feat: add safe url check for preview endpoint in request handling

nadeem-cs · nadeem-cs · commit afc3e148ce4c · 2026-01-28T11:38:38.000+05:30
diff --git a/src/lib/request.ts b/src/lib/request.ts
@@ -25,6 +25,27 @@ function buildFullUrl(baseURL: string | undefined, url: string, queryString: str
   return `${base}${url}?${queryString}`;
 }
 
+/**
+ * Safely checks if a URL points to the preview endpoint by parsing the hostname
+ * This prevents substring matching vulnerabilities (e.g., evil.com/rest-preview.contentstack.com)
+ */
+function isPreviewEndpoint(url: string): boolean {
+  try {
+    // Ensure URL has a protocol for proper parsing
+    let urlToParse = url;
+    if (!url.startsWith('http://') && !url.startsWith('https://')) {
+      urlToParse = `https://${url}`;
+    }
+    
+    const parsedUrl = new URL(urlToParse);
+    // Check hostname exactly, not as substring
+    return parsedUrl.hostname === 'rest-preview.contentstack.com';
+  } catch {
+    // If URL parsing fails, default to false for safety
+    return false;
+  }
+}
+
 /**
  * Makes the HTTP request with proper URL handling
  */
@@ -36,8 +57,8 @@ async function makeRequest(
 ): Promise<any> {
   // Determine URL length threshold based on whether it's a preview endpoint
   // rest-preview.contentstack.com has stricter limits, so use lower threshold
-  const isPreviewEndpoint = actualFullUrl.includes('rest-preview.contentstack.com');
-  const urlLengthThreshold = isPreviewEndpoint ? 1500 : 2000;
+  const isPreview = isPreviewEndpoint(actualFullUrl);
+  const urlLengthThreshold = isPreview ? 1500 : 2000;
 
   // If URL is too long, use direct axios request with full URL
   if (actualFullUrl.length > urlLengthThreshold) {
