feat(nextjs): Automatically skip middleware requests for tunnel route #16812
Conversation
const isTunnelRequest = url.pathname.startsWith(tunnelRoute); | ||
|
||
if (isTunnelRequest) { | ||
return NextResponse.next() as ReturnType<H>; |
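Review bot: the prefix test on the first line, url.pathname.startsWith(tunnelRoute), makes the early return fire for every path that merely begins with the tunnel route, so with a tunnel route of /monitoring a request to /monitoring-admin or /monitoringfoo would also get NextResponse.next() and never reach the user's own middleware logic (auth, redirects, headers). Because the whole point of this branch is to bypass that logic, the match should be exact (url.pathname === tunnelRoute) or at least require the remainder after the prefix to be empty or to start with /, and a one-line comment saying why the middleware is skipped here would help the next reader.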
High severity vulnerability may affect your project—review required:
Line 44 lists a dependency (next) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of next are vulnerable to Improper Authorization. Improper authorization handling in Next.js applications enables attackers to bypass security controls for paths directly under the application's root directory, potentially exposing sensitive data or functionality. This issue affects versions prior to Next.js 14.2.15, where authorization logic based solely on pathname fails to account for certain direct page accesses.
To resolve this comment:
Check if you use authorization to protect a page directly under the application's root directory (for example, https://example.com/foo) and you do NOT host your application on Vercel.
- If you're affected, upgrade this dependency to at least version 14.2.15 at yarn.lock.
- If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment> for false positive
/ar <comment> for acceptable risk
/other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
const url = new URL(req.url); | ||
const isTunnelRequest = url.pathname.startsWith(tunnelRoute); |
I don't think we need a url constant since we only use it once and new URL(req.url) is quite explanatory
const url = new URL(req.url); | |
const isTunnelRequest = url.pathname.startsWith(tunnelRoute); | |
const isTunnelRequest = new URL(req.url).pathname.startsWith(tunnelRoute); |
What do you reckon?
); | ||
} | ||
} else { | ||
const resolvedTunnelRoute = | ||
typeof userSentryOptions.tunnelRoute === 'boolean' | ||
typeof userSentryOptions.tunnelRoute === 'boolean' && userSentryOptions.tunnelRoute === true |
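Review bot: the added && userSentryOptions.tunnelRoute === true on the second line changes the outcome for tunnelRoute: false. It no longer selects the generateRandomTunnelRoute() branch, but it is not a string either, so it falls through to the other arm of the ternary and resolvedTunnelRoute becomes false rather than a route. That only works if every consumer treats a falsy value as "no tunnel"; say so in a comment next to the condition, or handle false explicitly here (e.g. tunnelRoute === true ? generateRandomTunnelRoute() : tunnelRoute || undefined) so the intent is visible at the point of resolution instead of relying on a later normalization.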
We could simplify that, since we know it's a boolean once we pass typeof userSentryOptions.tunnelRoute === 'boolean'
typeof userSentryOptions.tunnelRoute === 'boolean' && userSentryOptions.tunnelRoute === true | |
typeof userSentryOptions.tunnelRoute === 'boolean' && userSentryOptions.tunnelRoute |
Perhaps a bit redundant otherwise
? generateRandomTunnelRoute() | ||
: userSentryOptions.tunnelRoute; | ||
|
||
// Update the global options object to use the resolved value everywhere | ||
userSentryOptions.tunnelRoute = resolvedTunnelRoute; | ||
userSentryOptions.tunnelRoute = resolvedTunnelRoute || undefined; |
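Review bot: resolvedTunnelRoute || undefined on the last line is the only place that turns a false (or empty-string) tunnelRoute into undefined, and the comment above it ("use the resolved value everywhere") does not mention that; add a sentence stating that false is normalized to undefined so callers only need an if (userSentryOptions.tunnelRoute) check. Also note that || collapses '' as well as false; if only false is meant, resolvedTunnelRoute === false ? undefined : resolvedTunnelRoute makes that explicit and avoids silently dropping an empty string.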
I like that! 👍
Is there a reason why we want the value to be undefined specifically?
#16626 added the option to generate a randomly generated tunnel route per build. This PR adds functionality for automatically skipping tunnel route requests in the nextjs middleware, as this had to be set up manually by the user until now.