-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initial implementation of azure blob container interface #1853
Conversation
(cherry picked from commit b4a9466)
@@ -49,10 +49,17 @@ | |||
|
|||
// Uploads using a single request. | |||
uploadSingle(info) { | |||
let headers = {}; | |||
if (info.urls[0].includes("blob.core.windows.net")) { |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
blob.core.windows.net
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 22 days ago
To fix the problem, we need to parse the URL and check the host explicitly rather than using a substring check. This ensures that the host is exactly what we expect and not just a part of a longer, potentially malicious URL.
The best way to fix this is to use the URL
class available in modern JavaScript environments to parse the URL and then check the hostname
property. We will replace the substring check with a check against a whitelist of allowed hosts.
-
Copy modified lines R53-R55
@@ -52,3 +52,5 @@ | ||
let headers = {}; | ||
if (info.urls[0].includes("blob.core.windows.net")) { | ||
const url = new URL(info.urls[0]); | ||
const allowedHosts = ["blob.core.windows.net"]; | ||
if (allowedHosts.includes(url.hostname)) { | ||
headers = { |
43ca86d
to
59b45c2
Compare
No description provided.