
Sanitize blockchain API URLs to prevent injection attacks#706

Merged
jamespepper81 merged 1 commit into
alert-autofix-3from
claude/upbeat-goldberg-grNwd
May 27, 2026

Conversation

@jamespepper81
Contributor

Summary

Adds URL sanitization to the fetchJson function in blockchain-api.ts to prevent potential injection attacks. The changes introduce a getTrustedOrigin helper function that validates hostnames against a whitelist of allowed providers and reconstructs URLs using only safe components (pathname and search), while stripping credentials and fragments.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Refactor / cleanup

Details

What changed:

  • Added getTrustedOrigin() function that maps allowed hostnames to their canonical HTTPS origins
  • Modified fetchJson() to validate the parsed URL's hostname against the trusted origin list
  • Reconstructs the URL using only the pathname and search parameters from the original URL, combined with the trusted origin
  • Strips username, password, and hash fragments from the original URL before reconstruction
  • Updated all references to use the sanitized safeUrl instead of the original parsedUrl

Why it matters:
This prevents potential URL injection attacks where malicious input could:

  • Include credentials in the URL (username:password@)
  • Use URL fragments to bypass validation
  • Exploit hostname parsing edge cases

The sanitization ensures that only the pathname and query string from user input are preserved, while the origin is always taken from the trusted whitelist.

Test Plan

Existing validation logic remains intact and continues to check paths against ALLOWED_PATHS regex patterns. The new sanitization layer adds defense-in-depth by ensuring the final URL always uses a whitelisted origin. Manual verification can confirm that:

  • Valid requests to allowed providers (blockstream.info, mempool.space, etc.) continue to work
  • Requests to non-whitelisted hosts are rejected with "Disallowed provider URL" error
  • URL components like credentials and fragments are stripped before the request is made

Checklist

  • npm run typecheck passes
  • npm run lint passes
  • npm run test passes
  • Documentation updated (if applicable)

https://claude.ai/code/session_011pxQ2tSP9bsZzKdmA8gzz8
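As an added example (not the project's code) of the scheme the description lays out: an if/else lookup that returns hardcoded origins, a path check standing in for the PR's ALLOWED_PATHS layer, and reconstruction from pathname and search only so that userinfo, fragment and port never reach the outgoing request. Function names, the regexes and the sample inputs are assumptions.

```typescript
// Added example, not code from blockchain-api.ts. Names, path regexes and
// inputs are assumptions chosen to mirror the PR description.

// Returns a hardcoded origin literal for each allowed hostname, or null.
// An if/else chain over literals (rather than Set.has()) is what lets a
// taint tracker see that the origin never derives from the input string.
function getTrustedOrigin(hostname: string): string | null {
  const host = hostname.toLowerCase();
  if (host === "blockstream.info") return "https://blockstream.info";
  if (host === "mempool.space") return "https://mempool.space";
  return null; // exact match only: "blockstream.info.example" is rejected
}

// Assumed stand-in for the PR's ALLOWED_PATHS: only API paths the client
// is expected to call. Checked after parsing, so "/../" is already resolved.
const ALLOWED_PATHS: RegExp[] = [
  /^\/api\/address\/[a-zA-Z0-9]+(\/utxo|\/txs)?$/,
  /^\/api\/tx\/[a-fA-F0-9]{64}$/,
  /^\/api\/blocks\/tip\/height$/,
];

// Rebuilds the request URL from a trusted origin plus only the pathname and
// search of the caller-supplied URL; credentials, fragment and port are dropped.
function sanitizeProviderUrl(rawUrl: string): URL {
  const parsedUrl = new URL(rawUrl); // throws on malformed input
  const origin = getTrustedOrigin(parsedUrl.hostname);
  if (origin === null) {
    throw new Error("Disallowed provider URL");
  }
  if (!ALLOWED_PATHS.some((re) => re.test(parsedUrl.pathname))) {
    throw new Error("Disallowed provider URL");
  }
  // new URL(path, base) resolves the path against the trusted origin, so the
  // final URL's scheme, host and port come from the literal, not the input.
  return new URL(parsedUrl.pathname + parsedUrl.search, origin);
}

// Returns the final URL string, or the rejection message, for inspection.
function checkUrl(rawUrl: string): string {
  try {
    return sanitizeProviderUrl(rawUrl).toString();
  } catch (e) {
    return `rejected: ${(e as Error).message}`;
  }
}
```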

…igins

The CodeQL taint tracker follows user input through new URL(url) →
parsedUrl.toString() → fetch(), and doesn't recognize Set.has() or
regex checks as sanitizers. Break the taint chain by looking up the
origin from getTrustedOrigin() which returns hardcoded string literals
via an if/else chain, then reconstructing the URL with new URL(path, origin).

Also strips credentials and fragment from parsed URLs for defense in depth.

https://claude.ai/code/session_011pxQ2tSP9bsZzKdmA8gzz8
@jamespepper81 jamespepper81 merged commit 00f9e5d into alert-autofix-3 May 27, 2026
@jamespepper81 jamespepper81 deleted the claude/upbeat-goldberg-grNwd branch May 27, 2026 13:50