From 499578fe18599c9a01c9624c8efbe7378da3c45f Mon Sep 17 00:00:00 2001
From: Sebastion
Date: Thu, 28 May 2026 17:29:07 +0100
Subject: [PATCH 1/2] fix: restrict PostHog proxy to allowed paths (CWE-918)
---
 src/routes/api/jackson-pollock/$.ts | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/src/routes/api/jackson-pollock/$.ts b/src/routes/api/jackson-pollock/$.ts
index ef7f72c2..ba0e397d 100644
--- a/src/routes/api/jackson-pollock/$.ts
+++ b/src/routes/api/jackson-pollock/$.ts
@@ -4,6 +4,23 @@ import { preflight } from '@/server/api';
 const POSTHOG_API_HOST = 'us.i.posthog.com';
 const POSTHOG_ASSET_HOST = 'us-assets.i.posthog.com';
+const ALLOWED_PATHS = [
+ '/decide',
+ '/e',
+ '/engage',
+ '/capture',
+ '/batch',
+ '/s',
+ '/i/v0/e',
+];
+
+function isAllowedPath(path: string): boolean {
+ if (path.startsWith('/static/')) return true;
+ return ALLOWED_PATHS.some(
+ (allowed) => path === allowed || path === allowed + '/',
+ );
+}
+
 export const Route = createFileRoute('/api/jackson-pollock/$')({
 server: {
 handlers: {
@@ -22,14 +39,16 @@ async function proxyPostHog({ request }: { request: Request }) {
 routeIndex === -1 ? '/' : url.pathname.slice(routeIndex + routePath.length) || '/';
+
+ if (!isAllowedPath(path)) {
+ return new Response('Not Found', { status: 404 });
+ }
+
 const hostname = path.startsWith('/static/') ? POSTHOG_ASSET_HOST : POSTHOG_API_HOST;
- const nextUrl = new URL(url);
- nextUrl.protocol = 'https';
- nextUrl.hostname = hostname;
- nextUrl.port = '';
- nextUrl.pathname = path;
+ const nextUrl = new URL(`https://${hostname}${path}`);
+ nextUrl.search = url.search;
 const headers = new Headers();
 for (const name of ['accept', 'content-type', 'user-agent']) {
From 7bfd0d70c377369d771fbefe6f7016d08882fc2c Mon Sep 17 00:00:00 2001
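Review bot: `isAllowedPath` and `ALLOWED_PATHS` document nothing about the contract they enforce, and the `/static/` branch is a prefix match that admits every sub-path, so a reader has to work out from the second hunk that the input is an already-parsed `url.pathname` (dot segments such as `..` and `%2e%2e` are resolved by the URL parser, assuming `url` is a WHATWG URL as the removed `new URL(url)` suggests) before trusting that traversal cannot escape the prefix. I would add above the function: `/** Allowlist of upstream PostHog paths: ingestion endpoints match exactly (optional trailing slash), /static/ is a prefix match for assets. Expects a parsed, normalized pathname; anything else fails closed with 404. */`. Declaring the list readonly (`] as const;`) keeps it from being mutated at runtime and still works with `.some`. I cannot tell from here which endpoints the deployed posthog-js version calls, so the list should be checked against it, since a miss surfaces only as a 404 in the browser.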
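Review bot: The template string `https://${hostname}${path}` passed to `new URL` keeps the authority intact only because `isAllowedPath` happens to accept nothing that does not begin with `/`; a future allowlist entry without a leading slash, or a change to how `path` is sliced (`routeIndex` and `routePath` are computed above the hunk), would let `path` extend the hostname into a different upstream. I would make that invariant explicit: after building `nextUrl`, `if (nextUrl.hostname !== hostname || !isAllowedPath(nextUrl.pathname)) return new Response('Not Found', { status: 404 });`, which costs one comparison and fails closed. A comment on the template line, `// path starts with '/' by construction of isAllowedPath, so it cannot alter the authority`, would tell the next maintainer why the concatenation is safe. `proxyPostHog` begins before this hunk and continues after it.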
From: Sebastion
Date: Thu, 28 May 2026 22:47:47 +0100
Subject: [PATCH 2/2] fix: add /array/* to proxy allowlist and asset-host routing
---
 src/routes/api/jackson-pollock/$.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/routes/api/jackson-pollock/$.ts b/src/routes/api/jackson-pollock/$.ts
index ba0e397d..334bc4c6 100644
--- a/src/routes/api/jackson-pollock/$.ts
+++ b/src/routes/api/jackson-pollock/$.ts
@@ -16,6 +16,7 @@ const ALLOWED_PATHS = [
 function isAllowedPath(path: string): boolean {
 if (path.startsWith('/static/')) return true;
+ if (path.startsWith('/array/')) return true;
 return ALLOWED_PATHS.some(
 (allowed) => path === allowed || path === allowed + '/',
 );
@@ -44,7 +45,7 @@ async function proxyPostHog({ request }: { request: Request }) {
 return new Response('Not Found', { status: 404 });
 }
- const hostname = path.startsWith('/static/') ? POSTHOG_ASSET_HOST : POSTHOG_API_HOST;
+ const hostname = path.startsWith('/static/') || path.startsWith('/array/') ? POSTHOG_ASSET_HOST : POSTHOG_API_HOST;
 const nextUrl = new URL(`https://${hostname}${path}`);
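Review bot: The set of asset prefixes is now spelled out twice, once in `isAllowedPath` (first hunk) and again in the `hostname` selection here, and this very commit exists because the two copies drifted; the next prefix added to one side and not the other will either be rejected with 404 or, worse, allowlisted but sent to the ingestion host. I would hold the prefixes in one place and have both call sites use it, so allowlisting an asset path and routing it to the asset host cannot diverge. `proxyPostHog` begins before this hunk and continues after it, and the closing brace of `isAllowedPath` is outside the first hunk.
```typescript
const ASSET_PREFIXES = ['/static/', '/array/'] as const;

/** True for paths served from the PostHog asset host rather than the ingestion API. */
function isAssetPath(path: string): boolean {
  return ASSET_PREFIXES.some((prefix) => path.startsWith(prefix));
}

// … unchanged: ALLOWED_PATHS …
function isAllowedPath(path: string): boolean {
  if (isAssetPath(path)) return true;
  // … unchanged: exact-match check against ALLOWED_PATHS …

// … unchanged: proxyPostHog up to the allowlist check …
  const hostname = isAssetPath(path) ? POSTHOG_ASSET_HOST : POSTHOG_API_HOST;
```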