| const { data } = await fetch( | ||
| "https://codesandbox.io/api/v1/sandboxes/" + sandboxId, | ||
| { | ||
| method: "GET", | ||
| headers: { | ||
| Authorization: `Bearer ${globalApiKey}`, | ||
| "Content-Type": "application/json", | ||
| }, | ||
| } | ||
| ).then((res) => res.json()); |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
Copilot Autofix
AI about 1 year ago
To fix the issue, we need to validate and sanitize the sandboxId parameter before using it in the URL. The best approach is to enforce a strict allow-list or pattern for valid sandboxId values. For example:
- Use a regular expression to ensure that `sandboxId` only contains valid characters (e.g., alphanumeric or UUID format).
- Reject or sanitize any input that does not conform to the expected format.
- Optionally, maintain an allow-list of known valid `sandboxId` values if applicable.
The changes will be made in the /api/sandboxes/:id endpoint to validate the sandboxId before constructing the URL.
| @@ -39,2 +39,10 @@ | ||
| const sandboxId = req.params.id; | ||
|
|
||
| // Validate sandboxId to ensure it is alphanumeric | ||
| const isValidSandboxId = /^[a-zA-Z0-9_-]+$/.test(sandboxId); | ||
| if (!isValidSandboxId) { | ||
| res.status(400).json({ error: "Invalid sandbox ID" }); | ||
| return; | ||
| } | ||
|
|
||
| const { data } = await fetch( |
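Review bot: the `/^[a-zA-Z0-9_-]+$/` check on `sandboxId` correctly excludes `/`, `.`, `?` and `#`, so the id can no longer change the path or append a query string, but it puts no bound on length; a quantifier such as `{1,64}` (or whatever the real id format allows) would also keep oversized ids out of the outgoing request. The unchanged `const { data } = await fetch(` line still builds the URL by string concatenation; constructing it with `new URL(encodeURIComponent(sandboxId), base)` and asserting the resulting origin would give a second line of defence that does not depend solely on the regex.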
| await fetch( | ||
| `https://codesandbox.io/api/v1/sandboxes/${sandboxId}/modules/${shortid}`, | ||
| { | ||
| method: "PUT", | ||
| headers: { | ||
| Authorization: `Bearer ${globalApiKey}`, | ||
| "Content-Type": "application/json", | ||
| }, | ||
| body: JSON.stringify({ module: { code: content } }), | ||
| } | ||
| ); |
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
Copilot Autofix
AI about 1 year ago
To fix the issue, we need to validate and sanitize the sandboxId parameter before using it in the URL. The best approach is to enforce a strict allow-list of acceptable sandboxId values or validate the format of sandboxId to ensure it adheres to expected patterns (e.g., alphanumeric strings of a specific length). This ensures that only valid and intended values are used in the outgoing request.
Steps to implement the fix:
- Define a validation function to check the format of `sandboxId`.
- Use this function to validate `req.params.id` before constructing the URL.
- If the validation fails, return an appropriate error response to the client.
| @@ -112,2 +112,8 @@ | ||
|
|
||
| // Validate sandboxId to ensure it adheres to a safe format | ||
| const isValidSandboxId = /^[a-zA-Z0-9_-]+$/.test(sandboxId); | ||
| if (!isValidSandboxId) { | ||
| return res.status(400).json({ error: "Invalid sandbox ID format" }); | ||
| } | ||
|
|
||
| // Implementation details to be handled by you |
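Review bot: this hunk validates only `sandboxId`, yet the flagged PUT builds its path from two request-derived segments, `${sandboxId}/modules/${shortid}`; `shortid` needs the same allow-list check or it remains a way to alter the request path. The hunk also has no context line showing where `sandboxId` is assigned at line 112, so confirm the check runs after the assignment and before the `fetch`. Two smaller points: the early-return style (`return res.status(400).json(...)`) differs from the first fix (`res.status(400).json(...); return;`), and the trailing `// Implementation details to be handled by you` placeholder should not be committed.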
No description provided.
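Both CodeQL alerts above flag the same pattern: a request-controlled id interpolated into the outgoing CodeSandbox API URL. As an added example (not code from the PR or from the Copilot autofix), one hardened URL builder that applies the autofix's character allow-list, bounds the length, percent-encodes each segment, resolves against a fixed base with `new URL`, and re-checks origin and path prefix; the function names, the 64-character limit and the validation of `shortid` are my assumptions.

```javascript
// Added example (not from the PR or the Copilot autofix): build the outgoing
// CodeSandbox API URL from request-controlled ids without letting them change
// the host, path prefix, query or fragment. Function and constant names here
// are assumptions chosen for illustration.
const CODESANDBOX_API = "https://codesandbox.io/api/v1/sandboxes/";
const EXPECTED_ORIGIN = "https://codesandbox.io";

// The autofix's character allow-list, with an explicit upper length bound
// (64 is an assumed limit; adjust to the real id format).
const SAFE_ID_RE = /^[a-zA-Z0-9_-]{1,64}$/;

function isSafeId(value) {
  return typeof value === "string" && SAFE_ID_RE.test(value);
}

// Resolves `relativePath` against the fixed API base and verifies that the
// result still points at the expected origin and path prefix with no query
// or fragment. Returns the URL string, or null if any check fails.
function resolveSandboxPath(relativePath) {
  const url = new URL(relativePath, CODESANDBOX_API);
  if (url.origin !== EXPECTED_ORIGIN ||
      !url.pathname.startsWith("/api/v1/sandboxes/") ||
      url.search !== "" || url.hash !== "") {
    return null;
  }
  return url.toString();
}

// GET /api/v1/sandboxes/:sandboxId (first alert).
function buildSandboxUrl(sandboxId) {
  if (!isSafeId(sandboxId)) return null;
  return resolveSandboxPath(encodeURIComponent(sandboxId));
}

// PUT /api/v1/sandboxes/:sandboxId/modules/:shortid (second alert). Both
// interpolated segments are validated, not only sandboxId.
function buildModuleUrl(sandboxId, shortid) {
  if (!isSafeId(sandboxId) || !isSafeId(shortid)) return null;
  return resolveSandboxPath(
    `${encodeURIComponent(sandboxId)}/modules/${encodeURIComponent(shortid)}`
  );
}
```

The caller then does `const url = buildSandboxUrl(req.params.id); if (url === null) return res.status(400).json({ error: "Invalid sandbox ID" });` before handing `url` to `fetch`.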