Conversation
* Fix scale bar position in mobile mode
* chore: bump version to 4.1.12-20251119 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Added Layer Refresh Rate option for loading animation time steps
* Added customizable animation export options (defaults to GIF only)
* Use rectangular animation areas
* Suppress build warning from ffmpeg
* chore: bump version to 4.1.14-20251124 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Add new callback for newActiveFeature
* chore: bump version to 4.1.15-20251201 [version bump]

---------

Co-authored-by: Amanda Chung <Amanda.Chung@jpl.nasa.gov>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

…ile mode (#817)
* Highlight buttons in extended timeline view as range indicator in mobile mode
* chore: bump version to 4.1.16-20251203 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Fix issue with local versus UTC time in expanded timeline display
* Consolidate function
```javascript
const collectionResponse = await fetch(
  `${stacUrl}/collections/${collection}`,
  {
    method: "GET",
    headers: { "content-type": "application/json" },
  }
);
```
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
Copilot Autofix
AI 4 months ago
In general, to fix SSRF vulnerabilities when user input is used to determine part of a backend HTTP request URL, you must ensure that the user input cannot cause the server to access arbitrary resources. The best way to do this is to restrict the URL path segment (collection in this case) to a known-safe allow-list of permitted values, or to strictly validate that it is a safe value (for example, allowing only alphanumeric names, possibly including certain symbols like "-", "_", but never slashes or dots). The validation should happen immediately after extracting the user input from the request, before you use it in the fetch.
Specific steps:
- Add a validation step after extracting `collection` from `req.params`.
- You can either check `collection` is in a pre-defined allow-list (most secure), or enforce that it matches a safe pattern (e.g., using a regexp to allow only "^[\w-]+$" — letters, digits, underscore, dash).
- If the value is unsafe, immediately reject the request with a 400 Bad Request (or similar) response.
- No external libraries are strictly required—Node's RegExp is sufficient.
- These code edits should be made at the beginning of the `/collections/:collection/export` handler, after retrieving `collection`.
| @@ -111,6 +111,21 @@ | ||
| router.get("/collections/:collection/export", async function (req, res, next) { | ||
| const { collection } = req.params; | ||
|
|
||
| // Validate collection to prevent SSRF: only allow alphanumerics, underscore, hyphen. | ||
| if (!/^[\w-]+$/.test(collection)) { | ||
| logger( | ||
| "error", | ||
| "Invalid collection name in export request", | ||
| req.originalUrl, | ||
| req, | ||
| { collection } | ||
| ); | ||
| return res.status(400).send({ | ||
| status: "failure", | ||
| message: "Invalid collection name.", | ||
| }); | ||
| } | ||
|
|
||
| const stacUrl = `http://${ | ||
| process.env.IS_DOCKER === "true" ? "stac-fastapi" : "localhost" | ||
| }:${process.env.STAC_PORT || 8881}`; |
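Review bot: the `/^[\w-]+$/` check at the top of the handler is the right fix for the first finding, and placing it before `stacUrl` is built means no backend URL is ever assembled from an unvalidated name; note that Express percent-decodes route params before they reach `req.params`, so an encoded slash or dot sequence in the `:collection` segment arrives decoded and is exactly what this regexp stops. Two follow-ups: the second CodeQL finding on `fetch(nextUrl, ...)` further down is not addressed by this hunk, and since `nextUrl` is taken from the STAC service's own pagination link rather than from `req.params`, it needs a separate check that the link resolves to the same scheme, host and port as `stacUrl` before it is followed; and the 400 body is fine as is, but keep the raw `collection` value out of the response (the current `message: "Invalid collection name."` does that, so just preserve it if the logging line is later copied into the response).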
```javascript
const itemsResponse = await fetch(nextUrl, {
  method: "GET",
  headers: { "content-type": "application/json" },
});
```
Check failure
Code scanning / CodeQL
Server-side request forgery Critical
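Added example covering both CodeQL findings above (the `collection` route param and the `nextUrl` pagination link); this is not code from the PR or its project. It assumes an Express-style `req`/`res` shape, the `IS_DOCKER`/`STAC_PORT` variables shown in the hunk, and a STAC items endpoint under `/collections/<name>/items` whose responses carry `rel: "next"` links.

```javascript
// Added example, not code from this PR or its project: input validation for
// the two CodeQL SSRF findings above. Express is not imported; the req/res
// shape, the STAC base URL construction and the env var names are assumptions.

// Same allow-list rule as the autofix: letters, digits, underscore, hyphen.
const COLLECTION_RE = /^[\w-]+$/;

function isValidCollection(collection) {
  return typeof collection === "string" && COLLECTION_RE.test(collection);
}

// Backend base URL, built the way the handler in the hunk does.
function stacBaseUrl(env = process.env) {
  const host = env.IS_DOCKER === "true" ? "stac-fastapi" : "localhost";
  return `http://${host}:${env.STAC_PORT || 8881}`;
}

// Pagination "next" links arrive in the STAC response body, so they are not
// under this server's control. Follow one only if it resolves to the same
// scheme, host and port as the configured base and stays under /collections/.
function isSameOriginNext(nextUrl, baseUrl) {
  let next, base;
  try {
    base = new URL(baseUrl);
    next = new URL(nextUrl, base); // relative hrefs resolve against base
  } catch {
    return false;
  }
  return next.protocol === base.protocol && next.hostname === base.hostname &&
    next.port === base.port && next.pathname.startsWith("/collections/");
}

// Express-style export handler applying both checks; fetchImpl and env are
// injectable so the flow can be exercised without a running STAC service.
async function exportHandler(req, res, fetchImpl = fetch, env = process.env) {
  const { collection } = req.params;
  if (!isValidCollection(collection)) {
    return res.status(400).send({ status: "failure", message: "Invalid collection name." });
  }
  const base = stacBaseUrl(env);
  let nextUrl = `${base}/collections/${collection}/items`;
  const items = [];
  while (nextUrl && isSameOriginNext(nextUrl, base)) {
    const body = await (await fetchImpl(nextUrl)).json();
    items.push(...(body.features || []));
    nextUrl = (body.links || []).find((l) => l.rel === "next")?.href;
  }
  return res.status(200).send({ status: "success", items });
}
```

A `next` link pointing off the STAC origin simply ends pagination rather than being fetched, which is the conservative behaviour when the link's provenance cannot be trusted.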
* #810 Cesium initial
* #810 Cesium 2
* Updated webpack to handle Cesium assets
* Update Feature Branch (#823)
* Fix scale bar position in mobile mode (#811)
* Fix scale bar position in mobile mode
* chore: bump version to 4.1.12-20251119 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Updates to Animation Tool (#812)
* Added Layer Refresh Rate option for loading animation time steps
* Added customizable animation export options (defaults to GIF only)
* Use rectangular animation areas
* Suppress build warning from ffmpeg
* chore: bump version to 4.1.14-20251124 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* #813 STAC UI import/export (#814)
* #813 STAC UI import/export 1
* #813 STAC import/export 2
* Fix Expanded TimeUI Hours timezone offset
* Add new callback for newActiveFeature (#816)
* Add new callback for newActiveFeature
* chore: bump version to 4.1.15-20251201 [version bump]

---------

Co-authored-by: Amanda Chung <Amanda.Chung@jpl.nasa.gov>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Highlight buttons in extended timeline view as range indicator in mobile mode (#817)
* Highlight buttons in extended timeline view as range indicator in mobile mode
* chore: bump version to 4.1.16-20251203 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* #815 Update STAC Collection metadata (#818)
* #815 Update STAC Collection metadata
* #815 Update STAC Collection metadata 2
* chore: bump version to 4.1.15-20251203 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* #820 Fix DrawTool - Incrementer Value Multi-User Race Conditions (#821)
* #820 Fix DrawTool - Incrementer Value Multi-User Race Conditions
* chore: bump version to 4.1.18-20251205 [version bump]

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* Fix issue with local versus UTC time in expanded timeline display (#819)
* Fix issue with local versus UTC time in expanded timeline display
* Consolidate function
* Improve init-db logging

---------

Co-authored-by: ac-61 <ac-61@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Joe T. Roberts <5315956+jtroberts@users.noreply.github.com>
Co-authored-by: Amanda Chung <Amanda.Chung@jpl.nasa.gov>

* #810 Configure default panel width
* #810 More Cesium improvements
* #810 Improve Cesium time responsiveness and feature selection

---------

Co-authored-by: Joe Roberts <joe.t.roberts@jpl.nasa.gov>
Co-authored-by: ac-61 <ac-61@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Joe T. Roberts <5315956+jtroberts@users.noreply.github.com>
Co-authored-by: Amanda Chung <Amanda.Chung@jpl.nasa.gov>
No description provided.