Conversation

Copilot AI commented Oct 29, 2025

The prework link validation used a permissive regex /^https?:\/\/.+/ that accepts malformed URLs like https:// or http://malformed..url, creating a security vulnerability.

Changes

  • Security: Replace regex pattern with isValidUrl() function using URL constructor
  • Validation: Convert from pattern to validate for better error handling
  • Types: Fix readonly array type issue in form field validation

Implementation

// Before: Permissive regex accepts malformed URLs
pattern: {
    value: /^https?:\/\/.+/,
    message: "Please enter a valid URL (starting with http:// or https://)",
}

// After: Proper URL validation rejects malformed URLs
validate: (value) => 
    isValidUrl(value) || "Please enter a valid URL (starting with http:// or https://)",

The isValidUrl() function leverages the browser's URL constructor to properly validate URLs while maintaining compatibility with legitimate prework hosting platforms.


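To make the comparison above concrete, here is an added example (not code from the pull request or the vets-who-code-app repository) of a URL-constructor-based validator alongside the quoted regex. The function name isValidUrl matches the PR; its body, the protocol and hostname checks, and the constructed sample inputs are assumptions. Two caveats a reviewer would want on record: the URL constructor accepts any scheme (javascript:, data:, file:), so the protocol must be pinned separately, and the WHATWG parser tolerates consecutive dots in a hostname, so "malformed..url" needs an explicit label check rather than relying on the constructor throwing.

```javascript
// Added example, not the PR's own implementation. The "before" regex is the one
// quoted in the PR; everything else here is an assumption about how a hardened
// isValidUrl() might look.

const PERMISSIVE_URL_REGEX = /^https?:\/\/.+/; // the "before" pattern quoted in the PR

// Returns true only for absolute http(s) URLs whose hostname has no empty labels.
function isValidUrl(value) {
  if (typeof value !== "string") return false;
  let url;
  try {
    url = new URL(value); // throws TypeError on unparseable input such as "https://"
  } catch {
    return false;
  }
  // The parser happily accepts javascript:, data:, file: and so on; pin the scheme.
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  // The WHATWG parser tolerates consecutive or leading/trailing dots in a hostname,
  // so "malformed..url" may parse successfully; reject empty labels explicitly.
  const labels = url.hostname.split(".");
  if (labels.some((label) => label.length === 0)) return false;
  return true;
}

// Runs both validators over a list of inputs so the difference is visible side by side.
function compareValidators(inputs) {
  return inputs.map((input) => ({
    input,
    regex: PERMISSIVE_URL_REGEX.test(input),
    urlConstructor: isValidUrl(input),
  }));
}

// Constructed sample inputs (assumptions, not values from the PR or the form).
const SAMPLE_INPUTS = [
  "https://github.com/example-user/prework", // legitimate hosting URL
  "http://malformed..url",                    // regex accepts, validator rejects
  "https://.",                                // regex accepts, validator rejects
  "javascript:alert(1)",                      // neither accepts, but only because of the protocol pin
  "not a url",                                // neither accepts
];

for (const row of compareValidators(SAMPLE_INPUTS)) {
  console.log(`${row.input.padEnd(44)} regex=${row.regex}  urlConstructor=${row.urlConstructor}`);
}
```

Wiring this into the form is the same shape the PR shows: `validate: (value) => isValidUrl(value) || "Please enter a valid URL (starting with http:// or https://)"`. The hostname label check is the piece that actually covers the `malformed..url` case; dropping it and relying on the constructor alone would let that input through.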

Copilot AI mentioned this pull request Oct 29, 2025

vercel bot commented Oct 29, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project             Deployment   Preview   Comments   Updated (UTC)
vets-who-code-app   Ready        Preview   Comment    Oct 29, 2025 3:49am

Base automatically changed from improve-forms to master October 29, 2025 03:39

Copilot AI commented Oct 29, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint.prisma.io
    • Triggering command: /usr/local/bin/node /home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/prisma/build/child {"product":"prisma","version":"6.10.1","cli_install_type":"local","information":"","local_timestamp":"2025-10-29T03:34:10Z","project_hash":"4713398e","cli_path":"/home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/.bin/prisma","cli_path_hash":"a42231ea","endpoint":"REDACTED","disable":false,"arch":"x64","os":"linux","node_version":"v20.19.5","ci":true,"ci_name":"GitHub Actions","command":"-v","schema_providers":["sqlite"],"schema_preview_features":["driverAdapters"],"schema_generators_providers":["prisma-client-js"],"cache_file":"/home/REDACTED/.cache/checkpoint-nodejs/prisma-a42231ea","cache_duration":43200000,"remind_duration":172800000,"force":false,"timeout":5000,"unref":true,"child_path":"/home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/prisma/build/child","client_event_id":"","previous_client_event_id":"","check_if_update_available":true} (dns block)
    • Triggering command: /usr/local/bin/node /home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/prisma/build/child {"product":"prisma","version":"6.10.1","cli_install_type":"local","information":"","local_timestamp":"2025-10-29T03:34:12Z","project_hash":"4713398e","cli_path":"/home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/.bin/prisma","cli_path_hash":"a42231ea","endpoint":"REDACTED","disable":false,"arch":"x64","os":"linux","node_version":"v20.19.5","ci":true,"ci_name":"GitHub Actions","command":"generate --postinstall \"UNABLE_TO_FIND_POSTINSTALL_TRIGGER__ENVAR_MISSING\"","schema_providers":["sqlite"],"schema_preview_features":["driverAdapters"],"schema_generators_providers":["prisma-client-js"],"cache_file":"/home/REDACTED/.cache/checkpoint-nodejs/prisma-a42231ea","cache_duration":43200000,"remind_duration":172800000,"force":false,"timeout":5000,"unref":true,"child_path":"/home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/prisma/build/child","client_event_id":"","previous_client_event_id":"","check_if_update_available":true} (dns block)
  • https://api.github.com/repos/Vets-Who-Code/Prework
  • https://api.github.com/repos/Vets-Who-Code/vets-who-code-app
  • https://api.github.com/repos/Vets-Who-Code/web-curriculum
  • https://api.github.com/repos/Vets-Who-Code/windows-dev-guide
    • Triggering command: /usr/local/bin/node /home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/next/dist/compiled/jest-worker/processChild.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Fix form UX issues based on PR #806 feedback Replace permissive URL regex with secure validation in apply form Oct 29, 2025
Copilot AI requested a review from jeromehardaway October 29, 2025 03:40
@jeromehardaway jeromehardaway marked this pull request as ready for review October 29, 2025 03:43
@jeromehardaway jeromehardaway merged commit 570ca0c into master Oct 29, 2025
4 checks passed
@jeromehardaway jeromehardaway deleted the copilot/sub-pr-806 branch October 29, 2025 03:52