Fix CORS origin trimming, unused import, and fragile error handling (FRE-4749)
- P2: Add .map(s => s.trim()) to trim whitespace from comma-separated ALLOWED_ORIGINS - P3: Remove unused setSentryUser import from @shieldai/monitoring - P3: Replace fragile string prefix matching with boolean isValidProtocol sentinel Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -27,7 +27,7 @@ export const apiEnv = envSchema.parse({
|
|||||||
* In development, falls back to localhost.
|
* In development, falls back to localhost.
|
||||||
*/
|
*/
|
||||||
export function getCorsOrigins(): string | string[] {
|
export function getCorsOrigins(): string | string[] {
|
||||||
const origins = (apiEnv.ALLOWED_ORIGINS || '').split(',').filter(Boolean);
|
const origins = (apiEnv.ALLOWED_ORIGINS || '').split(',').map(s => s.trim()).filter(Boolean);
|
||||||
|
|
||||||
if (apiEnv.NODE_ENV === 'production') {
|
if (apiEnv.NODE_ENV === 'production') {
|
||||||
if (origins.length === 0) {
|
if (origins.length === 0) {
|
||||||
@@ -42,15 +42,17 @@ export function getCorsOrigins(): string | string[] {
|
|||||||
'CORS origin validation (FRE-4749): wildcard (*) ALLOWED_ORIGIN in production.'
|
'CORS origin validation (FRE-4749): wildcard (*) ALLOWED_ORIGIN in production.'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
let isValidProtocol = true;
|
||||||
try {
|
try {
|
||||||
const url = new URL(origin);
|
const url = new URL(origin);
|
||||||
if (url.protocol !== 'https:' && url.protocol !== 'http:') {
|
if (url.protocol !== 'https:' && url.protocol !== 'http:') {
|
||||||
|
isValidProtocol = false;
|
||||||
throw new Error(
|
throw new Error(
|
||||||
`CORS origin validation (FRE-4749): invalid protocol "${url.protocol}" in "${origin}". Expected http: or https:`
|
`CORS origin validation (FRE-4749): invalid protocol "${url.protocol}" in "${origin}". Expected http: or https:`
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
if (err instanceof Error && err.message.startsWith('CORS origin')) throw err;
|
if (err instanceof Error && !isValidProtocol) throw err;
|
||||||
throw new Error(
|
throw new Error(
|
||||||
`CORS origin validation (FRE-4749): malformed origin "${origin}": ${err instanceof Error ? err.message : String(err)}`
|
`CORS origin validation (FRE-4749): malformed origin "${origin}": ${err instanceof Error ? err.message : String(err)}`
|
||||||
);
|
);
|
||||||
|
|||||||
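Review bot: The `isValidProtocol` flag in the second hunk is needed only because the protocol check throws inside the same `try` that guards `new URL(origin)`; moving that check after the `try`/`catch` removes both the flag and the rethrow line `if (err instanceof Error && !isValidProtocol) throw err;`. The validation inspects the parsed `url`, but the visible lines suggest the raw `origin` string is what stays in the list, so an entry with a trailing slash, a path, an uppercase host or an explicit default port parses cleanly yet would never equal a browser's `Origin` header; comparing `url.origin` with `origin` turns that silent mismatch into a startup error. `http:` is still accepted in what appears to be the production branch, which is worth narrowing to `https:` if no production origin needs plaintext. The loop header and the function's return lie outside the hunk, so the last two points should be confirmed against them.

```typescript
let url: URL;
try {
  url = new URL(origin);
} catch (err) {
  // … unchanged: throw the "malformed origin" error …
}
if (url.protocol !== 'https:' && url.protocol !== 'http:') {
  // … unchanged: throw the "invalid protocol" error …
}
// Browsers send the serialized origin (scheme, host, non-default port), never a path or trailing slash.
if (url.origin !== origin) {
  throw new Error(
    `CORS origin validation (FRE-4749): "${origin}" is not a bare origin. Expected "${url.origin}"`
  );
}
```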
@@ -8,7 +8,7 @@ import { errorHandlingMiddleware } from './middleware/error-handling.middleware'
|
|||||||
import { loggingMiddleware } from './middleware/logging.middleware';
|
import { loggingMiddleware } from './middleware/logging.middleware';
|
||||||
import { apiEnv, loggingConfig, getCorsOrigins } from './config/api.config';
|
import { apiEnv, loggingConfig, getCorsOrigins } from './config/api.config';
|
||||||
import { routes } from './routes';
|
import { routes } from './routes';
|
||||||
import { initDatadog, initSentry, setSentryUser } from '@shieldai/monitoring';
|
import { initDatadog, initSentry } from '@shieldai/monitoring';
|
||||||
|
|
||||||
const fastify = Fastify({
|
const fastify = Fastify({
|
||||||
logger: loggingConfig,
|
logger: loggingConfig,
|
||||||
|
|||||||