From 9c77d09710c79aaab1064f788446419b9dae68b2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dafydd=20Ll=C5=B7r=20Pearson?=
Date: Wed, 20 Sep 2023 10:32:26 +0100
Subject: [PATCH] fix: Incomplete URL substring sanitation (#2227)
---
 editor.planx.uk/src/airbrake.test.ts | 2 +-
 editor.planx.uk/src/airbrake.ts | 31 +++++++++++++++++++++-------
 2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/editor.planx.uk/src/airbrake.test.ts b/editor.planx.uk/src/airbrake.test.ts
index 14f69a88b4..ba6155aa97 100644
--- a/editor.planx.uk/src/airbrake.test.ts
+++ b/editor.planx.uk/src/airbrake.test.ts
@@ -26,7 +26,7 @@ describe("logger", () => {
 test("Notifier is configured in a production-like environment", () => {
 windowSpy.mockImplementation(() => ({
- location: { host: "blah.planx.uk" },
+ location: { host: "editor.planx.uk" },
 }));
 process.env = Object.assign({
 REACT_APP_ENV: "production",
diff --git a/editor.planx.uk/src/airbrake.ts b/editor.planx.uk/src/airbrake.ts
index f5423cd11d..ac01a3d4d2 100644
--- a/editor.planx.uk/src/airbrake.ts
+++ b/editor.planx.uk/src/airbrake.ts
@@ -3,6 +3,29 @@ import { isLiveEnv } from "utils";
 export const logger = getErrorLogger();
+/**
+ * Checking a partial host can be unsafe, e.g.
+ * window.location.host.endsWith("gov.uk")
+ */
+function getEnvForAllowedHosts(host: string) {
+ switch (host) {
+ case "planningservices.newcastle.gov.uk":
+ case "planningservices.medway.gov.uk":
+ case "planningservices.doncaster.gov.uk":
+ case "planningservices.lambeth.gov.uk":
+ case "planningservices.southwark.gov.uk":
+ case "planningservices.buckinghamshire.gov.uk":
+ case "editor.planx.uk":
+ return "production"
+
+ case "editor.planx.dev":
+ return "staging"
+
+ default:
+ "pullrequest";
+ }
+}
+
 function log(...args: any[]) {
 return process.env.SUPPRESS_LOGS
 ? () => {
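Review bot: The test in airbrake.test.ts now exercises only an allow-listed host, so nothing visible in this hunk checks the behaviour the fix introduces. A negative case would pin it down: mock `location: { host: "blah.planx.uk" }` (the value removed here, which is no longer on the list) and assert that the reported environment is not "production". The rest of the test file lies outside the hunk, so such a case may already exist elsewhere.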
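Review bot: The `default:` branch of `getEnvForAllowedHosts` evaluates `"pullrequest";` as a bare expression statement and never returns it, so any host outside the allow-list yields `undefined`. The `Notifier` call in the later `@@ -31,13 +54,7 @@` hunk then receives `environment: undefined` where the old ternary produced "pullrequest". Change the branch to `default: return "pullrequest";`. Annotating the signature as `function getEnvForAllowedHosts(host: string): "production" | "staging" | "pullrequest"` would let the compiler flag a missing return under strict settings; without it the inferred type silently includes `undefined`. The exact-match `switch` does close the suffix-match gap named in the doc comment, but each new council domain has to be added to the list or its errors will be labelled as a pull-request environment.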
@@ -31,13 +54,7 @@ function getErrorLogger(): ErrorLogger {
 return new Notifier({
 projectId: Number(process.env.REACT_APP_AIRBRAKE_PROJECT_ID!),
 projectKey: process.env.REACT_APP_AIRBRAKE_PROJECT_KEY!,
- environment:
- window.location.host.endsWith("planx.uk") ||
- window.location.host.endsWith("gov.uk")
- ? "production"
- : window.location.host.endsWith("planx.dev")
- ? "staging"
- : "pullrequest",
+ environment: getEnvForAllowedHosts(window.location.host)
 });
 }