Revert "Staging to Production" #1489

Merged 1 commit, Dec 18, 2024
6 changes: 3 additions & 3 deletions assets/client/src/components/ChallengeDetails.js
@@ -109,7 +109,7 @@
<use xlinkHref="assets/uswds/img/sprite.svg#bookmark"></use>
</svg>
Follow challenge
</span>

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.
)
}
}
@@ -121,7 +121,7 @@
<div className="follow-tooltip__section">
<h4>Follow challenge as guest</h4>
<p>Receive challenge updates to your email. No sign-in required</p>
<a href={preview ? "#" : `${encodeURIComponent(challenge.gov_delivery_topic_subscribe_link)}`}>
<a href={preview ? null : challenge.gov_delivery_topic_subscribe_link}>
<button className="follow-tooltip__button">Follow challenge</button>
</a>
</div>
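Review bot: the encodeURIComponent() dropped here was wrapping a complete URL, which percent-encodes ':' and '/' (https://... becomes https%3A%2F%2F...) and turns the subscribe link into a broken relative path, so removing it restores the link; but `challenge.gov_delivery_topic_subscribe_link` now reaches href with no check at all. If that value can be set outside the application, the control to add is a scheme allow-list (http/https) on the value, not percent-encoding. Changing the preview branch from "#" to null is fine, since React omits the attribute for null.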
@@ -323,7 +323,7 @@
return (
<img
className={challenge.upload_logo ? "custom-logo" : "challenge-logo-details-page"}
src={challenge.logo}

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.
alt={`Challenge image for \"${challenge.title}\"`}
/>
);
@@ -350,7 +350,7 @@
<div className="logos">
<img
className="agency-logo"
src={`${imageBase}${encodeURIComponent(challenge.agency_logo)}`}
src={imageBase + challenge.agency_logo}
alt={`Agency logo for ${challenge.agency_name}`}
/>
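Review bot: encodeURIComponent(challenge.agency_logo) also encoded any '/' inside the stored path, so the old src pointed at a single non-existent segment and the plain `imageBase + challenge.agency_logo` is the working form. The CodeQL "DOM text reinterpreted as HTML" hit on the new line is noise as far as markup goes, since JSX escapes attribute values; the only real question is whether agency_logo is server-controlled. If it is not, encode per path segment (split on '/', encodeURIComponent each piece, rejoin) rather than encoding the whole string or nothing.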

@@ -377,7 +377,7 @@
}
<h1 className="title">{challenge.title}</h1>
<h2 className="tagline">{challenge.tagline}</h2>
<div dangerouslySetInnerHTML={{ __html: stripHtml(challenge.brief_description).result }}></div>

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.
</div>
<div className="logo-container">
{renderChallengeLogo()}
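Review bot: unchanged context, but the CodeQL warning sits on `dangerouslySetInnerHTML={{ __html: stripHtml(challenge.brief_description).result }}`, and the intent of that line is plain text (the tags have already been stripped). Unless the stripped string is expected to still carry HTML entities that must render, it can be output as a JSX child, `{stripHtml(challenge.brief_description).result}`, which drops the innerHTML sink entirely. Worth a follow-up outside this revert.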
@@ -404,7 +404,7 @@
</div>
}
{!print &&
<a className="follow__btn" href={`${apiUrl}/public/previews/challenges?challenge=${encodeURIComponent(challenge.uuid)}&print=true`} target="_blank" rel="noopener noreferrer">
<a className="follow__btn" href={apiUrl + `/public/previews/challenges?challenge=${challenge.uuid}&print=true`} target="_blank">
<span className="details__btn">
<svg className="usa-icon" aria-hidden="true" focusable="false" role="img"
style={{fill: "#FA9441", height: "21px", width: "21px", position: "relative", top: "5px", right: "5px"}}>
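Review bot: `rel="noopener noreferrer"` is removed from a `target="_blank"` link along with the encoding, and the rel attribute has nothing to do with the URL-encoding bug; it should stay (it keeps the opened page from reaching window.opener in browsers that do not imply noopener). encodeURIComponent(challenge.uuid) was also the correct use of that function, a single query-string value, and did not need to be reverted.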
6 changes: 3 additions & 3 deletions assets/client/src/components/ChallengeTile.js
@@ -109,13 +109,13 @@
}
}

const renderTileLogo = () => {

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.
if (challenge.imported && challenge.sub_status === "archived" && challenge.logo.includes("challenge-logo-2_1")) {
return (
<div className="agency_image_wrapper">
<img
className="agency-logo"
src={`${imageBase}${encodeURIComponent(challenge.agency_logo)}`}
src={imageBase + challenge.agency_logo}
alt={truncateString(`Agency Logo: ${challenge.agency_name}`, 90)}
/>
</div>
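Review bot: same point as the agency_logo src in ChallengeDetails.js: encodeURIComponent over a path with '/' in it broke the image, and plain concatenation is fine while imageBase and agency_logo are server-controlled. Separately, the guard on the line above, `challenge.logo.includes("challenge-logo-2_1")`, throws a TypeError if logo is null for an imported archived challenge; not part of this change, but a `challenge.logo &&` in front of it would be cheap.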
@@ -128,23 +128,23 @@
<img src={challenge.logo} alt={truncateString(challenge.agency_name, 90)} className="width-full" />
</div>
)
}

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.

return (
<div className="image_wrapper">
<img
className="agency-logo"
src={`${imageBase}${encodeURIComponent(challenge.agency_logo)}`}
src={imageBase + challenge.agency_logo}
alt={truncateString(`Agency Logo: ${challenge.agency_name}`, 90)}
/>
</div>
)

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.
}

return (
challenge ? (
<div key={challenge.id} className="challenge-tile card">
<a href={encodeURI(challengeTileUrl(challenge, preview))} target={challenge.external_url ? "_blank" : ""} aria-label="">
<a href={challengeTileUrl(challenge, preview)} target={challenge.external_url ? "_blank" : ""} aria-label="">
{renderTileLogo()}
<div className="challenge-tile__text-wrapper">
<h2 className="challenge-tile__title test" aria-label="" style={{ textAlign: 'left', paddingLeft: '20px', paddingTop: '20px', lineHeight: '30px' }}>{truncateString(challenge.title, 90)}</h2>
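Review bot: dropping `encodeURI(...)` around challengeTileUrl(challenge, preview) is harmless only if that helper already returns a well-formed URL (encodeURI on a finished URL double-encodes any '%' already in it), so the validation belongs inside challengeTileUrl, and for an external_url that means a scheme allow-list. Also, `target={challenge.external_url ? "_blank" : ""}` carries no rel="noopener noreferrer" in either version; add one while this line is being touched.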
6 changes: 3 additions & 3 deletions assets/client/src/components/PreviewBanner.js
@@ -23,7 +23,7 @@

return (
challenge ? (
<div className="challenge-preview__banner card p-5">

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.
<div className="card-body">
<h1 className="card-title">Preview of challenge #{challenge.id}: {challenge.title}</h1>
<br/>
@@ -37,9 +37,9 @@
<div>
<span className="me-3">Preview generated on {formatDateToLLLL()}</span>
<a className="me-3" href={window.location.href}>Refresh page</a>
{!challenge.external_url && (
<a href={`${apiUrl}/public/previews/challenges?challenge=${encodeURIComponent(challenge.uuid)}&print=true`} target="_blank">Print</a>
)}
{!challenge.external_url &&
<a href={apiUrl + `/public/previews/challenges?challenge=${challenge.uuid}&print=true`} target="_blank">Print</a>
}
</div>
<br/>
<div>Link to share for internal agency review:</div>
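Review bot: of all the encodeURIComponent() calls this revert removes, this one and the matching Print link in ChallengeDetails.js were the correct ones: challenge.uuid is a single query-string value, and encoding it is exactly what the function is for. The change from `{cond && (...)}` to `{cond && ...}` is style only; keep the encoding.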
4 changes: 2 additions & 2 deletions assets/client/src/components/challenge_tabs/Winners.js
@@ -9,7 +9,7 @@
if (phaseWinner.overview_image_path) {
return (
<img
src={`${imageBase}${encodeURIComponent(phaseWinner.overview_image_path)}`}
src={imageBase + phaseWinner.overview_image_path}

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the imageBase value is properly sanitized before it is used in the src attribute of the img tag. This can be achieved by validating that the imageBase is a well-formed URL and does not contain any malicious content.

  1. Import a well-known library for URL validation, such as validator.
  2. Validate the imageBase value before using it in the src attribute.
  3. If the imageBase value is not valid, use a default safe value or handle the error appropriately.
Suggested changeset 2
assets/client/src/components/challenge_tabs/Winners.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/client/src/components/challenge_tabs/Winners.js b/assets/client/src/components/challenge_tabs/Winners.js
--- a/assets/client/src/components/challenge_tabs/Winners.js
+++ b/assets/client/src/components/challenge_tabs/Winners.js
@@ -3,2 +3,3 @@
 import { ApiUrlContext } from '../../ApiUrlContext'
+import validator from 'validator';
 
@@ -6,2 +7,3 @@
   const { imageBase } = useContext(ApiUrlContext)
+  const safeImageBase = validator.isURL(imageBase) ? imageBase : '';
 
@@ -11,3 +13,3 @@
         <img
-          src={imageBase + phaseWinner.overview_image_path}
+          src={safeImageBase + phaseWinner.overview_image_path}
           alt="Phase Winner image"
EOF
assets/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/package.json b/assets/package.json
--- a/assets/package.json
+++ b/assets/package.json
@@ -44,3 +44,4 @@
     "uswds": "2.14.0",
-    "yarn": "^1.22.19"
+    "yarn": "^1.22.19",
+    "validator": "^13.12.0"
   },
EOF
This fix introduces these dependencies: validator (npm) 13.12.0, security advisories: None
alt="Phase Winner image"
title="Phase Winner image"
className="phase-winner-image mt-3"
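Review bot: plain concatenation is the right fix for the broken image path, and the Copilot autofix above should not be applied: `validator.isURL(imageBase) ? imageBase : ''` silently empties a relative base such as /uploads/ (isURL rejects a bare path with no host) and would break every winner image, and it does nothing about the part of the string that is actually data-driven, `phaseWinner.overview_image_path`. imageBase is read from a server-rendered data attribute (see the index.js change in this diff), so the value to watch is the path, not the base.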
@@ -23,7 +23,7 @@
const {id, image_path, name, place_title} = winner
return (
<div key={id} className="d-flex flex-row align-items-center usa-tbm-1rem">
{image_path && (<img src={`${imageBase}${encodeURIComponent(winner.image_path)}`} alt="winner image" title="winner image" className="phase-winner-image me-3" />)}
{image_path && <img src={imageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the imageBase value is properly sanitized before being used in the src attribute of the img tag. This can be achieved by validating that imageBase is a safe URL. We can use a well-known library like DOMPurify to sanitize the URL.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the relevant file.
  3. Use DOMPurify to sanitize the imageBase value before concatenating it with winner.image_path.
Suggested changeset 2
assets/client/src/components/challenge_tabs/Winners.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/client/src/components/challenge_tabs/Winners.js b/assets/client/src/components/challenge_tabs/Winners.js
--- a/assets/client/src/components/challenge_tabs/Winners.js
+++ b/assets/client/src/components/challenge_tabs/Winners.js
@@ -3,2 +3,3 @@
 import { ApiUrlContext } from '../../ApiUrlContext'
+import DOMPurify from 'dompurify';
 
@@ -6,2 +7,3 @@
   const { imageBase } = useContext(ApiUrlContext)
+  const sanitizedImageBase = DOMPurify.sanitize(imageBase);
 
@@ -11,3 +13,3 @@
         <img
-          src={imageBase + phaseWinner.overview_image_path}
+          src={sanitizedImageBase + phaseWinner.overview_image_path}
           alt="Phase Winner image"
@@ -25,3 +27,3 @@
         <div key={id} className="d-flex flex-row align-items-center usa-tbm-1rem">
-          {image_path && <img src={imageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}
+          {image_path && <img src={sanitizedImageBase + winner.image_path} alt="winner image" title="winner image" className="phase-winner-image me-3" />}
           {name && <p>{name}</p>}
EOF
assets/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/package.json b/assets/package.json
--- a/assets/package.json
+++ b/assets/package.json
@@ -44,3 +44,4 @@
     "uswds": "2.14.0",
-    "yarn": "^1.22.19"
+    "yarn": "^1.22.19",
+    "dompurify": "^3.2.3"
   },
EOF
This fix introduces these dependencies: dompurify (npm) 3.2.3, security advisories: None
{name && <p>{name}</p>}
{place_title && <p>{` - ${place_title}`}</p>}
</div>
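Review bot: the second autofix, `DOMPurify.sanitize(imageBase)`, is not a URL check. DOMPurify is an HTML sanitiser; a string that contains no markup, including one that starts with `javascript:`, comes back unchanged, so the patch adds a dependency without adding a control. If winner.image_path can be user-supplied, encode it per path segment and keep imageBase as the trusted prefix; if it cannot, the plain concatenation is fine as reverted.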
4 changes: 2 additions & 2 deletions assets/client/src/index.js
@@ -60,9 +60,9 @@ const renderRouter = () => (
)

const rootElement = document.getElementById('challenge-gov-react-app')
const apiUrl = encodeURI(rootElement.getAttribute('data-api-url'))
const apiUrl = rootElement.getAttribute('data-api-url')
const publicUrl = rootElement.getAttribute('data-public-url')
const imageBase = encodeURI(rootElement.getAttribute('data-image-base'))
const imageBase = rootElement.getAttribute('data-image-base')
const bridgeApplyBlocked = rootElement.getAttribute('data-bridge-apply-blocked') != 'false'

ReactDOM.render(renderRouter(), rootElement);
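Review bot: removing encodeURI() from these data-* reads is correct; the attributes are rendered by the server into the root element, so they are configuration rather than user input, and encodeURI would have percent-encoded a value that is already a URL. The same reasoning covers the identical change in preview.js. Unrelated but on the visible line: `!= 'false'` is a loose comparison; a missing attribute (null) also reads as blocked, which is the safe default, and `!== 'false'` would make that intent explicit.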
2 changes: 1 addition & 1 deletion assets/client/src/preview.js
@@ -51,7 +51,7 @@ const renderPreview = () => (
)

const rootElement = document.getElementById('preview');
const imageBase = encodeURI(rootElement.getAttribute('data-image-base'));
const imageBase = rootElement.getAttribute('data-image-base');
ReactDOM.render(renderPreview(), rootElement);

// If you want your app to work offline and load faster, you can change
4 changes: 2 additions & 2 deletions assets/js/app/_custom_url_generator.js
@@ -18,10 +18,10 @@
if (custom_url_example_text.length > 0) {
if (custom_url_input_value != "") {
challenge_title_slug = title_to_url_slug(custom_url_input_value)
custom_url_example_text.text(challenge_title_slug)
custom_url_example_text.html(challenge_title_slug)

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that the input values are properly sanitized before being used to set HTML content. Instead of using the html() method, we should use the text() method, which sets the text content of the selected elements and automatically escapes any HTML characters.

  • Replace the html() method with the text() method to prevent the input from being interpreted as HTML.
  • This change should be made on lines 21 and 24 in the set_custom_url_example function.
Suggested changeset 1
assets/js/app/_custom_url_generator.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/js/app/_custom_url_generator.js b/assets/js/app/_custom_url_generator.js
--- a/assets/js/app/_custom_url_generator.js
+++ b/assets/js/app/_custom_url_generator.js
@@ -20,6 +20,6 @@
       challenge_title_slug = title_to_url_slug(custom_url_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     } else {
       challenge_title_slug = title_to_url_slug(challenge_title_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     }
EOF
} else {
challenge_title_slug = title_to_url_slug(challenge_title_input_value)
custom_url_example_text.text(challenge_title_slug)
custom_url_example_text.html(challenge_title_slug)

Code scanning / CodeQL warning (Medium): DOM text reinterpreted as HTML. DOM text is reinterpreted as HTML without escaping meta-characters.

Copilot Autofix AI about 1 month ago

To fix the problem, we need to ensure that any user input is properly escaped before being inserted into the DOM. This can be achieved by using text insertion methods that automatically escape HTML, such as text() instead of html(). This change will prevent any HTML tags in the user input from being interpreted as actual HTML, thereby mitigating the XSS risk.

We will replace the html() method with the text() method on lines 21 and 24 in the set_custom_url_example function. This ensures that the user input is treated as plain text and not as HTML.

Suggested changeset 1
assets/js/app/_custom_url_generator.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/assets/js/app/_custom_url_generator.js b/assets/js/app/_custom_url_generator.js
--- a/assets/js/app/_custom_url_generator.js
+++ b/assets/js/app/_custom_url_generator.js
@@ -20,6 +20,6 @@
       challenge_title_slug = title_to_url_slug(custom_url_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     } else {
       challenge_title_slug = title_to_url_slug(challenge_title_input_value)
-      custom_url_example_text.html(challenge_title_slug)
+      custom_url_example_text.text(challenge_title_slug)
     }
EOF
}
}
}
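Review bot: this is the one regression in the revert that matters. `custom_url_example_text.text(challenge_title_slug)` was the fix for the CodeQL finding, and going back to `.html(challenge_title_slug)` reinstates a jQuery innerHTML sink fed by a value derived from the custom URL and title input fields. Both Copilot autofixes above are right (swap .html() for .text() on both lines): .text() shows the same slug and cannot be parsed as markup. Only if title_to_url_slug() is proven to emit nothing outside [a-z0-9-] is .html() merely sloppy rather than exploitable, and even then .text() is the correct call.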
4 changes: 2 additions & 2 deletions assets/package.json
@@ -19,7 +19,7 @@
"create-react-app": "^5.0.1",
"file-loader": "^6.2.0",
"inputmask": "^5.0.5",
"jquery": "^3.7.1",
"jquery": "^3.3.1",
"moment": "^2.27.0",
"moment-timezone": "^0.5.31",
"node-quill-converter": "^0.3.3",
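Review bot: lowering the jquery range from ^3.7.1 to ^3.3.1 widens what an install may resolve to all the way down to 3.3.1, which predates the 3.4.0 and 3.5.0 security releases (the prototype-pollution fix in 3.4.0 and the htmlPrefilter change in 3.5.0 that closed CVE-2020-11022 and CVE-2020-11023). With a committed lockfile the resolved version may not move, but the manifest should keep the 3.7.1 floor; nothing else in this diff depends on the older range.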
@@ -59,4 +59,4 @@
"webpack": "^5.76.0",
"webpack-cli": "^4.7.0"
}
}
}
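The thread above turns on one idea: encoding is context-specific. encodeURIComponent() is right for a single query-string value or a single path segment and wrong for a whole URL (which is why the links and images broke before the revert); an href needs a scheme allow-list rather than percent-encoding; a slug shown in the page needs a text-only sink or HTML escaping. The block below is an added example, not code from the challenge.gov repository or from this PR; the function names, the default origin and the sample values are assumptions made for the example.

```javascript
// Added example, not code from the challenge.gov repository or from this PR.
// Function names, the default page origin and the sample values are
// assumptions for the example, not names from the project.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// What the reverted code did: encode a complete URL. The result is no longer
// a URL at all (':' and '/' become %3A and %2F), which is why links broke.
function brokenEncodeWholeUrl(url) {
  return encodeURIComponent(url);
}

// Join a trusted base to a stored path, encoding each segment separately so
// '/' survives while ' ', '#', '?' and '%' inside a segment are escaped.
function joinImagePath(imageBase, storedPath) {
  const base = imageBase.endsWith("/") ? imageBase : imageBase + "/";
  const segments = storedPath.replace(/^\/+/, "").split("/").filter(Boolean);
  return base + segments.map(encodeURIComponent).join("/");
}

// Build the print/preview link with URLSearchParams, which encodes each value
// for the query context (the one place the old encodeURIComponent(uuid) was
// already correct).
function previewUrl(apiUrl, challengeUuid) {
  const url = new URL("/public/previews/challenges", apiUrl);
  url.searchParams.set("challenge", challengeUuid);
  url.searchParams.set("print", "true");
  return url.toString();
}

// Return an href only when its scheme is http or https (absolute URLs and
// same-origin relative paths); return null otherwise so React omits the
// attribute instead of emitting javascript: or data: into the DOM.
function safeHref(candidate, pageOrigin = "https://www.challenge.gov") {
  if (typeof candidate !== "string" || candidate.trim() === "") return null;
  let parsed;
  try {
    parsed = new URL(candidate, pageOrigin);
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

// Slug for the "custom URL" preview text: only [a-z0-9-] can come out, which
// is what makes a text-only sink (.text()) sufficient and .html() pointless.
function toUrlSlug(title) {
  return String(title)
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, "-")
    .replace(/^-+|-+$/g, "");
}

// HTML text-context escape for the case where a value has to pass through an
// innerHTML-style sink anyway. Covers the five characters that matter there.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}
```

The two calls that matter for this PR are `safeHref` for the subscribe and tile links (the check the revert leaves missing) and `joinImagePath` for the image src values (the check the old encodeURIComponent was trying, wrongly, to be); `toUrlSlug` plus jQuery `.text()` is the shape of the fix for _custom_url_generator.js.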