Conversation
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: obtuse-triangle <me@obtuse.kr>
…때-손이-잘림 [I25-340] feat: do not display students who have no project
…rage-issue [I25-350] chore: Add Docker builder cache pruning to Jenkinsfile clea…
…ude competition names - Added competition_name field to profileConfig and updated input configuration. - Refactored getOrCreateCompetitionIds to accept competition names instead of prizes. - Modified updateProfileCompetitions to handle competitions as objects containing competition_name and prize. - Enhanced data processing for profile_competitions to ensure valid entries are maintained.
…sionSync and middleware.server - Refactored error type assertion to use a more specific type for better type safety. - Removed unused function imports and streamlined profile fetching in HeaderDropdown. - Optimized textarea height adjustment in SingleInput using useCallback. - Cleaned up unused imports in sortProjects.
…두번-연속-보임 (i25 338) feat/a particular award history is shown twice in a row
Signed-off-by: obtuse-triangle <me@obtuse.kr>
…se-query I25-345 refactor supabase query
… into I25-349-fix-remote-image
I25-349 fix remote image
… using external URL and others using internal URL.
…efine required field checks for array types.
…번-관련-테이블-쿼리 [I25-337] feat: add debounce and fix the delay
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: obtuse-triangle <me@obtuse.kr>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
…onError [I25-333]-fix/TeamExceptionError PR
[I25-394] fix: fix topLabelText error
[I25-394] feat: open links in the viewer in a new window
…owner fix: allow team owners to add projects as well
…eFormConfigData to include string in initialValues and onSubmit data types
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
…ofileEditModal to include string
…-만들기 I25 405 show a temporary placeholder photo while a photo is uploading
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: LEE JEONGHYEOK <157395300+GAMZAMANDU@users.noreply.github.com>
…or better performance
…ion and refactor DropdownInput component
…t by filtering new items and improving shuffle logic
I25-412-명함을-넘기는-손-성능-개선
```ts
const response = await fetch(url, {
  headers: {
    "User-Agent":
      "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
  },
})
```
Check failure: Code scanning / CodeQL
Server-side request forgery (Critical)
Copilot Autofix (AI, 2 months ago)
To remediate this SSRF vulnerability without breaking intended functionality, the best practice is to allow outgoing requests only to a fixed set of approved hostnames and protocols. Rather than fetching any arbitrary user-provided URL, we should allow requests only to those URLs whose hostnames are included in a predefined allow-list. This can be implemented by parsing the URL parameter, comparing its hostname and protocol (e.g., must be https/http), and returning an error if the hostname is not in the allow-list or the protocol is unsafe.
The affected code is found in src/app/api/og-fetch/route.ts, specifically at the assignment to url and the fetch(url, ...) call. We need to:
- Define an allow-list of permitted hostnames.
- Parse the provided `url` parameter safely using the WHATWG URL constructor.
- Reject the request early with a clear 400 error if:
  - The URL is not valid.
  - The protocol is not "http:" or "https:".
  - The hostname does not match the allow-list.
- Only invoke `fetch` if these conditions are met.
No new external packages are strictly necessary: the standard library's URL module suffices for parsing and validation.
| @@ -5,12 +5,33 @@ | ||
| const { searchParams } = new URL(request.url) | ||
| const url = searchParams.get("url") | ||
|
|
||
| // Allow-list of permitted hostnames (add or adjust as needed) | ||
| const ALLOWED_HOSTNAMES = [ | ||
| "example.com", | ||
| "another-allowed-host.com" | ||
| ] | ||
|
|
||
| if (!url) { | ||
| return NextResponse.json({ error: "URL is required" }, { status: 400 }) | ||
| } | ||
|
|
||
| let parsedUrl: URL | ||
| try { | ||
| const response = await fetch(url, { | ||
| parsedUrl = new URL(url) | ||
| } catch { | ||
| return NextResponse.json({ error: "Invalid URL" }, { status: 400 }) | ||
| } | ||
|
|
||
| if (!["http:", "https:"].includes(parsedUrl.protocol)) { | ||
| return NextResponse.json({ error: "Only http(s) URLs are allowed" }, { status: 400 }) | ||
| } | ||
|
|
||
| if (!ALLOWED_HOSTNAMES.includes(parsedUrl.hostname)) { | ||
| return NextResponse.json({ error: "Hostname is not allowed" }, { status: 400 }) | ||
| } | ||
|
|
||
| try { | ||
| const response = await fetch(parsedUrl.toString(), { | ||
| headers: { | ||
| "User-Agent": | ||
| "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", |
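Review bot: the allow-list in this hunk is populated with placeholder hostnames ("example.com", "another-allowed-host.com"), so as merged it would reject every real target of the og-fetch route; the entries need to be the hosts the feature actually has to reach, or, if the route must accept arbitrary public links, the control should instead refuse loopback, private, link-local and cloud-metadata addresses (checked after DNS resolution) since no allow-list can enumerate the public web. Two further gaps in the same hunk: `fetch(parsedUrl.toString(), ...)` follows redirects by default, so an allowed host that answers with a 302 to an internal address is still fetched; pass `redirect: "manual"` and re-validate each Location before following it. And `new URL(url)` accepts credentials in the authority (`https://user:pw@host/`), which the hostname check does not look at; reject URLs whose `username` or `password` is non-empty. Finally, the removed line `const response = await fetch(url, {` is rendered inside the new `try` block directly above `parsedUrl = new URL(url)`; confirm it is actually deleted in the applied fix rather than left as an unterminated call.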
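As an added example, not code from this PR, from the Copilot autofix, or from the project, here is a TypeScript validator in the shape the og-fetch route could use. It keeps the checks the autofix describes (parse with the WHATWG URL constructor, http(s) only, hostname allow-list) and goes further for the case where an OG-metadata fetcher must accept arbitrary public links: it refuses literal loopback, private, link-local and cloud-metadata addresses, refuses credentials in the URL, and uses `redirect: "manual"` so every redirect hop is validated the same way before it is followed. The function names, the allow-list entries, the User-Agent string and the blocked ranges are illustrative assumptions.

```typescript
import { URL } from "url";

// Added example, not the project's code. Names, the allow-list entries and
// the User-Agent string are assumptions for illustration.

type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Allow-list mode: hosts the route may contact (placeholder values).
const ALLOWED_HOSTNAMES = new Set(["example.com", "www.example.com"]);

// Parse a normalized dotted-quad as WHATWG URL emits it; null otherwise.
function parseIpv4(host: string): number[] | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Literal addresses SSRF payloads aim at: 0.0.0.0/8, loopback, RFC 1918,
// link-local (incl. 169.254.169.254 cloud metadata), CGNAT 100.64/10,
// plus the IPv6 loopback, link-local, unique-local and IPv4-mapped forms.
function isBlockedIpLiteral(hostname: string): boolean {
  const v4 = parseIpv4(hostname);
  if (v4) {
    const [a, b] = v4;
    return (
      a === 0 || a === 10 || a === 127 ||
      (a === 169 && b === 254) ||
      (a === 172 && b >= 16 && b <= 31) ||
      (a === 192 && b === 168) ||
      (a === 100 && b >= 64 && b <= 127)
    );
  }
  if (hostname.startsWith("[") && hostname.endsWith("]")) {
    const v6 = hostname.slice(1, -1).toLowerCase();
    if (v6 === "::1" || v6 === "::") return true;
    if (/^fe[89ab]/.test(v6) || /^f[cd]/.test(v6)) return true;
    // WHATWG serializes ::ffff:127.0.0.1 as ::ffff:7f00:1; unpack and re-check.
    const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(v6);
    if (mapped) {
      const hi = parseInt(mapped[1], 16);
      const lo = parseInt(mapped[2], 16);
      return isBlockedIpLiteral(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
    }
  }
  return false;
}

// Validate a user-supplied target. With an allow-list, only listed hosts pass.
// Without one (arbitrary public links), literal internal addresses are refused.
function validateTargetUrl(raw: string | null, allowList?: Set<string>): UrlCheck {
  if (!raw) return { ok: false, reason: "URL is required" };
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "Invalid URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "Only http(s) URLs are allowed" };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "Credentials in URL are not allowed" };
  }
  const host = url.hostname;
  if (allowList) {
    if (!allowList.has(host)) return { ok: false, reason: "Hostname is not allowed" };
  } else if (host === "localhost" || host.endsWith(".localhost") || isBlockedIpLiteral(host)) {
    return { ok: false, reason: "Target is not a public address" };
  }
  return { ok: true, url };
}

// Do not let fetch follow redirects on its own: each hop goes through
// nextHop() and is validated exactly like the original URL.
export const OUTBOUND_FETCH_OPTIONS = {
  redirect: "manual" as const,
  headers: { "User-Agent": "og-fetch-example/1.0" },
};

// Given a response status and Location header, validate the next hop
// (relative Locations are resolved against the URL just fetched).
function nextHop(status: number, location: string | null, current: URL, allowList?: Set<string>): UrlCheck | null {
  if (![301, 302, 303, 307, 308].includes(status) || location === null) return null;
  let target: string;
  try {
    target = new URL(location, current).toString();
  } catch {
    return { ok: false, reason: "Invalid redirect target" };
  }
  return validateTargetUrl(target, allowList);
}
```

Because the WHATWG parser normalizes hosts before `hostname` is read, obfuscated forms such as `http://0x7f000001/`, `http://2130706433/` or `http://[::ffff:127.0.0.1]/` arrive as `127.0.0.1` or `[::ffff:7f00:1]` and are caught by the literal check. What a literal check cannot catch is a public hostname whose DNS answer is an internal address (DNS rebinding); for that, resolve the name and check the resulting address before connecting, or stay in allow-list mode.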
Bumps [next](https://github.com/vercel/next.js) from 15.5.6 to 15.5.9. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.5.6...v15.5.9) --- updated-dependencies: - dependency-name: next dependency-version: 15.5.9 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
…/next-15.5.9 Bump next from 15.5.6 to 15.5.9
Merge relase/v2 into develop.