Reject non-http(s) and cross-origin API base values inside apiFetch
Description
src/lib/apiClient.ts builds every request URL as `${API_BASE}${path}` where API_BASE comes straight from NEXT_PUBLIC_STABLEROUTE_API_BASE. If that variable is ever set to a javascript:/data: value or a typo'd host, the client will happily issue requests to it. This issue hardens the base by validating its scheme and shape before any fetch runs, defending against SSRF-style misconfiguration and credential leakage.
Requirements and context
- Repository scope: StableRoute-Org/Stableroute-frontend only.
- Parse `API_BASE` once with `new URL(...)` and assert the protocol is `http:` or `https:`; throw a clear, non-leaky error on any other scheme or an unparseable value.
- Reject `path` arguments that are absolute URLs or that escape the base (must start with `/`), so callers cannot redirect a request to an arbitrary origin.
- Keep behavior backward compatible for valid `http://localhost:3001`-style defaults; do not log the raw value on failure.
Suggested execution
- Fork the repo and create a branch: `git checkout -b security/api-client-base-url-validation`
- Implement changes
  - Write code in: `src/lib/apiClient.ts` — base parsing/validation and a path guard in `apiFetch`.
  - Write comprehensive tests in: `src/lib/__tests__/apiClient.test.ts` — valid base passes, `javascript:`/`data:` rejected, absolute-URL path rejected, and no raw-value leakage in thrown messages.
  - Add documentation: note the scheme/shape constraints in `README.md`.
  - Validate security: include a short threat-model note in the PR.
- Test and commit
Test and commit
- Run `npm run lint`, `npm test`, and `npm run build`.
Example commit message
security: reject non-http(s) and cross-origin API base values in apiFetch
Guidelines
- Minimum 95 percent test coverage for impacted modules.
- Clear, reviewer-focused documentation.
- Timeframe: 96 hours.
Community & contribution rewards
- 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
- ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
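One way to implement the base validation and path guard listed under "Requirements and context", as an added example that is not the project's own code. The function names `parseApiBase` and `buildRequestUrl`, the error strings, and the sample values are assumptions made for illustration.

```typescript
// Added example. parseApiBase and buildRequestUrl are hypothetical names,
// not functions from src/lib/apiClient.ts.

// Parse the configured base once. Error messages are fixed strings so the
// raw environment value never appears in a thrown message or a log line.
function parseApiBase(raw: string | undefined): URL {
  let url: URL;
  try {
    url = new URL(raw ?? "");
  } catch {
    throw new Error("API base is not a valid absolute URL");
  }
  // "localhost:3001" (scheme forgotten) parses with protocol "localhost:",
  // so an allowlist catches typos as well as javascript: and data: values.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error("API base must use http: or https:");
  }
  return url;
}

// Guard the path, then build the URL the same way the client does
// (base + path), and confirm the result still points at the base origin.
function buildRequestUrl(base: URL, path: string): string {
  // Without a leading "/", "@evil.test/x" appended to "http://localhost:3001"
  // turns the real host into userinfo. "//" and "/\" are refused as well
  // (a stricter choice made in this example) because they become another
  // host if the path is ever resolved with new URL(path, base).
  if (!path.startsWith("/") || path.startsWith("//") || path.startsWith("/\\")) {
    throw new Error("path must be origin-relative and start with /");
  }
  const prefix = base.origin + base.pathname.replace(/\/$/, "");
  const resolved = new URL(prefix + path);
  if (resolved.origin !== base.origin) {
    throw new Error("path resolves outside the API origin");
  }
  return resolved.href;
}

// Constructed sample values, not taken from the project.
const base = parseApiBase("http://localhost:3001");
console.log(buildRequestUrl(base, "/api/routes"));
for (const bad of ["javascript:alert(1)", "data:text/plain,x", "localhost:3001"]) {
  try {
    parseApiBase(bad);
  } catch (e) {
    console.log("rejected:", (e as Error).message);
  }
}
```

The origin comparison after the guard is defense in depth: with plain concatenation and a leading `/` it should never fire, but it keeps the check in place if the URL construction changes later.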