This repository was archived by the owner on Apr 11, 2024. It is now read-only.

Add host param content validation using sanitizeShop regex#634

Merged
mkevinosullivan merged 1 commit into main from kos/validate_content_of_host on Dec 13, 2022

Conversation

@mkevinosullivan
Contributor

@mkevinosullivan mkevinosullivan commented Dec 13, 2022

WHY are these changes introduced?

Patches a potential phishing vulnerability (Node implementation of this PR).

WHAT is this pull request doing?

sanitizeHost decodes the host parameter and runs sanitizeShop against it, to confirm it complies with one of the expected hostname URLs.

Also adds shopify.com as a valid domain for sanitizeShop - fixes Shopify/first-party-library-planning#516

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above
  • I have added/updated tests for this change
  • I have documented new APIs/updated the documentation for modified APIs (for public APIs) - not applicable
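The check described above, written out as an added example for this page rather than the code from this PR or from shopify-api-js: the `host` query parameter is base64-decoded, the hostname in front of the first `/` is run through the same allow-list pattern used for `shop`, and anything that fails is rejected instead of being echoed into a redirect. The allow-list regex, the helper names (`sanitizeShop`, `decodeHost`, `sanitizeHost`, `encodeHost`) and the sample hosts are assumptions made for this example, not the library's actual implementation.

```javascript
// Added example, not the shopify-api-js implementation: validate the OAuth `host`
// query parameter by base64-decoding it and checking the decoded hostname with the
// same allow-list used for `shop`, extended to shopify.com. The regexes, helper
// names and sample inputs below are assumptions for this example.

// Standard base64 alphabet with optional padding. `.` and `:` are not in it, so an
// unencoded hostname is rejected before we ever decode anything.
const BASE64_RE = /^[0-9A-Za-z+/]+={0,2}$/;

// Assumed stand-in for sanitizeShop's pattern: one DNS label followed by either
// myshopify.com or shopify.com (the latter covers admin.shopify.com).
const SHOP_RE = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.(?:myshopify\.com|shopify\.com)$/;

function sanitizeShop(shop) {
  return SHOP_RE.test(shop) ? shop.toLowerCase() : null;
}

function decodeHost(host) {
  return Buffer.from(host, 'base64').toString('utf8');
}

// Returns the (still encoded) host when its decoded form names an allowed
// hostname, otherwise null. Only a value this function returned should ever be
// embedded in a redirect target.
function sanitizeHost(host) {
  if (typeof host !== 'string' || !BASE64_RE.test(host)) return null;

  const decoded = decodeHost(host);
  // Anything that could change how a browser reads the URL we later build from
  // the decoded value (userinfo, port, query, fragment, whitespace, controls).
  if (/[\s\x00-\x1f@:?#\\]/.test(decoded)) return null;

  const hostname = decoded.split('/')[0];
  return sanitizeShop(hostname) === null ? null : host;
}

// Builds inputs the way Shopify encodes `host` (base64, padding stripped).
// Constructed here purely to produce test inputs.
function encodeHost(plain) {
  return Buffer.from(plain, 'utf8').toString('base64').replace(/=+$/, '');
}

// Two legitimate admin hosts followed by three shapes a phishing link might use.
// Returns [plaintextHost, accepted] pairs.
function demo() {
  const cases = [
    'my-store.myshopify.com/admin',
    'admin.shopify.com/store/my-store',
    'my-store.myshopify.com.evil.example/admin',
    'admin.shopify.com@evil.example/store/my-store',
    'evil.example/my-store.myshopify.com',
  ];
  return cases.map((plain) => [plain, sanitizeHost(encodeHost(plain)) !== null]);
}

for (const [plain, accepted] of demo()) {
  console.log(`${accepted ? 'accept' : 'reject'}  ${plain}`);
}
```

The hostname is taken from the decoded string by splitting on `/` rather than by parsing it with `URL`, so a value such as `admin.shopify.com@evil.example/...` cannot satisfy the allow-list while still steering a browser elsewhere; the explicit rejection of `@`, `:`, `?` and `#` makes that intent visible to the next reader.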

@mkevinosullivan mkevinosullivan requested a review from a team as a code owner December 13, 2022 16:37
@mkevinosullivan mkevinosullivan force-pushed the kos/validate_content_of_host branch from 8eac6d5 to 91dea0e Compare December 13, 2022 16:38
Comment thread lib/auth/decode-host.ts
Contributor

@paulomarg paulomarg left a comment


LGTM

@mkevinosullivan mkevinosullivan merged commit 2e67323 into main Dec 13, 2022
@mkevinosullivan mkevinosullivan deleted the kos/validate_content_of_host branch December 13, 2022 22:15
@shopify-shipit shopify-shipit Bot temporarily deployed to production December 20, 2022 20:22 Inactive