Skip to content

Merge branch "dev" into branch "staging"#3111

Merged
TheophileDiot merged 24 commits into
stagingfrom
dev
Jan 28, 2026
Merged

Merge branch "dev" into branch "staging"#3111
TheophileDiot merged 24 commits into
stagingfrom
dev

Conversation

@TheophileDiot
Copy link
Copy Markdown
Member

@TheophileDiot TheophileDiot commented Jan 28, 2026

No description provided.

Anadris and others added 24 commits January 12, 2026 11:38
@Anadris
add guide to migrate from nginx ingress to bunkerweb
fd15afe
@TheophileDiot
Road to 1.6.8~rc2 🚀
472b0e3
@TheophileDiot
feat: Add migration scripts for upgrading to version 1.6.8~rc2 across…
7a38e79 
… multiple databases
@TheophileDiot
fix: Reduce compression level for tar files in download-plugins scripts
509ce41
@TheophileDiot
refactor(blacklist): Update blacklist sources and remove deprecated l…
8c39c6c 
…aurent minne's entries in documentation and code
@TheophileDiot
fix: Change redirect status code from 301 to 303 for login and setup …
b33d3e6 
…pages
@dependabot
deps/gha: bump github/codeql-action from 4.31.10 to 4.32.0
ccb6652 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.10 to 4.32.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@cdefb33...b20883b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@TheophileDiot
fix: Update API description for clarity and consistency
363d63f
@TheophileDiot
fix: Update Docker image references from nginxdemos/nginx-hello to bu…
c4e4331 
…nkerity/bunkerweb-hello:v1.0 across documentation and configuration files
@TheophileDiot
fix: Add link to BunkerWeb community in README.md
86b2aa7
@TheophileDiot
[#1963] fix: Initialize is_whitelisted variable to 'no' in configurat…
e1c8f60 
…ion files
@TheophileDiot
fix: Add table of contents extension with depth of 3 to markdown conf…
a7d5338 
…igurations
@TheophileDiot
deps: Update dependencies in requirements files
092999e
@TheophileDiot
feat: Add script to update Dockerfile image digests under src/
6362349
@TheophileDiot
fix: Update Dockerfile image digests for consistency across services
c939fa4
@TheophileDiot
Merge pull request #3104 from bunkerity/dependabot/github_actions/dev…
8201373 
…/github/codeql-action-4.32.0
@TheophileDiot
Merge remote-tracking branch 'origin/dev' into dev
311bf9e
@TheophileDiot
docs: update Kubernetes NGINX ingress migration for a better readability
d130f91
@TheophileDiot
fix: Update service name from bunkerweb-external to bunkerweb-ui in i…
6308be5 
…ntegration documents
@TheophileDiot
Merge branch 'dev' of https://github.com/bunkerity/bunkerweb into dev
9795c44
@TheophileDiot
Road to 1.6.8~rc3 🚀
64f86e6
@TheophileDiot
[#1963] refactor: move variable declarations to the top of configurat…
d2fbb91 
…ion files for better organization
@TheophileDiot
[#3105] fix: enhance duration update logic to handle custom expiratio…
3bc78a2 
…n and timezone offsets
@TheophileDiot
[#3108] feat: add REVERSE_PROXY_REQUEST_BUFFERING setting to control …
f15f4c5 
…request body buffering behavior + lint files with precommit
github-advanced-security[bot]
github-advanced-security AI found potential problems Jan 28, 2026
View reviewed changes
Comment thread src/ui/app/static/js/pages/unauthorized.js
return (
endpoint.startsWith("/") &&
!endpoint.includes("://") &&
!endpoint.trim().toLowerCase().startsWith("javascript:") &&

Check failure

Code scanning / CodeQL

Incomplete URL scheme check High

This check does not consider data: and vbscript:.

Copilot Autofix

AI 4 months ago

To fix the problem, extend the existing scheme check so that it also rejects data: and vbscript: schemes, in addition to javascript:. This keeps the current behavior (returning/allowing only “safe” endpoints) while closing the gap CodeQL identified.

Specifically, in src/ui/app/static/js/pages/unauthorized.js, inside isSafeEndpoint, we should modify the condition on line 13 to compute the lowercased, trimmed endpoint once (for clarity) and then reject if it starts with any of "javascript:", "data:", or "vbscript:". Because we can’t change behavior elsewhere, we’ll keep all existing checks (startsWith("/"), !includes("://"), etc.) and just expand the scheme-filtering logic. No new imports or helper functions are needed; all changes stay within the shown function.

Suggested changeset 1
src/ui/app/static/js/pages/unauthorized.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/ui/app/static/js/pages/unauthorized.js b/src/ui/app/static/js/pages/unauthorized.js
--- a/src/ui/app/static/js/pages/unauthorized.js
+++ b/src/ui/app/static/js/pages/unauthorized.js
@@ -7,10 +7,13 @@
     if (typeof endpoint !== "string") return false;
     // Only allow relative paths starting with /
     // Disallow `:` or `//` to prevent scheme/protocol and protocol-relative URLs
+    const normalizedEndpoint = endpoint.trim().toLowerCase();
     return (
       endpoint.startsWith("/") &&
       !endpoint.includes("://") &&
-      !endpoint.trim().toLowerCase().startsWith("javascript:") &&
+      !normalizedEndpoint.startsWith("javascript:") &&
+      !normalizedEndpoint.startsWith("data:") &&
+      !normalizedEndpoint.startsWith("vbscript:") &&
       !endpoint.includes("<") &&
       !endpoint.includes(">")
     );
EOF
@@ -7,10 +7,13 @@
if (typeof endpoint !== "string") return false;
// Only allow relative paths starting with /
// Disallow `:` or `//` to prevent scheme/protocol and protocol-relative URLs
const normalizedEndpoint = endpoint.trim().toLowerCase();
return (
endpoint.startsWith("/") &&
!endpoint.includes("://") &&
!endpoint.trim().toLowerCase().startsWith("javascript:") &&
!normalizedEndpoint.startsWith("javascript:") &&
!normalizedEndpoint.startsWith("data:") &&
!normalizedEndpoint.startsWith("vbscript:") &&
!endpoint.includes("<") &&
!endpoint.includes(">")
);
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
@TheophileDiot TheophileDiot merged commit a25ff76 into staging Jan 28, 2026
33 of 34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fl0ppy-d1sk fl0ppy-d1sk Awaiting requested review from fl0ppy-d1sk fl0ppy-d1sk is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@TheophileDiot @github-advanced-security @Anadris