From dd9453fdff54870a3ef4f971d9664615e3ff0f4d Mon Sep 17 00:00:00 2001
From: Vivek Thuravupala
Date: Wed, 12 Feb 2025 05:03:10 -0800
Subject: [PATCH] Short-ciruit string rendering if require invocation is detected (#8358)
* Short-ciruit string rendering if require invocation is detected [SEC-1323] [INS-4963]
* add sentry exception
---------
Co-authored-by: jackkav
---
 packages/insomnia/src/common/render.ts | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/packages/insomnia/src/common/render.ts b/packages/insomnia/src/common/render.ts
index 76920f571f..f2e5c2390a 100644
--- a/packages/insomnia/src/common/render.ts
+++ b/packages/insomnia/src/common/render.ts
@@ -1,3 +1,4 @@
+import * as Sentry from '@sentry/electron/renderer';
 import clone from 'clone';
 import orderedJSON from 'json-order';
 
@@ -291,6 +292,13 @@ export async function render(
 ) {
 // Do nothing to these types
 } else if (typeof x === 'string') {
+ // Detect if the string contains a require statement
+ if (/require\s*\(/ig.test(x)) {
+ console.warn('Short-circuiting `render`; string contains possible "require" invocation:', x);
+ Sentry.captureException(new Error(`Short-circuiting 'render'; string contains possible "require" invocation: ${x}`));
+ return x;
+ }
+
 try {
 // @ts-expect-error -- TSCONVERSION
 x = await templating.render(x, { context, path, ignoreUndefinedEnvVariable });
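Review bot: The new guard in `render` sends the full unrendered string to telemetry: both `console.warn(..., x)` and the `Sentry.captureException` message interpolate `x`, which is whatever string is being rendered and presumably can be a request body, header or environment value holding credentials. Report a constant message instead, e.g. `Sentry.captureException(new Error("Short-circuiting 'render'; string contains possible \"require\" invocation"));`, and log at most `x.length` or the `path` value that is passed to `templating.render` just below; a constant message also lets Sentry group the events. Separately, matching the substring `require(` is a denylist for one spelling rather than a limit on what the template engine can reach, and it silently returns unrendered any legitimate string that merely contains that text, so a comment such as `// Defense-in-depth only: the template sandbox must not rely on this check` would stop readers treating it as the security boundary. The `g` flag is unnecessary for a single `.test()` call and can be dropped. The body of `render` starts and ends outside the hunk.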