Skip to content

security: validate api client base URLs#178

Open
es3298 wants to merge 1 commit into
StableRoute-Org:mainfrom
es3298:security/api-client-base-url-validation-144
Open

security: validate api client base URLs#178
es3298 wants to merge 1 commit into
StableRoute-Org:mainfrom
es3298:security/api-client-base-url-validation-144

Conversation

@es3298

@es3298 es3298 commented Jul 5, 2026

Copy link
Copy Markdown

Summary

  • validate NEXT_PUBLIC_STABLEROUTE_API_BASE once with new URL(...) and allow only http/https schemes
  • resolve API request paths through a guarded helper so absolute, protocol-relative, and backslash origin-escape paths are rejected before fetch
  • keep valid localhost/http(s) behavior compatible and avoid exposing raw misconfigured base values in thrown messages
  • document the API base/path constraints in the README

Closes #144

Threat model

A misconfigured public API base or a caller-provided absolute path could redirect frontend requests away from the configured StableRoute API origin. This patch fails closed before fetch for invalid base schemes, malformed base URLs, absolute/protocol-relative paths, and URL parser edge cases that would resolve to another origin. Error messages are intentionally generic so raw config values are not leaked.

Validation

  • npm test -- src/lib/__tests__/apiClient.test.ts --runInBand
  • npm test -- src/lib/__tests__/apiClient.test.ts --runInBand --coverage --collectCoverageFrom=src/lib/apiClient.ts
    • apiClient.ts: 96% statements, 100% branches, 100% lines
  • npm run lint
  • git diff --check

Notes

  • npm run build is still blocked by the existing upstream src/app/quote/Client.tsx assetsDiffer type error.
  • npm test -- --runInBand is still blocked by existing upstream assetsDiffer quote test failures and the existing theme storage no-op expectation failure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Reject non-http(s) and cross-origin API base values inside apiFetch

2 participants