Bypass port validation for AWS infrastructure domains

anshrma · anshrma · commit 5c3c7c6ae9fd · 2025-10-31T15:52:36.000-07:00
Allow AWS services like VPC Lattice to use non-standard ports
by skipping port whitelist checks for AWS infrastructure domains.
Port restrictions now only apply to non-AWS infrastructure URLs.
diff --git a/application_src/ui-react-cloudscape/server.js b/application_src/ui-react-cloudscape/server.js
@@ -70,9 +70,11 @@ const validateUrl = (url) => {
       throw new Error(`Hostname not in whitelist: ${hostname}`);
     }
     
-    // Additional port restrictions - must be in whitelist
+    // Additional port restrictions - must be in whitelist for non-AWS infrastructure
     const port = parsedUrl.port ? parseInt(parsedUrl.port) : (parsedUrl.protocol === 'https:' ? 443 : 80);
-    if (parsedUrl.port && !ALLOWED_PORTS.includes(port)) {
+    
+    // For AWS infrastructure domains, allow any port (VPC Lattice may use non-standard ports)
+    if (parsedUrl.port && !isAWSInfrastructure && !ALLOWED_PORTS.includes(port)) {
       throw new Error(`Port not in whitelist: ${port}`);
     }
     

Original file line number	Diff line number	Diff line change
`@@ -70,9 +70,11 @@ const validateUrl = (url) => {`
`70`	`70`	throw new Error(`Hostname not in whitelist: ${hostname}`);
`71`	`71`	`}`
`72`	`72`
`73`		`- // Additional port restrictions - must be in whitelist`
	`73`	`+ // Additional port restrictions - must be in whitelist for non-AWS infrastructure`
`74`	`74`	`const port = parsedUrl.port ? parseInt(parsedUrl.port) : (parsedUrl.protocol === 'https:' ? 443 : 80);`
`75`		`- if (parsedUrl.port && !ALLOWED_PORTS.includes(port)) {`
	`75`	`+`
	`76`	`+ // For AWS infrastructure domains, allow any port (VPC Lattice may use non-standard ports)`
	`77`	`+ if (parsedUrl.port && !isAWSInfrastructure && !ALLOWED_PORTS.includes(port)) {`
`76`	`78`	throw new Error(`Port not in whitelist: ${port}`);
`77`	`79`	`}`
`78`	`80`