Fix regex injection via unescaped percyElementId in processCorsIframesInDomSnapshot#2124

Merged
bhokaremoin merged 2 commits into PPLT-4949-add-cors-iframe-handling-and-multi-dom-width-config from copilot/sub-pr-2121
Feb 28, 2026

Conversation

Contributor

Copilot AI commented Feb 28, 2026

iframeData.percyElementId was interpolated directly into a RegExp without escaping. Since @percy/dom only sets data-percy-element-id when the attribute is absent, its value can be user-controlled, enabling regex injection that could break iframe matching or be exploited.

Changes

  • packages/core/src/utils.js: Escape percyElementId using the standard metacharacter pattern before building the RegExp; remove the now-unnecessary nosemgrep suppression comment.
// Before
const regex = new RegExp(
  `(<iframe[^>]*data-percy-element-id=["']${iframeData.percyElementId}["'][^>]*>)`
);

// After
const escapedId = iframeData.percyElementId.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const regex = new RegExp(
  `(<iframe[^>]*data-percy-element-id=["']${escapedId}["'][^>]*>)`
);

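Worked example of the injection described above. This is added illustration, not code from @percy/cli or from the PR; the names escapeRegExp, buildUnescaped, buildEscaped, matchIframe and SNAPSHOT_HTML are assumed for the example, and the two-iframe snapshot is constructed inline. It shows the two failure modes a crafted percyElementId causes with the raw interpolation (a thrown SyntaxError from an unbalanced group, and a wildcard id that selects the wrong iframe), and that the escaped pattern only ever matches the literal id.

```javascript
// Added example (not @percy/cli code): why percyElementId must be escaped
// before it is interpolated into a RegExp, and what the escaped form guarantees.

// Same escaping as the fix: every RegExp metacharacter gets a backslash prefix.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// "Before" shape: the id is dropped into the pattern verbatim.
function buildUnescaped(percyElementId) {
  return new RegExp(
    `(<iframe[^>]*data-percy-element-id=["']${percyElementId}["'][^>]*>)`
  );
}

// "After" shape: the id is escaped first, so it can only match itself literally.
function buildEscaped(percyElementId) {
  return new RegExp(
    `(<iframe[^>]*data-percy-element-id=["']${escapeRegExp(percyElementId)}["'][^>]*>)`
  );
}

// Constructed DOM snapshot fragment (example data): two iframes, and the caller
// intends to match only the one whose data-percy-element-id is "iframe-2".
const SNAPSHOT_HTML = [
  '<iframe src="https://other.example/a" data-percy-element-id="iframe-1"></iframe>',
  '<iframe src="https://cors.example/b" data-percy-element-id="iframe-2"></iframe>',
].join('\n');

// Run a pattern builder against the snapshot and report what it selects:
//   - the matched <iframe ...> opening tag,
//   - null when nothing matches,
//   - 'invalid-regex' when the crafted id makes the RegExp constructor throw.
function matchIframe(builder, percyElementId, html = SNAPSHOT_HTML) {
  let regex;
  try {
    regex = builder(percyElementId);
  } catch (e) {
    return 'invalid-regex';
  }
  const m = html.match(regex);
  return m ? m[1] : null;
}

// Honest id: both builders select the intended tag.
const IFRAME_2_TAG = '<iframe src="https://cors.example/b" data-percy-element-id="iframe-2">';
console.log(matchIframe(buildUnescaped, 'iframe-2') === IFRAME_2_TAG);
console.log(matchIframe(buildEscaped, 'iframe-2') === IFRAME_2_TAG);

// Crafted id "(": an unbalanced group breaks the RegExp entirely (SyntaxError)
// with raw interpolation; escaped it becomes "\(" and simply matches nothing.
console.log(matchIframe(buildUnescaped, '('));   // 'invalid-regex'
console.log(matchIframe(buildEscaped, '('));     // null

// Crafted id ".*": raw interpolation turns the id into a wildcard, so the
// first iframe in the document is selected instead of the intended one;
// escaped it becomes "\.\*" and matches nothing.
console.log(matchIframe(buildUnescaped, '.*'));  // the iframe-1 tag
console.log(matchIframe(buildEscaped, '.*'));    // null
```

The escape set is the same one the fix uses; anything outside it (letters, digits, `-`, `_`) is not special inside a RegExp, so ordinary Percy element ids are unaffected and only attacker-controlled metacharacters lose their meaning.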

…jection

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>
Copilot AI changed the title from "[WIP] WIP Address feedback on responsive widths config endpoint" to "Fix regex injection via unescaped percyElementId in processCorsIframesInDomSnapshot" Feb 28, 2026
@bhokaremoin bhokaremoin marked this pull request as ready for review February 28, 2026 17:51
@bhokaremoin bhokaremoin requested a review from a team as a code owner February 28, 2026 17:51
@bhokaremoin bhokaremoin requested review from aryanku-dev and prklm10 and removed request for a team February 28, 2026 17:51
@bhokaremoin bhokaremoin merged commit 25bb910 into PPLT-4949-add-cors-iframe-handling-and-multi-dom-width-config Feb 28, 2026
36 checks passed
@bhokaremoin bhokaremoin deleted the copilot/sub-pr-2121 branch February 28, 2026 17:51
prklm10 pushed a commit that referenced this pull request Mar 10, 2026
…g to core (#2121)

* feat: add responsive widths endpoint for multi-DOM capture

- Add GET /percy/widths-config endpoint to compute responsive widths
- Implement computeResponsiveWidths() in core utils for width/height calculation
- Add getResponsiveWidths() SDK method to fetch computed widths
- Mobile device widths include height, other widths are height-agnostic
- Returns widths sorted in ascending order

* adding unit tests

* fixing test coverage

* fixing test coverage

* feat: add CORS iframe processing support for domSnapshots

- Add processCorsIframes and processCorsIframesInDomSnapshot utilities in utils.js
- Add appendUrlSearchParam utility for adding query parameters to URLs
- Integrate CORS iframe processing in snapshot method before validation
- Process iframe resources and update HTML src attributes with width-aware URLs
- Support both single domSnapshot object and array of domSnapshots

* adding tests for cors iframes functionality

* moving creation of iframe resource object logic to CLI from sdk, since it's common

* fixing test

* adding nosemgrep comment for the regex error

* Fix regex injection via unescaped percyElementId in processCorsIframesInDomSnapshot (#2124)

* Initial plan

* fix: escape percyElementId before using in RegExp to prevent regex injection

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

* Guard getResponsiveWidths return type with Array.isArray (#2126)

* Initial plan

* Use Array.isArray check in getResponsiveWidths to ensure stable array return type

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

* Validate required fields in corsIframes entries to avoid throwing on malformed input (#2125)

* Initial plan

* Add validation for malformed corsIframes entries in processCorsIframesInDomSnapshot

Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>

* adding validation for widths as well

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: bhokaremoin <75439850+bhokaremoin@users.noreply.github.com>
Co-authored-by: bhokaremoin <bhokaremoin@gmail.com>

* adding no semgrep

* fix: prioritize user-passed widths over mobile widths in computeResponsiveWidths

* fixing test

* adding cors iframe in config so it can become part of domSnapshot

* fixing test with the config change

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>