🔒 Fix fallback of allowedOrigin to localhost in production#381
🔒 Fix fallback of allowedOrigin to localhost in production#381is0692vs wants to merge 7 commits into
Conversation
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub. 1 Skipped Deployment
|
Qodo reviews are paused for this user.Troubleshooting steps vary by plan Learn more → On a Teams plan? Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center? |
|
Warning Review limit reached
Next review available in: 17 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughGETハンドラ内でallowedOriginの決定方法を変更した。APP_URL環境変数が未設定の場合、NODE_ENVがproductionであれば500エラーで処理を中断し、それ以外の環境ではlocalhost URLにフォールバックするよう分岐処理を追加した。 ChangesallowedOrigin決定ロジックの修正
Estimated code review effort: 1 (Trivial) | ~5 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request improves environment variable validation in the card API route by returning a 500 error in production if the APP_URL environment variable is not configured. The reviewer suggested trimming APP_URL to prevent issues with accidental leading or trailing whitespace.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| const url = new URL(request.url); | ||
| const options = parseCardQueryParams(url.searchParams); | ||
| const allowedOrigin = process.env.APP_URL || "http://localhost:3000"; | ||
| let allowedOrigin = process.env.APP_URL; |
There was a problem hiding this comment.
Trimming the APP_URL environment variable prevents potential issues caused by accidental leading or trailing whitespace in configuration files, which could otherwise result in malformed font URLs or failed origin validation checks.
| let allowedOrigin = process.env.APP_URL; | |
| let allowedOrigin = process.env.APP_URL?.trim(); |
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
|
@greptile review |
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/app/api/card/`[username]/route.ts:
- Around line 22-23: In the route handler for card rendering, replace the
plain-text production 500 response with the same SVG error fallback used by the
other error paths via renderErrorCardResponse, so the response format stays
consistent for embedded <img> usage. Also remove the internal APP_URL detail
from the message by using a generic server configuration error string, and make
sure the 500 response includes the same Cache-Control behavior as the rest of
the image route; if renderErrorCardResponse needs a fontUrl, update its call or
signature in a way that works without exposing APP_URL.
- Around line 20-26: Add a test for the production-only early return in the card
route when APP_URL is missing. Update the route logic in route.ts’s
allowedOrigin handling only if needed, and cover the branch where
process.env.NODE_ENV is "production" and process.env.APP_URL is unset so the
handler returns a 500 Response with the server configuration error message. Use
the existing route handler symbols in src/app/api/card/[username]/route.ts and
mirror the style of route.test.ts to assert this fallback path directly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7787d9d2-18dd-4d18-a60c-2911d96f7591
📒 Files selected for processing (1)
src/app/api/card/[username]/route.ts
|
@greptile review production設定エラーのSVG応答・キャッシュ保持、APP_URLのtrim、production分岐テストを追加しました。再レビューをお願いします。 |
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
Co-authored-by: is0692vs <135803462+is0692vs@users.noreply.github.com>
|
長期間未整理のPRです。必要なセキュリティ修正は現行mainを起点に最小差分で再作成するため、古いPRとheadブランチを整理します。 |
🎯 What: The vulnerability fixed
In
src/app/api/card/[username]/route.ts, if theAPP_URLenvironment variable is not explicitly set, theallowedOriginfalls back tohttp://localhost:3000.This insecure fallback might cause fonts or other internal fetch requests to hit a local developer endpoint instead of the intended service in production environments. Crucially, this variable is used via
renderCardResponseas the trustedallowedOrigininisTrustedFontUrl(invalidators.ts), potentially meaning that the production environment would implicitly trustlocalhost:3000URLs when it shouldn't.🛡️ Solution: How the fix addresses the vulnerability
The code now properly verifies the presence of the
APP_URLenvironment variable. IfAPP_URLis empty and the environment isproduction, the server now explicitly returns a500 Server configuration error. In non-production environments, it safely falls back tohttp://localhost:3000.PR created automatically by Jules for task 9766932802489647517 started by @is0692vs
Greptile Summary
本番環境で
APP_URLが未設定の場合にlocalhost:3000へフォールバックしてしまう脆弱性を修正するPRです。APP_URLに.trim()を追加してホワイトスペースのみの値も無効と見なすようにし、本番環境ではrenderErrorCardResponseを使った SVG エラーカード(500)を返すよう変更しています。route.ts:APP_URLの検証を強化し、本番環境では既存のエラーパス(429・404・503)と同形式の SVG エラーレスポンスを返すよう統一。route.test.ts:afterEachでvi.unstubAllEnvs()によるクリーンアップを追加し、本番環境かつAPP_URL未設定のシナリオをカバーする新規テストを追加。Confidence Score: 5/5
変更範囲は限定的で、既存のエラーハンドリングパターンと一貫した修正です。安全にマージ可能です。
変更内容は GET ハンドラー内の早期リターンロジックの追加と .trim() の適用のみで、既存の正常系・異常系のコードパスには影響しません。前回レビューで指摘されていたレスポンス形式の不整合とエラーメッセージでの内部変数名の露出もいずれも解消されています。
特に注意が必要なファイルはありません。
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%% flowchart TD A[GET /api/card/:username] --> B[Read APP_URL and trim] B --> C{allowedOrigin truthy?} C -- Yes --> D[Use APP_URL as allowedOrigin] C -- No --> E{NODE_ENV is production?} E -- Yes --> F[renderErrorCardResponse\nstatus 500 + ERROR_CACHE] E -- No --> G[Fallback to localhost:3000] G --> D D --> H[Build fontUrl from allowedOrigin] H --> I{Rate limit exceeded?} I -- Yes --> J[renderErrorCardResponse 429] I -- No --> K[fetchCardData] K -- null --> L[renderErrorCardResponse 404] K -- throws --> M[renderErrorCardResponse 503] K -- data --> N[renderCardResponse 200]%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%% flowchart TD A[GET /api/card/:username] --> B[Read APP_URL and trim] B --> C{allowedOrigin truthy?} C -- Yes --> D[Use APP_URL as allowedOrigin] C -- No --> E{NODE_ENV is production?} E -- Yes --> F[renderErrorCardResponse\nstatus 500 + ERROR_CACHE] E -- No --> G[Fallback to localhost:3000] G --> D D --> H[Build fontUrl from allowedOrigin] H --> I{Rate limit exceeded?} I -- Yes --> J[renderErrorCardResponse 429] I -- No --> K[fetchCardData] K -- null --> L[renderErrorCardResponse 404] K -- throws --> M[renderErrorCardResponse 503] K -- data --> N[renderCardResponse 200]Reviews (3): Last reviewed commit: "Fix APP_URL environment variable fallbac..." | Re-trigger Greptile