@sap/approuter - npm Package Compare versions

Comparing version 16.7.1 to 16.7.2

CHANGELOG.md

@@ -8,2 +8,8 @@ # Change Log
 
+## 16.7.2 - 2024-09-04
+
+### Fixed
+- Improved Missing zone information" error message
+- Request input validation.
+
 ## 16.7.1 - 2024-08-23
@@ -10,0 +16,0 @@

lib/utils/ias-utils.js

@@ -33,3 +33,3 @@ 'use strict';
     if (!req.zoneInfo){
-      return cb('Missing zone information');
+      return cb('Missing zone information. Check IAS configuration and trust. See KBA 3479740.');
     }
@@ -36,0 +36,0 @@ iasOptions.tenant = tenant;

lib/utils/url-utils.js

@@ -44,6 +44,14 @@ 'use strict';
   buildAppRouterUrl: function (req) {
+    const allowedProtos = ['http', 'https'];
     const reqHeaders = req.headers;
     const forwardedProtocol = reqHeaders['x-forwarded-proto'];
     const host = getRedirectHost(req);
-
+    if (process.env.ACCEPTED_FORWARD_PROTOCOLS) {
+      allowedProtos.push(process.env.ACCEPTED_FORWARD_PROTOCOLS);
+    }
+    if (forwardedProtocol && !allowedProtos.includes(forwardedProtocol)) {
+      const error = new VError('Invalid request protocol: ' + forwardedProtocol);
+      error.status = 400;
+      throw error;
+    }
     if (forwardedProtocol) {
@@ -50,0 +58,0 @@ return forwardedProtocol + '://' + host;

package.json

 {
   "name": "@sap/approuter",
   "description": "Node.js based application router",
-  "version": "16.7.1",
+  "version": "16.7.2",
   "repository": {},
@@ -6,0 +6,0 @@ "main": "approuter.js",

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

741533

increased by0.07%

Lines of code

12034

increased by0.07%

Worsened metrics

Number of low supply chain risk alerts

129

increased by1.57%

No dependency changes