mirror of
https://github.com/baptisteArno/typebot.io.git
synced 2026-06-05 21:04:43 +08:00
## Summary

- **Fix SSRF via open redirect bypass** (GHSA-jxv3-m939-w95c): HTTP Request block now uses `safeKy` instead of `ky`, and Code block's sandboxed `fetch` now follows redirects manually with `redirect: "manual"` + re-validation of each `Location` hop via `validateHttpReqUrl`.
- **Improved safeKy tests**: redirect bypass tests now run end-to-end through `safeKy` (not just indirect Location header checks), including chained redirect scenarios.
- **Skip Vercel preview builds**: `nx-ignore` now exits early with code 0 when `VERCEL_ENV=preview`.

## Test plan

- [x] `bunx nx test @typebot.io/lib` — 76 tests pass (0 fail, 6 skip)
- [x] `NODE_ENV=development bun test packages/lib/src/safeKy.test.ts` — 8 tests pass (redirect bypass verified end-to-end)
- [x] `bunx nx typecheck @typebot.io/bot-engine` — passes
- [x] `bunx nx typecheck @typebot.io/variables` — passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

| | | |
|---|---|---|
| .. | | |
| nx-ignore | | |
| setup-worktree.ts | | |