
fix: use strict hostname check for GitHub URLs in OSS sponsorship router #272

Open
kiloconnect[bot] wants to merge 1 commit into main from
session/agent_a08d8e4d-c784-47d2-8673-c709543ab42b

Conversation

kiloconnect[bot] (Contributor) commented Feb 17, 2026

Summary

Replace loose .includes('github.com') check with exact hostname comparison to prevent lookalike domains like github.com.evil.com.

Changes

  • Add isStrictGitHubUrl() function that validates URLs via exact hostname comparison (github.com / www.github.com)
  • Apply it as a Zod .refine() on the CSV row schema's githubUrl field
  • Replace loose .includes('github.com') check in extractRepoNameFromUrl() with strict hostname equality
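The difference between the two checks, as an added TypeScript example that is not part of this PR or the project's code: `looseGitHubCheck` reproduces the pre-fix `.includes('github.com')` pattern, `isStrictGitHubUrl` is the strict hostname version with the https requirement from the inline review comment added, and `extractRepoName` is a hypothetical stand-in for the router's `extractRepoNameFromUrl()`; the sample URLs are constructed.

```typescript
// Added example, not the project's code: substring test beside strict hostname test.

const GITHUB_HOSTS = new Set(['github.com', 'www.github.com']);

// Pre-fix pattern the PR removes: a substring test on the raw string.
function looseGitHubCheck(url: string): boolean {
  return url.includes('github.com');
}

// Strict check: parse first, then compare the hostname exactly; https is required
// as the review comment suggests. Unparseable input (e.g. no scheme) throws => false.
function isStrictGitHubUrl(url: string): boolean {
  try {
    const parsed = new URL(url);
    return parsed.protocol === 'https:' && GITHUB_HOSTS.has(parsed.hostname);
  } catch {
    return false;
  }
}

// Hypothetical stand-in for the router's extractRepoNameFromUrl(): yields
// "owner/repo" only for strict GitHub URLs, otherwise null.
function extractRepoName(url: string): string | null {
  if (!isStrictGitHubUrl(url)) return null;
  const [owner, repo] = new URL(url).pathname.split('/').filter(Boolean);
  if (!owner || !repo) return null;
  return `${owner}/${repo.replace(/\.git$/, '')}`;
}

// Constructed samples: [url, loose verdict, strict verdict].
const SAMPLES: Array<[string, boolean, boolean]> = [
  ['https://github.com/octocat/Hello-World', true, true],
  ['https://www.github.com/octocat/Hello-World.git', true, true],
  ['https://github.com.evil.com/octocat/x', true, false], // lookalike suffix
  ['https://notgithub.com/octocat/x', true, false],       // lookalike prefix
  ['https://evil.com/github.com/octocat/x', true, false], // host name in path
  ['https://github.com@evil.com/octocat/x', true, false], // userinfo trick
  ['http://github.com/octocat/x', true, false],           // plain http
  ['github.com/octocat/x', true, false],                  // no scheme: URL() throws
];

// Returns the URLs whose actual verdicts differ from the expected ones;
// an empty list means every sample behaved as documented above.
function mismatches(): string[] {
  return SAMPLES.filter(
    ([url, loose, strict]) =>
      looseGitHubCheck(url) !== loose || isStrictGitHubUrl(url) !== strict,
  ).map(([url]) => url);
}
```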

Replace loose .includes('github.com') check with exact hostname
comparison to prevent lookalike domains like github.com.evil.com.
Add isStrictGitHubUrl validator and apply it as a Zod refinement
on the CSV row schema.
function isStrictGitHubUrl(url: string): boolean {
try {
const parsed = new URL(url);
return parsed.hostname === 'github.com' || parsed.hostname === 'www.github.com';
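Review bot: `new URL(url)` throws a TypeError on scheme-less input such as `github.com/org/repo`, so the catch branch that follows must return false rather than rethrow, otherwise a malformed CSV row fails the whole request instead of failing the Zod refinement with a row-level message; and since `parsed.protocol` is not inspected, `http://github.com/...` passes this check, so put `parsed.protocol === 'https:' &&` in front of the hostname comparison if these URLs are ever rendered as links.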
kiloconnect[bot] (Contributor Author) commented inline:

[WARNING]: isStrictGitHubUrl() allows non-HTTPS GitHub URLs

If this URL is ever used as a clickable link (emails, UI, logs), allowing http: increases exposure to downgrade/MITM. Consider requiring https: in addition to the strict hostname check.

Suggested change:
- return parsed.hostname === 'github.com' || parsed.hostname === 'www.github.com';
+ return parsed.protocol === 'https:' && (parsed.hostname === 'github.com' || parsed.hostname === 'www.github.com');

kiloconnect[bot] (Contributor Author) commented Feb 17, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Address before merge

Overview

Severity    Count
CRITICAL    0
WARNING     1
SUGGESTION  0

Issue Details

WARNING

File                                          Line  Issue
src/routers/admin/oss-sponsorship-router.ts   33    isStrictGitHubUrl() allows non-HTTPS GitHub URLs

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

File  Line  Issue
None

Files Reviewed (1 file)
  • src/routers/admin/oss-sponsorship-router.ts - 1 issue
