From 2e75bcbc7c1906f3d2950579052ff80616d44570 Mon Sep 17 00:00:00 2001
From: sachinh-amazon <188173965+sachinh-amazon@users.noreply.github.com>
Date: Fri, 2 Jan 2026 09:54:16 +0100
Subject: [PATCH] Add patch to validate referer for vscode-remote-resource API (#109)
---
 patches/sagemaker.series | 1 +
 .../validate-http-request-referer.diff | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 patches/sagemaker/validate-http-request-referer.diff
diff --git a/patches/sagemaker.series b/patches/sagemaker.series
index 1e21882..3271493 100644
--- a/patches/sagemaker.series
+++ b/patches/sagemaker.series
@@ -40,3 +40,4 @@ sagemaker/post-startup-notifications.diff
 sagemaker/sagemaker-extensions-sync.diff
 sagemaker/fix-port-forwarding.diff
 sagemaker/display-both-versions-in-about.diff
+sagemaker/validate-http-request-referer.diff
diff --git a/patches/sagemaker/validate-http-request-referer.diff b/patches/sagemaker/validate-http-request-referer.diff
new file mode 100644
index 0000000..72d3e56
--- /dev/null
+++ b/patches/sagemaker/validate-http-request-referer.diff
@@ -0,0 +1,18 @@
+Index: code-editor-src/src/vs/server/node/remoteExtensionHostAgentServer.ts
+===================================================================
+--- code-editor-src.orig/src/vs/server/node/remoteExtensionHostAgentServer.ts
++++ code-editor-src/src/vs/server/node/remoteExtensionHostAgentServer.ts
+@@ -172,6 +172,13 @@ class RemoteExtensionHostAgentServer ext
+ if (pathname === '/vscode-remote-resource') {
+ // Handle HTTP requests for resources rendered in the rich client (images, fonts, etc.)
+ // These resources could be files shipped with extensions or even workspace files.
++ if (req.headers.referer && req.headers.host) {
++ const parsedRefererUrl = url.parse(req.headers.referer, true);
++ if (parsedRefererUrl.host !== req.headers.host) {
++ return serveError(req, res, 403, `Forbidden.`);
++ }
++ }
++
+ const desiredPath = parsedUrl.query['path'];
+ if (typeof desiredPath !== 'string') {
+ return serveError(req, res, 400, `Bad request.`);
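Review bot: The referer check is skipped whenever the Referer header is absent, and a cross-site page controls that: an `<img referrerpolicy="no-referrer">`, a `Referrer-Policy: no-referrer` response header, or `fetch(url, { mode: 'no-cors', referrerPolicy: 'no-referrer' })` on the attacker's page sends the request with no Referer, so the guard at `if (req.headers.referer && req.headers.host)` falls through to serving the file. A more robust signal is `Sec-Fetch-Site`, which modern browsers attach to every request and page script cannot suppress; rejecting `cross-site` there closes that bypass, with the Referer comparison kept as a secondary check (both are still skipped for non-browser clients, which appears to be the intended behaviour of the existing guard). The legacy `url.parse()` used for `parsedRefererUrl` is deprecated in Node and never throws on malformed input; `new URL(referer).host` inside a try/catch is the current idiom and compares the same host[:port] form that browsers put in the Host header. Whether the editor UI is served from the same origin as this endpoint is not visible in the hunk — if it lives on a sibling subdomain, `same-site` must remain accepted, which rejecting only `cross-site` does. The enclosing request handler starts and ends outside this hunk.

```typescript
// … unchanged: pathname check and comments …
// Sec-Fetch-Site is set by the browser, not the page, so it cannot be stripped like Referer.
const fetchSite = req.headers['sec-fetch-site'];
if (fetchSite === 'cross-site') {
	return serveError(req, res, 403, `Forbidden.`);
}
if (req.headers.referer && req.headers.host) {
	let refererHost: string;
	try {
		refererHost = new URL(req.headers.referer).host;
	} catch {
		return serveError(req, res, 403, `Forbidden.`);
	}
	if (refererHost !== req.headers.host) {
		return serveError(req, res, 403, `Forbidden.`);
	}
}
// … unchanged: desiredPath handling …
```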