
Validate redirects with security registry #56


Open
wants to merge 3 commits into base: main

Conversation

zhelezkov
Contributor

Summary

  • add secureFetch helper that validates redirect targets with BlinksRegistry
  • restore original fetchBlink logic in useBlink
  • mock fetch in tests instead of spinning up HTTP servers

Testing

  • bun test

https://chatgpt.com/codex/tasks/task_e_684200a9b074832094a98d66894bade1
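The redirect validation the summary describes, written out as an added example (this is not blinks-core's own secureFetch): a pure per-hop policy plus a manual-redirect fetch loop, with the BlinksRegistry lookup modelled as an isTrusted(url) predicate and fetch injected by the caller, which is an assumption made because the registry API is not shown here and mirrors the PR's approach of mocking fetch in tests.

```typescript
// Added example, not blinks-core's own secureFetch. The BlinksRegistry lookup is modelled
// as an isTrusted(url) predicate (an assumption: the registry API is not shown on this page).
export interface HopResponse { status: number; headers: { get(name: string): string | null } }
export type Fetch = (url: string, init: { redirect: 'manual' }) => Promise<HopResponse>;
export type HopDecision =
  | { kind: 'done' }
  | { kind: 'follow'; next: URL }
  | { kind: 'reject'; reason: string };

// Pure per-hop policy, kept free of I/O so it can be tested with a mocked fetch.
export function decideHop(
  current: URL,
  status: number,
  location: string | null,
  isTrusted: (target: URL) => boolean,
): HopDecision {
  // Not a redirect, or a 3xx without Location: hand the response back unchanged.
  if (status < 300 || status > 399 || location === null) return { kind: 'done' };
  const next = new URL(location, current); // Location may be relative; resolve against the current hop
  if (!isTrusted(next)) {
    // Report only the origin: the path and query of an untrusted target may carry tokens.
    return { kind: 'reject', reason: `redirect to untrusted origin ${next.origin}` };
  }
  return { kind: 'follow', next };
}

// Follows redirects by hand (redirect: 'manual') so that every hop goes through decideHop.
// Assumes a Node/Bun-style fetch that returns 3xx responses with their Location header intact.
export async function secureFetch(
  url: string,
  isTrusted: (target: URL) => boolean,
  fetchImpl: Fetch,
  maxRedirects = 5,
): Promise<HopResponse> {
  let current = new URL(url);
  for (let redirectCount = 0; redirectCount <= maxRedirects; redirectCount++) {
    const response = await fetchImpl(current.toString(), { redirect: 'manual' });
    const decision = decideHop(current, response.status, response.headers.get('location'), isTrusted);
    if (decision.kind === 'done') return response;
    if (decision.kind === 'reject') throw new Error(decision.reason);
    current = decision.next; // validated hop; an untrusted target is never fetched
  }
  throw new Error(`Too many redirects: exceeded ${maxRedirects}, last origin ${current.origin}`);
}
```

Because the untrusted target is rejected before it is fetched, a mocked fetch can assert on exactly which URLs were requested, with no HTTP server involved.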

@zhelezkov zhelezkov requested review from Copilot, fsher and tsmbl and removed request for Copilot June 5, 2025 22:31

@Copilot Copilot AI left a comment


Pull Request Overview

This PR adds a security validation layer for redirects by implementing a secureFetch helper that checks redirect targets against a security registry and integrates it with the BlinkInstance API. Key changes include:

  • Introducing secureFetch in packages/blinks-core/src/utils/secure-fetch.ts.
  • Adding tests in packages/blinks-core/test/api/secure-fetch.spec.ts that validate trusted and malicious redirect scenarios.
  • Updating the API usage in packages/blinks-core/src/api/BlinkInstance/BlinkInstance.ts to utilize secureFetch.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: Description
  • packages/blinks-core/test/api/secure-fetch.spec.ts: New tests added to validate secureFetch for both trusted and malicious redirects.
  • packages/blinks-core/src/utils/secure-fetch.ts: Implements secureFetch with redirects validation using BlinksRegistry.
  • packages/blinks-core/src/utils/index.ts: Exports secureFetch.
  • packages/blinks-core/src/api/BlinkInstance/BlinkInstance.ts: Replaces standard fetch with secureFetch to restore original fetchBlink logic.

return response;
}

throw new Error('Too many redirects');

Copilot AI Jun 5, 2025


Consider enhancing the error message by including the number of redirects attempted and the final URL, which would aid in debugging redirect loops.

Suggested change
- throw new Error('Too many redirects');
+ throw new Error(`Too many redirects: attempted ${redirectCount} redirects, final URL was ${currentUrl}`);
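Review bot: interpolating `${currentUrl}` into the suggested error message writes the full redirect target, query string included, into whatever logs or error reporters catch this exception; since secureFetch exists because redirect targets are untrusted input, log only the origin (or host) of currentUrl alongside the count, e.g. `Too many redirects: ${redirectCount} hops, last origin ${new URL(currentUrl).origin}`, and keep the full URL out of the message.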

