From 662631a27948d431e6bd37fed15077b1bcccc7f8 Mon Sep 17 00:00:00 2001 From: Fuwn Date: Mon, 1 Jun 2026 15:37:21 +0000 Subject: fix(security): allow-list web-push endpoints to stop SSRF Stored push subscriptions carry a client-supplied `endpoint`, and the notifications job POSTed to it with no host check, so a subscription with an internal/metadata URL turned the Trigger.dev worker into a blind SSRF primitive. Add isAllowedPushEndpoint (https + known vendor hosts: FCM, Mozilla, Apple, WNS), skip non-conforming endpoints in the job, and reject them at subscribe time. Browser-minted subscriptions always match a vendor host, so real delivery is unchanged; a behaviour-gate test asserts vendor endpoints pass and internal/non-https/look-alikes fail. --- src/routes/api/notifications/subscribe/+server.ts | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) (limited to 'src/routes/api/notifications/subscribe') diff --git a/src/routes/api/notifications/subscribe/+server.ts b/src/routes/api/notifications/subscribe/+server.ts index 51dbf340..b1913e5d 100644 --- a/src/routes/api/notifications/subscribe/+server.ts +++ b/src/routes/api/notifications/subscribe/+server.ts @@ -3,6 +3,7 @@ import { safeUserIdentity } from "$lib/Data/AniList/identity"; import { setUserSubscription } from "$lib/Database/SB/User/notifications"; import { decodeAuthCookieOrNull } from "$lib/Effect/authCookie"; import { decodeRequestJsonOrThrow } from "$lib/Effect/requestBody"; +import { isAllowedPushEndpoint } from "$lib/Utility/pushEndpoint"; const unauthorised = new Response("Unauthorised", { status: 401 }); @@ -20,12 +21,20 @@ export const POST = async ({ cookies, request, url }) => { if (!userId) return unauthorised; + const subscription = await decodeRequestJsonOrThrow( + request, + Schema.Record(Schema.String, Schema.Unknown), + ); + + if ( + typeof subscription.endpoint !== "string" || + !isAllowedPushEndpoint(subscription.endpoint) + ) + return new Response("Invalid push endpoint", { status: 400 }); + await setUserSubscription( userId, - (await decodeRequestJsonOrThrow( - request, - Schema.Record(Schema.String, Schema.Unknown), - )) as unknown as JSON, + subscription as unknown as JSON, fingerprint, ); -- cgit v1.2.3