
Potential fix for code scanning alert no. 213: Server-side request forgery#132

Merged
breadddevv merged 1 commit into
mainfrom
alert-autofix-213
Apr 22, 2026

Conversation

@breadddevv
Collaborator

@breadddevv breadddevv commented Apr 22, 2026

Potential fix for https://github.com/PlanetaryOrbit/orbit/security/code-scanning/213

To fix this safely without changing intended behavior, validate the incoming url using the URL parser and enforce a strict allowlist on parsed components before calling axios.get:

  • Parse req.query.url with new URL(...) inside a try/catch.
  • Require:
    • protocol === 'https:'
    • hostname === 'audio-ssl.itunes.apple.com'
    • no credentials (username/password empty)
    • default HTTPS port only (port === '' or 443)
  • Use the parsed/normalized URL (parsedUrl.toString()) for the upstream request.
  • Disable redirects (maxRedirects: 0) to prevent bypass via open redirects.
  • Keep existing behavior for headers/streaming response.

All edits are in pages/api/music/preview.ts, around lines 9–21 where input validation and axios.get are currently done.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Summary by CodeRabbit

  • Bug Fixes
    • Strengthened security validation for music preview requests to prevent unauthorized access and redirect attacks through stricter endpoint verification.

…rgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
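The allowlist the PR description enumerates, written out as an added example rather than the project's own pages/api/music/preview.ts code; the function name validatePreviewUrl, the responseType option and the request-options object are assumptions, while the hostname, protocol, port and credential rules and maxRedirects: 0 are taken from the description above.

```typescript
// Added example, not the project's code: the component allowlist the PR
// describes for req.query.url, applied to a parsed URL rather than the raw string.
const ALLOWED_HOST = "audio-ssl.itunes.apple.com"; // hostname required by the PR

// Parse inside try/catch: new URL() throws on relative or malformed input.
function tryParse(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Returns the normalized URL string to pass upstream, or null if any check fails.
// Using parsed.toString() (not the raw query value) means the upstream request
// sees the same lowercased host and stripped default port the checks saw.
function validatePreviewUrl(raw: unknown): string | null {
  // Next.js query values may be string, string[] or undefined; only a string is acceptable.
  if (typeof raw !== "string") return null;
  const parsed = tryParse(raw);
  if (parsed === null) return null;
  // Scheme allowlist: rejects http:, file:, data: and other non-TLS schemes.
  if (parsed.protocol !== "https:") return null;
  // Exact hostname match: "audio-ssl.itunes.apple.com.example.net" or
  // "user@audio-ssl.itunes.apple.com@other" cannot satisfy this.
  if (parsed.hostname !== ALLOWED_HOST) return null;
  // No embedded credentials.
  if (parsed.username !== "" || parsed.password !== "") return null;
  // Default HTTPS port only. The WHATWG parser drops an explicit :443 to "",
  // so the "443" branch is belt-and-braces; any other port is rejected.
  if (parsed.port !== "" && parsed.port !== "443") return null;
  return parsed.toString();
}

// Request options implied by the PR: redirects disabled so an allowlisted host
// cannot bounce the server elsewhere. responseType is an assumed value that
// keeps the existing streaming behaviour the description mentions.
const UPSTREAM_REQUEST_OPTIONS = {
  responseType: "stream" as const,
  maxRedirects: 0, // from the PR description
};

export { validatePreviewUrl, UPSTREAM_REQUEST_OPTIONS };
```

A handler would call validatePreviewUrl on req.query.url, return 400 on null, and otherwise pass the returned string and UPSTREAM_REQUEST_OPTIONS to axios.get.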
@coderabbitai
Contributor

coderabbitai Bot commented Apr 22, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bec242b8-2af0-4584-8ceb-29b549189d8a

📥 Commits

Reviewing files that changed from the base of the PR and between ac09418 and dd35deb.

📒 Files selected for processing (1)
  • pages/api/music/preview.ts

📝 Walkthrough

URL validation in the music preview API handler was strengthened to enforce strict constraints on protocol, hostname, port, and credentials. The handler now parses URLs as URL objects and validates each component individually. Redirect following was disabled via maxRedirects: 0 configuration.

Changes

Cohort / File(s): URL Validation & Security Hardening
  • pages/api/music/preview.ts
Summary: Enhanced URL validation by requiring valid URL object parsing and enforcing strict constraints on protocol (https:), hostname (audio-ssl.itunes.apple.com), port (443 or empty), and embedded credentials (must be empty). Disabled automatic redirect following with maxRedirects: 0.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 A URL, once loose, now firmly bound,
With protocol checks and ports aground,
No sneaky redirects shall pass this way,
Security tightened, hooray, hooray! 🔐


@breadddevv breadddevv marked this pull request as ready for review April 22, 2026 13:17
@breadddevv breadddevv merged commit 3b36f3c into main Apr 22, 2026
2 of 4 checks passed
@breadddevv breadddevv deleted the alert-autofix-213 branch April 22, 2026 13:28