Skip to content

fix: the post /reset endpoint in the real-time servi... in git_routes.ts #41898

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
orbisai0security wants to merge 4 commits into
base: release
Choose a base branch
from
+67 −1
Open

fix: the post /reset endpoint in the real-time servi... in git_routes.ts #41898

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
23011a8
fix: V-002 security vulnerability
orbisai0security Jun 13, 2026
07ef29e
fix: the post /reset endpoint in the real-time servi... in git_routes.ts
orbisai0security Jun 13, 2026
254ee2f
fix: address code review comments on PR #41898
orbisai0security Jun 21, 2026
fd6f47b
fix: address remaining CodeRabbit review comments on PR #41898
orbisai0security Jun 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 14 additions & 0 deletions app/client/packages/rts/src/middlewares/AuthMiddleware.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
import type { Request, Response, NextFunction } from "express";

export function requireInternalAuth(req: Request, res: Response, next: NextFunction) {
const secret = process.env.APPSMITH_RTS_SECRET;
if (!secret) {
console.warn("[AuthMiddleware] APPSMITH_RTS_SECRET is not set; rejecting request to protected endpoint");
return res.status(401).json({ success: false, message: "Unauthorized" });
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
const header = req.headers["x-rts-secret"];
if (!header || header !== secret) {
return res.status(401).json({ success: false, message: "Unauthorized" });
}
next();
}
10 changes: 9 additions & 1 deletion app/client/packages/rts/src/routes/git_routes.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,19 @@
import express from "express";
import { body } from "express-validator";
import GitController from "@controllers/git";
import { Validator } from "@middlewares/Validator";
import { requireInternalAuth } from "@middlewares/AuthMiddleware";

const router = express.Router();
const gitController = new GitController();
const validator = new Validator();

router.post("/reset", validator.validateRequest, gitController.reset);
router.post(
"/reset",
body("repoPath").isString().notEmpty().withMessage("repoPath is required and must be a string"),
requireInternalAuth,
validator.validateRequest,
gitController.reset,
);
Comment thread
coderabbitai[bot] marked this conversation as resolved.

export default router;
44 changes: 44 additions & 0 deletions tests/invariant_git_routes.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
import request from 'supertest';
import express from 'express';
import gitRoutes from '../../../src/routes/git_routes';

describe('Protected endpoints reject unauthenticated requests', () => {
let app: express.Application;
let originalSecret: string | undefined;

beforeAll(() => {
originalSecret = process.env.APPSMITH_RTS_SECRET;
process.env.APPSMITH_RTS_SECRET = 'test-secret';
app = express();
app.use(express.json());
app.use('/git', gitRoutes);
});
Comment on lines +9 to +15

@coderabbitai coderabbitai Bot Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Add a regression case for an unset APPSMITH_RTS_SECRET.

Line 11 forces the secret for every case, so this suite never exercises the new fail-closed branch that should return 401 when the env var is missing. Please add one case that removes the env var before the request and asserts the rejection path too.

🧰 Tools
🪛 ast-grep (0.44.0)

[warning] 11-11: Express application should use Helmet
Context: express()
Note: [CWE-693] Protection Mechanism Failure (Express app without Helmet security headers).

(missing-helmet-typescript)

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/invariant_git_routes.test.ts` around lines 9 - 15, The current
invariant_git_routes.test.ts setup in beforeAll always sets APPSMITH_RTS_SECRET,
so it never covers the new fail-closed behavior. Add a regression test around
gitRoutes that temporarily removes APPSMITH_RTS_SECRET before issuing the
request and asserts the route returns 401, then restore the original env value
so other cases still run with the test secret. Use the existing app setup and
route names to locate the test logic.


afterAll(() => {
if (originalSecret === undefined) {
delete process.env.APPSMITH_RTS_SECRET;
} else {
process.env.APPSMITH_RTS_SECRET = originalSecret;
}
});
Comment thread
coderabbitai[bot] marked this conversation as resolved.

const payloads = [
{ name: 'missing_auth_header', headers: {}, expectedStatus: 401 },
{ name: 'invalid_token', headers: { 'x-rts-secret': 'invalid_token_xyz' }, expectedStatus: 401 },
{ name: 'expired_token', headers: { 'x-rts-secret': 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2MDAwMDAwMDB9.invalid' }, expectedStatus: 401 },
{ name: 'malformed_auth', headers: { 'x-rts-secret': 'InvalidScheme token123' }, expectedStatus: 401 },
{ name: 'empty_token', headers: { 'x-rts-secret': '' }, expectedStatus: 401 },
];

test.each(payloads)(
'POST /reset rejects unauthenticated request: $name',
async ({ headers, expectedStatus }) => {
const response = await request(app)
.post('/git/reset')
.set(headers)
.send({ repoPath: 'test-repo' });

expect(response.status).toBe(expectedStatus);
}
Comment thread
coderabbitai[bot] marked this conversation as resolved.
);
});