feat(nextjs): Automatically skip middleware requests for tunnel route #16812
Conversation
![semgrep-code-getsentry[bot]](https://avatars.githubusercontent.com/u/1396951?s=60&v=4){kind=small}
| const isTunnelRequest = url.pathname.startsWith(tunnelRoute); | ||
|
|
||
| if (isTunnelRequest) { | ||
| return NextResponse.next() as ReturnType<H>; |
There was a problem hiding this comment.
High severity vulnerability may affect your project—review required:
Line 44 lists a dependency (next) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of next are vulnerable to Improper Authorization. Improper authorization handling in Next.js applications enables attackers to bypass security controls for paths directly under the application's root directory, potentially exposing sensitive data or functionality. This issue affects versions prior to Next.js 14.2.15, where authorization logic based solely on pathname fails to account for certain direct page accesses.
To resolve this comment:
Check if you use authorization to protect a page directly under the application's root directory (for example, https://example.com/foo) and you do NOT host your application on Vercel.
- If you're affected, upgrade this dependency to at least version 14.2.15 at yarn.lock.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
#16626 added the option to generate a randomly generated tunnel route per build. This PR adds functionality for automatically skipping tunnel route requests in the nextjs middleware, as this had to be set up manually by the user until now.