Skip to content

fix: Escape unsafe JS characters in channel routes#770

Open
odaysec wants to merge 3 commits into
vercel:mainfrom
odaysec:patch-1
Open

fix: Escape unsafe JS characters in channel routes#770
odaysec wants to merge 3 commits into
vercel:mainfrom
odaysec:patch-1

Conversation

@odaysec

@odaysec odaysec commented Jul 14, 2026

Copy link
Copy Markdown

Updated dispatchChannelWebSocketRequest and dispatchChannelRequest to escape unsafe JavaScript code characters in routeKey.

Description

Using string concatenation to construct JavaScript code can be error-prone, or in the worst case, enable code injection if an input is constructed by an attacker.

The constructs a function that assigns the number 42 to the property key on an object obj. However, if key contains </script>, then the generated code will break out of a </script> if inserted into a </script> tag.

PR Checklist

  • I linked an issue with prior discussion confirming this change is wanted
  • I ran the relevant checks from CONTRIBUTING.md
  • I added tests and documentation where relevant
  • I added a changeset if this touches the published eve package
  • DCO sign-off passes for every commit (git commit --signoff)

Updated dispatchChannelWebSocketRequest and dispatchChannelRequest to escape unsafe JavaScript code characters in routeKey.
@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@odaysec is attempting to deploy a commit to the Vercel Team on Vercel.

A member of the Team first needs to authorize it.

Comment thread packages/eve/src/internal/nitro/host/channel-routes.ts

@odaysec odaysec left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use a dedicated escaping helper for values inserted into generated JavaScript module source. Keep JSON.stringify(...) (to preserve string-literal semantics) and then post-process to escape dangerous characters (<, >, /, backslashes, line separators, control chars) so generated module text cannot be broken by special sequences.

Best fix in this file:

  1. Add a local charMap and escapeUnsafeJsCodeChars helper near the existing constants/helpers.
  2. Replace direct JSON.stringify(routeKey) interpolations in generated export lines with escapeUnsafeJsCodeChars(JSON.stringify(routeKey)).
  3. Keep behavior unchanged otherwise (same values, same routing logic, same module generation layout).

Signed-off-by: Jörmungandrk <[email protected]>
@vercel vercel Bot temporarily deployed to Preview – eve-docs-1644 July 14, 2026 08:13 Inactive
@vercel vercel Bot temporarily deployed to Preview – eve-docs-4759 July 14, 2026 08:13 Inactive
@vercel

vercel Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
eve-docs-1644 Skipped Skipped Jul 14, 2026 8:42am
eve-docs-4759 Skipped Skipped Jul 14, 2026 8:42am

@vercel vercel Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Additional Suggestion:

Call to undefined includesWorkflowBundles at line 298 causes a "Cannot find name" TypeScript error, breaking the build.

Fix on Vercel

Comment thread packages/eve/src/internal/nitro/host/configure-nitro-routes.ts Outdated
Co-authored-by: vercel[bot] <35613825+vercel[bot]@users.noreply.github.com>
@vercel vercel Bot temporarily deployed to Preview – eve-docs-1644 July 14, 2026 08:42 Inactive
@vercel vercel Bot temporarily deployed to Preview – eve-docs-4759 July 14, 2026 08:42 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant