fix(security): allowlist irma proxy path prefixes #21
Merged
Conversation
The /irma/[...path] endpoint previously forwarded any path to the upstream Yivi server with the server's auth token attached. Restrict proxying to the 'session' prefix — the only path the Yivi frontend SDK uses — and reject anything containing '..' to block traversal attempts. Closes #10
rubenhensen approved these changes on Apr 24, 2026
Contributor, Author
Dobby sees the approval! Dobby is so happy, sir/madam! Dobby will review what was asked and take care of any follow-ups right away! 🧦
Contributor, Author
Confirming this PR was approved by @rubenhensen and has already merged to main. All CI checks passed. Follow-up PRs for the remaining findings from #10 are already open:
The session cookie
Summary
Addresses the SSRF-style exposure described in #10. The `/irma/[...path]` server route was forwarding any path to the upstream Yivi server, carrying the server's auth token with it. This PR restricts proxying to the `session` prefix — the only prefix the Yivi frontend SDK uses — and rejects any path containing `..` outright, so traversal attempts can't slip through. The allowlist lives in a new `allowlist.ts` next to the route so it can be unit-tested (SvelteKit only allows specific named exports from `+server.ts`).
Scope note
The issue body also lists three other findings (change-request field validation, the DNS `.includes()` check, and the session cookie `sameSite`). Those are intentionally not in this PR — each warrants its own small, reviewable diff. If you'd like me to follow up with them, say the word.
Verification
`npm run test:unit -- --run` → 32 passed (6 new tests exercising the allowlist, covering session/subpaths, unknown prefixes, traversal, empty, and prefix-spoofing).
`npm run check` → 0 errors, 0 warnings.
`npm run build` → green with a dummy `DATABASE_URL`.
Interactive verification against a real Yivi server was not possible in this workspace.
Reviewer quickstart
Closes #10
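An added example of the kind of allowlist the Summary describes, written here for illustration and not the project's own `allowlist.ts`. It accepts only the `session` prefix on a whole-segment boundary (so `sessions` and `session-evil` fail, which is the prefix-spoofing case the tests mention), rejects empty paths and anything containing `..`, and goes one step beyond the PR's literal `..` check: it also inspects the percent-decoded path and verifies that the resolved upstream URL stays on the upstream origin and under its base path. The function names, the `resolveUpstream` helper and the `https://yivi.example` upstream are assumptions made for this example.

```typescript
// Added example, not the project's allowlist.ts. Models the allowlist for a
// catch-all proxy route such as /irma/[...path]: `path` is the captured
// parameter without the leading "/irma/". Function names and the upstream
// host used at the bottom are assumptions made for this illustration.

const ALLOWED_PREFIXES: readonly string[] = ["session"];

// Returns true only when `path` may be forwarded upstream with the server's
// auth token attached.
export function isAllowedProxyPath(path: string): boolean {
  if (typeof path !== "string" || path.length === 0) return false; // empty

  // Check the percent-decoded form too, so "%2e%2e" cannot smuggle a
  // traversal past a literal ".." check. Malformed escapes are rejected.
  let decoded: string;
  try {
    decoded = decodeURIComponent(path);
  } catch (_err) {
    return false;
  }

  for (const candidate of [path, decoded]) {
    if (candidate.includes("..")) return false;  // traversal
    if (candidate.includes("\\")) return false;  // backslash as a separator
    if (candidate.startsWith("/")) return false; // absolute or scheme-relative
  }

  // Whole-segment prefix match: "session" and "session/<id>/status" pass,
  // "sessions" or "session-evil/x" do not (prefix spoofing).
  const firstSegment = decoded.split("/")[0];
  return ALLOWED_PREFIXES.includes(firstSegment);
}

// Builds the upstream URL, or returns null if the path is not allowed.
// Defense in depth: even after the allowlist, the resolved URL must stay on
// the upstream origin and under its base path.
export function resolveUpstream(upstreamBase: string, path: string): string | null {
  if (!isAllowedProxyPath(path)) return null;
  const base = new URL(upstreamBase.endsWith("/") ? upstreamBase : upstreamBase + "/");
  const target = new URL(path, base);
  if (target.origin !== base.origin || !target.pathname.startsWith(base.pathname)) {
    return null;
  }
  return target.toString();
}

// Usage with constructed inputs, mirroring the cases the PR's tests cover.
const UPSTREAM = "https://yivi.example"; // assumed upstream, not a real host
for (const p of ["session", "session/abc/status", "session/../admin",
                 "session/%2e%2e/admin", "", "sessions", "session-evil/x", "/session"]) {
  console.log(JSON.stringify(p), "->", resolveUpstream(UPSTREAM, p));
}
```

Matching on the first path segment rather than with `startsWith("session")` is what closes the prefix-spoofing case; checking the decoded form as well covers the encoded traversal that a plain `includes("..")` would miss, and the origin check on the resolved URL is a cheap second line of defense if the allowlist is ever loosened.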