
Conversation

@CJ13th (Contributor) commented Feb 6, 2025

No description provided.

Comment on lines +22 to +29
const response = await fetch(`http://localhost:8000/tasks/${taskId}`, {
  method: "PUT",
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${GITHUB_TOKEN}`,
  },
  body: JSON.stringify({ assignee_user_id: assignedUserId }),
});

Check failure

Code scanning / CodeQL

Server-side request forgery (Critical)

The URL of this request depends on a user-provided value.

Copilot Autofix (AI), 6 months ago

To fix the SSRF vulnerability, we need to validate and sanitize the taskId parameter before using it in the URL. Specifically:

  1. Restrict the format of taskId: Ensure that taskId adheres to a predefined format (e.g., alphanumeric or UUID) to prevent malicious input.
  2. Use an allow-list: If possible, validate taskId against an allow-list of known valid task IDs.
  3. Avoid direct concatenation: Construct the URL using safe methods that prevent injection or path traversal.

The best approach here is to validate taskId using a regular expression to ensure it conforms to a safe format (e.g., alphanumeric or UUID). This ensures that only legitimate task IDs are used in the request.


Suggested changeset 1: app/api/update-task/route.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/api/update-task/route.ts b/app/api/update-task/route.ts
--- a/app/api/update-task/route.ts
+++ b/app/api/update-task/route.ts
@@ -6,5 +6,6 @@
 
-    if (!taskId || !assignedUserId) {
+    const taskIdRegex = /^[a-zA-Z0-9_-]+$/; // Allow alphanumeric, underscores, and hyphens
+    if (!taskId || !assignedUserId || !taskIdRegex.test(taskId)) {
       return NextResponse.json(
-        { error: "Missing required fields" },
+        { error: "Invalid or missing required fields" },
         { status: 400 },
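Review bot: the new condition `!taskIdRegex.test(taskId)` coerces non-string values before matching, so a JSON body that sends `taskId` as `["abc"]` is tested as the string `"abc"` and passes; add a `typeof taskId !== "string"` check ahead of the regex test, e.g. `if (!taskId || !assignedUserId || typeof taskId !== "string" || !taskIdRegex.test(taskId)) {`. The pattern `/^[a-zA-Z0-9_-]+$/` also has no length bound, so an arbitrarily long id is still forwarded to the task service; a maximum length next to the regex closes that. The reworded "Invalid or missing required fields" message is fine: it does not echo the rejected value back to the caller.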
@@ -21,3 +22,3 @@
 
-    const response = await fetch(`http://localhost:8000/tasks/${taskId}`, {
+    const response = await fetch(`http://localhost:8000/tasks/${encodeURIComponent(taskId)}`, {
       method: "PUT",
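Review bot: `encodeURIComponent(taskId)` is a no-op once the regex in the previous hunk has restricted `taskId` to `[a-zA-Z0-9_-]`, because every one of those characters is unreserved and passes through unencoded; the regex is the control that actually keeps `/`, `?`, `#` and `.` out of the path segment, and this line is defence in depth that only matters if that check is later relaxed. Note that the scheme and host remain hard-coded as `http://localhost:8000`, so the finding concerns the path component rather than the destination; building the request with `new URL()` on that fixed base and assigning the single encoded segment would make that explicit and avoid template interpolation into the URL altogether.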
EOF
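As an added illustration of the validation the autofix describes, here is a TypeScript validator and URL builder. This is example code, not the PR's own route.ts, and it goes slightly beyond the patch: it checks the runtime type before the regex (so an array or number in the JSON body is rejected rather than coerced), bounds the length, and builds the URL with the URL API on the fixed http://localhost:8000 base so the id can only ever be one path segment. The names validateTaskId, buildTaskUrl, checkSamples, MAX_TASK_ID_LENGTH and the 64-character bound are assumptions; the sample inputs are constructed.

```typescript
// Added example, not code from the PR: validate a task id before it is
// interpolated into a request URL, then build the URL with a fixed base.
// Hypothetical names: validateTaskId, buildTaskUrl, checkSamples.

const TASK_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;   // same character set as the autofix
const MAX_TASK_ID_LENGTH = 64;                 // assumed bound, not from the page
const TASK_SERVICE_BASE = "http://localhost:8000"; // fixed base from the route

// Returns the validated id, or null when the value must be rejected.
// The type check comes first: a JSON body can carry arrays or objects, and
// RegExp.test() would silently coerce ["abc"] to the string "abc".
function validateTaskId(input: unknown): string | null {
  if (typeof input !== "string") return null;
  if (input.length === 0 || input.length > MAX_TASK_ID_LENGTH) return null;
  if (!TASK_ID_PATTERN.test(input)) return null;
  return input;
}

// Builds the upstream URL with the URL API instead of string concatenation:
// scheme and host come from TASK_SERVICE_BASE and cannot be influenced by the
// caller, and the id is encoded as a single path segment.
function buildTaskUrl(taskId: unknown): string {
  const id = validateTaskId(taskId);
  if (id === null) throw new Error("invalid task id");
  const url = new URL(TASK_SERVICE_BASE);
  url.pathname = `/tasks/${encodeURIComponent(id)}`;
  return url.toString();
}

// Constructed sample inputs of the kind a handler might receive in a JSON
// body; returns what the validator makes of each one.
function checkSamples(): Record<string, string | null> {
  const samples: Record<string, unknown> = {
    plain: "task-123",
    traversal: "../admin",
    query: "123?admin=true",
    fragment: "123#x",
    array: ["task-123"],
    number: 123,
    empty: "",
    tooLong: "a".repeat(MAX_TASK_ID_LENGTH + 1),
  };
  const out: Record<string, string | null> = {};
  for (const [name, value] of Object.entries(samples)) {
    out[name] = validateTaskId(value);
  }
  return out;
}
```

In a Next.js route handler the call would be `const response = await fetch(buildTaskUrl(taskId), { method: "PUT", ... })` after returning a 400 when `validateTaskId(taskId)` is null; because the base is a parsed URL object, no value the client sends can change where the request goes.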