chore: import upstream snapshot with attribution
Spell checking / Check Spelling (push) Has been cancelled
Spell checking / Update PR (push) Has been cancelled
Publish Dev Docs Website / build (push) Failing after 1s
Publish Dev Docs Website / deploy (push) Has been skipped
Spell checking / Report (Push) (push) Has been cancelled
Spell checking / Report (PR) (push) Has been cancelled
Spell checking / Check Spelling (push) Has been cancelled
Spell checking / Update PR (push) Has been cancelled
Publish Dev Docs Website / build (push) Failing after 1s
Publish Dev Docs Website / deploy (push) Has been skipped
Spell checking / Report (Push) (push) Has been cancelled
Spell checking / Report (PR) (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,35 @@
|
||||
// Centralized control over when the GitHub bearer token may be attached to an
|
||||
// outgoing request.
|
||||
//
|
||||
// Image and ZIP URLs are extracted from untrusted issue/PR Markdown and can
|
||||
// point to any host. The GitHub bearer token (GITHUB_TOKEN) must therefore only
|
||||
// ever be sent to explicitly allowlisted GitHub API hosts, never to URLs that
|
||||
// originate from issue content. Sending it elsewhere would leak the token to an
|
||||
// attacker-controlled server.
|
||||
|
||||
export const AUTH_ALLOWED_HOSTS = new Set([
|
||||
"api.github.com"
|
||||
]);
|
||||
|
||||
// Returns true only when it is safe to attach the GitHub bearer token to the
|
||||
// given URL: the request must be HTTPS and target an allowlisted GitHub API host.
|
||||
export function shouldSendGitHubToken(rawUrl) {
|
||||
let parsed;
|
||||
try {
|
||||
parsed = new URL(rawUrl);
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
return parsed.protocol === "https:" && AUTH_ALLOWED_HOSTS.has(parsed.hostname.toLowerCase());
|
||||
}
|
||||
|
||||
// Builds request headers, attaching Authorization only when the target URL is an
|
||||
// allowlisted GitHub API host. Arbitrary image/ZIP URLs from issue content never
|
||||
// receive the token.
|
||||
export function headersForUrl(rawUrl, token, extra = {}) {
|
||||
return {
|
||||
...extra,
|
||||
...(token && shouldSendGitHubToken(rawUrl) ? { "Authorization": `Bearer ${token}` } : {}),
|
||||
"User-Agent": "issue-images-mcp"
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user