Conversation
| // manually decompress body to use it below without another decompression | ||
| const body = decompressBody(Buffer.from(await ctx.req.arrayBuffer()), ctx.req.header("Content-Encoding")); | ||
| const body = decompressBody( | ||
| Buffer.from(await ctx.req.arrayBuffer()), | ||
| ctx.req.header("Content-Encoding") as ContentEncoding, | ||
| ); |
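Review bot: the `as ContentEncoding` cast on `ctx.req.header("Content-Encoding")` asserts a type that nothing checks at runtime, so a header value outside the map's keys, or a missing header (`header()` can return `undefined`), reaches `decompressBody` unvalidated. Guard before the call: read the header into a local, test it with a type predicate against the supported codings, and answer 415 Unsupported Media Type when the test fails; the predicate narrows the type, so the cast can then be dropped.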
| const body = decompressBody( | ||
| Buffer.from(await ctx.req.arrayBuffer()), | ||
| ctx.req.header("Content-Encoding") as ContentEncoding, | ||
| ); |
Bug: Unsafe type cast may crash on unsupported encodings
The cast ctx.req.header("Content-Encoding") as ContentEncoding is unsafe. The Content-Encoding header can contain values like "identity" or other unsupported encodings that aren't in the decompressors map ("gzip" | "deflate" | "br"). When an unsupported encoding is passed, decompressors[contentEncoding] returns undefined, and calling undefined(body) throws a TypeError. The cast hides this from TypeScript but the runtime crash remains.
| // Custom plugin to add shebang to the CLI entry point | ||
| // This runs after all other transformations to ensure the shebang is the first line | ||
| const shebangPlugin = (): Plugin => ({ |
Yup, as initially we were compiling using tsc, so this was added already
| enforce: "post", | ||
| generateBundle(_options, bundle) { | ||
| for (const [fileName, chunk] of Object.entries(bundle)) { | ||
| if (fileName === "run.js" && chunk.type === "chunk") { |
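Review bot: the match `fileName === "run.js" && chunk.type === "chunk"` hard-codes the output name chosen elsewhere in the build config; if that entry is ever renamed, no chunk matches, the shebang is silently not written, and the breakage shows up only when the CLI is executed. Consider deriving the expected file name from the build input/config or failing `generateBundle` when no chunk matched, so the build fails loudly instead.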
Just a concern: we also have cli/run.js; would that be a problem?
The npx command uses the ./src/run.ts as described in the package.json. And this name comes from the vite config - vite.node.config.ts.
So this shouldn't be a problem.
| const body = decompressBody( | ||
| Buffer.from(await ctx.req.arrayBuffer()), | ||
| ctx.req.header("Content-Encoding") as ContentEncoding, | ||
| ); |
Bug: Unsafe type cast of Content-Encoding header allows unsupported values to cause a TypeError and server crash.
Severity: CRITICAL | Confidence: High
🔍 Detailed Analysis
The ctx.req.header("Content-Encoding") value, which can be string | undefined, is unsafely cast as ContentEncoding without runtime validation. If a client sends an unsupported Content-Encoding header (e.g., zstd), decompressors[contentEncoding] evaluates to undefined. Attempting to call this undefined value as a function results in a TypeError, causing the server to crash.
💡 Suggested Fix
Implement runtime validation for the Content-Encoding header value. If the value is not one of the supported gzip, deflate, or br encodings, return an appropriate error response instead of proceeding with decompression.
Location: packages/spotlight/src/server/routes/stream/index.ts#L81-L84
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or [setup this action to publish automatically](https://github.com/changesets/action#with-publishing). If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

# Releases

## @spotlightjs/spotlight@4.7.1

### Patch Changes

- Report `github-ci` environment to Sentry when running in GitHub Actions CI ([#1178](#1178))
- Fix `npx @spotlightjs/spotlight` fail ([#1181](#1181))

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
closes #1180