fix: add security validations - WebSocket URL protocol checks, localStorage JSON sanitization, fetch URL validation

Copilot · hotlong · Copilot · commit 7e920c0db73e · 2026-02-12T03:46:06.000Z
Co-authored-by: hotlong &lt;50353452+hotlong@users.noreply.github.com&gt;
diff --git a/apps/console/src/components/AppSidebar.tsx b/apps/console/src/components/AppSidebar.tsx
@@ -65,7 +65,17 @@ function useNavOrder(appName: string) {
   const [orderMap, setOrderMap] = React.useState<Record<string, string[]>>(() => {
     try {
       const raw = localStorage.getItem(storageKey);
-      return raw ? JSON.parse(raw) : {};
+      if (!raw) return {};
+      const parsed: unknown = JSON.parse(raw);
+      // Validate shape: must be a plain object with string[] values
+      if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) return {};
+      const result: Record<string, string[]> = {};
+      for (const [k, v] of Object.entries(parsed as Record<string, unknown>)) {
+        if (Array.isArray(v) && v.every((i: unknown) => typeof i === 'string')) {
+          result[k] = v as string[];
+        }
+      }
+      return result;
     } catch {
       return {};
     }
diff --git a/packages/collaboration/src/useRealtimeSubscription.ts b/packages/collaboration/src/useRealtimeSubscription.ts
@@ -118,6 +118,20 @@ export function useRealtimeSubscription<T = unknown>(config: RealtimeConfig): Re
       return;
     }
 
+    // Validate WebSocket URL protocol (only ws: or wss: allowed)
+    try {
+      const parsed = new URL(url);
+      if (parsed.protocol !== 'ws:' && parsed.protocol !== 'wss:') {
+        setError(new Error('WebSocket URL must use ws: or wss: protocol'));
+        setConnectionState('error');
+        return;
+      }
+    } catch {
+      setError(new Error('Invalid WebSocket URL'));
+      setConnectionState('error');
+      return;
+    }
+
     // Close existing connection
     if (wsRef.current) {
       intentionalCloseRef.current = true;
diff --git a/packages/plugin-designer/src/CollaborationProvider.tsx b/packages/plugin-designer/src/CollaborationProvider.tsx
@@ -70,7 +70,14 @@ export function CollaborationProvider({
     if (!canUseWS) return;
 
     function connect() {
-      const url = new URL(config.serverUrl!);
+      // Validate WebSocket URL protocol (only ws: or wss: allowed)
+      let url: URL;
+      try {
+        url = new URL(config.serverUrl!);
+        if (url.protocol !== 'ws:' && url.protocol !== 'wss:') return;
+      } catch {
+        return;
+      }
       if (config.roomId) url.searchParams.set('room', config.roomId);
       url.searchParams.set('userId', user!.id);
 
diff --git a/packages/react/src/hooks/useETagCache.ts b/packages/react/src/hooks/useETagCache.ts
@@ -287,6 +287,19 @@ export function useETagCache(userConfig: ETagCacheConfig = {}): ETagCacheResult
       url: string,
       options?: RequestInit,
     ): Promise<{ data: T; fromCache: boolean; etag?: string }> => {
+      // Validate URL: only allow http(s) or relative URLs
+      if (url.includes('://')) {
+        try {
+          const parsed = new URL(url);
+          if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+            throw new Error(`Unsupported URL protocol: ${parsed.protocol}`);
+          }
+        } catch (e) {
+          if (e instanceof Error && e.message.startsWith('Unsupported')) throw e;
+          throw new Error('Invalid URL');
+        }
+      }
+
       if (!configRef.current.enabled) {
         const res = await fetch(url, options);
         const data = (await res.json()) as T;
