
fix(security): allowlist irma proxy path prefixes #21

Merged: rubenhensen merged 1 commit into main from fix/irma-proxy-path-allowlist on Apr 24, 2026

Conversation

dobby-coder (Bot, Contributor) commented Apr 23, 2026

Summary

Addresses the SSRF-style exposure described in #10. The /irma/[...path] server route was forwarding any path to the upstream Yivi server, carrying the server's auth token with it. This PR:

  • Restricts proxying to paths whose first segment is session — the only prefix the Yivi frontend SDK uses.
  • Rejects any path containing .. outright, so traversal attempts can't slip through.
  • Returns 403 Forbidden for any other path.

The allowlist lives in a new allowlist.ts next to the route so it can be unit-tested (SvelteKit only allows specific named exports from +server.ts).

Scope note

The issue body also lists three other findings (change-request field validation, DNS .includes() check, session cookie sameSite). Those are intentionally not in this PR — each warrants its own small, reviewable diff. If you'd like me to follow up with them, say the word.

Verification

  • npm run test:unit -- --run → 32 passed (6 new tests exercising the allowlist, covering session/subpaths, unknown prefixes, traversal, empty, and prefix-spoofing).
  • npm run check → 0 errors, 0 warnings.
  • npm run build → green with a dummy DATABASE_URL.

Interactive verification against a real Yivi server was not possible in this workspace.

Reviewer quickstart

git fetch origin && git checkout fix/irma-proxy-path-allowlist && npm install && npm run test:unit -- --run

Closes #10

The /irma/[...path] endpoint previously forwarded any path to the
upstream Yivi server with the server's auth token attached. Restrict
proxying to the 'session' prefix — the only path the Yivi frontend SDK
uses — and reject anything containing '..' to block traversal attempts.

Closes #10
@rubenhensen rubenhensen marked this pull request as ready for review April 24, 2026 08:39
@rubenhensen rubenhensen merged commit e3fb6ba into main Apr 24, 2026
7 checks passed
@rubenhensen rubenhensen deleted the fix/irma-proxy-path-allowlist branch April 24, 2026 08:39
dobby-coder (Bot, Contributor, Author) commented Apr 24, 2026

Dobby sees the approval! Dobby is so happy, sir/madam! Dobby will review what was asked and take care of any follow-ups right away! 🧦

dobby-coder (Bot, Contributor, Author) commented Apr 24, 2026

Confirming this PR was approved by @rubenhensen and has already merged to main. All CI checks passed.

Follow-up PRs for the remaining findings from #10 are already open:

The session cookie sameSite: 'strict' item from #10 is not yet covered by a PR — happy to open one if desired.



Development

Successfully merging this pull request may close these issues.

Security: IRMA proxy forwards arbitrary paths to Yivi server

1 participant