Skip to content

fix(security): collapse origin-allowlist duplication, finish sanitizer/comparison seams#500

Merged
mohanadft merged 1 commit into
mainfrom
refactor/deepen-security-seams
Jul 11, 2026
Merged

fix(security): collapse origin-allowlist duplication, finish sanitizer/comparison seams#500
mohanadft merged 1 commit into
mainfrom
refactor/deepen-security-seams

Conversation

@mohanadft

Copy link
Copy Markdown
Collaborator

Summary

From an architecture review of the codebase, three "Strong" deepening candidates:

  • Origin-allowlist collapsedonation-complete.ts, membership-complete.ts, pipe.ts, e4p-pledge-sign.ts, and endorsement-request.ts each reimplemented CORS/origin checking slightly differently (byte-identical in two cases, divergent preview-domain handling in others). Extracted src/utils/origin.ts with isAllowedOrigin(origin, policy) / corsHeaders() — policy is configurable per route so each route's actual rules are preserved, not flattened into one behavior.
  • Constant-time comparison seamsentry-webhook.ts hand-rolled its own constant-time signature comparison instead of using the existing constantTimeEqual in src/utils/crypto.ts (used correctly by basicAuth.ts). Now routes through it.
  • Sanitizer dedupProjectsNew.tsx and api/projects.ts each had their own copy of URL/email sanitization; src/components/projects/projectData.ts already had the canonical implementation (proven by ProjectDrawer.tsx). Both now import from it.

Plus one "Worth exploring" candidate:

  • Notion property-extraction dedupsrc/store/notionClient.ts's five fetcher functions each re-implemented the same Notion property-parsing logic (title/rich-text extraction, files→URL resolution with fallback). Extracted fileUrl/titleText/richText helpers; all fetchers keep identical external signatures and return shapes.

No behavior changes to any route's actual origin policy, sanitization rules, or Notion data shape — this is pure internal deduplication.

Test plan

  • pnpm check passes clean (0 errors, 0 warnings)
  • pnpm format:check clean on all touched files
  • Manual smoke test of donation/membership completion flows in a preview deploy
  • Manual smoke test of e4p pledge sign and endorsement request forms
  • Confirm Sentry → Mattermost webhook still fires on a real Sentry event
  • Confirm /api/projects still renders correctly on both /projects and /projects-new

…izer/comparison seams

Five API routes each reimplemented CORS/origin-allowlist checking
slightly differently; extract a shared isAllowedOrigin()/corsHeaders()
in src/utils/origin.ts, configured per-route policy so each route's
actual (differing) rules are preserved rather than flattened.

Also: sentry-webhook.ts now routes its signature check through the
existing constantTimeEqual seam instead of a hand-rolled comparison;
ProjectsNew.tsx and api/projects.ts now call the canonical
sanitizeUrl/sanitizeEmail from projectData.ts instead of maintaining
duplicate copies; notionClient.ts's five fetchers now share
fileUrl/titleText/richText helpers instead of repeating Notion
property-parsing inline five times.
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying website with  Cloudflare Pages  Cloudflare Pages

Latest commit: 8dafa58
Status: ✅  Deploy successful!
Preview URL: https://18e223a6.website-aun.pages.dev
Branch Preview URL: https://refactor-deepen-security-sea.website-aun.pages.dev

View logs

@mohanadft mohanadft merged commit 7773078 into main Jul 11, 2026
5 checks passed
@mohanadft mohanadft deleted the refactor/deepen-security-seams branch July 11, 2026 10:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant