Enhance SSRF protections and input validation in blockchain API#712
Merged
Conversation
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…g in path regex

The Copilot autofix in PR #704 introduced two issues:

1. mempool.ts: Math.max(0, Math.trunc(Number(startIndex))) produces NaN for undefined/non-numeric inputs and Infinity for Infinity input, creating invalid URLs like .../txs/NaN. Replace with a Number.isFinite guard that safely falls back to 0.
2. blockchain-api.ts: the ALLOWED_PATHS regex character class included %, allowing percent-encoded path traversal sequences like %2e%2e that bypass URL parser normalization. No caller uses percent-encoded pathnames, so removing % is safe defense-in-depth.

https://claude.ai/code/session_01U1iKew457tGYZEGdynvC3P
…idate currency and range

- Route getHistoricalPrice() through fetchJson() instead of raw fetch(), closing the main SSRF bypass that CodeQL flagged
- Add runtime VALID_CURRENCIES validation at all server action boundaries (blockchain-api, market, both tax report flows) to prevent query parameter injection via the currency field
- Replace raw fetch() in both tax report flow getDailyPrices() with fetchJson(), bringing them under the host/path allowlist
- Sanitize market page range parameter as a positive integer
- Use encodeURIComponent on all user-influenced query parameters
- Tighten Zod schemas from z.string() to z.enum for currency fields
- Export VALID_CURRENCIES const array from types.ts for shared validation

https://claude.ai/code/session_01U1iKew457tGYZEGdynvC3P
Refactor currency validation and API calls with centralized utilities
…igins The CodeQL taint tracker follows user input through new URL(url) → parsedUrl.toString() → fetch(), and doesn't recognize Set.has() or regex checks as sanitizers. Break the taint chain by looking up the origin from getTrustedOrigin() which returns hardcoded string literals via an if/else chain, then reconstructing the URL with new URL(path, origin). Also strips credentials and fragment from parsed URLs for defense in depth. https://claude.ai/code/session_011pxQ2tSP9bsZzKdmA8gzz8
Sanitize blockchain API URLs to prevent injection attacks
…meters Replace raw URL string parameter with typed (host, pathname, query) signature so fetch() receives URLs built from hardcoded origin literals, breaking the taint chain that CodeQL traces from user input to the HTTP request. https://claude.ai/code/session_01QFzfvaefjkSBejad6YnKGC
Refactor API client to use typed host parameters instead of URLs
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
…n permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for code scanning alert no. 1: Workflow does not contain permissions
Potential fix for code scanning alert no. 2: Workflow does not contain permissions
Add defense-in-depth check verifying the constructed URL's origin matches the trusted constant before passing it to fetch(). This satisfies CodeQL's js/request-forgery taint analysis (CWE-918). https://claude.ai/code/session_01FVAfRA8x2LzXSPQbqsmxhS
Add origin validation to fetchJson in blockchain-api
…uction Add strict format validation (regex) and encodeURIComponent() for Bitcoin addresses and transaction IDs at every entry point in blockchain-api.ts. This breaks the taint chain that CodeQL traces from user input to fetch(), resolving the js/request-forgery alert on line 69. https://claude.ai/code/session_01CTf6E4bTxV38GUC1L5UazP
Replace tainted suffix passthrough (addressMatch[2]) with string literal mapping and add exhaustive path validation so no branch of esploraGet can pass unsanitized user data to fetchJson. https://claude.ai/code/session_01CTf6E4bTxV38GUC1L5UazP
Add input validation for Bitcoin addresses and transaction IDs
Potential fix for code scanning alert no. 3: Server-side request forgery
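The pattern the commits above describe (typed host parameter, origin taken from an if/else chain of literals, URL rebuilt with new URL(path, origin), credentials and fragment stripped, an origin check before the request, a %-free ALLOWED_PATHS allowlist, a Number.isFinite guard for startIndex, and regex checks on addresses and txids), shown as an added example that is not the project's code. The host names, the exact regexes, and the injected HTTP function are assumptions.

```typescript
// Added example, not the project's code. Hosts, regexes and the injected
// doFetch parameter are assumptions; the shape follows the PR's commit messages.
type TrustedHost = "mempool" | "esplora";

// Origin comes from an if/else chain of string literals, so the taint tracker
// (and a reader) can see that nothing user-controlled reaches the origin.
function getTrustedOrigin(host: TrustedHost): string {
  if (host === "mempool") return "https://mempool.example";
  if (host === "esplora") return "https://esplora.example";
  throw new Error("unknown host");
}

// Path allowlist. The character class deliberately has no '%', so a
// percent-encoded traversal such as %2e%2e is rejected before URL parsing.
const ALLOWED_PATHS = /^\/api\/(address|tx)\/[a-zA-Z0-9]+(\/txs(\/\d+)?)?$/;
const BTC_ADDRESS = /^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$/;
const TXID = /^[0-9a-f]{64}$/;

// Number.isFinite guard: undefined, "abc", NaN and Infinity all fall back to 0,
// so the path can never become .../txs/NaN or .../txs/Infinity.
export function safeIndex(v: unknown): number {
  const n = Number(v);
  return Number.isFinite(n) ? Math.max(0, Math.trunc(n)) : 0;
}

export function buildTrustedUrl(host: TrustedHost, pathname: string,
                                query: Record<string, string> = {}): URL {
  if (!ALLOWED_PATHS.test(pathname)) throw new Error("path not allowed");
  const origin = getTrustedOrigin(host);
  const url = new URL(pathname, origin);           // rebuilt from the literal origin
  url.username = ""; url.password = ""; url.hash = ""; // strip credentials and fragment
  for (const [k, v] of Object.entries(query)) url.searchParams.set(k, v);
  if (url.origin !== origin) throw new Error("origin mismatch"); // defense-in-depth
  return url;
}

export function addressTxsUrl(addr: string, startIndex?: unknown): URL {
  if (!BTC_ADDRESS.test(addr)) throw new Error("invalid address");
  return buildTrustedUrl("mempool",
    `/api/address/${encodeURIComponent(addr)}/txs/${safeIndex(startIndex)}`);
}

export function txUrl(txid: string): URL {
  if (!TXID.test(txid)) throw new Error("invalid txid");
  return buildTrustedUrl("esplora", `/api/tx/${encodeURIComponent(txid)}`);
}

// The HTTP function is injected so the block runs offline; fetch() only ever
// sees a string produced by buildTrustedUrl, never a caller-supplied URL.
export async function fetchJson<T>(host: TrustedHost, pathname: string,
    doFetch: (url: string) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>,
    query?: Record<string, string>): Promise<T> {
  const res = await doFetch(buildTrustedUrl(host, pathname, query).toString());
  if (!res.ok) throw new Error(`HTTP ${res.status}`);
  return (await res.json()) as T;
}
```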
No description provided.