Skip to content

fix(extension): harden booking URL handling#138

Draft
dhairyashiil wants to merge 3 commits into
calcom:mainfrom
dhairyashiil:codex/security-extension-hardening
Draft

fix(extension): harden booking URL handling#138
dhairyashiil wants to merge 3 commits into
calcom:mainfrom
dhairyashiil:codex/security-extension-hardening

Conversation

@dhairyashiil

Copy link
Copy Markdown
Member

Summary

Hardens extension-controlled URLs by sanitizing booking links before preview/copy/insert, validating OAuth authorization and token endpoints, escaping rendered error text, and avoiding wildcard iframe postMessage replies.

Reviewer notes

  • Booking URLs are now limited to Cal.com-owned hosts: cal.com, www.cal.com, cal.eu, and www.cal.eu.
  • Please confirm whether the extension needs to support custom domains or self-hosted booking hosts. If yes, we should add an explicit allowlist/config path before merging.
  • OAuth authorization must resolve to the expected Cal.com app authorize route, and token exchange must use the expected Cal.com API token route.

Validation

  • bun --filter extension test -- lib/utils.test.ts
  • bun --filter extension typecheck
  • bun --filter extension build
  • git diff --check HEAD~1..HEAD

@vercel

vercel Bot commented Jul 2, 2026

Copy link
Copy Markdown

@dhairyashiil is attempting to deploy a commit to the cal Team on Vercel.

A member of the Team first needs to authorize it.

@dhairyashiil dhairyashiil marked this pull request as ready for review July 2, 2026 21:06
@dhairyashiil dhairyashiil enabled auto-merge (squash) July 2, 2026 21:06

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 2 potential issues.

Open in Devin Review

Comment thread apps/extension/lib/utils.ts
Comment thread apps/extension/lib/utils.ts Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

4 issues found across 7 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="apps/extension/lib/utils.ts">

<violation number="1" location="apps/extension/lib/utils.ts:12">
P2: The hardcoded `SAFE_BOOKING_HOSTS` allowlist will silently reject booking URLs on custom domains (Cal.com supports custom booking domains like `booking.mycompany.com`). When a user has a custom domain configured, the API-returned `bookingUrl` will fail the host check and the function will fall back to `https://cal.com/username/slug`, which may not be the correct booking page for that user. Consider adding an explicit configuration path or documenting this as a known limitation before merging.</violation>
</file>

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread apps/extension/lib/utils.ts Outdated
Comment thread apps/extension/entrypoints/background/index.ts Outdated
Comment thread apps/extension/lib/utils.ts
Comment thread apps/extension/entrypoints/content.ts

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 6 files (changes from recent commits).

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread apps/extension/lib/utils.ts Outdated
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>

@volnei volnei left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a comment

return { ok: false, reason: "Invalid OAuth token endpoint" };
}

if (url.protocol !== "https:" || !SAFE_OAUTH_API_ORIGINS.has(url.origin)) {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This validator rejects the endpoints the companion app actually uses. The iframe sends https://app.cal.com/api/auth/oauth/token for exchange (apps/mobile/services/oauthService.ts:352, calcomBaseUrl comes from getCalAppUrl which returns app.cal.com/app.cal.eu) and https://app.cal.com/api/auth/oauth/refreshToken for refresh (line 547), both routed through handleTokenExchange. Suggest validating against an explicit set of known-good full endpoints (app.cal.com and app.cal.eu origins with the /api/auth/oauth/token and /api/auth/oauth/refreshToken paths), and adding tests that use these real URLs so the contract cannot drift again. As it stands, extension OAuth login and refresh will fail for everyone.

@github-actions github-actions Bot marked this pull request as draft July 3, 2026 21:28
auto-merge was automatically disabled July 3, 2026 21:28

Pull request was converted to draft

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants