github-starred/pangolin
2
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-05-08 21:59:09 -05:00
Code Issues 564 Packages Projects Releases 72 Wiki Activity

[PR #1948] [CLOSED] Potential fix for Server-side request forgery #9557

New Issue
Closed
opened 2026-04-30 05:45:21 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-30 05:45:21 -05:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/1948
Author: @marcschaeferger
Created: 11/29/2025
Status: Closed

Base: mainHead: fix-security/js-request-forgery

📝 Commits (4)

  • 5f66127 Potential fix for code scanning alert no. 16: Server-side request forgery
  • 8c4a661 Potential fix for code scanning alert no. 17: Server-side request forgery
  • f0104e1 Potential fix for code scanning alert no. 18: Server-side request forgery
  • ae3a2b9 fix(generatedLicense): enforce UUID v4 orgId validation

📊 Changes

3 files changed (+50 additions, -2 deletions)

View changed files

📝 server/private/routers/generatedLicense/generateNewLicense.ts (+10 -0)
📝 server/private/routers/generatedLicense/listGeneratedLicenses.ts (+4 -2)
📝 src/actions/server.ts (+36 -0)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description (generated by Copilot)

See https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/

Code generated by Copilot

This pull request introduces stricter validation for organization and resource identifiers to improve security and consistency across API endpoints. The main changes add UUID format checks for organization IDs in license-related routes and type guard functions for resource and identity provider IDs in server-side actions, with corresponding input validation in proxy functions.

Validation improvements for organization IDs:

  • Added UUID v4 format validation for orgId in generateNewLicense.ts, ensuring only valid organization IDs are accepted when generating new licenses. [1] [2]
  • Updated listGeneratedLicenses.ts to require orgId to match a UUID v4 pattern, rejecting invalid or missing organization IDs with a clear error message.

Security enhancements in server-side actions:

  • Introduced isValidResourceId and isValidIdpId type guard functions in server.ts to validate resource and identity provider IDs, restricting accepted formats.
  • Added input validation using these type guards in proxy functions (resourcePasswordProxy, resourcePincodeProxy, resourceWhitelistProxy, resourceAccessProxy, validateOidcUrlCallbackProxy, generateOidcUrlProxy), throwing errors for invalid IDs to prevent unsafe requests. [1] [2] [3] [4] [5] [6]
  • Enforced alphanumeric, dash, and underscore restrictions for orgId in generateOidcUrlProxy to further strengthen input validation.

How to test?

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/1948 **Author:** [@marcschaeferger](https://github.com/marcschaeferger) **Created:** 11/29/2025 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix-security/js-request-forgery` --- ### 📝 Commits (4) - [`5f66127`](https://github.com/fosrl/pangolin/commit/5f661277033ff367e05d971ad7245053046beb3f) Potential fix for code scanning alert no. 16: Server-side request forgery - [`8c4a661`](https://github.com/fosrl/pangolin/commit/8c4a661cc1a675ab6ebeb5570102c9174f4a1fa5) Potential fix for code scanning alert no. 17: Server-side request forgery - [`f0104e1`](https://github.com/fosrl/pangolin/commit/f0104e13cad1f7161d57185bd8c89400b50e7292) Potential fix for code scanning alert no. 18: Server-side request forgery - [`ae3a2b9`](https://github.com/fosrl/pangolin/commit/ae3a2b9eeb6469fcfcc4f3a2e1ccda59f17d794b) fix(generatedLicense): enforce UUID v4 orgId validation ### 📊 Changes **3 files changed** (+50 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `server/private/routers/generatedLicense/generateNewLicense.ts` (+10 -0) 📝 `server/private/routers/generatedLicense/listGeneratedLicenses.ts` (+4 -2) 📝 `src/actions/server.ts` (+36 -0) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description (generated by Copilot) See https://codeql.github.com/codeql-query-help/javascript/js-request-forgery/ **Code generated by Copilot** This pull request introduces stricter validation for organization and resource identifiers to improve security and consistency across API endpoints. The main changes add UUID format checks for organization IDs in license-related routes and type guard functions for resource and identity provider IDs in server-side actions, with corresponding input validation in proxy functions. **Validation improvements for organization IDs:** * Added UUID v4 format validation for `orgId` in `generateNewLicense.ts`, ensuring only valid organization IDs are accepted when generating new licenses. [[1]](diffhunk://#diff-6c08a641d462a22060ae3f4fdfd0ee0889f7f4ac9f3dfa255a4b1c0568065c47R56-R57) [[2]](diffhunk://#diff-6c08a641d462a22060ae3f4fdfd0ee0889f7f4ac9f3dfa255a4b1c0568065c47R66-R73) * Updated `listGeneratedLicenses.ts` to require `orgId` to match a UUID v4 pattern, rejecting invalid or missing organization IDs with a clear error message. **Security enhancements in server-side actions:** * Introduced `isValidResourceId` and `isValidIdpId` type guard functions in `server.ts` to validate resource and identity provider IDs, restricting accepted formats. * Added input validation using these type guards in proxy functions (`resourcePasswordProxy`, `resourcePincodeProxy`, `resourceWhitelistProxy`, `resourceAccessProxy`, `validateOidcUrlCallbackProxy`, `generateOidcUrlProxy`), throwing errors for invalid IDs to prevent unsafe requests. [[1]](diffhunk://#diff-e10bdddde4c48eed57a2e4ae3149c01574a9ae9fe8f19001704f360a13f579dbR334-R336) [[2]](diffhunk://#diff-e10bdddde4c48eed57a2e4ae3149c01574a9ae9fe8f19001704f360a13f579dbR349-R351) [[3]](diffhunk://#diff-e10bdddde4c48eed57a2e4ae3149c01574a9ae9fe8f19001704f360a13f579dbR364-R366) [[4]](diffhunk://#diff-e10bdddde4c48eed57a2e4ae3149c01574a9ae9fe8f19001704f360a13f579dbR382-R384) [[5]](diffhunk://#diff-e10bdddde4c48eed57a2e4ae3149c01574a9ae9fe8f19001704f360a13f579dbR422-R424) [[6]](diffhunk://#diff-e10bdddde4c48eed57a2e4ae3149c01574a9ae9fe8f19001704f360a13f579dbR442-R447) * Enforced alphanumeric, dash, and underscore restrictions for `orgId` in `generateOidcUrlProxy` to further strengthen input validation. ## How to test? --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-04-30 05:45:21 -05:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
api
authentication
bug
config
dependencies
docker
documentation
enhancement
good first issue
help wanted
Improvement
Look Into
needs investigating
networking
new feature
non-critical bug
potential bug
pull-request
Mirrored from GitHub Pull Request
 question
reverse proxy
Security
stale
ui
wontfix
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/pangolin#9557
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?