fix codeql 0217

package.json

@@ -86,6 +86,7 @@
     "electron-window-state": "5.0.3",
     "escape-html": "^1.0.3",
     "express": "4.21.2",
+    "he": "^1.2.0",
     "i18next": "20.6.1",
     "immutable": "4.0.0-rc.12",
     "jsonschema": "1.2.4",
@@ -106,8 +107,7 @@
     "typescript-fsa": "3.0.0-beta-2",
     "typescript-fsa-reducers": "1.0.0",
     "uuid": "3.3.3",
-    "ws": "8.17.1",
-    "he": "^1.2.0"
+    "ws": "8.17.1"
   },
   "devDependencies": {
     "@redux-saga/testing-utils": "1.1.3",
@@ -118,6 +118,7 @@
     "@types/enzyme-adapter-react-16": "1.0.5",
     "@types/escape-html": "^1.0.4",
     "@types/express": "4.16.0",
+    "@types/he": "^1.2.3",
     "@types/jest": "26.0.24",
     "@types/jest-plugin-context": "2.9.0",
     "@types/node": "18.16.15",

src/server/serverBase.ts

@@ -202,18 +202,23 @@ const modelRepoUri = '/api/ModelRepo';
 export const handleModelRepoPostRequest = async (req: express.Request, res: express.Response) => {
     const controllerRequest = req.body;
     const userUri = controllerRequest?.uri;
-    if (!controllerRequest || !userUri) {
-        res.status(BAD_REQUEST).send();
-    }
+    const ALLOWED_DOMAINS = ["github.com", "bitbucket.org", "azure.com"];
 
-    if (!(await isSafeUrl(userUri))) {
+    const isAllowedDomain = (url: string) => {
+        try {
+            const parsedUrl = new URL(url);
+            return ALLOWED_DOMAINS.includes(parsedUrl.hostname);
+        } catch {
+            return false; // Invalid URL
+        }
+    };
+
+    if (!isAllowedDomain(userUri)) {
         return res.status(403).send({ error: "Forbidden: Unsafe URL." });
     }
 
-    // Reconstruct a sanitized URL
-    const safeUrl = `${userUri.origin}${userUri.pathname}`;   
     try {
-        const response = await fetch(safeUrl,
+        const response = await fetch(userUri,
             {
                 body: controllerRequest.body || null,
                 headers: controllerRequest.headers || null,