
agentic-dev-library / thumbcode / 21933635344

12 Feb 2026 04:31AM UTC coverage: 28.282% (-0.09%) from 28.372%
21933635344

Pull #120

github

web-flow
Merge 85853f9b5 into 82c88cdf1
Pull Request #120: fix(quality): SonarCloud bug, code smells, Readonly props

388 of 2123 branches covered (18.28%)

Branch coverage included in aggregate %.

1 of 40 new or added lines in 9 files covered. (2.5%)

2 existing lines in 2 files now uncovered.

1038 of 2919 relevant lines covered (35.56%)

8.06 hits per line

Source File

2.86
/packages/core/src/api/api.ts
/**
 * Secure API Client
 *
 * A wrapper around the global fetch function that adds request signing
 * for all calls to the MCP server.
 */
import { requestSigningService } from '../security/RequestSigningService';

// Host whose requests receive signing headers. secureFetch signs calls to
// this exact hostname and to any subdomain of it, so every name under this
// domain has to be controlled by the MCP server operator.
const MCP_SERVER_HOST = 'mcp.thumbcode.com'; // Replace with actual host

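/**
 * Fetch wrapper that attaches request-signing headers to calls aimed at the
 * MCP server and forwards every other request unchanged.
 *
 * Security-relevant behaviour:
 * - Signing headers are added only when the target hostname is exactly
 *   MCP_SERVER_HOST or ends with `.` + MCP_SERVER_HOST. No other host ever
 *   receives them.
 * - Signing headers are written last, so a caller-supplied header with the
 *   same name cannot override them.
 * - If signRequest returns a falsy value the request is still sent, unsigned.
 *   NOTE(review): confirm that failing open here is intended.
 * - NOTE(review): the URL scheme is not checked, so an `http:` URL on the MCP
 *   host would carry signing headers in cleartext. Consider requiring
 *   `https:` before signing.
 * - NOTE(review): a body that is not a string is signed as
 *   `JSON.stringify(init.body)`, which need not equal the bytes fetch puts on
 *   the wire (FormData, Blob, URLSearchParams, ...). The body of a Request
 *   passed as `input` is not signed at all. Verify against the server's
 *   signature check.
 *
 * @param input - URL string, URL object or Request to send.
 * @param init - Optional fetch options; its method, body and headers take
 *   part in signing.
 * @returns The Response produced by the underlying fetch call.
 * @throws TypeError (as a rejected promise) when the URL cannot be parsed as
 *   an absolute URL.
 */
export async function secureFetch(
  input: RequestInfo | URL,
  init?: RequestInit
): Promise<Response> {
  let url: string;
  // Set only when the caller passed a Request, which carries its own method
  // and headers that fetch would otherwise use.
  let request: Request | undefined;
  if (typeof input === 'string') {
    url = input;
  } else if (input instanceof URL) {
    url = input.href;
  } else {
    request = input;
    url = input.url;
  }

  // Securely validate the hostname to prevent subdomain attacks.
  // Only match the exact hostname OR a genuine subdomain (suffix starting
  // with '.'), so lookalike hosts that merely end in the same characters
  // never match.
  const hostname = new URL(url).hostname;
  const isValidMcpHost =
    hostname === MCP_SERVER_HOST || hostname.endsWith(`.${MCP_SERVER_HOST}`);

  if (isValidMcpHost) {
    // Sign the method fetch will actually use: init.method wins, then the
    // Request's own method, then GET. Signing 'GET' for a POST Request would
    // produce a signature over the wrong request.
    const method = (init?.method || request?.method || 'GET').toUpperCase();

    let body: string | undefined;
    if (!init?.body) {
      body = undefined;
    } else if (typeof init.body === 'string') {
      body = init.body;
    } else {
      body = JSON.stringify(init.body);
    }

    const signingHeaders = await requestSigningService.signRequest(url, method, body);

    if (signingHeaders) {
      // Build on the headers fetch would have sent (init.headers replaces the
      // Request's headers when present). Using Headers keeps entries from a
      // Headers instance or a tuple array, which an object spread loses, and
      // makes the merge case-insensitive.
      const headers = new Headers(init?.headers ?? request?.headers);
      // Assumes signRequest returns a plain object of header name to string
      // value, as the object spread it replaces did. TODO confirm.
      for (const [name, value] of Object.entries(signingHeaders)) {
        headers.set(name, value);
      }
      init = { ...init, headers };
    }
  }

  return fetch(input, init);
}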