
feat: documents & fixes#384

Merged
potts99 merged 8 commits into main from feat/documents on Oct 31, 2024

Conversation

@potts99
Copy link
Collaborator

@potts99 potts99 commented Oct 31, 2024

No description provided.

@vercel
Copy link

vercel bot commented Oct 31, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

2 Skipped Deployments
Name Status Preview Updated (UTC)
docs ⬜️ Skipped (Inspect) Oct 31, 2024 0:54am
peppermint ⬜️ Skipped (Inspect) Oct 31, 2024 0:54am

@potts99 potts99 merged commit 469062e into main Oct 31, 2024
@potts99 potts99 deleted the feat/documents branch October 31, 2024 00:54
Comment on lines +95 to +100

  await fetch(`/api/v1/documents/${router.query.id}`, {
    method: "DELETE",
    headers: {
      Authorization: `Bearer ${token}`,
    },
  })

Check failure

Code scanning / CodeQL

Server-side request forgery

The URL of this request depends on a user-provided value.

Copilot Autofix

AI over 1 year ago

To fix the SSRF vulnerability, we need to ensure that the user input used in the URL is validated against a whitelist of allowed values. This will prevent an attacker from manipulating the URL to target unintended endpoints.

  1. General Fix Approach:
    • Validate the id parameter against a list of allowed values or a specific pattern.
    • Reject or sanitize any input that does not match the expected format.
  2. Detailed Fix:
    • Create a function to validate the id parameter.
    • Use this function to check the id before using it in the fetch request.
  3. Specific Changes:
    • Add a validation function to check the id parameter.
    • Modify the deleteNotebook function to use this validation function before making the fetch request.
Suggested changeset 1
apps/client/components/NotebookEditor/index.tsx

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/client/components/NotebookEditor/index.tsx b/apps/client/components/NotebookEditor/index.tsx
--- a/apps/client/components/NotebookEditor/index.tsx
+++ b/apps/client/components/NotebookEditor/index.tsx
@@ -92,5 +92,14 @@
 
+  function validateId(id) {
+    const idPattern = /^[a-zA-Z0-9_-]+$/; // Adjust the pattern as needed
+    return idPattern.test(id);
+  }
+
   async function deleteNotebook(id) {
+    if (!validateId(id)) {
+      alert("Invalid notebook ID.");
+      return;
+    }
     if (window.confirm("Do you really want to delete this notebook?")) {
-      await fetch(`/api/v1/documents/${router.query.id}`, {
+      await fetch(`/api/v1/documents/${id}`, {
         method: "DELETE",
EOF
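Review bot: `validateId` still lets an undefined id through, because `RegExp.prototype.test` coerces its argument to a string and `"undefined"` matches `/^[a-zA-Z0-9_-]+$/`, so a render that runs before `router.query` is populated would issue `DELETE /api/v1/documents/undefined`. Guard on type before matching, e.g. `return typeof id === "string" && idPattern.test(id);`, and settle the `// Adjust the pattern as needed` comment instead of merging it as-is. The hunk also switches the URL from `router.query.id` to the `id` parameter of `deleteNotebook`, so confirm the call site (not in this hunk) passes the same value. Since this is browser-side code (`window.confirm`, `router.query`, `apps/client`) sending a relative same-origin request, the check only keeps the path segment well-formed; the decision whether this user may delete that document still has to be enforced in the server-side handler for the DELETE route.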
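An added example, not code from this PR, contrasting the autofix's validator with a type-aware one and building the DELETE URL only from a checked id. It assumes the Next.js behaviour that `router.query.id` may be a string, an array of strings or undefined; the sample inputs are constructed.

```javascript
// Added example, not code from this PR: the autofix's validateId check
// beside a type-aware version, plus URL construction from the checked id.
// Assumption: as in Next.js, router.query.id may be string, string[] or
// undefined. RegExp.prototype.test() coerces its argument to a string, so
// the autofix's bare regex check accepts undefined ("undefined" matches).
const ID_PATTERN = /^[a-zA-Z0-9_-]+$/; // pattern from the autofix patch

// The check exactly as the autofix patch writes it.
function validateIdAutofix(id) {
  return ID_PATTERN.test(id);
}

// Hardened check: only a real string may reach the pattern test.
function validateId(id) {
  return typeof id === "string" && ID_PATTERN.test(id);
}

// Build the DELETE target from a validated id. encodeURIComponent keeps
// the id a single path segment even if the pattern is later loosened.
// Returns null when the id is rejected, so the caller can skip the fetch.
function buildDeleteUrl(id) {
  if (!validateId(id)) return null;
  return `/api/v1/documents/${encodeURIComponent(id)}`;
}

// Constructed sample values mirroring what router.query.id can hold.
const SAMPLES = {
  normal: "cm2abc123",
  missing: undefined,          // route rendered before the query is ready
  repeated: ["a", "b"],        // ?id=a&id=b
  traversal: "../tickets/7",   // tries to reach a sibling API route
  query: "7?force=true",       // tries to append a query string
};

// Run every sample through both validators and the URL builder.
function compareValidators(samples = SAMPLES) {
  const out = {};
  for (const [name, id] of Object.entries(samples)) {
    out[name] = {
      autofix: validateIdAutofix(id),
      hardened: validateId(id),
      url: buildDeleteUrl(id),
    };
  }
  return out;
}
```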
