Validate allowed origins list - Githubissues

getsentry / sentry

Developer-first error tracking and performance monitoring

https://sentry.io

Other

38.98k stars 4.18k forks source link

Validate allowed origins list #77998

Open aliu39 opened 1 month ago

aliu39 commented 1 month ago

Need to investigate/brainstorm if this is best done on the BE or FE.

on BE: validate in the POST handler
on FE: find a way to access the form component's content, either onChange or onSubmit

This is currently set in a project option POST request, as one string (newline-separated list). Should validate:

each is a valid URL without empty paths/domains (//, ..) or illegal characters
scheme: decided with @ryan953 we'll only allow http and https for now. Missing scheme will be auto-formatted to one of the 2 (on FE)
wildcard character (*): also decided with Ryan we'll only allow this for the left-most subdomain.

Display an appropriate error and help text on the FE. Could make use of the form component's onSubmitFail.

ryan953 commented 1 month ago

We should at least validate input on the backend.

Someone could use the api directly and skip the frontend validation, or just edit the frontend to turn off the validation. So if we want valid data the backend is where it needs to be checked. This will be true for all inputs on any page you work on.