fix codeql

chargome · chargome · commit c7eb68055623 · 2026-03-13T14:32:55.000+01:00
diff --git a/packages/nextjs/src/server/vercelQueuesMonitoring.ts b/packages/nextjs/src/server/vercelQueuesMonitoring.ts
@@ -88,7 +88,7 @@ export function maybeEnrichQueueProducerSpan(span: Span): void {
     return;
   }
 
-  if (!parsed.hostname.endsWith('vercel-queue.com')) {
+  if (parsed.hostname !== 'vercel-queue.com' && !parsed.hostname.endsWith('.vercel-queue.com')) {
     return;
   }
 
diff --git a/packages/nextjs/test/server/vercelQueuesMonitoring.test.ts b/packages/nextjs/test/server/vercelQueuesMonitoring.test.ts
@@ -125,6 +125,12 @@ describe('vercelQueuesMonitoring', () => {
       expect(span._data['messaging.system']).toBeUndefined();
     });
 
+    it('does nothing for hostname that is a suffix match but not a subdomain', () => {
+      const span = createMockSpan({ 'url.full': 'https://evil-vercel-queue.com/api/v3/topic/orders' });
+      maybeEnrichQueueProducerSpan(span as any);
+      expect(span._data['messaging.system']).toBeUndefined();
+    });
+
     it('does nothing for vercel-queue.com URLs without topic path', () => {
       const span = createMockSpan({ 'url.full': 'https://queue.vercel-queue.com/api/v3/other' });
       maybeEnrichQueueProducerSpan(span as any);

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,7 @@ export function maybeEnrichQueueProducerSpan(span: Span): void {`
`88`	`88`	`return;`
`89`	`89`	`}`
`90`	`90`
`91`		`- if (!parsed.hostname.endsWith('vercel-queue.com')) {`
	`91`	`+ if (parsed.hostname !== 'vercel-queue.com' && !parsed.hostname.endsWith('.vercel-queue.com')) {`
`92`	`92`	`return;`
`93`	`93`	`}`
`94`	`94`