Short-ciruit string rendering if require invocation is detected (#8358)

* Short-ciruit string rendering if require invocation is detected [SEC-1323] [INS-4963] * add sentry exception --------- Co-authored-by: jackkav <jackkav@gmail.com>
Kong · Feb 12, 2025 · dd9453f · dd9453f
1 parent 700f2b0
commit dd9453f
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/packages/insomnia/src/common/render.ts b/packages/insomnia/src/common/render.ts
@@ -1,3 +1,4 @@
+import * as Sentry from '@sentry/electron/renderer';
 import clone from 'clone';
 import orderedJSON from 'json-order';
 
@@ -291,6 +292,13 @@ export async function render<T>(
     ) {
       // Do nothing to these types
     } else if (typeof x === 'string') {
+      // Detect if the string contains a require statement
+      if (/require\s*\(/ig.test(x)) {
+        console.warn('Short-circuiting `render`; string contains possible "require" invocation:', x);
+        Sentry.captureException(new Error(`Short-circuiting 'render'; string contains possible "require" invocation: ${x}`));
+        return x;
+      }
+
       try {
         // @ts-expect-error -- TSCONVERSION
         x = await templating.render(x, { context, path, ignoreUndefinedEnvVariable });