fantonangeli commented on code in PR #3353:
URL: https://github.com/apache/incubator-kie-tools/pull/3353#discussion_r2593303646
##########
packages/cors-proxy/src/index.ts:
##########
@@ -42,12 +42,28 @@ function getAllowedOrigins(): string[] {
return originsList;
}
+function getAllowedHosts(): string[] {
+ const hosts = process.env.CORS_PROXY_ALLOWED_HOSTS ||
"localhost,*.github.com";
+ const hostsList = hosts.split(",").map((o) => o.trim());
+
+ if (hostsList.some((o) => o === "")) {
+ throw new Error("Invalid host: empty hosts are not allowed in
CORS_PROXY_ALLOWED_HOSTS.");
+ }
+
+ if (hostsList.some((o) => o === "*")) {
+ throw new Error('Invalid host: wildcard "*" is not allowed in
CORS_PROXY_ALLOWED_HOSTS.');
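Review bot: The `process.env.CORS_PROXY_ALLOWED_HOSTS || "localhost,*.github.com"` fallback at the top of `getAllowedHosts()` means an explicitly empty variable (`CORS_PROXY_ALLOWED_HOSTS=`) silently becomes the default allowlist instead of tripping the "empty hosts are not allowed" check two lines below; use `?? "localhost,*.github.com"` (or check `=== undefined`) so that only an unset variable falls back to the default. Two smaller points: the entries are trimmed but not lowercased, so whether `*.GitHub.com` later matches `api.github.com` depends entirely on the matcher, and normalising here (`.map((h) => h.trim().toLowerCase())`) removes that ambiguity; and the callback parameter is still named `o` from `getAllowedOrigins()`, so renaming it to `h` makes clear these are hosts, not origins.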
Review Comment:
Because `*.*` is the same as `*` I would allow the common `*`, and like in my [comment](https://github.com/apache/incubator-kie-tools/pull/3353#issuecomment-3617652820), it seems we cannot make CodeQL 100% happy, so I just added a `console.warn` to discourage the `*` in production.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]