Studio build, media path config, and security hardening#2
Conversation
| return; | ||
| } | ||
|
|
||
| const result = await uploadMedia(req, envResult.config); |
| @@ -0,0 +1,36 @@ | |||
| export function normalizePublicMediaPath(publicMediaPath: string): string { | |||
| const trimmed = publicMediaPath.trim().replace(/\/+$/u, ""); | |||
| } | ||
|
|
||
| export function derivePublicMediaPath(mediaDir: string): string { | ||
| const normalized = mediaDir.replace(/^\/+/u, "").replace(/\/+$/u, "").trim(); |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 23f86dbb48
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| return; | ||
| } | ||
|
|
||
| next(); |
There was a problem hiding this comment.
Validate configured origins before accepting same-site requests
When browsers send Sec-Fetch-Site: same-site, this next() returns before the Origin/Referer path and therefore ignores STUDIO_ALLOWED_ORIGINS. In a deployment on studio.example.com where another same-site origin such as evil.example.com is not trusted, same-site requests still carry the Studio cookie and can reach state-changing routes like logout or multipart media upload despite an allowlist being configured.
Useful? React with 👍 / 👎.
|
Closing retroactive split-stack review PR. Continuing from protected main with scoped feature PRs. |
Summary
publicMediaPathfor media uploadsStack
PR 1 of 11 (retroactive review of merged studio landing)