From f18404f6f89ed57ae29e125641d584680951b25e Mon Sep 17 00:00:00 2001
From: Haozhe Wu <347492564@qq.com>
Date: Mon, 23 Mar 2026 12:44:25 +0800
Subject: [PATCH] fix(security): prevent Host header injection in story.js (#2102)

* fix(security): prevent Host header injection in story.js

req.headers.host is attacker-controlled and used to construct the redirect Location header and OG meta tag URLs. An attacker sending Host: evil.com gets users redirected to evil.com (open redirect) and social bots see OG tags pointing to evil.com (preview poisoning). Hardcode the canonical domain instead of trusting the Host header.

* fix(security): replace req.headers.host with hardcoded canonical domain in og-story.js

---------

Co-authored-by: warren618
Co-authored-by: Elie Habib
---
 api/og-story.js | 2 +-
 api/story.js | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/og-story.js b/api/og-story.js
index 196c46bb9..8140268ff 100644
--- a/api/og-story.js
+++ b/api/og-story.js
@@ -31,7 +31,7 @@ function normalizeLevel(rawLevel) {
 }
 
 export default function handler(req, res) {
- const url = new URL(req.url, `https://${req.headers.host}`);
+ const url = new URL(req.url, 'https://worldmonitor.app');
 const countryCode = (url.searchParams.get('c') || '').toUpperCase();
 const type = url.searchParams.get('t') || 'ciianalysis';
 const score = url.searchParams.get('s');
diff --git a/api/story.js b/api/story.js
index 6986cef32..422881f65 100644
--- a/api/story.js
+++ b/api/story.js
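Review bot: The canonical origin `'https://worldmonitor.app'` is introduced here as a bare string literal and again twice in api/story.js (both hunks of that file), so the next domain change has to find all three sites; hoisting it to one shared module-level constant such as `const CANONICAL_ORIGIN = 'https://worldmonitor.app'; // deliberately not derived from req.headers.host` would also stop a later refactor from quietly reintroducing the Host-derived form. If these functions are also served under other hostnames (preview or staging deployments), every request is now canonicalized to the production origin, which may or may not be intended; if other hosts must be honored, checking `req.headers.host` against an explicit allowlist and falling back to the constant keeps the fix while preserving that. In this file the parsed `url` appears to be read only for its query string, so the base origin should not affect the result beyond making the parse succeed, but handler's body continues past the hunk.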
@@ -16,7 +16,7 @@ const COUNTRY_NAMES = {
 const BOT_UA = /twitterbot|facebookexternalhit|linkedinbot|slackbot|telegrambot|whatsapp|discordbot|redditbot|googlebot/i;
 
 export default function handler(req, res) {
- const url = new URL(req.url, `https://${req.headers.host}`);
+ const url = new URL(req.url, 'https://worldmonitor.app');
 const countryCode = (url.searchParams.get('c') || '').toUpperCase();
 const type = url.searchParams.get('t') || 'ciianalysis';
 const ts = url.searchParams.get('ts') || '';
@@ -26,7 +26,7 @@ export default function handler(req, res) {
 const ua = req.headers['user-agent'] || '';
 const isBot = BOT_UA.test(ua);
 
- const baseUrl = `https://${req.headers.host}`;
+ const baseUrl = 'https://worldmonitor.app';
 const spaUrl = `${baseUrl}/?c=${countryCode}&t=${type}${ts ? `&ts=${ts}` : ''}`;
 
 // Real users → redirect to SPA
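Review bot: With `baseUrl` fixed the redirect can no longer leave the origin, but in the second hunk `spaUrl` still interpolates the request-supplied `countryCode`, `type` and `ts` into the URL without encoding, so a value containing `&`, `#` or `%` can append extra query parameters or a fragment to the target the client is sent to, and a value with characters the runtime rejects in header values would make the redirect write fail instead of redirect. Wrapping each interpolated value, i.e. `encodeURIComponent(countryCode)`, `encodeURIComponent(type)` and `encodeURIComponent(ts)`, on the `spaUrl` line closes that while keeping the line's shape. The Location write itself is not in the hunk; the trailing comment suggests it follows, so where the value is consumed is inferred rather than visible.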