Product fetch API route security feature in Forge API 2.0.0

You must now use the route tagged template function from @forge/api to construct the path that’s passed to the requestJira and requestConfluence product fetch APIs. route runs encodeURIComponent on each interpolated parameter in the template string, helping to protect against security vulnerabilities, such as path traversal and query string injection.

See the Route documentation for more details.

Run npm install @forge/api@latest in your app directory on the command line to install the latest version of Forge API.

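To make the point of the announcement concrete, here is an added example (not the @forge/api implementation): a minimal tagged template that mirrors the behaviour described above, running encodeURIComponent over every interpolated value while leaving the literal template text alone. The real route function returns a Route object that requestJira and requestConfluence accept; this simplified version returns a plain string, and the inputs are constructed for the demonstration.

```javascript
// Simplified stand-in for @forge/api's route tagged template (not the real one):
// literal template text passes through untouched, every interpolated value is
// percent-encoded so it cannot add path segments or a query string.
function route(strings, ...values) {
  let out = '';
  for (let i = 0; i < strings.length; i++) {
    out += strings[i];
    if (i < values.length) {
      out += encodeURIComponent(String(values[i]));
    }
  }
  return out;
}

// Before: an untrusted value spliced straight into the request path.
function issuePathUnsafe(issueKey) {
  return `/rest/api/3/issue/${issueKey}`;
}

// After: the same path built with the tagged template.
function issuePathSafe(issueKey) {
  return route`/rest/api/3/issue/${issueKey}`;
}

// Constructed helper for the demonstration: how many path segments a URL has
// and whether a query string slipped in. Lets the difference be checked
// mechanically rather than by eye.
function describePath(path) {
  const [pathname, query = ''] = path.split('?');
  return {
    segments: pathname.split('/').filter(Boolean),
    hasQuery: query.length > 0,
  };
}

// Constructed attacker-controlled inputs, e.g. taken from a form field.
const traversal = 'TEST-1/../../user';
const queryInjection = 'TEST-1?expand=changelog';

console.log(issuePathUnsafe(traversal));      // /rest/api/3/issue/TEST-1/../../user
console.log(issuePathSafe(traversal));        // /rest/api/3/issue/TEST-1%2F..%2F..%2Fuser
console.log(issuePathUnsafe(queryInjection)); // /rest/api/3/issue/TEST-1?expand=changelog
console.log(issuePathSafe(queryInjection));   // /rest/api/3/issue/TEST-1%3Fexpand%3Dchangelog
```

With the real library the tagged template is passed directly, e.g. api.asUser().requestJira(route`/rest/api/3/issue/${issueKey}`), so the encoding happens before the path ever reaches the product API.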

Is something similar planned for Custom UI bridge requestJira and requestConfluence methods?


Hi @clement_garin,

We don’t currently have similar plans for Custom UI bridge requestJira and requestConfluence. The Custom UI bridge versions are frontend requests made on behalf of the user (i.e. asUser), so there is no opportunity for privilege escalation via path traversal or query string injection. Even if we did provide this in the frontend, the user would still be able to alter the code to make the request without validating the route, which would defeat the purpose of the route function.

The reason we enforce route on asUser in the FaaS runtime is for when apps use asUser calls to authorize other possibly more dangerous calls.

Given this, if you still have a valid use case for something similar in Custom UI bridge, we’d love to hear it!
