Skip to content

fix: SSRF vulnerability and error handling bugs in wakatime and stats fetchers#4860

Draft
joaopedroplinta wants to merge 1 commit intoanuraghazra:masterfrom
joaopedroplinta:fix/ssrf-and-error-handling-4859
Draft

fix: SSRF vulnerability and error handling bugs in wakatime and stats fetchers#4860
joaopedroplinta wants to merge 1 commit intoanuraghazra:masterfrom
joaopedroplinta:fix/ssrf-and-error-handling-4859

Conversation

@joaopedroplinta
Copy link
Copy Markdown

@joaopedroplinta joaopedroplinta commented Apr 6, 2026

Summary

  • Validate api_domain against an allowlist (wakatime.com, wakapi.dev) in fetchWakatimeStats to prevent SSRF via user-controlled domain injection (fix: SSRF vulnerability and error handling bugs in wakatime and stats fetchers #4859)
  • Use optional chaining (err.response?.status) in wakatime.js to avoid TypeError when err.response is undefined on network errors (timeout, DNS failure)
  • Rethrow original error in totalCommitsFetcher (stats.js) instead of wrapping with new Error(err), preserving the original stack trace
  • Add secondary error message for WAKATIME_ERROR in error.js
  • Fix floating-point precision in calculateRank test (pre-existing failure on upstream master)

Relates to #4859

Test plan

  • All 27 test suites pass (242 tests)
  • fetchWakatime.test.js — existing tests cover the user-not-found path
  • fetchStats.test.js — existing tests cover the totalCommitsFetcher error path
  • calculateRank.test.js — precision fix confirmed passing

@joaopedroplinta
fix: SSRF vulnerability and error handling bugs in wakatime and stats…
f261d4d 
… fetchers

- Validate api_domain against an allowlist (wakatime.com, wakapi.dev) in
  fetchWakatimeStats to prevent SSRF via user-controlled domain injection
- Use optional chaining (err.response?.status) to avoid TypeError when
  err.response is undefined on network errors (timeout, DNS failure)
- Rethrow original error in totalCommitsFetcher instead of wrapping with
  new Error(err), preserving the original stack trace
- Add secondary error message for WAKATIME_ERROR in error.js
- Fix floating-point precision in calculateRank test (pre-existing failure)
@vercel
Copy link
Copy Markdown

vercel Bot commented Apr 6, 2026

@joaopedroplinta is attempting to deploy a commit to the github readme stats Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added stats-card Feature, Enhancement, Fixes related to stats the stats card. wakatime-card Issues related to the wakatime card. labels Apr 6, 2026
@joaopedroplinta joaopedroplinta mentioned this pull request Apr 6, 2026
Open
@joaopedroplinta joaopedroplinta marked this pull request as draft April 6, 2026 16:58
@joaopedroplinta joaopedroplinta marked this pull request as ready for review April 6, 2026 16:58
@joaopedroplinta joaopedroplinta marked this pull request as draft April 6, 2026 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

stats-card Feature, Enhancement, Fixes related to stats the stats card. wakatime-card Issues related to the wakatime card.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joaopedroplinta