From a8a92594f382962ea6d97d56381851444e2f314c Mon Sep 17 00:00:00 2001
From: Baptiste Arnaud <baptiste.arnaud95@gmail.com>
Date: Fri, 15 Mar 2024 15:05:54 +0100
Subject: [PATCH] :passport_control: Make sure customDomain can't be spoofed

Closes #569
---
 .../src/features/typebot/api/updateTypebot.ts   |  7 +++++--
 .../src/features/typebot/helpers/sanitizers.ts  | 17 +++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/apps/builder/src/features/typebot/api/updateTypebot.ts b/apps/builder/src/features/typebot/api/updateTypebot.ts
index 50e815053..ea4b3212e 100644
--- a/apps/builder/src/features/typebot/api/updateTypebot.ts
+++ b/apps/builder/src/features/typebot/api/updateTypebot.ts
@@ -10,6 +10,7 @@ import { z } from 'zod'
 import {
   isCustomDomainNotAvailable,
   isPublicIdNotAvailable,
+  sanitizeCustomDomain,
   sanitizeGroups,
   sanitizeSettings,
 } from '../helpers/sanitizers'
@@ -201,8 +202,10 @@ export const updateTypebot = authenticatedProcedure
             : typebot.publicId && isPublicIdValid(typebot.publicId)
             ? typebot.publicId
             : undefined,
-        customDomain:
-          typebot.customDomain === null ? null : typebot.customDomain,
+        customDomain: await sanitizeCustomDomain({
+          customDomain: typebot.customDomain,
+          workspaceId: existingTypebot.workspace.id,
+        }),
         isClosed: typebot.isClosed,
         whatsAppCredentialsId: typebot.whatsAppCredentialsId ?? undefined,
         updatedAt: typebot.updatedAt,
diff --git a/apps/builder/src/features/typebot/helpers/sanitizers.ts b/apps/builder/src/features/typebot/helpers/sanitizers.ts
index 44484f6e9..431fd90b3 100644
--- a/apps/builder/src/features/typebot/helpers/sanitizers.ts
+++ b/apps/builder/src/features/typebot/helpers/sanitizers.ts
@@ -163,3 +163,20 @@ export const sanitizeFolderId = async ({
   })
   return folderCount !== 0 ? folderId : undefined
 }
+
+export const sanitizeCustomDomain = async ({
+  customDomain,
+  workspaceId,
+}: {
+  customDomain?: string | null
+  workspaceId: string
+}) => {
+  if (!customDomain) return customDomain
+  const domainCount = await prisma.customDomain.count({
+    where: {
+      name: customDomain?.split('/')[0],
+      workspaceId,
+    },
+  })
+  return domainCount === 0 ? null : customDomain
+}