@schiller-manuel
Contributor

@schiller-manuel schiller-manuel commented Sep 28, 2025

Summary by CodeRabbit

  • Bug Fixes
    • Improved request origin detection to validate the Origin header before use.
    • Gracefully handles invalid or malformed Origin values by falling back to the request URL or a safe default.
    • Reduces unexpected errors and improves server stability when handling requests with incorrect headers.

@coderabbitai
Contributor

coderabbitai bot commented Sep 28, 2025

Walkthrough

The request origin resolution logic in createStartHandler was updated to validate the Origin header as a URL, using a try/catch. If invalid or absent, it now falls back to deriving the origin from the request URL, and finally to a default http://localhost.

Changes

| Cohort / File(s) | Summary of Changes |
| --- | --- |
| Origin validation in start handler: packages/start-server-core/src/createStartHandler.ts | Updated getOrigin() to parse and validate the Origin header with URL constructor inside try/catch; on failure, derive origin from request URL; final fallback to http://localhost. Replaces previous direct Origin return behavior. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Client
  participant Server as Start Handler
  participant Util as getOrigin()

  Client->>Server: Incoming request
  Server->>Util: getOrigin(req)
  alt Origin header present
    Util->>Util: try new URL(Origin)
    alt Valid URL
      Util-->>Server: return Origin
    else Invalid URL (catch)
      Util->>Util: derive from request URL
      alt Derivation succeeds
        Util-->>Server: return derived origin
      else Derivation fails
        Util-->>Server: return "http://localhost"
      end
    end
  else No Origin header
    Util->>Util: derive from request URL
    alt Derivation succeeds
      Util-->>Server: return derived origin
    else Derivation fails
      Util-->>Server: return "http://localhost"
    end
  end
  Server-->>Client: Continue handling with resolved origin

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

In headers I sniff, with a twitch of my nose,
If Origin’s a tangle, the URL won’t compose.
I hop to the request, trace crumbs through the trail,
And if that path’s missing, localhost won’t fail.
Ears up, tail bright—resolved just right! 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title succinctly indicates the primary change—adding a guard against invalid origin header values—matching the PR summary and focusing on the main fix implemented. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef7318f and 67246e2.

📒 Files selected for processing (1)
  • packages/start-server-core/src/createStartHandler.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

Use TypeScript in strict mode with extensive type safety across the codebase

Files:

  • packages/start-server-core/src/createStartHandler.ts
packages/{*-start,start-*}/**

📄 CodeRabbit inference engine (AGENTS.md)

Name and place Start framework packages under packages/*-start/ or packages/start-*/

Files:

  • packages/start-server-core/src/createStartHandler.ts
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Preview
🔇 Additional comments (1)
packages/start-server-core/src/createStartHandler.ts (1)

100-104: Good catch on invalid Origin inputs.

Validating the header with new URL before using it shields the downstream new URL(input, getOrigin()) calls from malformed values like 'null', letting us safely fall back to the request URL or localhost. Nice hardening step.


Comment @coderabbitai help to get the list of available commands and usage tips.
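
The fallback chain described in the walkthrough and review comment above, as an added JavaScript example (not the code from createStartHandler.ts). `getOriginUnchecked`, `resolve`, `makeReq` and the sample hosts are hypothetical names and constructed values; the unchecked variant only sketches the "direct Origin return" behaviour the PR says it replaces.

```javascript
// Added example, not the project's code.
// `req` is any object with a Fetch-style `url` and `headers.get()`.

// Sketch of the pre-fix behaviour: the Origin header is returned as-is.
function getOriginUnchecked(req) {
  return req.headers.get('origin') ?? new URL(req.url).origin
}

// Post-fix behaviour: validate the header, then fall back in two steps.
function getOrigin(req) {
  const header = req.headers.get('origin')
  if (header) {
    try {
      new URL(header) // throws TypeError for 'null' or any non-absolute value
      return header
    } catch {
      // malformed Origin: fall through to the request URL
    }
  }
  try {
    return new URL(req.url).origin
  } catch {
    return 'http://localhost' // final safe default
  }
}

// Mirrors the downstream `new URL(input, getOrigin())` call named in the review.
function resolve(input, req, originFn) {
  try {
    return new URL(input, originFn(req)).href
  } catch (e) {
    return `error: ${e.name}`
  }
}

// Constructed stand-in for a Request; a Map provides the `.get()` lookup.
function makeReq(url, origin) {
  const headers = new Map()
  if (origin !== undefined) headers.set('origin', origin)
  return { url, headers }
}

const nullOriginReq = makeReq('https://app.example/dash', 'null')
console.log(resolve('/api', nullOriginReq, getOriginUnchecked)) // base URL is unusable
console.log(resolve('/api', nullOriginReq, getOrigin))          // falls back to request URL
```

The check is syntactic only: any parseable Origin value is returned unchanged, so the result remains client-supplied input and is not an authorization signal.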

@nx-cloud

nx-cloud bot commented Sep 28, 2025

View your CI Pipeline Execution ↗ for commit 67246e2

| Command | Status | Duration | Result |
| --- | --- | --- | --- |
| nx affected --targets=test:eslint,test:unit,tes... | ✅ Succeeded | 5m 23s | View ↗ |
| nx run-many --target=build --exclude=examples/*... | ✅ Succeeded | 1m 4s | View ↗ |

☁️ Nx Cloud last updated this comment at 2025-09-28 23:49:19 UTC

@pkg-pr-new

pkg-pr-new bot commented Sep 28, 2025

More templates

@tanstack/arktype-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/arktype-adapter@5288

@tanstack/directive-functions-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/directive-functions-plugin@5288

@tanstack/eslint-plugin-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/eslint-plugin-router@5288

@tanstack/history

npm i https://pkg.pr.new/TanStack/router/@tanstack/history@5288

@tanstack/nitro-v2-vite-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/nitro-v2-vite-plugin@5288

@tanstack/react-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router@5288

@tanstack/react-router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-devtools@5288

@tanstack/react-router-ssr-query

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-router-ssr-query@5288

@tanstack/react-start

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start@5288

@tanstack/react-start-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-client@5288

@tanstack/react-start-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/react-start-server@5288

@tanstack/router-cli

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-cli@5288

@tanstack/router-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-core@5288

@tanstack/router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools@5288

@tanstack/router-devtools-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-devtools-core@5288

@tanstack/router-generator

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-generator@5288

@tanstack/router-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-plugin@5288

@tanstack/router-ssr-query-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-ssr-query-core@5288

@tanstack/router-utils

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-utils@5288

@tanstack/router-vite-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/router-vite-plugin@5288

@tanstack/server-functions-plugin

npm i https://pkg.pr.new/TanStack/router/@tanstack/server-functions-plugin@5288

@tanstack/solid-router

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router@5288

@tanstack/solid-router-devtools

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-router-devtools@5288

@tanstack/solid-start

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start@5288

@tanstack/solid-start-client

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-client@5288

@tanstack/solid-start-server

npm i https://pkg.pr.new/TanStack/router/@tanstack/solid-start-server@5288

@tanstack/start-client-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-client-core@5288

@tanstack/start-plugin-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-plugin-core@5288

@tanstack/start-server-core

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-server-core@5288

@tanstack/start-static-server-functions

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-static-server-functions@5288

@tanstack/start-storage-context

npm i https://pkg.pr.new/TanStack/router/@tanstack/start-storage-context@5288

@tanstack/valibot-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/valibot-adapter@5288

@tanstack/virtual-file-routes

npm i https://pkg.pr.new/TanStack/router/@tanstack/virtual-file-routes@5288

@tanstack/zod-adapter

npm i https://pkg.pr.new/TanStack/router/@tanstack/zod-adapter@5288

commit: 67246e2

@schiller-manuel schiller-manuel merged commit de70ba9 into main Sep 28, 2025
6 checks passed
@schiller-manuel schiller-manuel deleted the invalid-origin branch September 28, 2025 23:49