Snupai/snupai-site
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Potential fix for code scanning alert no. 1: Incomplete URL substring sanitization #12

Merged
Snupai merged 1 commit from alert-autofix-1 into master 2025-12-02 10:58:23 +01:00
Conversation 1 Commits 1 Files changed 1 +11 -5
Snupai commented 2025-12-02 10:51:51 +01:00 (Migrated from github.com)
Copy link

Potential fix for https://github.com/Snupai/snupai-site/security/code-scanning/1

To fix the problem, the referer URL should be parsed, and its hostname property compared against an explicit whitelist of allowed hostnames. For subdomain support, the allowed hostnames should be clearly listed in an array, e.g., ['snupai.me', 'www.snupai.me']. This ensures only referers from the correct hosts are accepted. Specifically, you should replace the string referer.startsWith('https://snupai.me') logic in the isAllowedReferer function (lines 26-33) with code that parses the referer URL using the built-in URL class and checks the hostname against an array of allowed hostnames.

You will need to add an import for URL if not already available (globally available in Node.js and modern runtimes), and modify the isAllowedReferer function to use parsed referer URLs for host validation. Only edit shown code in src/app/api/ai-roast/route.ts.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Note

Replaces substring-based referer checks with URL-parsed hostname validation against an explicit allowlist, rejecting invalid URLs.

Written by Cursor Bugbot for commit 80953e6c18. This will update automatically on new commits. Configure here.

Potential fix for [https://github.com/Snupai/snupai-site/security/code-scanning/1](https://github.com/Snupai/snupai-site/security/code-scanning/1) To fix the problem, the referer URL should be parsed, and its `hostname` property compared against an explicit whitelist of allowed hostnames. For subdomain support, the allowed hostnames should be clearly listed in an array, e.g., `['snupai.me', 'www.snupai.me']`. This ensures only referers from the correct hosts are accepted. Specifically, you should replace the string `referer.startsWith('https://snupai.me')` logic in the `isAllowedReferer` function (lines 26-33) with code that parses the referer URL using the built-in `URL` class and checks the `hostname` against an array of allowed hostnames. You will need to add an import for `URL` if not already available (globally available in Node.js and modern runtimes), and modify the `isAllowedReferer` function to use parsed referer URLs for host validation. Only edit shown code in `src/app/api/ai-roast/route.ts`. --- _Suggested fixes powered by Copilot Autofix. Review carefully before merging._ <!-- CURSOR_SUMMARY --> --- > [!NOTE] > Replaces substring-based referer checks with URL-parsed hostname validation against an explicit allowlist, rejecting invalid URLs. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 80953e6c181abf88249a9ae49a3a3afd91352c41. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
vercel[bot] commented 2025-12-02 10:51:55 +01:00 (Migrated from github.com)
Copy link

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
snupai-site Ready Ready Preview Comment Dec 2, 2025 9:52am
[vc]: #u+xOpttHv+PANLPc36oBVVeK3//0t5aNaMd4liTVhcE=:eyJpc01vbm9yZXBvIjp0cnVlLCJ0eXBlIjoiZ2l0aHViIiwicHJvamVjdHMiOlt7Im5hbWUiOiJzbnVwYWktc2l0ZSIsImluc3BlY3RvclVybCI6Imh0dHBzOi8vdmVyY2VsLmNvbS9zbnVwYWkvc251cGFpLXNpdGUvR2ljNWtUbVJXcWF4TXFwM3ZvczNmY0F2czV6NCIsInByZXZpZXdVcmwiOiJzbnVwYWktc2l0ZS1naXQtYWxlcnQtYXV0b2ZpeC0xLXNudXBhaS52ZXJjZWwuYXBwIiwibmV4dENvbW1pdFN0YXR1cyI6IkRFUExPWUVEIiwibGl2ZUZlZWRiYWNrIjp7InJlc29sdmVkIjowLCJ1bnJlc29sdmVkIjowLCJ0b3RhbCI6MCwibGluayI6InNudXBhaS1zaXRlLWdpdC1hbGVydC1hdXRvZml4LTEtc251cGFpLnZlcmNlbC5hcHAifSwicm9vdERpcmVjdG9yeSI6bnVsbH1dfQ== The latest updates on your projects. Learn more about [Vercel for GitHub](https://vercel.link/github-learn-more). | Project | Deployment | Preview | Comments | Updated (UTC) | | :--- | :----- | :------ | :------- | :------ | | [snupai-site](https://vercel.com/snupai/snupai-site) | ![Ready](https://vercel.com/static/status/ready.svg) [Ready](https://vercel.com/snupai/snupai-site/Gic5kTmRWqaxMqp3vos3fcAvs5z4) | [Preview](https://snupai-site-git-alert-autofix-1-snupai.vercel.app) | [Comment](https://vercel.live/open-feedback/snupai-site-git-alert-autofix-1-snupai.vercel.app?via=pr-comment-feedback-link) | Dec 2, 2025 9:52am |
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
bug
Something isn't working

  
dependencies
Pull requests that update a dependency file

  
documentation
Improvements or additions to documentation

  
duplicate
This issue or pull request already exists

  
enhancement
New feature or request

  
good first issue
Good for newcomers

  
help wanted
Extra attention is needed

  
invalid
This doesn't seem right

  
javascript
Pull requests that update javascript code

  
question
Further information is requested

  
wontfix
This will not be worked on

No labels
bug
dependencies
documentation
duplicate
enhancement
good first issue
help wanted
invalid
javascript
question
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Snupai/snupai-site!12
No description provided.