
MWPW-192736: Add check for milolibs query param #373

Open

zagi25 wants to merge 1 commit into adobecom:stage from zagi25:MWPW-192736

Conversation


@zagi25 zagi25 commented Apr 17, 2026

Whitelist branch parameter with /^[a-zA-Z0-9_-]+$/; throw on any other characters.

Ticket

https://jira.corp.adobe.com/browse/MWPW-192736

Test URLs

Before: https://stage--da-express-milo--adobecom.aem.page/
After: https://MWPW-192736--da-express-milo--zagi25.aem.page/


This PR was generated by Claude (Anthropic's Claude Code CLI).

The milolibs query param was interpolated directly into a template
literal used for a dynamic import(), letting an attacker point module
loading at an arbitrary origin and execute JS in the page context.

Add a strict whitelist (^[a-zA-Z0-9_-]+$) and throw on invalid input
in express/code/scripts/utils.js.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
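The bug class described above next to the whitelist the PR description gives, as an added example that is not the adobecom project's own code; the URL template, host suffix, default branch and function names are assumptions.

```javascript
// Added example, not the project's own code. A query param flows into the
// hostname of a dynamic import() URL; the hardened path rejects anything
// that is not a branch-like token before it is interpolated.
// URL template, host suffix and function names are hypothetical.

const BRANCH_RE = /^[a-zA-Z0-9_-]+$/; // whitelist from the PR description
const LIBS_HOST_SUFFIX = '--milo--example.test'; // hypothetical host pattern

// Reads ?milolibs=... from a query string; null when absent.
function getMiloLibsParam(search) {
  return new URLSearchParams(search).get('milolibs');
}

// Before: the raw value lands in the hostname of the module URL, so a value
// containing '/' or '?' moves the origin somewhere else entirely.
function buildLibsUrlUnsafe(branch) {
  return `https://${branch}${LIBS_HOST_SUFFIX}/libs/utils.js`;
}

// After: throw on anything outside the whitelist so only the intended
// host family can ever be produced.
function validateMiloLibsBranch(branch) {
  if (typeof branch !== 'string' || !BRANCH_RE.test(branch)) {
    throw new Error(`Invalid milolibs value: ${JSON.stringify(branch)}`);
  }
  return branch;
}

function buildLibsUrlSafe(branch) {
  return `https://${validateMiloLibsBranch(branch)}${LIBS_HOST_SUFFIX}/libs/utils.js`;
}

// Defensive check: does the resolved URL still point at the expected host family?
function staysOnExpectedHost(url) {
  return new URL(url).hostname.endsWith(LIBS_HOST_SUFFIX);
}

// Typical use at module load; the import() call itself is left to the caller.
function resolveLibsUrl(search) {
  const branch = getMiloLibsParam(search) ?? 'main'; // 'main' is an assumed default
  return buildLibsUrlSafe(branch);
}
```

Calling `resolveLibsUrl(window.location.search)` is the intended entry point; the unsafe builder is kept only to show what the check prevents.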

aem-code-sync bot commented Apr 17, 2026

[Page Scores / Audits table: mobile and desktop rows with Performance, A11y, SEO, Best Practices, SI, FCP, LCP, TBT and CLS columns; values not captured]


codecov-commenter commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (stage@03be090). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff            @@
##             stage     #373   +/-   ##
========================================
  Coverage         ?   64.86%           
========================================
  Files            ?      312           
  Lines            ?    70811           
  Branches         ?        0           
========================================
  Hits             ?    45929           
  Misses           ?    24882           
  Partials         ?        0           


zagi25 changed the title from "MWPW-192736: validate milolibs branch param to prevent DOM XSS" to "MWPW-192736: Add check for milolibs query param" on Apr 17, 2026