Harden registry URL handling #153

Merged: JSONbored merged 1 commit into main from codex/fix-untrusted-urls-in-externallink-component on Jun 19, 2026

Conversation

@JSONbored (Owner)

Motivation

  • Prevent untrusted registry/API URL fields from causing unsafe navigation or requests in visitors' browsers by validating schemes/hosts and eliminating a client-side fetch fallback.
  • Specifically block non-http(s) schemes, credential-bearing URLs, and private/local hostnames that could be used for javascript:, data:, blob:, or intranet attacks.

Description

  • Strengthen safeExternalUrl in src/components/metagraphed/external-link.tsx to reject URLs with embedded credentials by checking url.username and url.password in addition to existing protocol and private-host checks.
  • Stop performing a browser-side fallback fetch of schema.url in src/routes/schemas.tsx so the UI only requests the trusted API diff endpoint and does not issue arbitrary client-side GETs to backend-provided URLs.
  • All route rendering continues to use the shared ExternalLink/safeExternalUrl helper so unsafe links are rendered as non-clickable spans instead of anchors.

Testing

  • Ran a repository search for the changed patterns with rg "fetch(schema.url)|url.username|url.password|safeExternalUrl", which confirmed the changes are present in src/components/metagraphed/external-link.tsx and src/routes/schemas.tsx (success).
  • Attempted a TypeScript check with npm run typecheck, which failed due to missing installed dependencies and a missing vite/client type definition in this environment (failed).
  • Attempted dependency installs with npm ci, which failed on a peer-dependency conflict, and with npm ci --legacy-peer-deps, which stalled/timed out in this environment (failed/partial).

Codex Task
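An added example, not the repository's own code, of the validation the description outlines: a safeExternalUrl-style check that rejects non-http(s) schemes, credential-bearing URLs and private/local hosts, plus a helper that decides between an anchor and a non-clickable span. The host lists, the helper names (isPrivateIpv4, isPrivateIpv6, renderExternalLink) and the single-label rule are assumptions for illustration, and the example goes beyond the PR text by covering IPv6 and IPv4-mapped addresses. It relies on the WHATWG URL parser (Node's global URL) to canonicalize hosts, so shorthand like 127.1 reaches the check as 127.0.0.1; the constructed sample values at the bottom are not from the project.

```typescript
// Added example, not the project's code: a safeExternalUrl-style validator that
// mirrors the checks the PR description lists (scheme, credentials, private hosts).
// Host lists and helper names below are assumptions for illustration.

// Names that must never be linked from a visitor's browser (assumed list).
const PRIVATE_HOSTS = new Set(["localhost", "0.0.0.0", "::", "::1"]);
const PRIVATE_SUFFIXES = [".localhost", ".local", ".internal", ".home.arpa"];

// RFC 1918, loopback, link-local (169.254/16 includes cloud metadata endpoints),
// CGNAT (100.64/10) and "this" network (0/8).
function isPrivateIpv4(host: string): boolean {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127)
  );
}

// Loopback, unspecified, unique-local (fc00::/7), link-local (fe80::/10) and
// IPv4-mapped addresses, which the URL parser serializes as hex groups (::ffff:7f00:1).
function isPrivateIpv6(host: string): boolean {
  const h = host.toLowerCase();
  if (h === "::1" || h === "::") return true;
  if (/^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true;
  if (h.startsWith("::ffff:")) {
    const rest = h.slice(7);
    if (rest.includes(".")) return isPrivateIpv4(rest);
    const groups = rest.split(":").map((g) => parseInt(g, 16));
    if (groups.length !== 2 || groups.some((g) => Number.isNaN(g))) return false;
    const hi = groups[0];
    const lo = groups[1];
    return isPrivateIpv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
  }
  return false;
}

// No base URL: relative or malformed strings are rejected rather than resolved.
function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Returns a normalized href that is safe to place in an anchor, or null when the
// caller should render plain text instead.
function safeExternalUrl(raw: string): string | null {
  const url = parseUrl(raw);
  if (url === null) return null;
  // Only web schemes; this drops javascript:, data:, blob:, file: and friends.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // userinfo is both a spoofing aid (https://trusted.example@evil/) and a credential leak.
  if (url.username !== "" || url.password !== "") return null;

  let host = url.hostname.toLowerCase().replace(/\.$/, ""); // drop trailing dot
  const isV6 = host.startsWith("[") && host.endsWith("]");
  if (isV6) host = host.slice(1, -1);
  if (host === "" || PRIVATE_HOSTS.has(host)) return null;
  if (PRIVATE_SUFFIXES.some((s) => host.endsWith(s))) return null;
  if (isV6 ? isPrivateIpv6(host) : isPrivateIpv4(host)) return null;
  // Assumed policy: single-label names (http://intranet/) resolve through search
  // domains on the visitor's network, so treat them as local as well.
  if (!isV6 && !host.includes(".")) return null;
  return url.href;
}

type LinkRender = { tag: "a"; href: string } | { tag: "span"; text: string };

// What an ExternalLink-style component should emit for a registry-supplied value:
// an anchor for a safe href, a non-clickable span otherwise.
function renderExternalLink(raw: string): LinkRender {
  const href = safeExternalUrl(raw);
  return href === null ? { tag: "span", text: raw } : { tag: "a", href };
}

// Constructed sample values, as a registry or API response might supply them.
const SAMPLES = [
  "https://registry.example.org/schemas/v1.json",
  "javascript:alert(document.cookie)",
  "https://api.example.com@169.254.169.254/latest/meta-data/",
  "http://[::1]:8080/admin",
];
for (const s of SAMPLES) console.log(s, "->", renderExternalLink(s).tag);
```

The scheme check is done on url.protocol after parsing rather than by string prefix, so leading whitespace, mixed case ("JavaScript:") and control characters that the parser strips cannot slip past it; the host checks likewise run on the parser's canonical form rather than on the raw string.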

@cloudflare-workers-and-pages (Bot) commented Jun 19, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful! (View logs)
Name: metagraphed-ui
Latest Commit: 9a2e2c1
Preview URL: Commit Preview URL / Branch Preview URL
Updated (UTC): Jun 19 2026, 08:58 AM

@superagent-security


Superagent didn't find any vulnerabilities or security issues in this PR.

JSONbored force-pushed the codex/fix-untrusted-urls-in-externallink-component branch from 40296d0 to 9a2e2c1 on June 19, 2026 08:57
JSONbored merged commit 058a91d into main on Jun 19, 2026
7 checks passed
JSONbored deleted the codex/fix-untrusted-urls-in-externallink-component branch on June 19, 2026 08:59
1 participant