Open
Conversation
- Validate API key format (trim whitespace, reject < 8 chars) - Add regex validation to dateRangeSchema for known formats - Sanitize error messages: return status code only, not raw API bodies - Validate baseUrl is HTTPS to prevent SSRF - Add max length (1024) to page/goal filter schemas - Add Cache-Control: no-store and X-Content-Type-Options: nosniff headers Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Uses Cloudflare Rate Limiting binding to throttle requests by CF-Connecting-IP. Fails open if binding unavailable (dev mode). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Date range regex rejects valid Plausible
24hvalue- Added \d+h to dateRangeSchema regex and updated schema messages to include 24h.
Or push these changes by commenting:
@cursor push 38b2b6d6c2
Preview (38b2b6d6c2)
diff --git a/src/schemas.ts b/src/schemas.ts
--- a/src/schemas.ts
+++ b/src/schemas.ts
@@ -58,11 +58,11 @@
export const dateRangeSchema = z
.string()
.regex(
- /^(\d+d|\d+mo|day|month|year|all|\d{4}-\d{2}-\d{2},\d{4}-\d{2}-\d{2})$/,
- 'Must be "Nd", "Nmo", "day", "month", "year", "all", or "YYYY-MM-DD,YYYY-MM-DD"'
+ /^(\d+d|\d+h|\d+mo|day|month|year|all|\d{4}-\d{2}-\d{2},\d{4}-\d{2}-\d{2})$/,
+ 'Must be "Nd", "Nh", "Nmo", "day", "month", "year", "all", or "YYYY-MM-DD,YYYY-MM-DD"'
)
.describe(
- 'Date range: "7d", "30d", "12mo", "month", "year", "all", or "YYYY-MM-DD,YYYY-MM-DD"'
+ 'Date range: "24h", "7d", "30d", "12mo", "month", "year", "all", or "YYYY-MM-DD,YYYY-MM-DD"'
);
export const pageSchema = zThis Bugbot Autofix run was free. To enable autofix for future PRs, go to the Cursor dashboard.
Addresses Bugbot review: the regex was missing \d+h for Plausible's supported hourly date range format. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deploy script now reads version from package.json instead of git SHA, aligning Sentry releases with semver tags. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sets up getsentry/craft for GitHub releases with semver versioning. Trigger via Actions > Release > Run workflow. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes bugbot review: period_a and period_b were using bare z.string() instead of the validated dateRangeSchema, bypassing format checks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fixes bugbot review: short keys now get "Invalid API key. Key is too short." instead of the misleading "Missing" message. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 878909e. Configure here.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wrap createServer in try/catch so a misconfigured baseUrl returns a proper 500 JSON response instead of crashing every request. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
dateRangeSchemafor known Plausible date formatsbaseUrlis HTTPS to prevent SSRFmax(1024)length bounds to page/goal filter schemasCache-Control: no-storeandX-Content-Type-Options: nosniffheadersTest plan
bun run buildpassesbun run test— all 53 tests passbaseUrlthrows at construction timeAddresses SEC-1266
🤖 Generated with Claude Code