hashicorp / boundary-ui

Monorepo for Boundary UIs and addons.

http://boundary-ui.vercel.app

Other

87 stars 28 forks source link

fix: 🐛 add regex literal for isLocalHost check #2484

Closed cameronperera closed 2 weeks ago

cameronperera commented 2 weeks ago

Description

This is a fix for an issue found in a security audit. (see ticket for more details). ✅ Closes: https://hashicorp.atlassian.net/browse/ICU-13242

My thinking here is we cannot check the whole href as the port is dynamic. However, adding a : at the end should prevent someone from using a clusterURL similar to these: http://localhost.somedomain.com/, http://localhostdomain.com/.

Screenshots (if appropriate)

How to Test

Using the Desktop Client, authenticate using an OIDC auth-method and it should still be able to trigger opening a window in your browser if using http://localhost:xxxx.

Checklist

[ ] I have added before and after screenshots for UI changes
[ ] I have added JSON response output for API changes
[ ] I have added steps to reproduce and test for bug fixes in the description
[ ] I have commented on my code, particularly in hard-to-understand areas
[ ] My changes generate no new warnings
[ ] I have added tests that prove my fix is effective or that my feature works

vercel[bot] commented 2 weeks ago

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
boundary-ui	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 13, 2024 5:47pm
boundary-ui-desktop	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 13, 2024 5:47pm