fix: heroku subdomain check #842
```js
// split and slice isn't a great way to match arbitrary domains,
// but it's good enough for ensuring we only match herokuapp.com when it is the TLD
// for the hostname
return hostname.split('.').slice(-2).join('.').indexOf('herokuapp.com') === -1
```
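Review bot: the `indexOf('herokuapp.com')` on the last line is still a substring test, now applied to the two trailing labels, so a hostname such as `notherokuapp.com` would be classified as Heroku and CodeQL keeps flagging the pattern; comparing with `=== 'herokuapp.com'` expresses the intent exactly and should clear the alert. The comment on the second line calls herokuapp.com the TLD, whereas it is the registrable domain (the two trailing labels); rewording it to "the registrable domain" avoids confusion.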
Check failure: Code scanning / CodeQL: Incomplete URL substring sanitization (High), flagged on `herokuapp.com`
Size Change: +41 B (0%) Total Size: 725 kB
Other than the alert still showing up for this PR - this looks correct to me.
hmm, I'm not really clear about the original functionality. Is it something like: By default, we want to share super properties across subdomains, unless we're on herokuapp, which makes sense since those apps are all independent. A URL that fails the current default is something like Overall, if my understanding is correct, I feel like defaulting to false whenever we see herokuapp is much more straightforward.
resolves https://github.com/PostHog/posthog-js/security/code-scanning/3
We checked for a herokuapp.com domain without caring about the position of the match within the hostname.
So, we would have treated
appname.herokuapp.com
and appname.herokuapp.com.intercepting-domain.io
as the same. Well, not any more!
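The difference between the three ways of checking the hostname, as an added example that is not posthog-js code: the position-blind substring test the description says the old code did (reconstructed here from that description), the PR's last-two-labels check copied from the diff, and an exact comparison of the registrable domain as a stricter variant suggested by the editor. The hostnames other than the two from the description are constructed.

```javascript
// Reconstruction of the old behaviour described in the PR: any occurrence of
// "herokuapp.com" anywhere in the hostname counts, so a look-alike domain that
// merely embeds herokuapp.com as a label is misclassified.
function isHerokuSubstring(hostname) {
  return hostname.indexOf('herokuapp.com') !== -1;
}

// The PR's check: only the two trailing labels are inspected, but still with indexOf.
function isHerokuLastTwoLabels(hostname) {
  return hostname.split('.').slice(-2).join('.').indexOf('herokuapp.com') !== -1;
}

// Stricter variant (editor's suggestion, not from the PR): the two trailing labels
// must equal herokuapp.com exactly, so "notherokuapp.com" is no longer a match.
function isHerokuExact(hostname) {
  return hostname.split('.').slice(-2).join('.') === 'herokuapp.com';
}

// Policy from the PR discussion: share super properties across subdomains by
// default, but never on herokuapp.com, where every app is an independent tenant.
function shouldShareAcrossSubdomains(hostname, isHeroku) {
  return !isHeroku(hostname);
}

// Run all three checks over one hostname and return the verdicts side by side.
function evaluate(hostname) {
  return {
    hostname,
    substring: isHerokuSubstring(hostname),
    lastTwoLabels: isHerokuLastTwoLabels(hostname),
    exact: isHerokuExact(hostname),
  };
}

// Constructed sample hostnames; the first two are the pair from the PR description.
const SAMPLE_HOSTNAMES = [
  'appname.herokuapp.com',                       // genuine Heroku app
  'appname.herokuapp.com.intercepting-domain.io', // embeds herokuapp.com mid-hostname
  'notherokuapp.com',                            // look-alike registrable domain
  'example.com',                                 // unrelated site
];

for (const h of SAMPLE_HOSTNAMES) {
  console.log(evaluate(h));
}
```

Only the exact comparison returns true for the first sample and false for the other three; the substring test also accepts the second, and the PR's check also accepts the third.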