
[dev] [claudfuen] claudio/comp-210-self-serve-implementation-v1 #932

Merged
claudfuen merged 3 commits into main from claudio/comp-210-self-serve-implementation-v1 on Jun 16, 2025
Conversation

@github-actions
Contributor

This is an automated pull request to merge claudio/comp-210-self-serve-implementation-v1 into dev.
It was created by the [Auto Pull Request] action.

@linear

linear Bot commented Jun 16, 2025

@vercel

vercel Bot commented Jun 16, 2025

The latest updates on your projects.

Name                   Status      Updated (UTC)
app                    ✅ Ready    Jun 16, 2025 2:52pm
comp-framework-editor  ✅ Ready    Jun 16, 2025 2:52pm
comp-trust             ✅ Ready    Jun 16, 2025 2:52pm

1 Skipped Deployment
comp-portal            ⬜️ Skipped  Jun 16, 2025 2:52pm

Comment thread apps/app/src/app/s3.ts

    } catch (error) {
      // If URL parsing fails, it might be a relative path/key
      // Only accept it if it doesn't look like it's trying to be an amazonaws URL
      if (!url.includes("amazonaws.com") && url.split("/").length > 1) {
    }

Check failure: Code scanning / CodeQL
Incomplete URL substring sanitization (High)
'amazonaws.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

export function extractS3KeyFromUrl(url: string): string {
  const fullUrlMatch = url.match(/amazonaws\.com\/(.+)$/);
  if (fullUrlMatch?.[1]) {
    return decodeURIComponent(fullUrlMatch[1]);
  }
  if (!url.includes("amazonaws.com") && url.split("/").length > 1) {

Check failure: Code scanning / CodeQL
Incomplete URL substring sanitization (High)
'amazonaws.com' can be anywhere in the URL, and arbitrary hosts may come before or after it.

Copilot Autofix

AI 11 months ago

To fix the issue, the code should parse the URL and validate its host explicitly instead of relying on a substring check. This ensures that the host matches the expected domain (amazonaws.com) and prevents bypasses caused by embedding the substring in other parts of the URL.

Steps to fix:

  1. Use the URL constructor to parse the URL and extract its host.
  2. Validate that the host ends with .amazonaws.com to account for subdomains like s3.amazonaws.com.
  3. Replace the substring check (url.includes('amazonaws.com')) with the host validation.

Required changes:

  • Modify the extractS3KeyFromUrl function to use the URL constructor for parsing and host validation.
  • Ensure the function throws an error if the host does not match the expected domain.

Suggested changeset 1
apps/portal/src/utils/s3.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/apps/portal/src/utils/s3.ts b/apps/portal/src/utils/s3.ts
--- a/apps/portal/src/utils/s3.ts
+++ b/apps/portal/src/utils/s3.ts
@@ -42,4 +42,10 @@
   }
-  if (!url.includes('amazonaws.com') && url.split('/').length > 1) {
-    return url;
+  try {
+    const parsedUrl = new URL(url);
+    if (!parsedUrl.host.endsWith('.amazonaws.com') && url.split('/').length > 1) {
+      return url;
+    }
+  } catch (error) {
+    console.error('Invalid URL format:', url, error);
+    throw new Error('Invalid URL format');
   }
EOF
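Review bot: The `try`/`catch` around `new URL(url)` breaks the case this branch exists for: a bare object key such as `uploads/report.pdf` has no scheme, so `new URL()` throws and the function now throws 'Invalid URL format' instead of returning the key. The host check is also the wrong way round for the CodeQL finding: when `parsedUrl.host` does not end with `.amazonaws.com` the branch still does `return url`, so an attacker-supplied `https://evil.example/anything` is handed back verbatim as an "S3 key"; and a suffix match on `.amazonaws.com` accepts any bucket's endpoint, not this application's. The retained `url.split('/').length > 1` adds nothing once the input has parsed as an absolute URL. Suggest parsing only inputs that carry a scheme, comparing `parsedUrl.hostname` exactly against the expected bucket/region endpoint, taking the key from `parsedUrl.pathname`, and rejecting everything else. Also drop `console.error('Invalid URL format:', url, error)`: if any of these inputs are presigned S3 URLs, the query string carries the signature and the link stays usable until it expires, so it should not be written to logs.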
Copilot is powered by AI and may make mistakes. Always verify output.
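The CodeQL finding and the autofix's own steps (parse with `URL`, validate the host, stop using `includes('amazonaws.com')`) point at the same fix. The following is an added example of that check as a security engineer would write it; it is not code from this repository or from the PR. It assumes a single bucket `example-uploads` in `us-east-1` and a deliberately conservative key character set; both are placeholders to be replaced with the application's real allow-list.

```typescript
// Added example, not this repository's code: a host-validating
// extractS3KeyFromUrl that replaces the substring check CodeQL flagged.
// Bucket name, region and the accepted key character set are assumptions.
const ALLOWED_BUCKET = "example-uploads"; // assumed bucket name
const ALLOWED_REGION = "us-east-1"; // assumed region

// The two hostnames S3 serves that bucket from: virtual-hosted style and path style.
const VIRTUAL_HOSTED = `${ALLOWED_BUCKET}.s3.${ALLOWED_REGION}.amazonaws.com`;
const PATH_STYLE = `s3.${ALLOWED_REGION}.amazonaws.com`;

// Assumed key policy: limited character set and no empty, "." or ".." path
// segments, so a key can never be used to climb out of a prefix.
export function isSafeKey(key: string): boolean {
  if (!/^[A-Za-z0-9 ._\-\/]+$/.test(key)) return false;
  return key.split("/").every((seg) => seg !== "" && seg !== "." && seg !== "..");
}

export function extractS3KeyFromUrl(input: string): string {
  // Anything with a URL scheme is treated as a URL; everything else is a bare key.
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(input);
  if (!hasScheme) {
    if (!isSafeKey(input)) throw new Error("Invalid S3 object key");
    return input;
  }

  let parsed: URL;
  try {
    parsed = new URL(input);
  } catch {
    throw new Error("Invalid URL");
  }
  if (parsed.protocol !== "https:") throw new Error("Only https S3 URLs are accepted");

  // Exact hostname comparison: "https://evil.example/amazonaws.com/x",
  // "https://amazonaws.com.evil.example/x" and another bucket's endpoint all fail here.
  let encodedKey: string;
  if (parsed.hostname === VIRTUAL_HOSTED) {
    encodedKey = parsed.pathname.slice(1);
  } else if (parsed.hostname === PATH_STYLE) {
    const prefix = `/${ALLOWED_BUCKET}/`;
    if (!parsed.pathname.startsWith(prefix)) throw new Error("URL is not for the allowed bucket");
    encodedKey = parsed.pathname.slice(prefix.length);
  } else {
    throw new Error(`Host ${parsed.hostname} is not an allowed S3 endpoint`);
  }

  // Decode first, validate second: "..%2F..%2Fetc%2Fpasswd" is a single path
  // segment to the URL parser and only becomes a traversal after decoding.
  let key: string;
  try {
    key = decodeURIComponent(encodedKey);
  } catch {
    throw new Error("Malformed percent-encoding in key");
  }
  if (!isSafeKey(key)) throw new Error("Invalid S3 object key");
  return key;
}

// Non-throwing wrapper for call sites that treat a bad URL as "no key".
export function safeExtractS3Key(input: string): string | null {
  try {
    return extractS3KeyFromUrl(input);
  } catch {
    return null;
  }
}

// Constructed sample inputs (not from the PR): the first three are accepted, the rest rejected.
const SAMPLES = [
  "https://example-uploads.s3.us-east-1.amazonaws.com/reports/2025/q1.pdf",
  "https://s3.us-east-1.amazonaws.com/example-uploads/reports/q1%20final.pdf",
  "reports/2025/q1.pdf",
  "https://evil.example/amazonaws.com/secret",
  "https://amazonaws.com.evil.example/secret",
  "https://other-bucket.s3.us-east-1.amazonaws.com/secret",
  "https://example-uploads.s3.us-east-1.amazonaws.com/..%2F..%2Fetc%2Fpasswd",
  "../../etc/passwd",
];
for (const s of SAMPLES) {
  console.log(`${s} -> ${safeExtractS3Key(s) ?? "rejected"}`);
}
```

The difference from a `host.endsWith('.amazonaws.com')` check is that the allow-list names the application's own endpoints, so another tenant's bucket on the same S3 domain is rejected rather than trusted; if the app serves several buckets or regions, extend the two constants into a list rather than loosening the comparison back to a suffix match.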
…tion membership and managing customer records
cursor[bot]

This comment was marked as outdated.


@cursor cursor Bot left a comment


✅ BugBot reviewed your changes and found no bugs!


Was this report helpful? Give feedback by reacting with 👍 or 👎

@claudfuen claudfuen merged commit 824fcec into main Jun 16, 2025
10 of 11 checks passed
@claudfuen
Contributor

🎉 This PR is included in version 1.42.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


2 participants