
[pull] main from hoppscotch:main#65

Merged
pull[bot] merged 31 commits into
Uncodedtech:mainfrom
hoppscotch:main
May 28, 2025

Conversation


@pull pull Bot commented May 28, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

anwarulislam and others added 30 commits May 2, 2025 20:52
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
Co-authored-by: Anwarul Islam <anwaarulislaam@gmail.com>
…factoring (#5061)

* chore: prettier formatting applied

* chore: added some lint fixed

* fix: few lint errors

* chore: prisma and pubsub are now global module

* chore: add encapsulation consistency in service files

* chore: made a cast function private

* chore: cast function made private

* refactor: module imports

* refactor: posthog spelling
…ments (#4430)

Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
Co-authored-by: mirarifhasan <arif.ishan05@gmail.com>
chore: removed unused CollType GQL enum
…le messages (#5072)

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
…on (#5067)

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
…5090)

Co-authored-by: curiouscorrelation <curiouscorrelation@gmail.com>
)

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
…#5081)

Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
To be revisited after addressing security implications.
Co-authored-by: jamesgeorge007 <25279263+jamesgeorge007@users.noreply.github.com>
- Flexible assertions avoiding flakiness.
- Update test fixtures conforming to the schema.
@pull pull Bot added the ⤵️ pull label May 28, 2025
@pull pull Bot merged commit 052dc17 into Uncodedtech:main May 28, 2025

self.addEventListener(
"message",
async (event: MessageEvent<IncomingSandboxWorkerMessage>) => {

Check warning

Code scanning / CodeQL

Missing origin verification in `postMessage` handler Medium

Postmessage handler has no origin check.

Copilot Autofix

AI about 1 year ago

To fix the issue, we need to verify the origin of the incoming message in the postMessage handler. This involves checking the event.origin property against a list of trusted origins before processing the message. If the origin is not trusted, the handler should ignore the message.

The fix involves:

  1. Defining a list of trusted origins (e.g., const TRUSTED_ORIGINS = ['https://www.example.com'];).
  2. Adding a conditional check at the start of the message event listener to ensure the event.origin matches one of the trusted origins.
  3. Ignoring messages from untrusted origins by returning early from the handler.

Suggested changeset 1
packages/hoppscotch-common/src/helpers/workers/sandbox.worker.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/hoppscotch-common/src/helpers/workers/sandbox.worker.ts b/packages/hoppscotch-common/src/helpers/workers/sandbox.worker.ts
--- a/packages/hoppscotch-common/src/helpers/workers/sandbox.worker.ts
+++ b/packages/hoppscotch-common/src/helpers/workers/sandbox.worker.ts
@@ -59,2 +59,4 @@
 
+const TRUSTED_ORIGINS = ['https://www.example.com'];
+
 self.addEventListener(
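Review bot: `TRUSTED_ORIGINS` is seeded with the placeholder `'https://www.example.com'`, so as written it matches nothing a real deployment sends; if an allowlist is kept at all it needs the application's actual origin(s), and since this is a worker file (sandbox.worker.ts) a comment explaining why cross-origin traffic would ever be expected here, because a dedicated worker is only ever messaged by the document that created it.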
@@ -62,2 +64,6 @@
   async (event: MessageEvent<IncomingSandboxWorkerMessage>) => {
+    if (!TRUSTED_ORIGINS.includes(event.origin)) {
+      return; // Ignore messages from untrusted origins
+    }
+
     const { type, script, envs } = event.data
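Review bot: the early return on `!TRUSTED_ORIGINS.includes(event.origin)` drops every legitimate message, not only untrusted ones: this handler runs inside a dedicated Web Worker, where a MessageEvent delivered by the parent's `worker.postMessage()` has `event.origin === ""`, which can never be in the list. Because a dedicated worker can only receive from the document that spawned it (or a MessagePort that document handed over), the CodeQL finding is better dismissed as not applicable to worker scope than patched with an origin gate; the hardening that does pay off at this point is validating the shape of `event.data` before `const { type, script, envs } = event.data` is acted on (that `type` is a known value and `script` and `envs` have the expected types).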
EOF
Unable to commit as this autofix suggestion is now outdated
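Added here as an illustration, not code from the Hoppscotch repository or from the autofix: a page-side `message` handler gated on an origin allowlist beside a worker-side handler that authorises by message shape, with constructed sample events showing that the autofix's origin gate rejects the empty origin a dedicated worker actually sees. The origin value, the message type and everything other than the `type`, `script` and `envs` field names are assumptions.

```javascript
// Added example, not Hoppscotch code: where an origin allowlist belongs and why the
// suggested worker-side check misfires. A dedicated worker only receives messages from
// the document that created it, and on those events event.origin is the empty string.

// Constructed allowlist; a real deployment lists its own application origin(s).
const TRUSTED_ORIGINS = new Set(["https://app.example.test"]);

// Constructed message types (assumption, not the project's real set).
const ALLOWED_TYPES = new Set(["run-script"]);

// Worker side: origin carries no information here, so authorise by message shape.
function handleWorkerMessage(event) {
  const data = event.data;
  if (data === null || typeof data !== "object") {
    return { accepted: false, reason: "malformed payload" };
  }
  const { type, script, envs } = data;
  if (!ALLOWED_TYPES.has(type)) return { accepted: false, reason: "unknown type" };
  if (typeof script !== "string") return { accepted: false, reason: "script not a string" };
  if (envs === null || typeof envs !== "object") return { accepted: false, reason: "envs not an object" };
  return { accepted: true, type };
}

// Page side: messages from other windows or iframes carry a real origin, so gate on it first.
function handleWindowMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  return handleWorkerMessage(event);
}

// Mirrors the autofix's gate so its effect on a worker-delivered event can be observed.
function autofixGateAccepts(event) {
  return TRUSTED_ORIGINS.has(event.origin);
}

// Constructed sample events (plain objects standing in for MessageEvent).
const fromParentPage = {
  origin: "", // what a dedicated worker sees for worker.postMessage() from its creator
  data: { type: "run-script", script: "1 + 1", envs: {} },
};
const fromOtherWindow = {
  origin: "https://other.example.test",
  data: { type: "run-script", script: "1 + 1", envs: {} },
};
```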
