Implement SRI check on the external babel links #6120

Closed
9 tasks done
freaky4wrld opened this issue Jan 17, 2024 · 9 comments · Fixed by #6152
Labels: Complexity: Medium; Feature: Code Alerts; role: front end (Tasks for front end developers); size: 1pt (Can be done in 4-6 hours)
Comments


freaky4wrld commented Jan 17, 2024

Overview

Implement SRI checks for the babel.js script tag in 'default-markdown.html' and 'default.html' to address CodeQL alerts 36 and 37, enhancing script integrity and mitigating potential vulnerabilities.

Action Items

  • Implement the SRI check by adding the integrity and crossorigin attributes to the <script> links in the files _layouts/default-markdown.html and _layouts/default.html
  • Do remember to make the attribute crossorigin="anonymous" specifically, as we don't want to share our credentials with the server
  • For the integrity attribute, use the SRI Generator: paste the URL https://cdnjs.cloudflare.com/ajax/libs/babel-standalone/6.26.0/babel.js and generate a SHA-384 hash; we are using a specified version of babel (6.26.0)
  • Paste the generated hash in the integrity attribute in both files; the browser will automatically check the integrity of the external link. This browser feature is only present in modern browsers; older browsers have no support for SRI.
  • Test the changes by
    • Firstly starting the build with docker-compose up and checking if any errors are generated during the build process
    • Next you can go to the browser console by pressing CTRL/CMD + SHIFT + I and check for any JavaScript-related errors
    • Lastly you can go to the Network console and reload the web page, then inspect the network requests to confirm that the babel.js script is loaded successfully.
    • Test a JavaScript-intensive page such as /projects or /wins in at least two browsers

Resources/Instructions

@freaky4wrld freaky4wrld changed the title Implement SRI (Subresource Integrity) check on the external babel links in the files _layouts/default-markdown.html and _layouts/default.html Implement SRI check on the external babel links Jan 22, 2024

Hi @nelsonuprety1, thank you for taking up this issue! Hfla appreciates you :)

Do let fellow developers know about your:
i. Availability: (When are you available to work on the issue/answer questions other programmers might have about your issue?)
ii. ETA: (When do you expect this issue to be completed?)

You're awesome!

P.S. - You may not take up another issue until this issue gets merged (or closed). Thanks again :)

@nelsonuprety1

Availability: Wed 24 January, 2024
ETA: Wed 24 January, 2024

@nelsonuprety1

Please check the PR #6152 for this fix.

4 participants