feat(metadata): add safe path validation
willian-viana committed Sep 25, 2024
1 parent 943dcda commit 56218c8
Showing 1 changed file with 14 additions and 7 deletions.
21 changes: 14 additions & 7 deletions pages/api/metadata/[...params].js
@@ -1,14 +1,21 @@
import { GFW_DATA_API, GFW_STAGING_DATA_API } from 'utils/apis';
import { GFW_DATA_API } from 'utils/apis';
import axios from 'axios';

const ENVIRONMENT = process.env.NEXT_PUBLIC_FEATURE_ENV;
const GFW_METADATA_API_URL =
ENVIRONMENT === 'staging' ? GFW_STAGING_DATA_API : GFW_DATA_API;

export default async (req, res) => {
try {
const path = req.query.params.join('/');
const url = `${GFW_METADATA_API_URL}/${path}`;
const allowedPaths = {
[`dataset/${req.query.params[1]}`]: `dataset/${req.query.params[1]}`,
};

const userPath = req.query.params.join('/');
const safePath = allowedPaths[userPath];

if (!safePath) {
return res.status(400).end('Invalid path');
}

const url = `${GFW_DATA_API}/${safePath}`;

const datasetMetadata = await axios.get(url);

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
of this request depends on a
user-provided value
.
const datasetVersionMetadata = await axios.get(`${url}/latest/metadata`);

Check failure

Code scanning / CodeQL

Server-side request forgery Critical

The
URL
of this request depends on a
user-provided value
.

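Review bot: The allowlist at the top of the try block is built from the same `req.query.params[1]` it is meant to validate, so `allowedPaths[userPath]` only confirms the request has the shape `dataset/<one segment>` and places no constraint on the segment itself, which is why the two CodeQL SSRF alerts on the `axios.get` calls below it remain. The lookup also falls through to `Object.prototype`: a request for `/api/metadata/constructor` makes `params.join('/')` equal `constructor`, `safePath` becomes the `Object` function (truthy), and the handler proceeds to `axios.get` with a garbage URL instead of returning 400. I would replace the object with explicit shape and character checks on the id and encode it when building the URL, as sketched below; the exact id charset should be confirmed against the upstream API's dataset naming, and `Object.hasOwn` or a `Set` is the minimum change if the map is kept. Separately, the hunk also drops the `GFW_STAGING_DATA_API` switch so staging now proxies to the production API, which the commit title does not mention and is worth confirming as intended. The handler body continues outside the hunk.
```javascript
export default async (req, res) => {
  try {
    // Expect exactly ['dataset', <id>]; the id must be a single opaque path segment.
    const [resource, datasetId, ...rest] = req.query.params;
    const DATASET_ID = /^[A-Za-z0-9_-]+$/; // TODO confirm against upstream dataset naming
    if (resource !== 'dataset' || rest.length > 0 || !DATASET_ID.test(datasetId ?? '')) {
      return res.status(400).end('Invalid path');
    }

    const url = `${GFW_DATA_API}/dataset/${encodeURIComponent(datasetId)}`;
    // … unchanged: datasetMetadata and datasetVersionMetadata requests …
```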
