fix: prevent path traversal in playground manifest URL validation #3487

Merged
gavinbarron merged 1 commit into main from fix/path-traversal-manifest-url on May 18, 2026

Conversation

@gavinbarron (Member)

The Editor component validated manifest URLs using startsWith() which is bypassed by '../' path traversal segments. An attacker could load arbitrary manifests from other GitHub repos, enabling RCE and token exfiltration on mgt.dev.

Changes:

  • Normalize URLs with URL constructor before prefix check (resolves ../)
  • Validate content URLs from manifest against trusted prefix
  • Extract isValidManifestUrl to shared utility with tests
  • Add workflow_dispatch workflow for manual storybook production deploys

Closes #3486

PR Type

  • Bugfix

Description of the changes

PR checklist

  • Project builds (yarn build) and changes have been tested in at least two supported browsers (Edge + non-Chromium based browser)
  • All public APIs (classes, methods, etc) have been documented following the jsdoc syntax
  • Stories have been added and existing stories have been tested - N/A
  • Added appropriate documentation. Docs PR: N/A
  • License header has been added to all new source files (yarn setLicense)
  • Contains NO breaking changes

Other information

The Editor component validated manifest URLs using startsWith() which
is bypassed by '../' path traversal segments. An attacker could load
arbitrary manifests from other GitHub repos, enabling RCE and token
exfiltration on mgt.dev.

Changes:
- Normalize URLs with URL constructor before prefix check (resolves ../)
- Validate content URLs from manifest against trusted prefix
- Extract isValidManifestUrl to shared utility with tests
- Add workflow_dispatch workflow for manual storybook production deploys

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
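The two checks the description above contrasts, as an added TypeScript example that is not the project's own isValidManifestUrl utility (the trusted prefix, the manifest shape { content: string[] } and the function names are assumptions chosen for illustration). It shows the startsWith() check on the raw string beside a version that parses with the URL constructor first and compares origin + pathname, and it applies the same check to the content URLs a manifest lists after resolving them against the manifest URL. It goes beyond the plain '../' case in the text: the URL parser also resolves percent-encoded dot-segments ('%2e%2e') and, for https, treats backslashes as path separators, so those variants are rejected too.

```typescript
// Added example; not the project's own utility. The trusted prefix, the
// manifest shape and the function names are assumed for illustration.
const TRUSTED_PREFIX =
  'https://raw.githubusercontent.com/example-org/example-repo/main/';

// Before: a prefix check on the raw string. It never resolves '../', so a
// URL that begins with the prefix and then climbs out of the repository
// path is accepted.
function isValidManifestUrlNaive(url: string): boolean {
  return url.startsWith(TRUSTED_PREFIX);
}

// Parse an absolute URL, returning null instead of throwing on bad input.
function parseAbsoluteUrl(url: string): URL | null {
  try {
    return new URL(url);
  } catch {
    return null; // relative or unparseable input
  }
}

// After: parse first, so WHATWG path normalization resolves '..',
// '%2e%2e' and (for https) backslash separators; then rebuild a
// canonical origin + pathname string, which drops userinfo, query and
// fragment, and only then compare against the trusted prefix.
function isValidManifestUrl(url: string): boolean {
  const parsed = parseAbsoluteUrl(url);
  if (parsed === null || parsed.protocol !== 'https:') {
    return false;
  }
  const canonical = parsed.origin + parsed.pathname;
  // TRUSTED_PREFIX ends in '/', so a sibling path such as
  // '.../example-repo-evil/' does not share the prefix.
  return canonical.startsWith(TRUSTED_PREFIX);
}

// Second part of the fix: the URLs listed inside a trusted manifest are
// attacker-influenced data as well, so each entry is resolved against the
// manifest URL and put through the same check before use.
interface PlaygroundManifest {
  content: string[]; // assumed shape: relative or absolute URLs
}

function resolveTrustedContentUrls(
  manifestUrl: string,
  manifest: PlaygroundManifest
): string[] {
  if (!isValidManifestUrl(manifestUrl)) {
    throw new Error('untrusted manifest URL');
  }
  const trusted: string[] = [];
  for (const entry of manifest.content) {
    let resolved: URL | null;
    try {
      resolved = new URL(entry, manifestUrl); // resolves relative entries
    } catch {
      resolved = null;
    }
    if (resolved !== null && isValidManifestUrl(resolved.href)) {
      trusted.push(resolved.href);
    }
  }
  return trusted;
}

// Constructed inputs: one legitimate manifest URL and one that uses '../'
// to escape into another repository on the same host.
const GOOD_MANIFEST =
  'https://raw.githubusercontent.com/example-org/example-repo/main/playground/manifest.json';
const TRAVERSAL_MANIFEST =
  'https://raw.githubusercontent.com/example-org/example-repo/main/../../../attacker/repo/main/manifest.json';

// Constructed manifest body: two in-repo entries, one traversal and one
// absolute URL to a foreign host.
const SAMPLE_MANIFEST: PlaygroundManifest = {
  content: [
    'index.html',
    '../lib/helper.js',
    '../../../../attacker/x.js',
    'https://evil.example/x.js'
  ]
};

function demo(): { naive: boolean; hardened: boolean; kept: string[] } {
  return {
    naive: isValidManifestUrlNaive(TRAVERSAL_MANIFEST), // true: bypassed
    hardened: isValidManifestUrl(TRAVERSAL_MANIFEST), // false: rejected
    kept: resolveTrustedContentUrls(GOOD_MANIFEST, SAMPLE_MANIFEST)
  };
}
```

Two details matter in practice. The prefix must end in a separator, otherwise a repository named with the trusted name as a prefix (example-repo-evil) passes the comparison. And the normalization has to be done with the same parser the fetch will use; in a browser that is the URL constructor, so the string that is compared is the string that will actually be requested. Even with both in place, anything fetched from inside the trusted prefix still executes in the playground, so the prefix should be as narrow as the deployment allows.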
@gavinbarron gavinbarron requested a review from a team as a code owner May 18, 2026 17:33
@microsoft-github-policy-service (Contributor)

Thank you for creating a Pull Request @gavinbarron.

This is a checklist for the PR reviewer(s) to complete before approving and merging this PR:

  • I have verified a documentation PR has been linked and is approved (or not applicable)
  • I have run this PR locally and have tested the fix/feature
  • I have verified that stories have been added to storybook (or not applicable)
  • I have tested existing stories in storybook to verify no regression has occurred
  • I have tested the solution in at least two browsers (Edge + 1 non-Chromium based browser)

@gavinbarron gavinbarron enabled auto-merge (squash) May 18, 2026 17:34
@github-project-automation github-project-automation Bot moved this to Done ✔️ in Graph Toolkit May 18, 2026
@gavinbarron gavinbarron merged commit d0f7f32 into main May 18, 2026
11 of 12 checks passed
@gavinbarron gavinbarron deleted the fix/path-traversal-manifest-url branch May 18, 2026 17:42
@github-project-automation github-project-automation Bot moved this from Done ✔️ to Shipped 🚀 in Graph Toolkit May 18, 2026
@github-actions

📖 The updated storybook is available here


Projects

Status: Shipped 🚀

Development

Successfully merging this pull request may close these issues.

Fix path traversal issue