its timing reporting so as to investigate timeouts with Bridge endpoints

@SokratisVidros SokratisVidros self-assigned this Dec 27, 2024
@SokratisVidros SokratisVidros marked this pull request as draft December 27, 2024 14:37
@netlify Netlify
Copy link

netlify bot commented Dec 27, 2024
edited
Loading

Deploy Preview for dev-web-novu ready!

Name Link
🔨 Latest commit c2feabd
🔍 Latest deploy log https://app.netlify.com/sites/dev-web-novu/deploys/6772645c31b77d0008499869
😎 Deploy Preview https://deploy-preview-7399.dashboard.novu-staging.co
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@netlify Netlify
Copy link

netlify bot commented Dec 27, 2024
edited
Loading

Deploy Preview for dashboard-v2-novu-staging ready!

Name Link
🔨 Latest commit c2feabd
🔍 Latest deploy log https://app.netlify.com/sites/dashboard-v2-novu-staging/deploys/6772645c89bcbb0008dd60a9
😎 Deploy Preview https://deploy-preview-7399.dashboard-v2.novu-staging.co
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 27, 2024
View reviewed changes
libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
Comment on lines +186 to +189
const res = await request(url, {
...options,
headers,
}).json();
});

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI 29 days ago

To fix the SSRF vulnerability, we need to ensure that the bridgeUrl is validated against a whitelist of allowed URLs or domains. This can be done by implementing a validation function that checks if the bridgeUrl matches any of the allowed patterns before using it to construct the final URL for the request.

  1. Implement a validation function that checks if the bridgeUrl is in a list of allowed URLs or matches a specific pattern.
  2. Use this validation function in the execute method of ExecuteBridgeRequest to validate command.statelessBridgeUrl before constructing the bridgeUrl.
  3. If the URL is not valid, throw an appropriate exception.
Suggested changeset 1
libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts b/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
--- a/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
+++ b/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
@@ -120,2 +120,6 @@
 
+    if (!this.isValidBridgeUrl(command.statelessBridgeUrl)) {
+      throw new BadRequestException('Invalid bridge URL');
+    }
+
     const bridgeUrl = this.getBridgeUrl(
@@ -494,2 +498,11 @@
   }
+  private isValidBridgeUrl(url: string): boolean {
+    const allowedUrls = [
+      'https://allowed-domain1.com',
+      'https://allowed-domain2.com',
+      // Add more allowed URLs or patterns here
+    ];
+
+    return allowedUrls.some((allowedUrl) => url.startsWith(allowedUrl));
+  }
 }
EOF
@@ -120,2 +120,6 @@

if (!this.isValidBridgeUrl(command.statelessBridgeUrl)) {
throw new BadRequestException('Invalid bridge URL');
}

const bridgeUrl = this.getBridgeUrl(
@@ -494,2 +498,11 @@
}
private isValidBridgeUrl(url: string): boolean {
const allowedUrls = [
'https://allowed-domain1.com',
'https://allowed-domain2.com',
// Add more allowed URLs or patterns here
];

return allowedUrls.some((allowedUrl) => url.startsWith(allowedUrl));
}
}
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@SokratisVidros
fix(application-generic): Bump got
c2feabd 
Update Got to its latest version to get all fixes and use its timing reporting so as to investigate timeouts with Bridge endpoints
@pkg-pr-new pkg.pr.new
Copy link

pkg-pr-new bot commented Dec 30, 2024

Open in Stackblitz

npm i https://pkg.pr.new/novuhq/novu/@novu/client@7399

npm i https://pkg.pr.new/novuhq/novu/@novu/headless@7399

npm i https://pkg.pr.new/novuhq/novu/@novu/notification-center@7399

commit: c2feabd

@SokratisVidros
Copy link
Contributor Author

Got will be bumped as part of the #7424

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scopsy scopsy Awaiting requested review from scopsy

@djabarovgeorge djabarovgeorge Awaiting requested review from djabarovgeorge

Assignees

@SokratisVidros SokratisVidros

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@SokratisVidros