Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(application-generic): Modernize app generic #7424

Draft
wants to merge 3 commits into
base: next
Choose a base branch
from
Draft

chore(application-generic): Modernize app generic #7424

wants to merge 3 commits into from

Conversation

SokratisVidros
Copy link
Contributor

What changed? Why was the change needed?

Screenshots

Expand for optional sections

Related enterprise PR

Special notes for your reviewer

@SokratisVidros
fix(application-generic): Bump got
2f4dba2 
Update Got to its latest version to get all fixes and use its timing reporting so as to investigate timeouts with Bridge endpoints
@SokratisVidros
refactor(application-generic): Modernize it
0baf2e1 
- Convert it to ESM module
- Replace jest with vitest
- Restore all failing unit tests
@SokratisVidros
fixup! refactor(application-generic): Modernize it
f1a3ce8
@SokratisVidros SokratisVidros self-assigned this Jan 3, 2025
@netlify Netlify
Copy link

netlify bot commented Jan 3, 2025
edited
Loading

Deploy Preview for dev-web-novu ready!

Name Link
🔨 Latest commit f1a3ce8
🔍 Latest deploy log https://app.netlify.com/sites/dev-web-novu/deploys/6777ef9530435300086d8409
😎 Deploy Preview https://deploy-preview-7424.dashboard.novu-staging.co
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@netlify Netlify
Copy link

netlify bot commented Jan 3, 2025
edited
Loading

Deploy Preview for dashboard-v2-novu-staging ready!

Name Link
🔨 Latest commit f1a3ce8
🔍 Latest deploy log https://app.netlify.com/sites/dashboard-v2-novu-staging/deploys/6777ef95ca061e0008624d3c
😎 Deploy Preview https://deploy-preview-7424.dashboard-v2.novu-staging.co
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

github-advanced-security[bot]
github-advanced-security bot found potential problems Jan 3, 2025
View reviewed changes
libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
Comment on lines +186 to +189
const res = await request(url, {
...options,
headers,
}).json();
});

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.
The
URL
Loading
of this request depends on a
user-provided value
Loading
.

Copilot Autofix AI 19 days ago

To fix the SSRF vulnerability, we need to ensure that the bridgeUrl is validated against a whitelist of allowed URLs or domains. This can be done by checking if the bridgeUrl matches a predefined set of allowed URLs or domains before using it in the HTTP request.

  1. Introduce a whitelist of allowed URLs or domains.
  2. Validate the bridgeUrl against this whitelist.
  3. If the bridgeUrl is not in the whitelist, throw an error.
Suggested changeset 1
libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts b/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
--- a/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
+++ b/libs/application-generic/src/usecases/execute-bridge-request/execute-bridge-request.usecase.ts
@@ -124,3 +124,3 @@
       command.workflowOrigin,
-      command.statelessBridgeUrl,
+      this.validateBridgeUrl(command.statelessBridgeUrl),
       command.action,
@@ -494,2 +494,17 @@
   }
+  private validateBridgeUrl(url: string): string {
+    const allowedUrls = [
+      'https://allowed-domain1.com',
+      'https://allowed-domain2.com',
+      // Add more allowed URLs or domains here
+    ];
+
+    const isValid = allowedUrls.some(allowedUrl => url.startsWith(allowedUrl));
+
+    if (!isValid) {
+      throw new BadRequestException('Invalid bridge URL');
+    }
+
+    return url;
+  }
 }
EOF
@@ -124,3 +124,3 @@
command.workflowOrigin,
command.statelessBridgeUrl,
this.validateBridgeUrl(command.statelessBridgeUrl),
command.action,
@@ -494,2 +494,17 @@
}
private validateBridgeUrl(url: string): string {
const allowedUrls = [
'https://allowed-domain1.com',
'https://allowed-domain2.com',
// Add more allowed URLs or domains here
];

const isValid = allowedUrls.some(allowedUrl => url.startsWith(allowedUrl));

if (!isValid) {
throw new BadRequestException('Invalid bridge URL');
}

return url;
}
}
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@SokratisVidros SokratisVidros changed the title Modernize app generic chore(application-generic): Modernize app generic Jan 3, 2025
@SokratisVidros SokratisVidros mentioned this pull request Jan 13, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@SokratisVidros SokratisVidros

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@SokratisVidros