
feat(/api/unicode/names): add unicode codepoint to name service #424

Open
sidvishnoi wants to merge 5 commits into main from unicode-names

@sidvishnoi (Member) commented Jun 22, 2024

Part of speced/respec#4462

@sidvishnoi sidvishnoi requested a review from marcoscaceres July 7, 2024 15:47
@sidvishnoi sidvishnoi marked this pull request as ready for review July 7, 2024 15:55
Comment thread routes/api/unicode/lib/scraper.ts Outdated

@marcoscaceres (Collaborator) left a comment

lgtm

@marcoscaceres (Collaborator)

@sidvishnoi, do you want this one merged?

parseLine read parts[1] unconditionally, throwing on any line without a ';' (e.g. a blank or trailing line) and aborting the whole scrape. Guard for fewer than two fields and skip the line instead.

@marcoscaceres (Collaborator)

Design question on routes/api/unicode/index.ts: router.post("/update", updateRoute) is unauthenticated, whereas the sibling update endpoints are gated — e.g. caniuse uses caniuse.post("/update", authGithubWebhook(env("CANIUSE_SECRET")), updateRoute).

As written, anyone can POST /api/unicode/update and trigger a full UnicodeData.txt download + disk rewrite on the shared box, which is a cheap resource-abuse / DoS vector. Unicode isn't a GitHub webhook source so there's no HMAC signature to verify, but it might be worth either gating it behind a shared secret (a UNICODE_SECRET like the others) or not exposing it as a public route at all (cron/manual trigger only). What's the intended trigger model here?
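
One way to implement the shared-secret option raised in the comment above, as an added example that is not code from this PR or its repository. `authSharedSecret`, the `Authorization: Bearer` header convention and the `simulate` harness are hypothetical; only `UNICODE_SECRET`, `env` and `updateRoute` come from the thread.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Minimal structural types so the sketch runs without Express installed;
// Express's Request/Response/NextFunction satisfy them.
type Req = { headers: Record<string, string | string[] | undefined> };
type Res = { status(code: number): Res; send(body: string): unknown };
type Next = () => void;

// Per-process key: both values are HMACed to fixed-length digests before
// comparison, so timingSafeEqual never sees unequal lengths and the
// secret's length is not leaked through timing.
const compareKey = randomBytes(32);
const digest = (s: string) => createHmac("sha256", compareKey).update(s).digest();

// Hypothetical helper (not in the repository): gate a route behind a
// shared secret sent as "Authorization: Bearer <secret>" (assumed convention).
function authSharedSecret(secret: string | undefined) {
  return (req: Req, res: Res, next: Next) => {
    // Fail closed when the secret is missing or empty.
    if (!secret) return res.status(503).send("update endpoint disabled");
    const header = req.headers["authorization"];
    const match = typeof header === "string" ? /^Bearer (.+)$/.exec(header) : null;
    if (!match || !timingSafeEqual(digest(match[1]), digest(secret))) {
      return res.status(401).send("unauthorized");
    }
    next();
  };
}

// Intended wiring, mirroring the caniuse route quoted above (assumption):
//   router.post("/update", authSharedSecret(env("UNICODE_SECRET")), updateRoute);

// Constructed harness: drive the middleware with a fake request and return
// the status code it set, or 200 if next() was reached.
function simulate(secret: string | undefined, authorization?: string): number {
  let code = 200;
  let passed = false;
  const res: Res = { status(c) { code = c; return res; }, send() { return undefined; } };
  authSharedSecret(secret)({ headers: { authorization } }, res, () => { passed = true; });
  return passed ? 200 : code;
}
```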
