From 56c810a6357a1fda89e0d1f239024e4e9119a313 Mon Sep 17 00:00:00 2001
From: Legion's <64915515+Dargon789@users.noreply.github.com>
Date: Mon, 2 Dec 2024 01:27:30 +0700
Subject: [PATCH 1/3] Create SECURITY.md
Signed-off-by: Legion's <64915515+Dargon789@users.noreply.github.com>
---
 SECURITY.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..034e8480320
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
From 780a6758ca43506ee2b57e46d7e5147c12599b4e Mon Sep 17 00:00:00 2001
From: Legion's <64915515+Dargon789@users.noreply.github.com>
Date: Mon, 2 Dec 2024 07:07:13 +0700
Subject: [PATCH 2/3] Create SECURITY.md
Signed-off-by: Legion's <64915515+Dargon789@users.noreply.github.com>
---
 SECURITY.md | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000000..034e8480320
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.
From 6ebe379bbfd9dff1afad9b6076ede590eb9f9038 Mon Sep 17 00:00:00 2001
From: Legion's <64915515+Dargon789@users.noreply.github.com>
Date: Mon, 2 Dec 2024 07:09:53 +0700
Subject: [PATCH 3/3] Fix code scanning alert no. 1: Incomplete URL substring sanitization
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Legion's <64915515+Dargon789@users.noreply.github.com>
---
 .../[contractAddress]/embed/embed-setup.tsx | 22 +++++++++++++------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/apps/dashboard/src/app/(dashboard)/(chain)/[chain_id]/[contractAddress]/embed/embed-setup.tsx b/apps/dashboard/src/app/(dashboard)/(chain)/[chain_id]/[contractAddress]/embed/embed-setup.tsx
index d21b2d46eb9..8d0f8a4de12 100644
--- a/apps/dashboard/src/app/(dashboard)/(chain)/[chain_id]/[contractAddress]/embed/embed-setup.tsx
+++ b/apps/dashboard/src/app/(dashboard)/(chain)/[chain_id]/[contractAddress]/embed/embed-setup.tsx
@@ -209,16 +209,24 @@ export const EmbedSetup: React.FC = ({
 const apiKeys = useApiKeys();
 const createKeyMutation = useCreateApiKey();
 
- const validApiKey = (apiKeys.data || []).find(
- (apiKey) =>
- (apiKey.domains.includes("*") ||
- apiKey.domains.includes("embed.ipfscdn.io") ||
- apiKey.domains.includes("*.ipfscdn.io")) &&
+ const validApiKey = (apiKeys.data || []).find((apiKey) => {
+ const allowedHosts = ["embed.ipfscdn.io", "*.ipfscdn.io"];
+ const isValidDomain = apiKey.domains.includes("*") || apiKey.domains.some((domain) => {
+ try {
+ const url = new URL(domain);
+ return allowedHosts.includes(url.host);
+ } catch (e) {
+ return false;
+ }
+ });
+ return (
+ isValidDomain &&
 (apiKey.services || [])
 .find((service) => service.name === "storage")
 ?.actions.includes("read") &&
- !!(apiKey.services || []).find((service) => service.name === "rpc"),
- );
+ !!(apiKey.services || []).find((service) => service.name === "rpc")
+ );
+ });
 
 const chainId = contract.chain.id;
 const { idToChain } = useAllChainsData();
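Review bot: The new `isValidDomain` check (the `+ const isValidDomain = ...` line and its `try`/`catch`) runs every allowlist entry through `new URL(domain)`, so an entry stored as a bare host — which is exactly what the removed lines compared against, `"embed.ipfscdn.io"` and `"*.ipfscdn.io"` — throws, falls into the `catch`, and is now treated as not allowed; only keys whose `domains` hold `"*"` or a scheme-qualified URL still match, which reads as a regression rather than a hardening. The scanner alert this answers also looks misread: `apiKey.domains.includes(...)` in the removed lines is `Array.prototype.includes`, an exact element comparison, not a substring test on a URL, so there was no incomplete URL sanitization to fix. Note too that `"*.ipfscdn.io"` in `allowedHosts` can only ever equal a parsed `url.host` if an entry was literally written as a URL with that host, and `url.host` carries a port whereas `hostname` does not. If entries may be either bare hosts or URLs, keep the exact-string match and fall back to URL parsing only when that fails, as below; `EmbedSetup`'s body starts and ends outside the hunk. This selects which API key the embed uses client-side, so the real domain restriction presumably stays enforced server-side — worth confirming before treating this as a security fix at all.
```typescript
const validApiKey = (apiKeys.data || []).find((apiKey) => {
  const allowedHosts = ["embed.ipfscdn.io", "*.ipfscdn.io"];
  // Allowlist entries were matched as whole strings before this change
  // (Array.prototype.includes), so compare exactly first; only entries
  // that carry a scheme are parsed, and then the hostname is compared.
  const isValidDomain =
    apiKey.domains.includes("*") ||
    apiKey.domains.some((domain) => {
      if (allowedHosts.includes(domain)) {
        return true;
      }
      try {
        return allowedHosts.includes(new URL(domain).hostname);
      } catch {
        return false;
      }
    });
  // … unchanged: return (isValidDomain && storage "read" && rpc service checks) …
});
```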