Skip to content

fix(security): add origin allow-list check to zipball proxy route#193

Open
rotecodefraktion wants to merge 1 commit into
ipapakonstantinou:devfrom
rotecodefraktion:fix/zipball-origin-allowlist
Open

fix(security): add origin allow-list check to zipball proxy route#193
rotecodefraktion wants to merge 1 commit into
ipapakonstantinou:devfrom
rotecodefraktion:fix/zipball-origin-allowlist

Conversation

@rotecodefraktion

@rotecodefraktion rotecodefraktion commented Jun 15, 2026

Copy link
Copy Markdown

What changed

Added the existing isOriginAllowed() same-origin guard to the zipball
proxy route (src/app/api/github/zipball/route.ts), returning 403 for
disallowed origins before any work is done.

Why

The zipball route was the only GitHub proxy route without this guard
(every other route under src/app/api/ already uses isOriginAllowed).
Without it, any cross-origin page could use the proxy as an egress
amplifier for multi-MB repo archives.

How it was tested

  • npm run lint
  • npm run typecheck (clean)
  • npm testoriginAllowlist, githubSyncZipball, zipballRetry, gitProxyOptions: 17 pass
  • npm run build
  • Sync change? Touches a sync-support proxy route, but no client sync logic changed.
  • UI change? n/a

Notes

Single-file change. Reuses the already-established @/utils/originAllowlist helper.

@rotecodefraktion @claude
fix(security): add origin allow-list check to zipball proxy route
a3447e5 
The zipball route was the only GitHub proxy route without the
isOriginAllowed() same-origin guard, letting any cross-origin page
use the proxy as an egress amplifier for multi-MB repo archives.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rotecodefraktion