fix: Prevent OTEL token injection to spoofed origins#12727
Merged
Conversation
Contributor
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
anthonyshew
pushed a commit
that referenced
this pull request
May 7, 2026
## Release v2.9.10-canary.1 > [!CAUTION] > Versioned docs aliasing FAILED. [View logs](https://github.com/vercel/turborepo/actions/runs/25414005119) ### Changes - fix: Preserve lockfiles during dry-run conversion (#12717) (`3192551`) - ci: Fix LSP workflow container matrix (#12718) (`ac55ec9`) - release(turborepo): 2.9.9-canary.4 (#12716) (`25c71b0`) - release(turborepo): 2.9.9 (#12719) (`acfe475`) - fix: Respect SCM env vars in `turbo query affected` (#12722) (`3caa8fb`) - ci: Package VSCode extension in release workflow (#12723) (`329a545`) - fix: Avoid raw create-turbo example telemetry (#12725) (`ec0b8dd`) - fix: Escape graph HTML payloads (#12726) (`89b4f4e`) - fix: Prevent OTEL token injection to spoofed origins (#12727) (`1fbc725`) - fix: Retry HTTP status failures (#12728) (`e389d66`) - fix: Validate microfrontend proxy Host header (#12730) (`eb46170`) - fix: Redact task hash env debug logs (#12733) (`6d9fc06`) - fix: Filter microfrontend proxy environments (#12732) (`9b28a75`) - fix: Preserve FSEvents mount points for device-relative paths (#12729) (`6ce73e0`) - fix: Validate proxy Host headers (#12731) (`9f70395`) - fix: Resolve TypeScript `.js` extension imports to `.ts` files in boundaries (#12644) (`b47f6dc`) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
anthonyshew
pushed a commit
that referenced
this pull request
May 7, 2026
## Release v2.9.10 > [!CAUTION] > Versioned docs aliasing FAILED. [View logs](https://github.com/vercel/turborepo/actions/runs/25509373774) ### Changes - release(turborepo): 2.9.9-canary.4 (#12716) (`25c71b0`) - release(turborepo): 2.9.9 (#12719) (`acfe475`) - fix: Respect SCM env vars in `turbo query affected` (#12722) (`3caa8fb`) - ci: Package VSCode extension in release workflow (#12723) (`329a545`) - fix: Avoid raw create-turbo example telemetry (#12725) (`ec0b8dd`) - fix: Escape graph HTML payloads (#12726) (`89b4f4e`) - fix: Prevent OTEL token injection to spoofed origins (#12727) (`1fbc725`) - fix: Retry HTTP status failures (#12728) (`e389d66`) - fix: Validate microfrontend proxy Host header (#12730) (`eb46170`) - fix: Redact task hash env debug logs (#12733) (`6d9fc06`) - fix: Filter microfrontend proxy environments (#12732) (`9b28a75`) - fix: Preserve FSEvents mount points for device-relative paths (#12729) (`6ce73e0`) - fix: Validate proxy Host headers (#12731) (`9f70395`) - fix: Resolve TypeScript `.js` extension imports to `.ts` files in boundaries (#12644) (`b47f6dc`) - fix: Use random temp path for repo downloads (#12736) (`106698c`) - release(turborepo): 2.9.10-canary.1 (#12734) (`b1001c1`) - fix: Reject OTel endpoints with userinfo (#12737) (`a6efc3f`) - fix: Authenticate local devtools WebSocket (#12738) (`8276be8`) - fix: Handle clipboard exec errors (#12739) (`3305766`) - fix: Restrict Vercel token reuse to trusted API origins (#12740) (`18a3a22`) - fix: Keep workspace config discovery inside root (#12741) (`86c0365`) - fix: Hardening for daemon IPC endpoints (#12742) (`13a9a8b`) - fix: Enforce cache filesystem boundaries (#12743) (`a50e863`) --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
useRemoteCacheTokenfrom injecting the remote cache bearer token unless the parsed OTEL endpoint and API URL share the same normalized origin.host:port@attackerendpoints cannot masquerade as the API host.Testing
cargo fmt --check -p turborepo-libcargo test -p turborepo-lib origins_match_testscargo test -p turborepo-lib --libpnpm exec lint-staged,turbo run format check:toml,cargo fmt --check,cargo lint,cargo check --workspaceLinear: TURBO-5515