Merge branch 'remix-run:dev' into dev

Author: AnandShiva

.changeset/fuzzy-worms-decide.md

@@ -0,0 +1,5 @@
+---
+"react-router": patch
+---
+
+Escape HTML in scroll restoration keys

.changeset/hungry-pears-battle.md

@@ -0,0 +1,5 @@
+---
+"react-router": patch
+---
+
+Validate redirect locations

.changeset/spotty-masks-beg.md

@@ -0,0 +1,6 @@
+---
+"@react-router/dev": minor
+"react-router": minor
+---
+
+Add additional layer of CSRF protection by rejecting submissions to UI routes from external origins. If you need to permit access to specific external origins, you can specify them in the `react-router.config.ts` config `allowedActionOrigins` field.

docs/api/rsc/matchRSCServerRequest.md

@@ -70,6 +70,7 @@ matchRSCServerRequest({
 
 ```tsx
 async function matchRSCServerRequest({
+  allowedActionOrigins,
   createTemporaryReferenceSet,
   basename,
   decodeReply,
@@ -82,6 +83,7 @@ async function matchRSCServerRequest({
   routes,
   generateResponse,
 }: {
+  allowedActionOrigins?: string[];
   createTemporaryReferenceSet: () => unknown;
   basename?: string;
   decodeReply?: DecodeReplyFunction;
@@ -107,6 +109,10 @@ async function matchRSCServerRequest({
 
 ## Params
 
+### opts.allowedActionOrigins
+
+Origin patterns that are allowed to execute actions.
+
 ### opts.basename
 
 The basename to use when matching the request.

integration/vite-presets-test.ts

@@ -238,6 +238,7 @@ test.describe("Vite / presets", async () => {
         "serverBundles",
         "serverModuleFormat",
         "ssr",
+        "allowedActionOrigins",
         "unstable_routeConfig",
       ]);
 

packages/react-router-dev/config/config.ts

@@ -211,6 +211,12 @@ export type ReactRouterConfig = {
    * SPA without server-rendering. Default's to `true`.
    */
   ssr?: boolean;
+
+  /**
+   * The allowed origins for actions / mutations. Does not apply to routes
+   * without a component. micromatch glob patterns are supported.
+   */
+  allowedActionOrigins?: string[];
 };
 
 export type ResolvedReactRouterConfig = Readonly<{
@@ -277,6 +283,11 @@ export type ResolvedReactRouterConfig = Readonly<{
    * SPA without server-rendering. Default's to `true`.
    */
   ssr: boolean;
+  /**
+   * The allowed origins for actions / mutations. Does not apply to routes
+   * without a component. micromatch glob patterns are supported.
+   */
+  allowedActionOrigins: string[] | false;
   /**
    * The resolved array of route config entries exported from `routes.ts`
    */
@@ -645,6 +656,8 @@ async function resolveConfig({
       userAndPresetConfigs.future?.v8_viteEnvironmentApi ?? false,
   };
 
+  let allowedActionOrigins = userAndPresetConfigs.allowedActionOrigins ?? false;
+
   let reactRouterConfig: ResolvedReactRouterConfig = deepFreeze({
     appDirectory,
     basename,
@@ -658,6 +671,7 @@ async function resolveConfig({
     serverBundles,
     serverModuleFormat,
     ssr,
+    allowedActionOrigins,
     unstable_routeConfig: routeConfig,
   } satisfies ResolvedReactRouterConfig);
 

packages/react-router-dev/typegen/generate.ts

@@ -48,6 +48,7 @@ export function generateServerBuild(ctx: Context): VirtualFile {
       export const routeDiscovery: ServerBuild["routeDiscovery"];
       export const routes: ServerBuild["routes"];
       export const ssr: ServerBuild["ssr"];
+      export const allowedActionOrigins: ServerBuild["allowedActionOrigins"];
       export const unstable_getCriticalCss: ServerBuild["unstable_getCriticalCss"];
     }
   `;

packages/react-router-dev/vite/plugin.ts

@@ -871,7 +871,9 @@ export const reactRouterVitePlugin: ReactRouterVitePlugin = () => {
               }
             `
           : ""
-      }`;
+      }
+      export const allowedActionOrigins = ${JSON.stringify(ctx.reactRouterConfig.allowedActionOrigins)};
+    `;
   };
 
   let loadViteManifest = async (directory: string) => {

packages/react-router/lib/actions.ts

@@ -0,0 +1,122 @@
+export function throwIfPotentialCSRFAttack(
+  headers: Headers,
+  allowedActionOrigins: string[] | undefined,
+) {
+  let originHeader = headers.get("origin");
+  let originDomain =
+    typeof originHeader === "string" && originHeader !== "null"
+      ? new URL(originHeader).host
+      : originHeader;
+  let host = parseHostHeader(headers);
+
+  if (originDomain && (!host || originDomain !== host.value)) {
+    if (!isAllowedOrigin(originDomain, allowedActionOrigins)) {
+      if (host) {
+        // This seems to be an CSRF attack. We should not proceed with the action.
+        throw new Error(
+          `${host.type} header does not match \`origin\` header from a forwarded ` +
+            `action request. Aborting the action.`,
+        );
+      } else {
+        // This is an attack. We should not proceed with the action.
+        throw new Error(
+          "`x-forwarded-host` or `host` headers are not provided. One of these " +
+            "is needed to compare the `origin` header from a forwarded action " +
+            "request. Aborting the action.",
+        );
+      }
+    }
+  }
+}
+
+// Implementation of micromatch by Next.js https://github.com/vercel/next.js/blob/ea927b583d24f42e538001bf13370e38c91d17bf/packages/next/src/server/app-render/csrf-protection.ts#L6
+function matchWildcardDomain(domain: string, pattern: string) {
+  const domainParts = domain.split(".");
+  const patternParts = pattern.split(".");
+
+  if (patternParts.length < 1) {
+    // pattern is empty and therefore invalid to match against
+    return false;
+  }
+
+  if (domainParts.length < patternParts.length) {
+    // domain has too few segments and thus cannot match
+    return false;
+  }
+
+  // Prevent wildcards from matching entire domains (e.g. '**' or '*.com')
+  // This ensures wildcards can only match subdomains, not the main domain
+  if (
+    patternParts.length === 1 &&
+    (patternParts[0] === "*" || patternParts[0] === "**")
+  ) {
+    return false;
+  }
+
+  while (patternParts.length) {
+    const patternPart = patternParts.pop();
+    const domainPart = domainParts.pop();
+
+    switch (patternPart) {
+      case "": {
+        // invalid pattern. pattern segments must be non empty
+        return false;
+      }
+      case "*": {
+        // wildcard matches anything so we continue if the domain part is non-empty
+        if (domainPart) {
+          continue;
+        } else {
+          return false;
+        }
+      }
+      case "**": {
+        // if this is not the last item in the pattern the pattern is invalid
+        if (patternParts.length > 0) {
+          return false;
+        }
+        // recursive wildcard matches anything so we terminate here if the domain part is non empty
+        return domainPart !== undefined;
+      }
+      case undefined:
+      default: {
+        if (domainPart !== patternPart) {
+          return false;
+        }
+      }
+    }
+  }
+
+  // We exhausted the pattern. If we also exhausted the domain we have a match
+  return domainParts.length === 0;
+}
+
+function isAllowedOrigin(
+  originDomain: string,
+  allowedActionOrigins: string[] | undefined = [],
+) {
+  return allowedActionOrigins.some(
+    (allowedOrigin) =>
+      allowedOrigin &&
+      (allowedOrigin === originDomain ||
+        matchWildcardDomain(originDomain, allowedOrigin)),
+  );
+}
+
+function parseHostHeader(headers: Headers) {
+  let forwardedHostHeader = headers.get("x-forwarded-host");
+  let forwardedHostValue = forwardedHostHeader?.split(",")[0]?.trim();
+  let hostHeader = headers.get("host");
+
+  return forwardedHostValue
+    ? {
+        type: "x-forwarded-host",
+        value: forwardedHostValue,
+      }
+    : hostHeader
+      ? {
+          type: "host",
+          value: hostHeader,
+        }
+      : undefined;
+}

packages/react-router/lib/dom/lib.tsx

@@ -97,6 +97,7 @@ import {
 } from "../hooks";
 import type { SerializeFrom } from "../types/route-data";
 import type { unstable_ClientInstrumentation } from "../router/instrumentation";
+import { escapeHtml } from "./ssr/markup";
 
 ////////////////////////////////////////////////////////////////////////////////
 //#region Global Stuff
@@ -2033,9 +2034,9 @@ export function ScrollRestoration({
       {...props}
       suppressHydrationWarning
       dangerouslySetInnerHTML={{
-        __html: `(${restoreScroll})(${JSON.stringify(
-          storageKey || SCROLL_RESTORATION_STORAGE_KEY,
-        )}, ${JSON.stringify(ssrKey)})`,
+        __html: `(${restoreScroll})(${escapeHtml(
+          JSON.stringify(storageKey || SCROLL_RESTORATION_STORAGE_KEY),
+        )}, ${escapeHtml(JSON.stringify(ssrKey))})`,
       }}
     />
   );