Potential fix for code scanning alert no. 38: Server-side request forgery

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
2026-03-09 11:42:54 -05:00 · 2025-05-05 23:39:30 -04:00
1 changed files with 14 additions and 1 deletions
--- a/packages/sync-server/src/app-simplefin/app-simplefin.js
+++ b/packages/sync-server/src/app-simplefin/app-simplefin.js
@@ -310,13 +310,26 @@ function parseAccessKey(accessKey) {

 async function getAccessKey(base64Token) {
  const token = Buffer.from(base64Token, 'base64').toString();
+  
+  // Allowlist of trusted base URLs
+  const allowedBaseUrls = ['https://api.simplefin.com', 'https://secure.simplefin.com'];
+  let tokenUrl;
+  try {
+    tokenUrl = new URL(token);
+    if (!allowedBaseUrls.some(base => tokenUrl.href.startsWith(base))) {
+      throw new Error('Invalid token URL');
+    }
+  } catch (e) {
+    throw new Error('Malformed or untrusted token URL');
+  }
+
  const options = {
    method: 'POST',
    port: 443,
    headers: { 'Content-Length': 0 },
  };
  return new Promise((resolve, reject) => {
-    const req = https.request(new URL(token), options, res => {
+    const req = https.request(tokenUrl, options, res => {
      res.on('data', d => {
        resolve(d.toString());
      });