Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sanitize CI #385

Closed
wants to merge 4 commits into from
Closed

Sanitize CI #385

wants to merge 4 commits into from

Conversation

djesic
Copy link
Contributor

@djesic djesic commented Jul 17, 2023

Code scanning alerts do have a # but they can't be referenced if they are not issues, so here's what this fixes:

  • Alerts 1-6 : Icon replacements. We don't open or visit the URL, and the matching is for the beginning of the URL. I would dismiss these alerts
  • Alert 7: wrap in encodeURIComponent()
  • Alert 8,9,10,11: wrap in new sanitize() js function in helpers/main.js that escapes < > & ' "

@djesic djesic requested a review from ArneTR July 17, 2023 10:26
@djesic
Copy link
Contributor Author

djesic commented Jul 17, 2023

@dan-mm
Copy link
Contributor

dan-mm commented Jul 17, 2023

@dan-mm all tests were passing, but there was an issue: https://github.com/green-coding-berlin/green-metrics-tool/actions/runs/5574522161/jobs/10183235301?pr=385#step:5:63

Aye, its a bug I introduced in v2 of the eco-ci, looking at it now

@ArneTR
Copy link
Member

ArneTR commented Jul 18, 2023

  1. Are all the security vulnerabilities from https://github.com/green-coding-berlin/green-metrics-tool/security/code-scanning handled here or is this supposed to be in a different PR? It looks to me like quite some are missing?

  2. Also I two comments in the review

  3. I think we should rather use the word escape than sanitze, as we are not really removing anything. @dan-mm Can you confirm on the wording?

}
else if(badges_data.data[0][8] == 'gitlab') {
repo_link = `https://gitlab.com/${url_params.get('repo')}`;
repo_link = `https://gitlab.com/${sanitize(url_params.get('repo'))}`;
}
//${repo_link}
const repo_link_node = `<a href="${repo_link}" target="_blank">${url_params.get('repo')}</a>`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is url_params.get('repo') not sanitzed here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missed. Fixed in last commit

@@ -5,7 +5,7 @@ const compareButton = () => {
checkedBoxes.forEach(checkbox => {
link = `${link}${checkbox.value},`;
});
window.location = link.substr(0,link.length-1);
window.location = encodeURIComponent(link.substr(0, link.length - 1));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is this supposed to do? Which part of the checkboxes is supposed to be malicious?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't honestly understand the vulnerability here, but this was the recommendation on how to resolve it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a link?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It was a ChatGPT suggestion:

To fix the warning about DOM text being reinterpreted as HTML without escaping meta-characters, you need to properly escape the text before assigning it to window.location. You can use the encodeURIComponent function to achieve this. Here's an updated version of the code:

window.location = encodeURIComponent(link.substr(0, link.length - 1));

By using encodeURIComponent, you ensure that any special characters in the link string are properly encoded, preventing any unintended interpretation as HTML meta-characters.

However, please note that directly manipulating window.location like this can have security implications. It's important to ensure that the link variable contains a trusted URL and to validate it before using it in this context.

@djesic
Copy link
Contributor Author

djesic commented Jul 18, 2023

  1. Are all the security vulnerabilities from https://github.com/green-coding-berlin/green-metrics-tool/security/code-scanning handled here or is this supposed to be in a different PR? It looks to me like quite some are missing?
  2. Also I two comments in the review
  3. I think we should rather use the word escape than sanitze, as we are not really removing anything. @dan-mm Can you confirm on the wording?
  1. See my opening comment.
  2. Replied
  3. Renamed to escapeString (escape was reserved)

@dan-mm
Copy link
Contributor

dan-mm commented Jul 18, 2023

  1. I think we should rather use the word escape than sanitze, as we are not really removing anything. @dan-mm Can you confirm on the wording?

escape sounds better to me.

fwiw, I already encode some of these strings when the eco-ci sends them to our API to begin with - but its good to check them on this end anyways in case that ever changes / they ever come in from a different source.

@ArneTR ArneTR changed the base branch from dev to main July 25, 2023 10:24
@ribalba
Copy link
Member

ribalba commented Aug 3, 2023

Work has been ported to #411

@ribalba ribalba closed this Aug 3, 2023
@ribalba ribalba deleted the sanitize_js branch August 3, 2023 13:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants