Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert "Staging to Production" #1489

Merged
merged 1 commit into from
Dec 18, 2024
Merged

Revert "Staging to Production" #1489

merged 1 commit into from
Dec 18, 2024

Conversation

jdonis
Copy link
Contributor

@jdonis jdonis commented Dec 18, 2024

Reverts #1456

@jdonis jdonis requested a review from kkrug December 18, 2024 14:46
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 18, 2024
View reviewed changes
assets/client/src/components/challenge_tabs/Winners.js
@@ -9,7 +9,7 @@
if (phaseWinner.overview_image_path) {
return (
<img
src={`${imageBase}${encodeURIComponent(phaseWinner.overview_image_path)}`}
src={imageBase + phaseWinner.overview_image_path}

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the imageBase value is properly sanitized before it is used in the src attribute of the img tag. This can be achieved by validating that the imageBase is a well-formed URL and does not contain any malicious content.

  1. Import a well-known library for URL validation, such as validator.
  2. Validate the imageBase value before using it in the src attribute.
  3. If the imageBase value is not valid, use a default safe value or handle the error appropriately.
Suggested changeset 2
assets/client/src/components/challenge_tabs/Winners.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/client/src/components/challenge_tabs/Winners.js b/assets/client/src/components/challenge_tabs/Winners.js
--- a/assets/client/src/components/challenge_tabs/Winners.js
+++ b/assets/client/src/components/challenge_tabs/Winners.js
@@ -3,2 +3,3 @@
 import { ApiUrlContext } from '../../ApiUrlContext'
+import validator from 'validator';
 
@@ -6,2 +7,3 @@
   const { imageBase } = useContext(ApiUrlContext)
+  const safeImageBase = validator.isURL(imageBase) ? imageBase : '';
 
@@ -11,3 +13,3 @@
         <img
-          src={imageBase + phaseWinner.overview_image_path}
+          src={safeImageBase + phaseWinner.overview_image_path}
           alt="Phase Winner image"
EOF
@@ -3,2 +3,3 @@
import { ApiUrlContext } from '../../ApiUrlContext'
import validator from 'validator';

@@ -6,2 +7,3 @@
const { imageBase } = useContext(ApiUrlContext)
const safeImageBase = validator.isURL(imageBase) ? imageBase : '';

@@ -11,3 +13,3 @@
<img
src={imageBase + phaseWinner.overview_image_path}
src={safeImageBase + phaseWinner.overview_image_path}
alt="Phase Winner image"
assets/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/package.json b/assets/package.json
--- a/assets/package.json
+++ b/assets/package.json
@@ -44,3 +44,4 @@
     "uswds": "2.14.0",
-    "yarn": "^1.22.19"
+    "yarn": "^1.22.19",
+    "validator": "^13.12.0"
   },
EOF
@@ -44,3 +44,4 @@
"uswds": "2.14.0",
"yarn": "^1.22.19"
"yarn": "^1.22.19",
"validator": "^13.12.0"
},
This fix introduces these dependencies
Package Version Security advisories
validator (npm) 13.12.0 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
assets/client/src/components/challenge_tabs/Winners.js
@@ -23,7 +23,7 @@
const {id, image_path, name, place_title} = winner
return (
<div key={id} className="d-flex flex-row align-items-center usa-tbm-1rem">
{image_path && (<img src={`${imageBase}${encodeURIComponent(winner.image_path)}`} alt="winner image" title="winner image" className="phase-winner-image me-3" />)}
{image_path && <img src={imageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the imageBase value is properly sanitized before being used in the src attribute of the img tag. This can be achieved by validating that imageBase is a safe URL. We can use a well-known library like DOMPurify to sanitize the URL.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the relevant file.
  3. Use DOMPurify to sanitize the imageBase value before concatenating it with winner.image_path.
Suggested changeset 2
assets/client/src/components/challenge_tabs/Winners.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/client/src/components/challenge_tabs/Winners.js b/assets/client/src/components/challenge_tabs/Winners.js
--- a/assets/client/src/components/challenge_tabs/Winners.js
+++ b/assets/client/src/components/challenge_tabs/Winners.js
@@ -3,2 +3,3 @@
 import { ApiUrlContext } from '../../ApiUrlContext'
+import DOMPurify from 'dompurify';
 
@@ -6,2 +7,3 @@
   const { imageBase } = useContext(ApiUrlContext)
+  const sanitizedImageBase = DOMPurify.sanitize(imageBase);
 
@@ -11,3 +13,3 @@
         <img
-          src={imageBase + phaseWinner.overview_image_path}
+          src={sanitizedImageBase + phaseWinner.overview_image_path}
           alt="Phase Winner image"
@@ -25,3 +27,3 @@
         <div key={id} className="d-flex flex-row align-items-center usa-tbm-1rem">
-          {image_path && <img src={imageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}
+          {image_path && <img src={sanitizedImageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}
           {name && <p>{name}</p>}
EOF
@@ -3,2 +3,3 @@
import { ApiUrlContext } from '../../ApiUrlContext'
import DOMPurify from 'dompurify';

@@ -6,2 +7,3 @@
const { imageBase } = useContext(ApiUrlContext)
const sanitizedImageBase = DOMPurify.sanitize(imageBase);

@@ -11,3 +13,3 @@
<img
src={imageBase + phaseWinner.overview_image_path}
src={sanitizedImageBase + phaseWinner.overview_image_path}
alt="Phase Winner image"
@@ -25,3 +27,3 @@
<div key={id} className="d-flex flex-row align-items-center usa-tbm-1rem">
{image_path && <img src={imageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}
{image_path && <img src={sanitizedImageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}
{name && <p>{name}</p>}
assets/package.json
Outside changed files

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/package.json b/assets/package.json
--- a/assets/package.json
+++ b/assets/package.json
@@ -44,3 +44,4 @@
     "uswds": "2.14.0",
-    "yarn": "^1.22.19"
+    "yarn": "^1.22.19",
+    "dompurify": "^3.2.3"
   },
EOF
@@ -44,3 +44,4 @@
"uswds": "2.14.0",
"yarn": "^1.22.19"
"yarn": "^1.22.19",
"dompurify": "^3.2.3"
},
This fix introduces these dependencies
Package Version Security advisories
dompurify (npm) 3.2.3 None
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
assets/js/app/_custom_url_generator.js
@@ -18,10 +18,10 @@
if (custom_url_example_text.length > 0) {
if (custom_url_input_value != "") {
challenge_title_slug = title_to_url_slug(custom_url_input_value)
custom_url_example_text.text(challenge_title_slug)
custom_url_example_text.html(challenge_title_slug)

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the input values are properly sanitized before being used to set HTML content. Instead of using the html() method, we should use the text() method, which sets the text content of the selected elements and automatically escapes any HTML characters.

  • Replace the html() method with the text() method to prevent the input from being interpreted as HTML.
  • This change should be made on lines 21 and 24 in the set_custom_url_example function.
Suggested changeset 1
assets/js/app/_custom_url_generator.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/js/app/_custom_url_generator.js b/assets/js/app/_custom_url_generator.js
--- a/assets/js/app/_custom_url_generator.js
+++ b/assets/js/app/_custom_url_generator.js
@@ -20,6 +20,6 @@
       challenge_title_slug = title_to_url_slug(custom_url_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     } else {
       challenge_title_slug = title_to_url_slug(challenge_title_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     }
EOF
@@ -20,6 +20,6 @@
challenge_title_slug = title_to_url_slug(custom_url_input_value)
custom_url_example_text.html(challenge_title_slug)
custom_url_example_text.text(challenge_title_slug)
} else {
challenge_title_slug = title_to_url_slug(challenge_title_input_value)
custom_url_example_text.html(challenge_title_slug)
custom_url_example_text.text(challenge_title_slug)
}
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
assets/js/app/_custom_url_generator.js
} else {
challenge_title_slug = title_to_url_slug(challenge_title_input_value)
custom_url_example_text.text(challenge_title_slug)
custom_url_example_text.html(challenge_title_slug)

Check warning

Code scanning / CodeQL

DOM text reinterpreted as HTML Medium

DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.
DOM text
Loading
is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that any user input is properly escaped before being inserted into the DOM. This can be achieved by using text insertion methods that automatically escape HTML, such as text() instead of html(). This change will prevent any HTML tags in the user input from being interpreted as actual HTML, thereby mitigating the XSS risk.

We will replace the html() method with the text() method on lines 21 and 24 in the set_custom_url_example function. This ensures that the user input is treated as plain text and not as HTML.

Suggested changeset 1
assets/js/app/_custom_url_generator.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/js/app/_custom_url_generator.js b/assets/js/app/_custom_url_generator.js
--- a/assets/js/app/_custom_url_generator.js
+++ b/assets/js/app/_custom_url_generator.js
@@ -20,6 +20,6 @@
       challenge_title_slug = title_to_url_slug(custom_url_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     } else {
       challenge_title_slug = title_to_url_slug(challenge_title_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     }
EOF
@@ -20,6 +20,6 @@
challenge_title_slug = title_to_url_slug(custom_url_input_value)
custom_url_example_text.html(challenge_title_slug)
custom_url_example_text.text(challenge_title_slug)
} else {
challenge_title_slug = title_to_url_slug(challenge_title_input_value)
custom_url_example_text.html(challenge_title_slug)
custom_url_example_text.text(challenge_title_slug)
}
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@kkrug kkrug merged commit 827862d into production Dec 18, 2024
4 of 5 checks passed
@kkrug kkrug deleted the revert-1456-staging branch December 18, 2024 14:52
@r-bartlett-gsa r-bartlett-gsa added this to the Sprint 12/31/24 milestone Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kkrug kkrug kkrug approved these changes

Assignees

@jdonis jdonis

Labels
None yet
Projects
None yet
Milestone
Sprint 12/31/24
Development

Successfully merging this pull request may close these issues.
3 participants
@jdonis @kkrug @r-bartlett-gsa