
Conversation

Contributor

Copilot AI commented Oct 29, 2025

The prework link validation used a permissive regex /^https?:\/\/.+/ that could allow malicious URLs to pass validation.

Changes Made

  • Security: Replace regex pattern with isValidUrl() function that uses JavaScript URL constructor
  • Import: Add isValidUrl import from existing @utils/formValidations
  • Validation: Update prework link field to use validate property instead of pattern

Code Changes

// Before - insecure regex validation
pattern: {
    value: /^https?:\/\/.+/,
    message: "Please enter a valid URL (starting with http:// or https://)",
}

// After - secure URL constructor validation
validate: (value) => {
    if (!isValidUrl(value)) {
        return "Please enter a valid URL (starting with http:// or https://)";
    }
    return true;
}

The isValidUrl() function leverages the browser's native URL constructor for robust validation that prevents malformed and potentially malicious URLs while maintaining the same user experience.


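As an added example (not code from this PR, and not the @utils/formValidations implementation, which the PR does not show), the following is a constructor-based validator in the spirit of isValidUrl(), placed beside the replaced regex and run over constructed inputs. The explicit http/https protocol allow-list is an assumption about what such a validator needs, since the URL constructor alone also accepts schemes like javascript: and ftp:.

```javascript
// Added example: a URL validator built on the WHATWG URL constructor, in the
// spirit of the PR's isValidUrl(). The real @utils/formValidations code is not
// shown in the PR; this is a reconstruction, not the project's own function.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]); // assumption

// The regex the PR replaces: anything after "http://" or "https://" passes.
const LEGACY_URL_REGEX = /^https?:\/\/.+/;

function isValidUrl(value) {
  if (typeof value !== "string" || value.trim() === "") return false;
  let url;
  try {
    url = new URL(value.trim()); // throws TypeError on unparseable input
  } catch {
    return false;
  }
  // new URL() happily parses javascript:, data:, ftp: and other schemes,
  // so the scheme has to be allow-listed explicitly.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return false;
  // A successfully parsed http(s) URL always carries a host; keep the
  // guard explicit so the intent is visible to the next reader.
  return url.hostname.length > 0;
}

// Side-by-side view of both validators for one input.
function compareValidators(input) {
  return { regex: LEGACY_URL_REGEX.test(input), urlCtor: isValidUrl(input) };
}

// Constructed sample inputs (not taken from the PR).
const SAMPLES = [
  "https://example.com/prework", // both accept
  "HTTPS://EXAMPLE.COM",         // regex rejects (case-sensitive), constructor accepts
  "http://?",                    // regex accepts, constructor rejects (empty host)
  "http://exa mple.com",         // regex accepts, constructor rejects (space in host)
  "https://example.com:99999",   // regex accepts, constructor rejects (port > 65535)
  "javascript:alert(1)",         // both reject; here the allow-list does the work
];

function runComparison() {
  return Object.fromEntries(SAMPLES.map((s) => [s, compareValidators(s)]));
}

// Stand-alone run: print the comparison table.
console.table(runComparison());
```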


vercel bot commented Oct 29, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
vets-who-code-app | Ready | Preview | Comment | Oct 29, 2025 3:44am

Contributor Author

Copilot AI commented Oct 29, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint.prisma.io
  • https://api.github.com/repos/Vets-Who-Code/Prework
    • Triggering command: /usr/local/bin/node /home/REDACTED/work/vets-who-code-app/vets-who-code-app/node_modules/next/dist/compiled/jest-worker/processChild.js (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Address feedback on form UX fixes from PR #806 Replace insecure URL validation regex with proper URL constructor validation Oct 29, 2025
Copilot AI requested a review from jeromehardaway October 29, 2025 03:39
Copilot finished work on behalf of jeromehardaway October 29, 2025 03:39
Base automatically changed from improve-forms to master October 29, 2025 03:39