
Reject non-http(s) and cross-origin API base values inside apiFetch #144

@mikewheeleer

Description

src/lib/apiClient.ts builds every request URL as `${API_BASE}${path}` where API_BASE comes straight from NEXT_PUBLIC_STABLEROUTE_API_BASE. If that variable is ever set to a javascript:/data: value or a typo'd host, the client will happily issue requests to it. This issue hardens the base by validating its scheme and shape before any fetch runs, defending against SSRF-style misconfiguration and credential leakage.

Requirements and context

  • Repository scope: StableRoute-Org/Stableroute-frontend only.
  • Parse API_BASE once with new URL(...) and assert the protocol is http: or https:; throw a clear, non-leaky error on any other scheme or an unparseable value.
  • Reject path arguments that are absolute URLs or that escape the base (must start with /), so callers cannot redirect a request to an arbitrary origin.
  • Keep behavior backward compatible for valid http://localhost:3001-style defaults; do not log the raw value on failure.
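The base and path guards the requirements describe, as an added example (not the project's own src/lib/apiClient.ts). The env var name is the one from the issue; the ApiConfigError class, the fetch injection and the base/path parameters are assumptions made so the guard can be exercised stand-alone.

```typescript
// Added example, not the project's src/lib/apiClient.ts; env var name is from
// the issue, the error class and fetch injection are assumptions.
export class ApiConfigError extends Error {
  constructor(message: string) { super(message); this.name = "ApiConfigError"; }
}
type FetchLike = (url: string, init?: unknown) => Promise<unknown>;

/** Parse and validate the API base. Error messages never echo the raw value. */
export function validateApiBase(raw: string | undefined): string {
  if (!raw || raw.trim() === "") throw new ApiConfigError("API base is not configured");
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    throw new ApiConfigError("API base is not a valid absolute URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new ApiConfigError("API base must use http: or https:");
  }
  // origin + pathname (trailing slash stripped) drops userinfo, query and
  // fragment, and guarantees exactly one "/" when a path is appended.
  return parsed.origin + parsed.pathname.replace(/\/+$/, "");
}

/** Join a root-relative path onto a validated base; refuse anything else. */
export function buildRequestUrl(base: string, path: string): string {
  // Absolute URLs, protocol-relative "//host" and "/\host" are all refused.
  if (!/^\/(?![\/\\])/.test(path)) {
    throw new ApiConfigError("path must be root-relative (start with /)");
  }
  const url = new URL(base + path);
  // Defense in depth: the final URL must still be on the configured origin.
  if (url.origin !== new URL(base).origin) {
    throw new ApiConfigError("cross-origin request rejected");
  }
  return url.toString();
}

// In the real client the base would be validated once at module load; it is a
// parameter here so the guard can be exercised without touching process.env.
export function apiFetch(path: string, init?: unknown,
  rawBase: string | undefined = (globalThis as any).process?.env?.NEXT_PUBLIC_STABLEROUTE_API_BASE,
  fetchImpl: FetchLike = (globalThis as any).fetch): Promise<unknown> {
  return fetchImpl(buildRequestUrl(validateApiBase(rawBase), path), init);
}
```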

Suggested execution

  • Fork the repo and create a branch
  • git checkout -b security/api-client-base-url-validation
  • Implement changes
    • Write code in: src/lib/apiClient.ts — base parsing/validation and a path guard in apiFetch.
    • Write comprehensive tests in: src/lib/__tests__/apiClient.test.ts — valid base passes, javascript:/data: rejected, absolute-URL path rejected, and no raw-value leakage in thrown messages.
    • Add documentation: note the scheme/shape constraints in README.md.
    • Validate security: include a short threat-model note in the PR.
  • Test and commit
    • Run npm run lint, npm test, and npm run build.

Example commit message

security: reject non-http(s) and cross-origin API base values in apiFetch

Guidelines

  • Minimum 95 percent test coverage for impacted modules.
  • Clear, reviewer-focused documentation.
  • Timeframe: 96 hours.

Community & contribution rewards

  • 💬 Join the StableRoute community on Discord for questions, reviews, and faster merges: https://discord.gg/37aCpusvx
  • ⭐ This is a GrantFox OSS / Official Campaign task and may be rewarded. When your PR is merged you'll be prompted to rate the project — if this issue and the maintainers helped you ship, we'd be grateful for a 5-star rating. Clear questions in Discord and tidy, well-tested PRs are the fastest path to a merge and a reward.
