From a82a394e63ed0bd94e569690994f54c729d1fdd8 Mon Sep 17 00:00:00 2001 From: Dmitrii Ostasevich Date: Mon, 1 Dec 2025 16:03:57 +0100 Subject: [PATCH 01/13] improve special case santize --- src/sanitize.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/sanitize.ts b/src/sanitize.ts index 6f9e505..be1af20 100644 --- a/src/sanitize.ts +++ b/src/sanitize.ts @@ -262,7 +262,10 @@ export const sanitizeHTMLWithConfig = ( // Some texts from Agentic AI starts with a ", ">"); + if (text?.startsWith("/g, ">"); + } const configToUse = customAllowedHtmlTags ? { ...config, ALLOWED_TAGS: customAllowedHtmlTags } From 85ea4bdc81de807f67f982130e4ac2895b7daa05 Mon Sep 17 00:00:00 2001 From: Dmitrii Ostasevich Date: Mon, 1 Dec 2025 16:04:56 +0100 Subject: [PATCH 02/13] implement codeql local scanning + patches --- .gitignore | 5 +- codeql-config.yml | 93 ++++++++++++ codeql-results-dist.sarif | 1 + package.json | 7 +- scripts/codeql-scan.sh | 218 +++++++++++++++++++++++++++++ scripts/postbuild-secure-patch.mjs | 187 +++++++++++++++++++++++++ 6 files changed, 508 insertions(+), 3 deletions(-) create mode 100644 codeql-config.yml create mode 100644 codeql-results-dist.sarif create mode 100644 scripts/codeql-scan.sh create mode 100644 scripts/postbuild-secure-patch.mjs diff --git a/.gitignore b/.gitignore index 6f8f1dc..bc058d6 100644 --- a/.gitignore +++ b/.gitignore @@ -28,4 +28,7 @@ dist-ssr *.module.css.d.ts # Packed files -*.tgz \ No newline at end of file +*.tgz + +codeql-results.sarif +codeql-db diff --git a/codeql-config.yml b/codeql-config.yml new file mode 100644 index 0000000..87c925f --- /dev/null +++ b/codeql-config.yml 
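Review bot: The new `if (text?.startsWith(…)) { text = text.replace(/…/g, ">"); }` branch rewrites the input with a global regex before the allowlist config (`configToUse` / `ALLOWED_TAGS`) is even built, but the comment above it (`// Some texts from Agentic AI starts with a …`) names neither the prefix being matched nor why it must be rewritten instead of being left to the sanitizer, and the pattern literals are not legible in this rendering of the hunk so I cannot judge the regex itself. A rewrite that runs ahead of the sanitizer is part of the sanitizer's trust boundary: substituting `>` into the string can change how the following parser tokenises everything after it, so this branch should be pinned by a unit test that feeds the exact agent output that motivated it and asserts the final sanitized result. I would reword the comment to `// Some agentic-AI responses start with <PREFIX-PLACEHOLDER>; normalise it here because the sanitizer would otherwise <REASON-PLACEHOLDER>` and move the `startsWith` check plus the regex into one small named helper so the special case is testable on its own. The enclosing `sanitizeHTMLWithConfig` starts before this hunk and continues after it.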
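Review bot: The new ignore entry `codeql-results.sarif` does not cover `codeql-results-dist.sarif`, which this same commit adds as a tracked file (diffstat and `create mode 100644 codeql-results-dist.sarif`), so one scan output is ignored while another, machine-generated report is committed. That report churns on every run and, as the visible content shows, records local tool diagnostics such as `cli/platform` and `cli/sip-enablement`, which do not belong in version control. I would widen the pattern to `codeql-results*.sarif` (or simply `*.sarif`) and drop the committed file; if the report is intentionally kept as a baseline, a comment next to the ignore entry should say so.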
@@ -0,0 +1,93 @@
+# CodeQL configuration for local scanning of a TypeScript + Vite library.
+# Includes application sources in src plus third-party code in node_modules
+# while aggressively excluding low-value / very large subtrees to keep the
+# database size and analysis time manageable.
+#
+# Usage with CodeQL CLI:
+# codeql database create codeql-db \
+# --language=javascript \
+# --source-root=. \
+# --codescanning-config=codeql-config.yml \
+# --command="npm run build"
+#
+# (If you only need type info and no emitted JS, you can use --command="true"
+# because Vite + TS compilation output will already exist in dist if built.)
+#
+# If analysis becomes too slow, first remove node_modules entirely and only
+# re-enable a curated subset (e.g. crypto libs) by copying them to a vendor/ dir.
+
+name: "Chat Components local scan (src + prod node_modules)"
+
+paths:
+ - src
+ - node_modules
+
+# Exclusions are deliberately verbose; prune or uncomment as needed.
+paths-ignore:
+ # Build outputs / bundles
+ - dist/**
+ - node_modules/**/dist/**
+ - node_modules/**/build/**
+ - node_modules/**/lib/** # Many packages ship transpiled output here
+ - node_modules/**/coverage/**
+ - node_modules/**/.cache/**
+
+ # Tests, fixtures, examples
+ - node_modules/**/test/**
+ - node_modules/**/tests/**
+ - node_modules/**/__tests__/**
+ - node_modules/**/testing/**
+ - node_modules/**/benchmark/**
+ - node_modules/**/bench/**
+ - node_modules/**/example/**
+ - node_modules/**/examples/**
+ - node_modules/**/fixtures/**
+ - node_modules/**/mocks/**
+ - node_modules/**/spec/**
+ - node_modules/**/__mocks__/**
+
+ # Documentation & metadata
+ - node_modules/**/docs/**
+ - node_modules/**/doc/**
+ - node_modules/**/documentation/**
+ - node_modules/**/.github/**
+ - node_modules/**/scripts/** # Build / maintenance scripts seldom security-relevant
+
+ # Front-end demo tooling in dependencies
+ - node_modules/**/cypress/**
+ - node_modules/**/storybook/**
+ - node_modules/**/playwright/**
+ - node_modules/**/wdio/**
+ - node_modules/**/selenium/**
+
+ # IDE/project artifacts
+ - node_modules/**/.vscode/**
+ - node_modules/**/.idea/**
+
+ # Declaration files (optional exclusion — they are not executable code)
+ - node_modules/**/*.d.ts
+
+ # Large, frequently safe-to-ignore frameworks (uncomment if size is too big):
+ - node_modules/react/**
+ - node_modules/react-dom/**
+ - node_modules/typescript/** # Compiler sources rarely help app vuln discovery
+ - node_modules/@types/** # Pure type declarations
+ - node_modules/babel-*/** # Tooling
+ - node_modules/eslint/** # Tooling
+ - node_modules/@eslint/** # Tooling
+# No queries specified; choose suites explicitly at analyze time
+# e.g. javascript-code-scanning.qls, javascript-security-extended.qls, javascript-security-and-quality.qls
+# Advanced options (leave commented unless needed):
+# packs:
+# - codeql/javascript-experimental@@latest
+# query-filters:
+# - exclude:
+# id: js/useless-equality-check
+#
+# For very large dependency trees consider a two-tier approach:
+# 1. Daily / PR scans with only `src`
+# 2. Weekly deep scan enabling node_modules (this config)
+#
+# To trim size further, run a pre-step to remove redundant folders:
+# find node_modules -type d -name dist -prune -exec rm -rf {} +
+# find node_modules -type d -name coverage -prune -exec rm -rf {} +
diff --git a/codeql-results-dist.sarif b/codeql-results-dist.sarif
new file mode 100644
index 0000000..d136ac3
--- /dev/null
+++ b/codeql-results-dist.sarif
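Review bot: The `paths-ignore` entries `node_modules/**/dist/**`, `node_modules/**/build/**` and `node_modules/**/lib/**` exclude what is, for most installed packages, the only JavaScript that ships, so the `node_modules` entry under `paths` will mostly contribute manifests and READMEs and the dependency analysis the header comment promises ("e.g. crypto libs") largely will not happen. The inline remark `# Many packages ship transpiled output here` is an argument for keeping that directory when the goal is to analyse third-party code, not for dropping it. I would remove those three lines (first-party output is already covered by `dist/**`) and control database size through the package-level exclusions further down instead. Separately, the heading `# Large, frequently safe-to-ignore frameworks (uncomment if size is too big):` is stale, since the entries beneath it are already active rather than commented out.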
@@ -0,0 +1 @@ +{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.23.6","notifications":[{"id":"js/diagnostics/extraction-errors","name":"js/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"js/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"js/diagnostics/successfully-extracted-files","name":"js/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"js/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"js/baseline/expected-extracted-files","name":"js/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement 
status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"js/angular/disabling-sce","name":"js/angular/disabling-sce","shortDescription":{"text":"Disabling SCE"},"fullDescription":{"text":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","maintainability","frameworks/angularjs","external/cwe/cwe-116"],"description":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities.","id":"js/angular/disabling-sce","kind":"problem","name":"Disabling SCE","precision":"very-high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/angular/double-compilation","name":"js/angular/double-compilation","shortDescription":{"text":"Double compilation"},"fullDescription":{"text":"Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["reliability","frameworks/angularjs","security","external/cwe/cwe-1176"],"description":"Recompiling an already compiled part of the DOM can lead to\n unexpected behavior of directives, performance problems, and memory leaks.","id":"js/angular/double-compilation","kind":"problem","name":"Double compilation","precision":"very-high","problem.severity":"warning","security-severity":"8.8"}},{"id":"js/angular/insecure-url-whitelist","name":"js/angular/insecure-url-whitelist","shortDescription":{"text":"Insecure URL whitelist"},"fullDescription":{"text":"URL whitelists that are too permissive can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","frameworks/angularjs","external/cwe/cwe-183","external/cwe/cwe-625"],"description":"URL whitelists that are too permissive can cause security 
vulnerabilities.","id":"js/angular/insecure-url-whitelist","kind":"problem","name":"Insecure URL whitelist","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/identity-replacement","name":"js/identity-replacement","shortDescription":{"text":"Replacement of a substring with itself"},"fullDescription":{"text":"Replacing a substring with itself has no effect and may indicate a mistake."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116"],"description":"Replacing a substring with itself has no effect and may indicate a mistake.","id":"js/identity-replacement","kind":"problem","name":"Replacement of a substring with itself","precision":"very-high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/cross-window-information-leak","name":"js/cross-window-information-leak","shortDescription":{"text":"Cross-window communication with unrestricted target origin"},"fullDescription":{"text":"When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-201","external/cwe/cwe-359"],"description":"When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.","id":"js/cross-window-information-leak","kind":"path-problem","name":"Cross-window communication with unrestricted target origin","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"js/functionality-from-untrusted-source","name":"js/functionality-from-untrusted-source","shortDescription":{"text":"Inclusion of functionality from an untrusted source"},"fullDescription":{"text":"Including functionality from an untrusted source may allow an attacker 
to control the functionality and execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.","id":"js/functionality-from-untrusted-source","kind":"problem","name":"Inclusion of functionality from an untrusted source","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/functionality-from-untrusted-domain","name":"js/functionality-from-untrusted-domain","shortDescription":{"text":"Untrusted domain used in script or other content"},"fullDescription":{"text":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.","id":"js/functionality-from-untrusted-domain","kind":"problem","name":"Untrusted domain used in script or other content","precision":"high","problem.severity":"error","security-severity":"7.2"}},{"id":"js/code-injection","name":"js/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user arbitrary code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user arbitrary\n code execution.","id":"js/code-injection","kind":"path-problem","name":"Code 
injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/unsafe-dynamic-method-access","name":"js/unsafe-dynamic-method-access","shortDescription":{"text":"Unsafe dynamic method access"},"fullDescription":{"text":"Invoking user-controlled methods on certain objects can lead to remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094"],"description":"Invoking user-controlled methods on certain objects can lead to remote code execution.","id":"js/unsafe-dynamic-method-access","kind":"path-problem","name":"Unsafe dynamic method access","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/bad-code-sanitization","name":"js/bad-code-sanitization","shortDescription":{"text":"Improper code sanitization"},"fullDescription":{"text":"Escaping code as HTML does not provide protection against code injection."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Escaping code as HTML does not provide protection against code injection.","id":"js/bad-code-sanitization","kind":"path-problem","name":"Improper code sanitization","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/stack-trace-exposure","name":"js/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an 
attacker for developing a subsequent exploit.","id":"js/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"very-high","problem.severity":"warning","security-severity":"5.4"}},{"id":"js/exposure-of-private-files","name":"js/exposure-of-private-files","shortDescription":{"text":"Exposure of private files"},"fullDescription":{"text":"Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-200","external/cwe/cwe-219","external/cwe/cwe-548"],"description":"Exposing a node_modules folder, or the project folder to the public, can cause exposure\n of private information.","id":"js/exposure-of-private-files","kind":"problem","name":"Exposure of private files","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/client-side-unvalidated-url-redirection","name":"js/client-side-unvalidated-url-redirection","shortDescription":{"text":"Client-side URL redirect"},"fullDescription":{"text":"Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-601"],"description":"Client-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"js/client-side-unvalidated-url-redirection","kind":"path-problem","name":"Client-side URL redirect","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/server-side-unvalidated-url-redirection","name":"js/server-side-unvalidated-url-redirection","shortDescription":{"text":"Server-side URL redirect"},"fullDescription":{"text":"Server-side URL redirection based on unvalidated user input may cause redirection to malicious web 
sites."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"Server-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"js/server-side-unvalidated-url-redirection","kind":"path-problem","name":"Server-side URL redirect","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/insufficient-key-size","name":"js/insufficient-key-size","shortDescription":{"text":"Use of a weak cryptographic key"},"fullDescription":{"text":"Using a weak cryptographic key can allow an attacker to compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Using a weak cryptographic key can allow an attacker to compromise security.","id":"js/insufficient-key-size","kind":"problem","name":"Use of a weak cryptographic key","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/case-sensitive-middleware-path","name":"js/case-sensitive-middleware-path","shortDescription":{"text":"Case-sensitive middleware path"},"fullDescription":{"text":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-178"],"description":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.","id":"js/case-sensitive-middleware-path","kind":"problem","name":"Case-sensitive middleware path","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/weak-cryptographic-algorithm","name":"js/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise 
security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"js/weak-cryptographic-algorithm","kind":"path-problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/biased-cryptographic-random","name":"js/biased-cryptographic-random","shortDescription":{"text":"Creating biased random numbers from a cryptographically secure source"},"fullDescription":{"text":"Some mathematical operations on random numbers can cause bias in the results and compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Some mathematical operations on random numbers can cause bias in\n the results and compromise security.","id":"js/biased-cryptographic-random","kind":"problem","name":"Creating biased random numbers from a cryptographically secure source","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/insufficient-password-hash","name":"js/insufficient-password-hash","shortDescription":{"text":"Use of password hash with insufficient computational effort"},"fullDescription":{"text":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-916"],"description":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.","id":"js/insufficient-password-hash","kind":"path-problem","name":"Use of password hash with insufficient computational 
effort","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/request-forgery","name":"js/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery attacks.","id":"js/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/cors-permissive-configuration","name":"js/cors-permissive-configuration","shortDescription":{"text":"Permissive CORS configuration"},"fullDescription":{"text":"Cross-origin resource sharing (CORS) policy allows overly broad access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-942"],"description":"Cross-origin resource sharing (CORS) policy allows overly broad access.","id":"js/cors-permissive-configuration","kind":"path-problem","name":"Permissive CORS configuration","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/sensitive-get-query","name":"js/sensitive-get-query","shortDescription":{"text":"Sensitive data read from GET request"},"fullDescription":{"text":"Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-598"],"description":"Placing sensitive data in a GET request increases the risk of\n the data being exposed to an attacker.","id":"js/sensitive-get-query","kind":"problem","name":"Sensitive data read from GET 
request","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/clear-text-cookie","name":"js/clear-text-cookie","shortDescription":{"text":"Clear text transmission of sensitive cookie"},"fullDescription":{"text":"Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-311","external/cwe/cwe-312","external/cwe/cwe-319"],"description":"Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.","id":"js/clear-text-cookie","kind":"problem","name":"Clear text transmission of sensitive cookie","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/sql-injection","name":"js/sql-injection","shortDescription":{"text":"Database query built from user-controlled sources"},"fullDescription":{"text":"Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089","external/cwe/cwe-090","external/cwe/cwe-943"],"description":"Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"js/sql-injection","kind":"path-problem","name":"Database query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/template-object-injection","name":"js/template-object-injection","shortDescription":{"text":"Template Object Injection"},"fullDescription":{"text":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code 
execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-073","external/cwe/cwe-094"],"description":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.","id":"js/template-object-injection","kind":"path-problem","name":"Template Object Injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/incomplete-url-scheme-check","name":"js/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","correctness","external/cwe/cwe-020","external/cwe/cwe-184"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and \"data:\" suggests a logic error or even a security vulnerability.","id":"js/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/useless-regexp-character-escape","name":"js/useless-regexp-character-escape","shortDescription":{"text":"Useless regular-expression character escape"},"fullDescription":{"text":"Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave 
unexpectedly.","id":"js/useless-regexp-character-escape","kind":"problem","name":"Useless regular-expression character escape","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-hostname-regexp","name":"js/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"js/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incorrect-suffix-check","name":"js/incorrect-suffix-check","shortDescription":{"text":"Incorrect suffix check"},"fullDescription":{"text":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.","id":"js/incorrect-suffix-check","kind":"problem","name":"Incorrect suffix check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-url-substring-sanitization","name":"js/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to 
bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"js/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/overly-large-range","name":"js/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.","id":"js/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"4.0"}},{"id":"js/host-header-forgery-in-email-generation","name":"js/host-header-forgery-in-email-generation","shortDescription":{"text":"Host header poisoning in email generation"},"fullDescription":{"text":"Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-640"],"description":"Using the HTTP Host header to construct a link in an email can facilitate phishing\n attacks and leak password reset tokens.","id":"js/host-header-forgery-in-email-generation","kind":"path-problem","name":"Host header poisoning in email 
generation","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/resource-exhaustion-from-deep-object-traversal","name":"js/resource-exhaustion-from-deep-object-traversal","shortDescription":{"text":"Resources exhaustion from deep object traversal"},"fullDescription":{"text":"Processing user-controlled object hierarchies inefficiently can lead to denial of service."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-400"],"description":"Processing user-controlled object hierarchies inefficiently can lead to denial of service.","id":"js/resource-exhaustion-from-deep-object-traversal","kind":"path-problem","name":"Resources exhaustion from deep object traversal","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/loop-bound-injection","name":"js/loop-bound-injection","shortDescription":{"text":"Loop bound injection"},"fullDescription":{"text":"Iterating over an object with a user-controlled .length property can cause indefinite looping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-834","external/cwe/cwe-730"],"description":"Iterating over an object with a user-controlled .length\n property can cause indefinite looping.","id":"js/loop-bound-injection","kind":"path-problem","name":"Loop bound injection","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/disabling-certificate-validation","name":"js/disabling-certificate-validation","shortDescription":{"text":"Disabling certificate validation"},"fullDescription":{"text":"Disabling cryptographic certificate validation can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-295","external/cwe/cwe-297"],"description":"Disabling cryptographic certificate validation can cause security 
vulnerabilities.","id":"js/disabling-certificate-validation","kind":"problem","name":"Disabling certificate validation","precision":"very-high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/insecure-helmet-configuration","name":"js/insecure-helmet-configuration","shortDescription":{"text":"Insecure configuration of Helmet security middleware"},"fullDescription":{"text":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-693","external/cwe/cwe-1021"],"description":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.","id":"js/insecure-helmet-configuration","kind":"problem","name":"Insecure configuration of Helmet security middleware","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/jwt-missing-verification","name":"js/jwt-missing-verification","shortDescription":{"text":"JWT missing secret or public key verification"},"fullDescription":{"text":"The application does not verify the JWT payload with a cryptographic secret or public key."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"The application does not verify the JWT payload with a cryptographic secret or public key.","id":"js/jwt-missing-verification","kind":"problem","name":"JWT missing secret or public key verification","precision":"high","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/resource-exhaustion","name":"js/resource-exhaustion","shortDescription":{"text":"Resource exhaustion"},"fullDescription":{"text":"Allocating objects or timers with user-controlled 
sizes or durations can cause resource exhaustion."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-400","external/cwe/cwe-770"],"description":"Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.","id":"js/resource-exhaustion","kind":"path-problem","name":"Resource exhaustion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/missing-rate-limiting","name":"js/missing-rate-limiting","shortDescription":{"text":"Missing rate limiting"},"fullDescription":{"text":"An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-770","external/cwe/cwe-307","external/cwe/cwe-400"],"description":"An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.","id":"js/missing-rate-limiting","kind":"problem","name":"Missing rate limiting","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cors-misconfiguration-for-credentials","name":"js/cors-misconfiguration-for-credentials","shortDescription":{"text":"CORS misconfiguration for credentials transfer"},"fullDescription":{"text":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-346","external/cwe/cwe-639","external/cwe/cwe-942"],"description":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.","id":"js/cors-misconfiguration-for-credentials","kind":"path-problem","name":"CORS misconfiguration for credentials 
transfer","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/incomplete-sanitization","name":"js/incomplete-sanitization","shortDescription":{"text":"Incomplete string escaping or encoding"},"fullDescription":{"text":"A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.","id":"js/incomplete-sanitization","kind":"problem","name":"Incomplete string escaping or encoding","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/bad-tag-filter","name":"js/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116","external/cwe/cwe-184","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"js/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-html-expansion","name":"js/unsafe-html-expansion","shortDescription":{"text":"Unsafe expansion of self-closing HTML tag"},"fullDescription":{"text":"Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting 
vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using regular expressions to expand self-closing HTML\n tags may lead to cross-site scripting vulnerabilities.","id":"js/unsafe-html-expansion","kind":"problem","name":"Unsafe expansion of self-closing HTML tag","precision":"very-high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/incomplete-multi-character-sanitization","name":"js/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.","id":"js/incomplete-multi-character-sanitization","kind":"problem","name":"Incomplete multi-character sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/double-escaping","name":"js/double-escaping","shortDescription":{"text":"Double escaping or unescaping"},"fullDescription":{"text":"When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"When escaping special characters using a meta-character like backslash or\n ampersand, the meta-character has to be escaped first to avoid double-escaping,\n and conversely it has to be unescaped last to avoid 
double-unescaping.","id":"js/double-escaping","kind":"problem","name":"Double escaping or unescaping","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-html-attribute-sanitization","name":"js/incomplete-html-attribute-sanitization","shortDescription":{"text":"Incomplete HTML attribute sanitization"},"fullDescription":{"text":"Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"Writing incompletely sanitized values to HTML\n attribute strings can lead to a cross-site\n scripting vulnerability.","id":"js/incomplete-html-attribute-sanitization","kind":"path-problem","name":"Incomplete HTML attribute sanitization","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-polluting-assignment","name":"js/prototype-polluting-assignment","shortDescription":{"text":"Prototype-polluting assignment"},"fullDescription":{"text":"Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Modifying an object obtained via a user-controlled property name may\n lead to accidental mutation of the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-polluting-assignment","kind":"path-problem","name":"Prototype-polluting 
assignment","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-pollution","name":"js/prototype-pollution","shortDescription":{"text":"Prototype-polluting merge call"},"fullDescription":{"text":"Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Recursively merging a user-controlled object into another object\n can allow an attacker to modify the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-pollution","kind":"path-problem","name":"Prototype-polluting merge call","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/prototype-pollution-utility","name":"js/prototype-pollution-utility","shortDescription":{"text":"Prototype-polluting function"},"fullDescription":{"text":"Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Functions recursively assigning properties on objects may be\n the cause of accidental modification of a built-in prototype object.","id":"js/prototype-pollution-utility","kind":"path-problem","name":"Prototype-polluting function","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xml-bomb","name":"js/xml-bomb","shortDescription":{"text":"XML internal entity 
expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.","id":"js/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/clear-text-storage-of-sensitive-data","name":"js/clear-text-storage-of-sensitive-data","shortDescription":{"text":"Clear text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n attacker.","id":"js/clear-text-storage-of-sensitive-data","kind":"path-problem","name":"Clear text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-logging","name":"js/clear-text-logging","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n expose it to an attacker.","id":"js/clear-text-logging","kind":"path-problem","name":"Clear-text logging of sensitive 
information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/build-artifact-leak","name":"js/build-artifact-leak","shortDescription":{"text":"Storage of sensitive information in build artifact"},"fullDescription":{"text":"Including sensitive information in a build artifact can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Including sensitive information in a build artifact can\n expose it to an attacker.","id":"js/build-artifact-leak","kind":"path-problem","name":"Storage of sensitive information in build artifact","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/unvalidated-dynamic-method-call","name":"js/unvalidated-dynamic-method-call","shortDescription":{"text":"Unvalidated dynamic method call"},"fullDescription":{"text":"Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-754"],"description":"Calling a method with a user-controlled name may dispatch to\n an unexpected target, which could cause an exception.","id":"js/unvalidated-dynamic-method-call","kind":"path-problem","name":"Unvalidated dynamic method call","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/tainted-format-string","name":"js/tainted-format-string","shortDescription":{"text":"Use of externally-controlled format string"},"fullDescription":{"text":"Using external input in format strings can lead to garbled output."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Using external input in format strings can lead to garbled 
output.","id":"js/tainted-format-string","kind":"path-problem","name":"Use of externally-controlled format string","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/missing-token-validation","name":"js/missing-token-validation","shortDescription":{"text":"Missing CSRF middleware"},"fullDescription":{"text":"Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Using cookies without CSRF protection may allow malicious websites to\n submit requests on behalf of the user.","id":"js/missing-token-validation","kind":"problem","name":"Missing CSRF middleware","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/insecure-randomness","name":"js/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.","id":"js/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/insecure-dependency","name":"js/insecure-dependency","shortDescription":{"text":"Dependency download using unencrypted communication channel"},"fullDescription":{"text":"Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle 
attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-300","external/cwe/cwe-319","external/cwe/cwe-494","external/cwe/cwe-829"],"description":"Using unencrypted protocols to fetch dependencies can leave an application\n open to man-in-the-middle attacks.","id":"js/insecure-dependency","kind":"problem","name":"Dependency download using unencrypted communication channel","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/unsafe-deserialization","name":"js/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing user-controlled data may allow attackers to\n execute arbitrary code.","id":"js/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled data","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"js/regex-injection","name":"js/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to inject an expression that could require\n exponential time on certain inputs.","id":"js/regex-injection","kind":"path-problem","name":"Regular expression 
injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/server-crash","name":"js/server-crash","shortDescription":{"text":"Server crash"},"fullDescription":{"text":"A server that can be forced to crash may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-248","external/cwe/cwe-730"],"description":"A server that can be forced to crash may be vulnerable to denial-of-service\n attacks.","id":"js/server-crash","kind":"path-problem","name":"Server crash","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/client-exposed-cookie","name":"js/client-exposed-cookie","shortDescription":{"text":"Sensitive server cookie exposed to the client"},"fullDescription":{"text":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1004"],"description":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.","id":"js/client-exposed-cookie","kind":"problem","name":"Sensitive server cookie exposed to the client","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/zipslip","name":"js/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the 
destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"js/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/path-injection","name":"js/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n unexpected resources.","id":"js/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/type-confusion-through-parameter-tampering","name":"js/type-confusion-through-parameter-tampering","shortDescription":{"text":"Type confusion through parameter tampering"},"fullDescription":{"text":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-843"],"description":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type.","id":"js/type-confusion-through-parameter-tampering","kind":"path-problem","name":"Type confusion through parameter tampering","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/xxe","name":"js/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE 
attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.","id":"js/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/unnecessary-use-of-cat","name":"js/unnecessary-use-of-cat","shortDescription":{"text":"Unnecessary use of `cat` process"},"fullDescription":{"text":"Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","maintainability","external/cwe/cwe-078"],"description":"Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.","id":"js/unnecessary-use-of-cat","kind":"problem","name":"Unnecessary use of `cat` process","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/command-line-injection","name":"js/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"js/command-line-injection","kind":"path-problem","name":"Uncontrolled command 
line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/shell-command-constructed-from-input","name":"js/shell-command-constructed-from-input","shortDescription":{"text":"Unsafe shell command constructed from library input"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"js/shell-command-constructed-from-input","kind":"path-problem","name":"Unsafe shell command constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/second-order-command-line-injection","name":"js/second-order-command-line-injection","shortDescription":{"text":"Second order command injection"},"fullDescription":{"text":"Using user-controlled data as arguments to some commands, such as git clone, can allow arbitrary commands to be executed."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using user-controlled data as arguments to some commands, such as git clone,\n can allow arbitrary commands to be executed.","id":"js/second-order-command-line-injection","kind":"path-problem","name":"Second order command injection","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/shell-command-injection-from-environment","name":"js/shell-command-injection-from-environment","shortDescription":{"text":"Shell command built from environment values"},"fullDescription":{"text":"Building a shell command string with values from the enclosing environment may cause subtle bugs or 
vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Building a shell command string with values from the enclosing\n environment may cause subtle bugs or vulnerabilities.","id":"js/shell-command-injection-from-environment","kind":"path-problem","name":"Shell command built from environment values","precision":"high","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/xpath-injection","name":"js/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"js/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/insecure-download","name":"js/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.","id":"js/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"js/reflected-xss","name":"js/reflected-xss","shortDescription":{"text":"Reflected cross-site 
scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.","id":"js/reflected-xss","kind":"path-problem","name":"Reflected cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-dom","name":"js/xss-through-dom","shortDescription":{"text":"DOM text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-dom","kind":"path-problem","name":"DOM text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-jquery-plugin","name":"js/unsafe-jquery-plugin","shortDescription":{"text":"Unsafe jQuery plugin"},"fullDescription":{"text":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","frameworks/jquery"],"description":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","id":"js/unsafe-jquery-plugin","kind":"path-problem","name":"Unsafe jQuery plugin","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss","name":"js/xss","shortDescription":{"text":"Client-side cross-site 
scripting"},"fullDescription":{"text":"Writing user input directly to the DOM allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.","id":"js/xss","kind":"path-problem","name":"Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-exception","name":"js/xss-through-exception","shortDescription":{"text":"Exception text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-exception","kind":"path-problem","name":"Exception text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/html-constructed-from-input","name":"js/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.","id":"js/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library 
input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/stored-xss","name":"js/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.","id":"js/stored-xss","kind":"path-problem","name":"Stored cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/redos","name":"js/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.","id":"js/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/polynomial-redos","name":"js/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial 
time\n to match may be vulnerable to denial-of-service attacks.","id":"js/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/enabling-electron-insecure-content","name":"js/enabling-electron-insecure-content","shortDescription":{"text":"Enabling Electron allowRunningInsecureContent"},"fullDescription":{"text":"Enabling allowRunningInsecureContent can allow remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-494"],"description":"Enabling allowRunningInsecureContent can allow remote code execution.","id":"js/enabling-electron-insecure-content","kind":"problem","name":"Enabling Electron allowRunningInsecureContent","precision":"very-high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/disabling-electron-websecurity","name":"js/disabling-electron-websecurity","shortDescription":{"text":"Disabling Electron webSecurity"},"fullDescription":{"text":"Disabling webSecurity can cause critical security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-079"],"description":"Disabling webSecurity can cause critical security vulnerabilities.","id":"js/disabling-electron-websecurity","kind":"problem","name":"Disabling Electron webSecurity","precision":"very-high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/summary/lines-of-code","name":"js/summary/lines-of-code","shortDescription":{"text":"Total lines of JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. 
For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.","id":"js/summary/lines-of-code","kind":"metric","name":"Total lines of JavaScript and TypeScript code in the database"}},{"id":"js/summary/lines-of-user-code","name":"js/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of JavaScript and TypeScript code from the source code directory,\n excluding auto-generated files and files in `node_modules`. 
This query counts the lines of code, excluding\n whitespace or comments.","id":"js/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written JavaScript and TypeScript code in the database"}}]},"extensions":[{"name":"codeql/javascript-queries","semanticVersion":"2.2.0+117168d25bc05f8a5a313748687c56335ddf03e4","locations":[{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.15+117168d25bc05f8a5a313748687c56335ddf03e4","locations":[{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/javascript-all/2.6.15/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/javascript-all/2.6.15/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.35+117168d25bc05f8a5a313748687c56335ddf03e4","locations":[{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/threat-models/1.0.35/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/threat-models/1.0.35/qlpack.yml","description":{"text":"The QL pack definition 
file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"assets/svg/index.d.ts","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButton.d.ts","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButtons.d.ts","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Avatar.d.ts","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/Button.d.ts","uriBaseId":"%SRCROOT%","index":6}}}],"message":{"text":"
"},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/PrimaryButton.d.ts","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/SecondaryButton.d.ts","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/index.d.ts","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatBubble.d.ts","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatEvent.d.ts","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/MessageHeader.d.ts","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/TypingIndicator.d.ts","uriBaseId":"%SR
CROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/index.d.ts","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/Typography.d.ts","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/index.d.ts","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"index.d.ts","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"matcher.d.ts","uriBaseId":"%SRCROOT%","index":18}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/AdaptiveCards/components/Adaptivecard.d.ts","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/A
daptiveCards/index.d.ts","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Audio.d.ts","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Controls.d.ts","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/index.d.ts","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/DatePicker.d.ts","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/flatpickr-plugins/customElements.d.ts","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/helpers.d.ts","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""
}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/index.d.ts","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/File.d.ts","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/helper.d.ts","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/index.d.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/Gallery.d.ts","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/GalleryItem.d.ts","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/helper.d.ts","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"propertie
s":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/index.d.ts","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/Image.d.ts","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/ImageThumb.d.ts","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/context.d.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/hooks.d.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/index.d.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/Lightbox.d.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-e
xtracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/LightboxHeader.d.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/List.d.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/ListItem.d.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/index.d.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Message.d.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/StreamingTextAnimation.d.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/Text.d.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/index.d.ts","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/TextWithButtons.d.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/helper.d.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/Video.d.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/index.d.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Webchat3Event.d.ts","uriBaseId":"%SRCROOT%",
"index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/collation.d.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/context.d.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/hooks.d.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/index.d.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/live-region-helper.d.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/types.d.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/XAppSubmitMessage.d.ts","uriBaseId":"%
SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/index.d.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"sanitize.d.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"utils.d.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButton.d.ts","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButtons.d.ts","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/index.d.ts","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/Button.d.ts","uriBaseId":"
%SRCROOT%","index":6}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/index.d.ts","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/LightboxHeader.d.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/index.d.ts","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/DatePicker.d.ts","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/index.d.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Message.d.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"matcher.d.ts","uriBaseId":"%SRCROOT%","index":18
}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/helper.d.ts","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Controls.d.ts","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/index.d.ts","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/StreamingTextAnimation.d.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/Video.d.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/index.d.ts","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/index.d.ts","uriBaseId":"%SRCROOT%","index":48}}}],"messa
ge":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"sanitize.d.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/ListItem.d.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/PrimaryButton.d.ts","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/helpers.d.ts","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"index.d.ts","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Webchat3Event.d.ts","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/SecondaryButton.d.ts","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/List.d.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/index.d.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"assets/svg/index.d.ts","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/Image.d.ts","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/Text.d.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/XAppSubmitMessage.d.ts","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/basel
ine/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/context.d.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/Typography.d.ts","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/AdaptiveCards/index.d.ts","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/live-region-helper.d.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/GalleryItem.d.ts","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/hooks.d.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatEvent.d.ts","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expect
ed-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/TextWithButtons.d.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/index.d.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/index.d.ts","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/index.d.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/helper.d.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/AdaptiveCards/components/Adaptivecard.d.ts","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/flatpickr-plugins/customElements.d.ts","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""
},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/index.d.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/helper.d.ts","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/collation.d.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/index.d.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/MessageHeader.d.ts","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatBubble.d.ts","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"utils.d.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expect
ed-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/TypingIndicator.d.ts","uriBaseId":"%SRCROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/File.d.ts","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/context.d.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/Gallery.d.ts","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/Lightbox.d.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Audio.d.ts","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/base
line/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/ImageThumb.d.ts","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Avatar.d.ts","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/hooks.d.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/types.d.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Mac OS X (aarch64; 26.1) platform.","markdown":"On the Mac OS X (aarch64; 26.1) platform."},"level":"none","timeUtc":"2025-11-28T18:48:23.028040Z","descriptor":{"id":"cli/platform","index":3},"properties":{"attributes":{"arch":"aarch64","name":"Mac OS 
X","version":"26.1"},"visibility":{"statusPage":false,"telemetry":true}}},{"message":{"text":""},"level":"note","timeUtc":"2025-11-28T18:48:23.055697Z","descriptor":{"id":"cli/sip-enablement","index":4},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"assets/svg/index.d.ts","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"common/ActionButtons/ActionButton.d.ts","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"common/ActionButtons/ActionButtons.d.ts","uriBaseId":"%SRCROOT%","index":3}},{"location":{"uri":"common/ActionButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":4}},{"location":{"uri":"common/Avatar.d.ts","uriBaseId":"%SRCROOT%","index":5}},{"location":{"uri":"common/Buttons/Button.d.ts","uriBaseId":"%SRCROOT%","index":6}},{"location":{"uri":"common/Buttons/PrimaryButton.d.ts","uriBaseId":"%SRCROOT%","index":7}},{"location":{"uri":"common/Buttons/SecondaryButton.d.ts","uriBaseId":"%SRCROOT%","index":8}},{"location":{"uri":"common/Buttons/index.d.ts","uriBaseId":"%SRCROOT%","index":9}},{"location":{"uri":"common/ChatBubble.d.ts","uriBaseId":"%SRCROOT%","index":10}},{"location":{"uri":"common/ChatEvent.d.ts","uriBaseId":"%SRCROOT%","index":11}},{"location":{"uri":"common/MessageHeader.d.ts","uriBaseId":"%SRCROOT%","index":12}},{"location":{"uri":"common/TypingIndicator/TypingIndicator.d.ts","uriBaseId":"%SRCROOT%","index":13}},{"location":{"uri":"common/TypingIndicator/index.d.ts","uriBaseId":"%SRCROOT%","index":14}},{"location":{"uri":"common/Typography/Typography.d.ts","uriBaseId":"%SRCROOT%","index":15}},{"location":{"uri":"common/Typography/index.d.ts","uriBaseId":"%SRCROOT%","index":16}},{"location":{"uri":"index.d.ts","uriBaseId":"%SRCROOT%","index":17}},{"location":{"uri":"matcher.d.ts","uriBaseId":"%SRCROOT%","index":18}},{"location":{"uri":"messages/Adap
tiveCards/components/Adaptivecard.d.ts","uriBaseId":"%SRCROOT%","index":19}},{"location":{"uri":"messages/AdaptiveCards/index.d.ts","uriBaseId":"%SRCROOT%","index":20}},{"location":{"uri":"messages/Audio/Audio.d.ts","uriBaseId":"%SRCROOT%","index":21}},{"location":{"uri":"messages/Audio/Controls.d.ts","uriBaseId":"%SRCROOT%","index":22}},{"location":{"uri":"messages/Audio/index.d.ts","uriBaseId":"%SRCROOT%","index":23}},{"location":{"uri":"messages/DatePicker/DatePicker.d.ts","uriBaseId":"%SRCROOT%","index":24}},{"location":{"uri":"messages/DatePicker/flatpickr-plugins/customElements.d.ts","uriBaseId":"%SRCROOT%","index":25}},{"location":{"uri":"messages/DatePicker/helpers.d.ts","uriBaseId":"%SRCROOT%","index":26}},{"location":{"uri":"messages/DatePicker/index.d.ts","uriBaseId":"%SRCROOT%","index":27}},{"location":{"uri":"messages/File/File.d.ts","uriBaseId":"%SRCROOT%","index":28}},{"location":{"uri":"messages/File/helper.d.ts","uriBaseId":"%SRCROOT%","index":29}},{"location":{"uri":"messages/File/index.d.ts","uriBaseId":"%SRCROOT%","index":30}},{"location":{"uri":"messages/Gallery/Gallery.d.ts","uriBaseId":"%SRCROOT%","index":31}},{"location":{"uri":"messages/Gallery/GalleryItem.d.ts","uriBaseId":"%SRCROOT%","index":32}},{"location":{"uri":"messages/Gallery/helper.d.ts","uriBaseId":"%SRCROOT%","index":33}},{"location":{"uri":"messages/Gallery/index.d.ts","uriBaseId":"%SRCROOT%","index":34}},{"location":{"uri":"messages/Image/Image.d.ts","uriBaseId":"%SRCROOT%","index":35}},{"location":{"uri":"messages/Image/ImageThumb.d.ts","uriBaseId":"%SRCROOT%","index":36}},{"location":{"uri":"messages/Image/context.d.ts","uriBaseId":"%SRCROOT%","index":37}},{"location":{"uri":"messages/Image/hooks.d.ts","uriBaseId":"%SRCROOT%","index":38}},{"location":{"uri":"messages/Image/index.d.ts","uriBaseId":"%SRCROOT%","index":39}},{"location":{"uri":"messages/Image/lightbox/Lightbox.d.ts","uriBaseId":"%SRCROOT%","index":40}},{"location":{"uri":"messages/Image/lightbox/LightboxHeader.d.
ts","uriBaseId":"%SRCROOT%","index":41}},{"location":{"uri":"messages/List/List.d.ts","uriBaseId":"%SRCROOT%","index":42}},{"location":{"uri":"messages/List/ListItem.d.ts","uriBaseId":"%SRCROOT%","index":43}},{"location":{"uri":"messages/List/index.d.ts","uriBaseId":"%SRCROOT%","index":44}},{"location":{"uri":"messages/Message.d.ts","uriBaseId":"%SRCROOT%","index":45}},{"location":{"uri":"messages/Text/StreamingTextAnimation.d.ts","uriBaseId":"%SRCROOT%","index":46}},{"location":{"uri":"messages/Text/Text.d.ts","uriBaseId":"%SRCROOT%","index":47}},{"location":{"uri":"messages/Text/index.d.ts","uriBaseId":"%SRCROOT%","index":48}},{"location":{"uri":"messages/TextWithButtons/TextWithButtons.d.ts","uriBaseId":"%SRCROOT%","index":49}},{"location":{"uri":"messages/TextWithButtons/helper.d.ts","uriBaseId":"%SRCROOT%","index":50}},{"location":{"uri":"messages/TextWithButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":51}},{"location":{"uri":"messages/Video/Video.d.ts","uriBaseId":"%SRCROOT%","index":52}},{"location":{"uri":"messages/Video/index.d.ts","uriBaseId":"%SRCROOT%","index":53}},{"location":{"uri":"messages/Webchat3Event.d.ts","uriBaseId":"%SRCROOT%","index":54}},{"location":{"uri":"messages/collation.d.ts","uriBaseId":"%SRCROOT%","index":55}},{"location":{"uri":"messages/context.d.ts","uriBaseId":"%SRCROOT%","index":56}},{"location":{"uri":"messages/hooks.d.ts","uriBaseId":"%SRCROOT%","index":57}},{"location":{"uri":"messages/index.d.ts","uriBaseId":"%SRCROOT%","index":58}},{"location":{"uri":"messages/live-region-helper.d.ts","uriBaseId":"%SRCROOT%","index":59}},{"location":{"uri":"messages/types.d.ts","uriBaseId":"%SRCROOT%","index":60}},{"location":{"uri":"messages/xApp/XAppSubmitMessage.d.ts","uriBaseId":"%SRCROOT%","index":61}},{"location":{"uri":"messages/xApp/index.d.ts","uriBaseId":"%SRCROOT%","index":62}},{"location":{"uri":"sanitize.d.ts","uriBaseId":"%SRCROOT%","index":63}},{"location":{"uri":"utils.d.ts","uriBaseId":"%SRCROOT%","index":64}}],"results"
:[{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":28357,"startColumn":15,"endColumn":28}}}],"partialFingerprints":{"primaryLocationLineHash":"d783b49e064e724b:1","primaryLocationStartColumnFingerprint":"8"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":33840,"startColumn":42,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"5795dfd5075d3091:1","primaryLocationStartColumnFingerprint":"37"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":33889,"startColumn":48,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"3c4ca60d3a732b28:1","primaryLocationStartColumnFingerprint":"43"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the 
input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":33984,"startColumn":46,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"49735ba19183e7df:1","primaryLocationStartColumnFingerprint":"41"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":35327,"startColumn":14,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"2c4a74ba84ab2cf8:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This replaces only the first occurrence of \"\\\\\"."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43703,"startColumn":11,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"c3e6ee013706602f:1","primaryLocationStartColumnFingerprint":"0"}}],"newlineSequences":["\r\n","\n","
","
"],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"js/summary/lines-of-code","index":84},"ruleId":"js/summary/lines-of-code","ruleIndex":84,"value":80806},{"rule":{"id":"js/summary/lines-of-user-code","index":85},"ruleId":"js/summary/lines-of-user-code","ruleIndex":85,"value":907,"baseline":907}]}}]} \ No newline at end of file diff --git a/package.json b/package.json index 2159b6c..25d0152 100644 --- a/package.json +++ b/package.json @@ -15,13 +15,16 @@ ], "scripts": { "dev": "vite --host", - "build": "tsc && vite build", + "build": "tsc && vite build && node scripts/postbuild-secure-patch.mjs", "lint": "eslint . --ext ts,tsx --report-unused-disable-directives", "preview": "vite preview", "prepack": "npm run build", "test": "vitest run", "test:web-ui": "vitest --ui", - "test:watch": "vitest" + "test:watch": "vitest", + "codeql:scan": "rm -rf node_modules && npm ci --omit=dev && codeql database create --overwrite codeql-db --language=typescript-javascript --source-root=. --codescanning-config=codeql-config.yml && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results.sarif --threads=0", + "codeql:scan:dist": "npm ci && npm run build && rm -rf node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0", + "postbuild:secure": "node scripts/postbuild-secure-patch.mjs" }, "devDependencies": { "@cognigy/socket-client": "5.0.0-beta.20", diff --git a/scripts/codeql-scan.sh b/scripts/codeql-scan.sh new file mode 100644 index 0000000..cfc213f --- /dev/null +++ b/scripts/codeql-scan.sh 
@@ -0,0 +1,218 @@ +#!/usr/bin/env bash +# +# Local CodeQL scan script for the Chat Components TypeScript + Vite library. +# +# This script: +# 1. Ensures dependencies are installed (npm ci) unless skipped. +# 2. Optionally prunes noisy folders inside node_modules to reduce DB size. +# 3. Creates (or re-creates) a CodeQL database using codeql-config.yml. +# 4. Analyzes the database with the standard JavaScript code scanning suite +# plus extended security & quality queries defined in the config file. +# 5. Produces a SARIF report you can open in VS Code (SARIF Viewer) or upload. +# +# Prerequisites: +# - CodeQL CLI installed and available in PATH (https://github.com/github/codeql-cli-binaries) +# - Node.js matching engines spec in package.json (>=22.1.0) +# +# Usage examples: +# ./scripts/codeql-scan.sh +# BUILD=false PRUNE=false ./scripts/codeql-scan.sh +# CODEQL=/opt/codeql/codeql DB_DIR=custom-db ./scripts/codeql-scan.sh +# +# Common environment variable overrides: +# CODEQL Path to CodeQL CLI (default: codeql) +# DB_DIR Database output directory (default: codeql-db) +# RESULTS SARIF output file (default: codeql-results.sarif) +# CONFIG_FILE CodeQL config file (default: codeql-config.yml) +# LANGUAGE Language for extraction (default: javascript) +# BUILD If "true", run npm run build for the create step (default: true) +# INSTALL_DEPS If "true", run npm ci first (default: true) +# PRUNE If "true", remove certain large/noisy folders from node_modules (default: true) +# CLEAN If "true", delete existing DB + SARIF before running (default: true) +# EXTRA_QUERIES Space-separated extra .ql or .qls files/packs to run (default: none) +# THREADS Threads for analysis (default: 0 -> use all cores) +# VERBOSE If "true", enable bash xtrace for debugging (default: false) +# +# Exit codes: +# 0 success +# 1 general error +# 2 missing prerequisite (CodeQL or Node) +# 3 failed database creation +# 4 failed analysis +# 5 config file missing +# + +set -euo pipefail + +# -- 
Configuration defaults ---------------------------------------------------- +CODEQL="${CODEQL:-codeql}" +DB_DIR="${DB_DIR:-codeql-db}" +RESULTS="${RESULTS:-codeql-results.sarif}" +CONFIG_FILE="${CONFIG_FILE:-codeql-config.yml}" +LANGUAGE="${LANGUAGE:-javascript}" +BUILD="${BUILD:-true}" +INSTALL_DEPS="${INSTALL_DEPS:-true}" +PRUNE="${PRUNE:-true}" +CLEAN="${CLEAN:-true}" +EXTRA_QUERIES="${EXTRA_QUERIES:-}" +THREADS="${THREADS:-0}" +VERBOSE="${VERBOSE:-false}" + +# ------------------------------------------------------------------------------ +usage() { + cat <<'EOF' +Local CodeQL scan for Chat Components. + +Options (environment variables): + CODEQL=/path/to/codeql Override CodeQL CLI path + DB_DIR=dir Database directory name + RESULTS=report.sarif SARIF output file + CONFIG_FILE=codeql-config.yml CodeQL config file + LANGUAGE=javascript Extraction language (JS covers TS) + BUILD=true|false Run npm run build before extraction + INSTALL_DEPS=true|false Run npm ci before build + PRUNE=true|false Remove large/noisy dirs in node_modules + CLEAN=true|false Remove existing DB & SARIF before run + EXTRA_QUERIES="file.ql pack.qls" Additional queries/packs to run + THREADS=0 Threads for analysis (0 = all) + VERBOSE=true|false Bash debug output + +Examples: + ./scripts/codeql-scan.sh + BUILD=false PRUNE=false ./scripts/codeql-scan.sh + EXTRA_QUERIES="codeql/javascript-queries:Suspicious" ./scripts/codeql-scan.sh + +EOF +} + +if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then + usage + exit 0 +fi + +if [[ "$VERBOSE" == "true" ]]; then + set -x +fi + +echo "[*] CodeQL scan starting..." + +# -- Prerequisite checks ------------------------------------------------------- +if ! command -v node >/dev/null 2>&1; then + echo "[!] Node.js not found in PATH." >&2 + exit 2 +fi + +if ! command -v "$CODEQL" >/dev/null 2>&1; then + echo "[!] CodeQL CLI '$CODEQL' not found in PATH." 
>&2 + echo " Install from: https://github.com/github/codeql-cli-binaries" >&2 + exit 2 +fi + +# Confirm config exists +if [[ ! -f "$CONFIG_FILE" ]]; then + echo "[!] Config file '$CONFIG_FILE' not found. Expected at project root." >&2 + exit 5 +fi + +# Show basic versions +NODE_VERSION=$(node --version || echo "unknown") +CODEQL_VERSION=$("$CODEQL" version || echo "unknown") +echo "[*] Node version: $NODE_VERSION" +echo "[*] CodeQL version: $CODEQL_VERSION" + +# -- Optional dependency install ----------------------------------------------- +if [[ "$INSTALL_DEPS" == "true" ]]; then + echo "[*] Installing dependencies (npm ci)..." + npm ci +else + echo "[*] Skipping dependency installation." +fi + +# -- Optional build step ------------------------------------------------------- +BUILD_CMD="true" +if [[ "$BUILD" == "true" ]]; then + echo "[*] Running build (npm run build)..." + npm run build + BUILD_CMD="npm run build" +else + echo "[*] Skipping build step (using 'true' as command)." +fi + +# -- Optional pruning inside node_modules -------------------------------------- +if [[ "$PRUNE" == "true" ]]; then + echo "[*] Pruning selected folders in node_modules to reduce DB size..." + # Only prune if directory exists + if [[ -d node_modules ]]; then + # Remove common large/noisy directories (leave -prune so traversal is cheaper) + find node_modules -type d \( \ + -name coverage -o -name dist -o -name build -o -name lib -o \ + -name examples -o -name example -o -name tests -o -name test -o \ + -name __tests__ -o -name fixtures -o -name benchmark -o -name bench \ + \) -prune -exec rm -rf {} + 2>/dev/null || true + else + echo "[!] node_modules not present; skipping prune." + fi +else + echo "[*] Skipping prune." +fi + +# -- Clean previous artifacts -------------------------------------------------- +if [[ "$CLEAN" == "true" ]]; then + echo "[*] Removing previous database ($DB_DIR) and SARIF ($RESULTS) if they exist..." 
+ rm -rf "$DB_DIR" "$RESULTS" +else + echo "[*] CLEAN=false: preserving existing database/results if present." +fi + +# -- Database creation --------------------------------------------------------- +echo "[*] Creating CodeQL database..." +set +e +"$CODEQL" database create "$DB_DIR" \ + --language="$LANGUAGE" \ + --source-root="." \ + --codescanning-config="$CONFIG_FILE" \ + --command="$BUILD_CMD" +CREATE_EXIT=$? +set -e + +if [[ $CREATE_EXIT -ne 0 ]]; then + echo "[!] Database creation failed (exit code $CREATE_EXIT)." >&2 + exit 3 +fi +echo "[*] Database created at $DB_DIR" + +# -- Query suite construction -------------------------------------------------- +QUERY_SUITE="javascript-code-scanning.qls" +ANALYZE_ARGS=("$DB_DIR" "$QUERY_SUITE") + +# Always leverage config queries (security-extended & security-and-quality) +# EXTRA_QUERIES appended if provided. +if [[ -n "$EXTRA_QUERIES" ]]; then + echo "[*] Adding extra queries/packs: $EXTRA_QUERIES" + # Split on spaces + read -r -a EXTRA_ARRAY <<<"$EXTRA_QUERIES" + ANALYZE_ARGS+=("${EXTRA_ARRAY[@]}") +fi + +# -- Analysis ------------------------------------------------------------------ +echo "[*] Analyzing database (threads=$THREADS)..." +set +e +"$CODEQL" database analyze "${ANALYZE_ARGS[@]}" \ + --format=sarifv2.1.0 \ + --output="$RESULTS" \ + --threads="$THREADS" +ANALYZE_EXIT=$? +set -e + +if [[ $ANALYZE_EXIT -ne 0 ]]; then + echo "[!] Analysis failed (exit code $ANALYZE_EXIT)." >&2 + exit 4 +fi +echo "[*] Analysis complete. SARIF report: $RESULTS" + +# -- Metadata summary ---------------------------------------------------------- +echo "[*] Database metadata (source file counts):" +"$CODEQL" database print-metadata "$DB_DIR" | grep -E '"sourceFiles"|language' || true + +echo "[*] Done." +exit 0 diff --git a/scripts/postbuild-secure-patch.mjs b/scripts/postbuild-secure-patch.mjs new file mode 100644 index 0000000..cc14da7 --- /dev/null +++ b/scripts/postbuild-secure-patch.mjs 
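Review bot: With the default `PRUNE=true`, the `find ... -exec rm -rf` deletes every `lib`, `dist` and `build` directory under node_modules, and that runs before `codeql database create --command="$BUILD_CMD"`, so when `BUILD=true` the build that CodeQL traces executes against packages whose entry points were just removed and will most likely fail with exit code 3; those directories are also where dependencies ship the code the header says you want scanned, and `codeql-config.yml` already excludes them from extraction. I'd drop the `-name dist -o -name build -o -name lib -o` terms and keep pruning to tests, fixtures, docs and examples, e.g. `-name coverage -o -name examples -o -name example -o -name tests -o -name test -o \`. The `2>/dev/null || true` on that `find` also hides permission or path errors, so a partially pruned tree is reported as success. Separately, the header comment says the config file's security-extended queries are applied, but `database analyze` is given the bare `javascript-code-scanning.qls` suite explicitly, which as far as I can tell takes precedence over the config's query list; either pass the suite the way `package.json` does (`codeql/javascript-queries`) or omit the explicit suite and let the config drive query selection — worth confirming against the CLI version in use.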
@@ -0,0 +1,187 @@
+/**
+ * Post-build secure patch script.
+ *
+ * Goal:
+ * Apply targeted string replacements to the compiled bundle(s) in the `dist` directory
+ * to harden against CodeQL issues we selected.
+ *
+ * This script is intentionally conservative: it only performs textual rewrites that
+ * are:
+ * - Idempotent (safe to run multiple times)
+ * - Narrowly scoped to patterns indicated by the scan results
+ * - Logged, with a summary of applied changes
+ *
+ * Targeted patches applied:
+ *
+ * 1. js/incomplete-sanitization:
+ * - Promote single-occurrence < / > replacements to global form
+ * - Promote single-occurrence backslash replacements to global form
+ * - Ensure class selector utility additionally globally escapes backslashes
+ *
+ * 2. js/overly-large-range:
+ * - Replace suspicious character class `[!#$&-;=?-Z_a-z~]` with explicit enumeration `[!#$&'()*+,\\-./0-9:;=?@A-Z_a-z~]`
+ *
+ * 3. js/incomplete-hostname-regexp:
+ * - Escape literal dots in YouTube URL regex (`(?:www.)?youtube.com` => `(?:www\\.)?youtube\\.com`)
+ *
+ * NOTE: If future CodeQL results add more patterns, extend PATCH_RULES below.
+ */
+
+import { promises as fs } from "fs";
+import path from "path";
+import process from "process";
+
+const DIST_DIR = path.resolve(process.cwd(), "dist");
+
+async function listDistFiles() {
+ let entries;
+ try {
+ entries = await fs.readdir(DIST_DIR, { withFileTypes: true });
+ } catch (e) {
+ console.error(`[secure-patch] Unable to read dist directory: ${DIST_DIR}`, e);
+ process.exitCode = 1;
+ return [];
+ }
+ return entries
+ .filter(d => d.isFile() && /\.(m?js|cjs|jsbundle)$/.test(d.name))
+ .map(d => path.join(DIST_DIR, d.name));
+}
+
+const PATCH_RULES = [
+ {
+ id: "sanitize-angle-brackets",
+ description: "Promote single-occurrence < or > replacements to global form",
+ apply: content => ({
+ updated: content
+ .replace(/\.replace\('<','<'\)/g, '.replace(/','>'\)/g, '.replace(/>/g,">")')
+ .replace(/\.replace\(">", ">"\)/g, '.replace(/>/g,">")'),
+ }),
+ },
+ {
+ id: "sanitize-backslash-single",
+ description: "Promote single-occurrence backslash replacement to global form",
+ apply: content => ({
+ updated: content.replace(
+ /\.replace\(['"]\\\\['"],\s*(['"])([^'"]+?)\1\)/g,
+ (_match, quote, inner) => `.replace(/\\\\/g,${quote}${inner}${quote})`,
+ ),
+ }),
+ },
+ {
+ id: "classes-to-selector-backslash-escape",
+ description: "Ensure classes-to-selector escapes backslashes globally",
+ apply: content => {
+ const selectorPattern =
+ /\.trim\(\)\.replace\(\(\/\(\[\\.:!\+\/()\[\]\]\)\/g,'\\\$1'\)\.replace\(\/ \/g,'\.'\)/;
+ if (
+ selectorPattern.test(content) &&
+ !/\.replace\(\/\\\\\/g,'\\\\\\\\'\)/.test(content)
+ ) {
+ return {
+ updated: content.replace(
+ selectorPattern,
+ m => m + ".replace(/\\\\/g,'\\\\\\\\')",
+ ),
+ };
+ }
+ return { updated: content };
+ },
+ },
+ {
+ id: "micromark-overly-large-range",
+ description: "Replace overly large character class range with explicit enumeration",
+ apply: content => ({
+ updated: content.replace(/\[!#\$&-;=\?-Z_a-z~\]/g, () => "[!#$&'()*+,\\-./0-9:;=?@A-Z_a-z~]"),
+ }),
+ },
+ {
+ id: "youtube-host-regex",
+ description: "Escape dot before youtube.com inside URL regex patterns",
+ apply: content => ({
+ updated: content.replace(/\(\?:www\.\)\?youtube\.com/g, "(?:www\\.)?youtube\\.com"),
+ }),
+ },
+];
+
+async function applyPatchesToFile(filePath) {
+ let original;
+ try {
+ original = await fs.readFile(filePath, "utf8");
+ } catch (e) {
+ console.error(`[secure-patch] Failed to read ${filePath}`, e);
+ return { filePath, changed: false, applied: [], error: e };
+ }
+ let content = original;
+ const applied = [];
+ for (const rule of PATCH_RULES) {
+ const before = content;
+ const { updated } = rule.apply(content);
+ if (updated !== before) {
+ content = updated;
+ applied.push(rule.id);
+ }
+ }
+ if (applied.length) {
+ try {
+ await fs.writeFile(filePath, content, "utf8");
+ } catch (e) {
+ console.error(`[secure-patch] Failed to write ${filePath}`, e);
+ return { filePath, changed: false, applied: [], error: e };
+ }
+ return { filePath, changed: true, applied };
+ }
+ return { filePath, changed: false, applied: [] };
+}
+
+async function main() {
+ console.log("[secure-patch] Starting post-build security patching...");
+ const files = await listDistFiles();
+ if (!files.length) {
+ console.warn("[secure-patch] No distributable JS files found; nothing to patch.");
+ return;
+ }
+ const results = [];
+ for (const f of files) {
+ const res = await applyPatchesToFile(f);
+ results.push(res);
+ }
+
+ const summary = {
+ totalFiles: files.length,
+ changedFiles: results.filter(r => r.changed).length,
+ unchangedFiles: results.filter(r => !r.changed).length,
+ ruleUsage: {},
+ };
+ for (const r of results) {
+ for (const id of r.applied) {
+ summary.ruleUsage[id] = (summary.ruleUsage[id] || 0) + 1;
+ }
+ }
+
+ console.log("[secure-patch] Patch summary:");
+ console.log(JSON.stringify(summary, null, 2));
+
+ for (const r of results) {
+ if (r.changed) {
+ console.log(` [+] ${r.filePath} => applied: ${r.applied.join(", ")}`);
+ } else {
+
console.log(` [=] ${r.filePath} (no changes)`); + } + } + + // Non-zero exit code only on IO errors. + if (results.some(r => r.error)) { + process.exitCode = 1; + } +} + +if (import.meta.url === `file://${process.argv[1]}`) { + main().catch(err => { + console.error("[secure-patch] Uncaught error:", err); + process.exitCode = 1; + }); +} + +export {}; // Ensure this remains an ES module. From 7680cf66d0998e0530d8609f1de5a5feb6fc5724 Mon Sep 17 00:00:00 2001 From: Dmitrii Ostasevich Date: Tue, 2 Dec 2025 06:47:41 +0100 Subject: [PATCH 03/13] fix eslint warnings --- scripts/postbuild-secure-patch.mjs | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/scripts/postbuild-secure-patch.mjs b/scripts/postbuild-secure-patch.mjs index cc14da7..c29e1cf 100644 --- a/scripts/postbuild-secure-patch.mjs +++ b/scripts/postbuild-secure-patch.mjs @@ -1,3 +1,4 @@ +/* eslint-env node */ /** * Post-build secure patch script. * @@ -27,9 +28,10 @@ * NOTE: If future CodeQL results add more patterns, extend PATCH_RULES below. */ -import { promises as fs } from "fs"; -import path from "path"; -import process from "process"; +import { promises as fs } from "node:fs"; +import path from "node:path"; +import process from "node:process"; +import console from "node:console"; const DIST_DIR = path.resolve(process.cwd(), "dist"); @@ -93,7 +95,10 @@ const PATCH_RULES = [ id: "micromark-overly-large-range", description: "Replace overly large character class range with explicit enumeration", apply: content => ({ - updated: content.replace(/\[!#\$&-;=\?-Z_a-z~\]/g, () => "[!#$&'()*+,\\-./0-9:;=?@A-Z_a-z~]"), + updated: content.replace( + /\[!#\$&-;=\?-Z_a-z~\]/g, + () => "[!#$&'()*+,\\-./0-9:;=?@A-Z_a-z~]", + ), }), }, { From 1d47fa37720da03c129f61d91dee53ae1724b459 Mon Sep 17 00:00:00 2001 
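Review bot: main() finishes with exit code 0 when a rule matches nowhere (`// Non-zero exit code only on IO errors.`), so a sanitizer-hardening rewrite silently disappears the moment the bundler's output changes shape (quoting, whitespace, minifier choices), and nothing in CI notices. The `classes-to-selector-backslash-escape` rule shows how easily that happens: in its `selectorPattern` literal the unescaped `()` is an empty capturing group and `\(\(` requires two consecutive `(` after `.replace`, so the pattern can only match a character class with no literal parentheses, which does not fit the selector-escaping code the rule's name describes; whether it ever matches the emitted bundle cannot be confirmed here, but if it does not, the script still reports success. The entry guard `import.meta.url === \`file://${process.argv[1]}\`` has the same failure mode: a path that percent-encodes differently as a URL (spaces, Windows drive letters) makes the comparison false, main() never runs, and the build still passes; comparing against `pathToFileURL(process.argv[1]).href` from `node:url` would be robust. Rewriting third-party code inside `dist` (the micromark range and the YouTube host regex) also leaves the shipped bundle differing from `node_modules` with no record in the dependency itself, so where those are upstream findings a source-level patch is easier to audit. I would record zero-hit rules in the summary and fail the build on them (updating the exit-code comment accordingly), e.g. after the ruleUsage loop:
```javascript
  // … unchanged: summary / ruleUsage accumulation …
  const unusedRules = PATCH_RULES.filter(rule => !summary.ruleUsage[rule.id]);
  if (unusedRules.length) {
    console.warn(`[secure-patch] Rules that matched nothing: ${unusedRules.map(r => r.id).join(", ")}`);
    process.exitCode = 1;
  }
  // … unchanged: per-file logging and IO-error exit code …
```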
From: Dmitrii Ostasevich Date: Tue, 2 Dec 2025 06:48:46 +0100 Subject: [PATCH 04/13] remove unused script --- scripts/codeql-scan.sh | 218 ----------------------------------------- 1 file changed, 218 deletions(-) delete mode 100644 scripts/codeql-scan.sh diff --git a/scripts/codeql-scan.sh b/scripts/codeql-scan.sh deleted file mode 100644 index cfc213f..0000000 --- a/scripts/codeql-scan.sh +++ /dev/null 
@@ -1,218 +0,0 @@ -#!/usr/bin/env bash -# -# Local CodeQL scan script for the Chat Components TypeScript + Vite library. -# -# This script: -# 1. Ensures dependencies are installed (npm ci) unless skipped. -# 2. Optionally prunes noisy folders inside node_modules to reduce DB size. -# 3. Creates (or re-creates) a CodeQL database using codeql-config.yml. -# 4. Analyzes the database with the standard JavaScript code scanning suite -# plus extended security & quality queries defined in the config file. -# 5. Produces a SARIF report you can open in VS Code (SARIF Viewer) or upload. -# -# Prerequisites: -# - CodeQL CLI installed and available in PATH (https://github.com/github/codeql-cli-binaries) -# - Node.js matching engines spec in package.json (>=22.1.0) -# -# Usage examples: -# ./scripts/codeql-scan.sh -# BUILD=false PRUNE=false ./scripts/codeql-scan.sh -# CODEQL=/opt/codeql/codeql DB_DIR=custom-db ./scripts/codeql-scan.sh -# -# Common environment variable overrides: -# CODEQL Path to CodeQL CLI (default: codeql) -# DB_DIR Database output directory (default: codeql-db) -# RESULTS SARIF output file (default: codeql-results.sarif) -# CONFIG_FILE CodeQL config file (default: codeql-config.yml) -# LANGUAGE Language for extraction (default: javascript) -# BUILD If "true", run npm run build for the create step (default: true) -# INSTALL_DEPS If "true", run npm ci first (default: true) -# PRUNE If "true", remove certain large/noisy folders from node_modules (default: true) -# CLEAN If "true", delete existing DB + SARIF before running (default: true) -# EXTRA_QUERIES Space-separated extra .ql or .qls files/packs to run (default: none) -# THREADS Threads for analysis (default: 0 -> use all cores) -# VERBOSE If "true", enable bash xtrace for debugging (default: false) -# -# Exit codes: -# 0 success -# 1 general error -# 2 missing prerequisite (CodeQL or Node) -# 3 failed database creation -# 4 failed analysis -# 5 config file missing -# - -set -euo pipefail - -# -- 
Configuration defaults ---------------------------------------------------- -CODEQL="${CODEQL:-codeql}" -DB_DIR="${DB_DIR:-codeql-db}" -RESULTS="${RESULTS:-codeql-results.sarif}" -CONFIG_FILE="${CONFIG_FILE:-codeql-config.yml}" -LANGUAGE="${LANGUAGE:-javascript}" -BUILD="${BUILD:-true}" -INSTALL_DEPS="${INSTALL_DEPS:-true}" -PRUNE="${PRUNE:-true}" -CLEAN="${CLEAN:-true}" -EXTRA_QUERIES="${EXTRA_QUERIES:-}" -THREADS="${THREADS:-0}" -VERBOSE="${VERBOSE:-false}" - -# ------------------------------------------------------------------------------ -usage() { - cat <<'EOF' -Local CodeQL scan for Chat Components. - -Options (environment variables): - CODEQL=/path/to/codeql Override CodeQL CLI path - DB_DIR=dir Database directory name - RESULTS=report.sarif SARIF output file - CONFIG_FILE=codeql-config.yml CodeQL config file - LANGUAGE=javascript Extraction language (JS covers TS) - BUILD=true|false Run npm run build before extraction - INSTALL_DEPS=true|false Run npm ci before build - PRUNE=true|false Remove large/noisy dirs in node_modules - CLEAN=true|false Remove existing DB & SARIF before run - EXTRA_QUERIES="file.ql pack.qls" Additional queries/packs to run - THREADS=0 Threads for analysis (0 = all) - VERBOSE=true|false Bash debug output - -Examples: - ./scripts/codeql-scan.sh - BUILD=false PRUNE=false ./scripts/codeql-scan.sh - EXTRA_QUERIES="codeql/javascript-queries:Suspicious" ./scripts/codeql-scan.sh - -EOF -} - -if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then - usage - exit 0 -fi - -if [[ "$VERBOSE" == "true" ]]; then - set -x -fi - -echo "[*] CodeQL scan starting..." - -# -- Prerequisite checks ------------------------------------------------------- -if ! command -v node >/dev/null 2>&1; then - echo "[!] Node.js not found in PATH." >&2 - exit 2 -fi - -if ! command -v "$CODEQL" >/dev/null 2>&1; then - echo "[!] CodeQL CLI '$CODEQL' not found in PATH." 
>&2 - echo " Install from: https://github.com/github/codeql-cli-binaries" >&2 - exit 2 -fi - -# Confirm config exists -if [[ ! -f "$CONFIG_FILE" ]]; then - echo "[!] Config file '$CONFIG_FILE' not found. Expected at project root." >&2 - exit 5 -fi - -# Show basic versions -NODE_VERSION=$(node --version || echo "unknown") -CODEQL_VERSION=$("$CODEQL" version || echo "unknown") -echo "[*] Node version: $NODE_VERSION" -echo "[*] CodeQL version: $CODEQL_VERSION" - -# -- Optional dependency install ----------------------------------------------- -if [[ "$INSTALL_DEPS" == "true" ]]; then - echo "[*] Installing dependencies (npm ci)..." - npm ci -else - echo "[*] Skipping dependency installation." -fi - -# -- Optional build step ------------------------------------------------------- -BUILD_CMD="true" -if [[ "$BUILD" == "true" ]]; then - echo "[*] Running build (npm run build)..." - npm run build - BUILD_CMD="npm run build" -else - echo "[*] Skipping build step (using 'true' as command)." -fi - -# -- Optional pruning inside node_modules -------------------------------------- -if [[ "$PRUNE" == "true" ]]; then - echo "[*] Pruning selected folders in node_modules to reduce DB size..." - # Only prune if directory exists - if [[ -d node_modules ]]; then - # Remove common large/noisy directories (leave -prune so traversal is cheaper) - find node_modules -type d \( \ - -name coverage -o -name dist -o -name build -o -name lib -o \ - -name examples -o -name example -o -name tests -o -name test -o \ - -name __tests__ -o -name fixtures -o -name benchmark -o -name bench \ - \) -prune -exec rm -rf {} + 2>/dev/null || true - else - echo "[!] node_modules not present; skipping prune." - fi -else - echo "[*] Skipping prune." -fi - -# -- Clean previous artifacts -------------------------------------------------- -if [[ "$CLEAN" == "true" ]]; then - echo "[*] Removing previous database ($DB_DIR) and SARIF ($RESULTS) if they exist..." 
- rm -rf "$DB_DIR" "$RESULTS" -else - echo "[*] CLEAN=false: preserving existing database/results if present." -fi - -# -- Database creation --------------------------------------------------------- -echo "[*] Creating CodeQL database..." -set +e -"$CODEQL" database create "$DB_DIR" \ - --language="$LANGUAGE" \ - --source-root="." \ - --codescanning-config="$CONFIG_FILE" \ - --command="$BUILD_CMD" -CREATE_EXIT=$? -set -e - -if [[ $CREATE_EXIT -ne 0 ]]; then - echo "[!] Database creation failed (exit code $CREATE_EXIT)." >&2 - exit 3 -fi -echo "[*] Database created at $DB_DIR" - -# -- Query suite construction -------------------------------------------------- -QUERY_SUITE="javascript-code-scanning.qls" -ANALYZE_ARGS=("$DB_DIR" "$QUERY_SUITE") - -# Always leverage config queries (security-extended & security-and-quality) -# EXTRA_QUERIES appended if provided. -if [[ -n "$EXTRA_QUERIES" ]]; then - echo "[*] Adding extra queries/packs: $EXTRA_QUERIES" - # Split on spaces - read -r -a EXTRA_ARRAY <<<"$EXTRA_QUERIES" - ANALYZE_ARGS+=("${EXTRA_ARRAY[@]}") -fi - -# -- Analysis ------------------------------------------------------------------ -echo "[*] Analyzing database (threads=$THREADS)..." -set +e -"$CODEQL" database analyze "${ANALYZE_ARGS[@]}" \ - --format=sarifv2.1.0 \ - --output="$RESULTS" \ - --threads="$THREADS" -ANALYZE_EXIT=$? -set -e - -if [[ $ANALYZE_EXIT -ne 0 ]]; then - echo "[!] Analysis failed (exit code $ANALYZE_EXIT)." >&2 - exit 4 -fi -echo "[*] Analysis complete. SARIF report: $RESULTS" - -# -- Metadata summary ---------------------------------------------------------- -echo "[*] Database metadata (source file counts):" -"$CODEQL" database print-metadata "$DB_DIR" | grep -E '"sourceFiles"|language' || true - -echo "[*] Done." -exit 0 From 47a9c95dbd38313bad1dffd454c3f892739a926c Mon Sep 17 00:00:00 2001 
From: Dmitrii Ostasevich Date: Tue, 2 Dec 2025 06:50:06 +0100 Subject: [PATCH 05/13] delete unwanted file --- codeql-results-dist.sarif | 1 - 1 file changed, 1 deletion(-) delete mode 100644 codeql-results-dist.sarif diff --git a/codeql-results-dist.sarif b/codeql-results-dist.sarif deleted file mode 100644 index d136ac3..0000000 --- a/codeql-results-dist.sarif +++ /dev/null 
@@ -1 +0,0 @@ -{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.23.6","notifications":[{"id":"js/diagnostics/extraction-errors","name":"js/diagnostics/extraction-errors","shortDescription":{"text":"Extraction errors"},"fullDescription":{"text":"List all extraction errors for files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction errors for files in the source code directory.","id":"js/diagnostics/extraction-errors","kind":"diagnostic","name":"Extraction errors"}},{"id":"js/diagnostics/successfully-extracted-files","name":"js/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted files"},"fullDescription":{"text":"Lists all files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all files in the source code directory that were extracted.","id":"js/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted files"}},{"id":"js/baseline/expected-extracted-files","name":"js/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/platform","name":"cli/platform","shortDescription":{"text":"Platform"},"fullDescription":{"text":"Platform"},"defaultConfiguration":{"enabled":true}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement 
status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"js/angular/disabling-sce","name":"js/angular/disabling-sce","shortDescription":{"text":"Disabling SCE"},"fullDescription":{"text":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","maintainability","frameworks/angularjs","external/cwe/cwe-116"],"description":"Disabling strict contextual escaping (SCE) can cause security vulnerabilities.","id":"js/angular/disabling-sce","kind":"problem","name":"Disabling SCE","precision":"very-high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/angular/double-compilation","name":"js/angular/double-compilation","shortDescription":{"text":"Double compilation"},"fullDescription":{"text":"Recompiling an already compiled part of the DOM can lead to unexpected behavior of directives, performance problems, and memory leaks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["reliability","frameworks/angularjs","security","external/cwe/cwe-1176"],"description":"Recompiling an already compiled part of the DOM can lead to\n unexpected behavior of directives, performance problems, and memory leaks.","id":"js/angular/double-compilation","kind":"problem","name":"Double compilation","precision":"very-high","problem.severity":"warning","security-severity":"8.8"}},{"id":"js/angular/insecure-url-whitelist","name":"js/angular/insecure-url-whitelist","shortDescription":{"text":"Insecure URL whitelist"},"fullDescription":{"text":"URL whitelists that are too permissive can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","frameworks/angularjs","external/cwe/cwe-183","external/cwe/cwe-625"],"description":"URL whitelists that are too permissive can cause security 
vulnerabilities.","id":"js/angular/insecure-url-whitelist","kind":"problem","name":"Insecure URL whitelist","precision":"very-high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/identity-replacement","name":"js/identity-replacement","shortDescription":{"text":"Replacement of a substring with itself"},"fullDescription":{"text":"Replacing a substring with itself has no effect and may indicate a mistake."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116"],"description":"Replacing a substring with itself has no effect and may indicate a mistake.","id":"js/identity-replacement","kind":"problem","name":"Replacement of a substring with itself","precision":"very-high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/cross-window-information-leak","name":"js/cross-window-information-leak","shortDescription":{"text":"Cross-window communication with unrestricted target origin"},"fullDescription":{"text":"When sending sensitive information to another window using `postMessage`, the origin of the target window should be restricted to avoid unintentional information leaks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-201","external/cwe/cwe-359"],"description":"When sending sensitive information to another window using `postMessage`,\n the origin of the target window should be restricted to avoid unintentional\n information leaks.","id":"js/cross-window-information-leak","kind":"path-problem","name":"Cross-window communication with unrestricted target origin","precision":"high","problem.severity":"error","security-severity":"4.3"}},{"id":"js/functionality-from-untrusted-source","name":"js/functionality-from-untrusted-source","shortDescription":{"text":"Inclusion of functionality from an untrusted source"},"fullDescription":{"text":"Including functionality from an untrusted source may allow an attacker 
to control the functionality and execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Including functionality from an untrusted source may allow\n an attacker to control the functionality and execute arbitrary code.","id":"js/functionality-from-untrusted-source","kind":"problem","name":"Inclusion of functionality from an untrusted source","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/functionality-from-untrusted-domain","name":"js/functionality-from-untrusted-domain","shortDescription":{"text":"Untrusted domain used in script or other content"},"fullDescription":{"text":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-830"],"description":"Using a resource from an untrusted or compromised domain makes your code vulnerable to receiving malicious code.","id":"js/functionality-from-untrusted-domain","kind":"problem","name":"Untrusted domain used in script or other content","precision":"high","problem.severity":"error","security-severity":"7.2"}},{"id":"js/code-injection","name":"js/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user arbitrary code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user arbitrary\n code execution.","id":"js/code-injection","kind":"path-problem","name":"Code 
injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/unsafe-dynamic-method-access","name":"js/unsafe-dynamic-method-access","shortDescription":{"text":"Unsafe dynamic method access"},"fullDescription":{"text":"Invoking user-controlled methods on certain objects can lead to remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094"],"description":"Invoking user-controlled methods on certain objects can lead to remote code execution.","id":"js/unsafe-dynamic-method-access","kind":"path-problem","name":"Unsafe dynamic method access","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/bad-code-sanitization","name":"js/bad-code-sanitization","shortDescription":{"text":"Improper code sanitization"},"fullDescription":{"text":"Escaping code as HTML does not provide protection against code injection."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Escaping code as HTML does not provide protection against code injection.","id":"js/bad-code-sanitization","kind":"path-problem","name":"Improper code sanitization","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/stack-trace-exposure","name":"js/stack-trace-exposure","shortDescription":{"text":"Information exposure through a stack trace"},"fullDescription":{"text":"Propagating stack trace information to an external user can unintentionally reveal implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Propagating stack trace information to an external user can\n unintentionally reveal implementation details that are useful\n to an 
attacker for developing a subsequent exploit.","id":"js/stack-trace-exposure","kind":"path-problem","name":"Information exposure through a stack trace","precision":"very-high","problem.severity":"warning","security-severity":"5.4"}},{"id":"js/exposure-of-private-files","name":"js/exposure-of-private-files","shortDescription":{"text":"Exposure of private files"},"fullDescription":{"text":"Exposing a node_modules folder, or the project folder to the public, can cause exposure of private information."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-200","external/cwe/cwe-219","external/cwe/cwe-548"],"description":"Exposing a node_modules folder, or the project folder to the public, can cause exposure\n of private information.","id":"js/exposure-of-private-files","kind":"problem","name":"Exposure of private files","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/client-side-unvalidated-url-redirection","name":"js/client-side-unvalidated-url-redirection","shortDescription":{"text":"Client-side URL redirect"},"fullDescription":{"text":"Client-side URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-601"],"description":"Client-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"js/client-side-unvalidated-url-redirection","kind":"path-problem","name":"Client-side URL redirect","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/server-side-unvalidated-url-redirection","name":"js/server-side-unvalidated-url-redirection","shortDescription":{"text":"Server-side URL redirect"},"fullDescription":{"text":"Server-side URL redirection based on unvalidated user input may cause redirection to malicious web 
sites."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"Server-side URL redirection based on unvalidated user input\n may cause redirection to malicious web sites.","id":"js/server-side-unvalidated-url-redirection","kind":"path-problem","name":"Server-side URL redirect","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/insufficient-key-size","name":"js/insufficient-key-size","shortDescription":{"text":"Use of a weak cryptographic key"},"fullDescription":{"text":"Using a weak cryptographic key can allow an attacker to compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Using a weak cryptographic key can allow an attacker to compromise security.","id":"js/insufficient-key-size","kind":"problem","name":"Use of a weak cryptographic key","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/case-sensitive-middleware-path","name":"js/case-sensitive-middleware-path","shortDescription":{"text":"Case-sensitive middleware path"},"fullDescription":{"text":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-178"],"description":"Middleware with case-sensitive paths do not protect endpoints with case-insensitive paths.","id":"js/case-sensitive-middleware-path","kind":"problem","name":"Case-sensitive middleware path","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/weak-cryptographic-algorithm","name":"js/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise 
security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"js/weak-cryptographic-algorithm","kind":"path-problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/biased-cryptographic-random","name":"js/biased-cryptographic-random","shortDescription":{"text":"Creating biased random numbers from a cryptographically secure source"},"fullDescription":{"text":"Some mathematical operations on random numbers can cause bias in the results and compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Some mathematical operations on random numbers can cause bias in\n the results and compromise security.","id":"js/biased-cryptographic-random","kind":"problem","name":"Creating biased random numbers from a cryptographically secure source","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/insufficient-password-hash","name":"js/insufficient-password-hash","shortDescription":{"text":"Use of password hash with insufficient computational effort"},"fullDescription":{"text":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-916"],"description":"Creating a hash of a password with low computational effort makes the hash vulnerable to password cracking attacks.","id":"js/insufficient-password-hash","kind":"path-problem","name":"Use of password hash with insufficient computational 
effort","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/request-forgery","name":"js/request-forgery","shortDescription":{"text":"Server-side request forgery"},"fullDescription":{"text":"Making a network request with user-controlled data in the URL allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request with user-controlled data in the URL allows for request forgery attacks.","id":"js/request-forgery","kind":"path-problem","name":"Server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/cors-permissive-configuration","name":"js/cors-permissive-configuration","shortDescription":{"text":"Permissive CORS configuration"},"fullDescription":{"text":"Cross-origin resource sharing (CORS) policy allows overly broad access."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-942"],"description":"Cross-origin resource sharing (CORS) policy allows overly broad access.","id":"js/cors-permissive-configuration","kind":"path-problem","name":"Permissive CORS configuration","precision":"high","problem.severity":"warning","security-severity":"6.0"}},{"id":"js/sensitive-get-query","name":"js/sensitive-get-query","shortDescription":{"text":"Sensitive data read from GET request"},"fullDescription":{"text":"Placing sensitive data in a GET request increases the risk of the data being exposed to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-598"],"description":"Placing sensitive data in a GET request increases the risk of\n the data being exposed to an attacker.","id":"js/sensitive-get-query","kind":"problem","name":"Sensitive data read from GET 
request","precision":"high","problem.severity":"warning","security-severity":"6.5"}},{"id":"js/clear-text-cookie","name":"js/clear-text-cookie","shortDescription":{"text":"Clear text transmission of sensitive cookie"},"fullDescription":{"text":"Sending sensitive information in a cookie without requring SSL encryption can expose the cookie to an attacker."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-311","external/cwe/cwe-312","external/cwe/cwe-319"],"description":"Sending sensitive information in a cookie without requring SSL encryption\n can expose the cookie to an attacker.","id":"js/clear-text-cookie","kind":"problem","name":"Clear text transmission of sensitive cookie","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/sql-injection","name":"js/sql-injection","shortDescription":{"text":"Database query built from user-controlled sources"},"fullDescription":{"text":"Building a database query from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089","external/cwe/cwe-090","external/cwe/cwe-943"],"description":"Building a database query from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"js/sql-injection","kind":"path-problem","name":"Database query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/template-object-injection","name":"js/template-object-injection","shortDescription":{"text":"Template Object Injection"},"fullDescription":{"text":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code 
execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-073","external/cwe/cwe-094"],"description":"Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.","id":"js/template-object-injection","kind":"path-problem","name":"Template Object Injection","precision":"high","problem.severity":"error","security-severity":"9.3"}},{"id":"js/incomplete-url-scheme-check","name":"js/incomplete-url-scheme-check","shortDescription":{"text":"Incomplete URL scheme check"},"fullDescription":{"text":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\" and \"data:\" suggests a logic error or even a security vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","correctness","external/cwe/cwe-020","external/cwe/cwe-184"],"description":"Checking for the \"javascript:\" URL scheme without also checking for \"vbscript:\"\n and \"data:\" suggests a logic error or even a security vulnerability.","id":"js/incomplete-url-scheme-check","kind":"problem","name":"Incomplete URL scheme check","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/useless-regexp-character-escape","name":"js/useless-regexp-character-escape","shortDescription":{"text":"Useless regular-expression character escape"},"fullDescription":{"text":"Prepending a backslash to an ordinary character in a string does not have any effect, and may make regular expressions constructed from this string behave unexpectedly."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Prepending a backslash to an ordinary character in a string\n does not have any effect, and may make regular expressions constructed from this string\n behave 
unexpectedly.","id":"js/useless-regexp-character-escape","kind":"problem","name":"Useless regular-expression character escape","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-hostname-regexp","name":"js/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"js/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incorrect-suffix-check","name":"js/incorrect-suffix-check","shortDescription":{"text":"Incorrect suffix check"},"fullDescription":{"text":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","correctness","external/cwe/cwe-020"],"description":"Using indexOf to implement endsWith functionality is error-prone if the -1 case is not explicitly handled.","id":"js/incorrect-suffix-check","kind":"problem","name":"Incorrect suffix check","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/incomplete-url-substring-sanitization","name":"js/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to 
bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"js/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/overly-large-range","name":"js/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n This may allow an attacker to bypass a filter or sanitizer.","id":"js/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"4.0"}},{"id":"js/host-header-forgery-in-email-generation","name":"js/host-header-forgery-in-email-generation","shortDescription":{"text":"Host header poisoning in email generation"},"fullDescription":{"text":"Using the HTTP Host header to construct a link in an email can facilitate phishing attacks and leak password reset tokens."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-640"],"description":"Using the HTTP Host header to construct a link in an email can facilitate phishing\n attacks and leak password reset tokens.","id":"js/host-header-forgery-in-email-generation","kind":"path-problem","name":"Host header poisoning in email 
generation","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/resource-exhaustion-from-deep-object-traversal","name":"js/resource-exhaustion-from-deep-object-traversal","shortDescription":{"text":"Resources exhaustion from deep object traversal"},"fullDescription":{"text":"Processing user-controlled object hierarchies inefficiently can lead to denial of service."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-400"],"description":"Processing user-controlled object hierarchies inefficiently can lead to denial of service.","id":"js/resource-exhaustion-from-deep-object-traversal","kind":"path-problem","name":"Resources exhaustion from deep object traversal","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/loop-bound-injection","name":"js/loop-bound-injection","shortDescription":{"text":"Loop bound injection"},"fullDescription":{"text":"Iterating over an object with a user-controlled .length property can cause indefinite looping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-834","external/cwe/cwe-730"],"description":"Iterating over an object with a user-controlled .length\n property can cause indefinite looping.","id":"js/loop-bound-injection","kind":"path-problem","name":"Loop bound injection","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/disabling-certificate-validation","name":"js/disabling-certificate-validation","shortDescription":{"text":"Disabling certificate validation"},"fullDescription":{"text":"Disabling cryptographic certificate validation can cause security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-295","external/cwe/cwe-297"],"description":"Disabling cryptographic certificate validation can cause security 
vulnerabilities.","id":"js/disabling-certificate-validation","kind":"problem","name":"Disabling certificate validation","precision":"very-high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/insecure-helmet-configuration","name":"js/insecure-helmet-configuration","shortDescription":{"text":"Insecure configuration of Helmet security middleware"},"fullDescription":{"text":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-693","external/cwe/cwe-1021"],"description":"The Helmet middleware is used to set security-related HTTP headers in Express applications. This query finds instances where the middleware is configured with important security features disabled.","id":"js/insecure-helmet-configuration","kind":"problem","name":"Insecure configuration of Helmet security middleware","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/jwt-missing-verification","name":"js/jwt-missing-verification","shortDescription":{"text":"JWT missing secret or public key verification"},"fullDescription":{"text":"The application does not verify the JWT payload with a cryptographic secret or public key."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-347"],"description":"The application does not verify the JWT payload with a cryptographic secret or public key.","id":"js/jwt-missing-verification","kind":"problem","name":"JWT missing secret or public key verification","precision":"high","problem.severity":"warning","security-severity":"7.0"}},{"id":"js/resource-exhaustion","name":"js/resource-exhaustion","shortDescription":{"text":"Resource exhaustion"},"fullDescription":{"text":"Allocating objects or timers with user-controlled 
sizes or durations can cause resource exhaustion."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-400","external/cwe/cwe-770"],"description":"Allocating objects or timers with user-controlled\n sizes or durations can cause resource exhaustion.","id":"js/resource-exhaustion","kind":"path-problem","name":"Resource exhaustion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/missing-rate-limiting","name":"js/missing-rate-limiting","shortDescription":{"text":"Missing rate limiting"},"fullDescription":{"text":"An HTTP request handler that performs expensive operations without restricting the rate at which operations can be carried out is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-770","external/cwe/cwe-307","external/cwe/cwe-400"],"description":"An HTTP request handler that performs expensive operations without\n restricting the rate at which operations can be carried out is vulnerable\n to denial-of-service attacks.","id":"js/missing-rate-limiting","kind":"problem","name":"Missing rate limiting","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/cors-misconfiguration-for-credentials","name":"js/cors-misconfiguration-for-credentials","shortDescription":{"text":"CORS misconfiguration for credentials transfer"},"fullDescription":{"text":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-346","external/cwe/cwe-639","external/cwe/cwe-942"],"description":"Misconfiguration of CORS HTTP headers allows for leaks of secret credentials.","id":"js/cors-misconfiguration-for-credentials","kind":"path-problem","name":"CORS misconfiguration for credentials 
transfer","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/incomplete-sanitization","name":"js/incomplete-sanitization","shortDescription":{"text":"Incomplete string escaping or encoding"},"fullDescription":{"text":"A string transformer that does not replace or escape all occurrences of a meta-character may be ineffective."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A string transformer that does not replace or escape all occurrences of a\n meta-character may be ineffective.","id":"js/incomplete-sanitization","kind":"problem","name":"Incomplete string escaping or encoding","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/bad-tag-filter","name":"js/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116","external/cwe/cwe-184","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"js/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-html-expansion","name":"js/unsafe-html-expansion","shortDescription":{"text":"Unsafe expansion of self-closing HTML tag"},"fullDescription":{"text":"Using regular expressions to expand self-closing HTML tags may lead to cross-site scripting 
vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using regular expressions to expand self-closing HTML\n tags may lead to cross-site scripting vulnerabilities.","id":"js/unsafe-html-expansion","kind":"problem","name":"Unsafe expansion of self-closing HTML tag","precision":"very-high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/incomplete-multi-character-sanitization","name":"js/incomplete-multi-character-sanitization","shortDescription":{"text":"Incomplete multi-character sanitization"},"fullDescription":{"text":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020","external/cwe/cwe-080","external/cwe/cwe-116"],"description":"A sanitizer that removes a sequence of characters may reintroduce the dangerous sequence.","id":"js/incomplete-multi-character-sanitization","kind":"problem","name":"Incomplete multi-character sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/double-escaping","name":"js/double-escaping","shortDescription":{"text":"Double escaping or unescaping"},"fullDescription":{"text":"When escaping special characters using a meta-character like backslash or ampersand, the meta-character has to be escaped first to avoid double-escaping, and conversely it has to be unescaped last to avoid double-unescaping."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"When escaping special characters using a meta-character like backslash or\n ampersand, the meta-character has to be escaped first to avoid double-escaping,\n and conversely it has to be unescaped last to avoid 
double-unescaping.","id":"js/double-escaping","kind":"problem","name":"Double escaping or unescaping","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/incomplete-html-attribute-sanitization","name":"js/incomplete-html-attribute-sanitization","shortDescription":{"text":"Incomplete HTML attribute sanitization"},"fullDescription":{"text":"Writing incompletely sanitized values to HTML attribute strings can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","external/cwe/cwe-020"],"description":"Writing incompletely sanitized values to HTML\n attribute strings can lead to a cross-site\n scripting vulnerability.","id":"js/incomplete-html-attribute-sanitization","kind":"path-problem","name":"Incomplete HTML attribute sanitization","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-polluting-assignment","name":"js/prototype-polluting-assignment","shortDescription":{"text":"Prototype-polluting assignment"},"fullDescription":{"text":"Modifying an object obtained via a user-controlled property name may lead to accidental mutation of the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Modifying an object obtained via a user-controlled property name may\n lead to accidental mutation of the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-polluting-assignment","kind":"path-problem","name":"Prototype-polluting 
assignment","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/prototype-pollution","name":"js/prototype-pollution","shortDescription":{"text":"Prototype-polluting merge call"},"fullDescription":{"text":"Recursively merging a user-controlled object into another object can allow an attacker to modify the built-in Object prototype, and possibly escalate to remote code execution or cross-site scripting."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Recursively merging a user-controlled object into another object\n can allow an attacker to modify the built-in Object prototype,\n and possibly escalate to remote code execution or cross-site scripting.","id":"js/prototype-pollution","kind":"path-problem","name":"Prototype-polluting merge call","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/prototype-pollution-utility","name":"js/prototype-pollution-utility","shortDescription":{"text":"Prototype-polluting function"},"fullDescription":{"text":"Functions recursively assigning properties on objects may be the cause of accidental modification of a built-in prototype object."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-078","external/cwe/cwe-079","external/cwe/cwe-094","external/cwe/cwe-400","external/cwe/cwe-471","external/cwe/cwe-915"],"description":"Functions recursively assigning properties on objects may be\n the cause of accidental modification of a built-in prototype object.","id":"js/prototype-pollution-utility","kind":"path-problem","name":"Prototype-polluting function","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xml-bomb","name":"js/xml-bomb","shortDescription":{"text":"XML internal entity 
expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n entity expansion is vulnerable to denial-of-service attacks.","id":"js/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/clear-text-storage-of-sensitive-data","name":"js/clear-text-storage-of-sensitive-data","shortDescription":{"text":"Clear text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n attacker.","id":"js/clear-text-storage-of-sensitive-data","kind":"path-problem","name":"Clear text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/clear-text-logging","name":"js/clear-text-logging","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n expose it to an attacker.","id":"js/clear-text-logging","kind":"path-problem","name":"Clear-text logging of sensitive 
information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/build-artifact-leak","name":"js/build-artifact-leak","shortDescription":{"text":"Storage of sensitive information in build artifact"},"fullDescription":{"text":"Including sensitive information in a build artifact can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Including sensitive information in a build artifact can\n expose it to an attacker.","id":"js/build-artifact-leak","kind":"path-problem","name":"Storage of sensitive information in build artifact","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/unvalidated-dynamic-method-call","name":"js/unvalidated-dynamic-method-call","shortDescription":{"text":"Unvalidated dynamic method call"},"fullDescription":{"text":"Calling a method with a user-controlled name may dispatch to an unexpected target, which could cause an exception."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-754"],"description":"Calling a method with a user-controlled name may dispatch to\n an unexpected target, which could cause an exception.","id":"js/unvalidated-dynamic-method-call","kind":"path-problem","name":"Unvalidated dynamic method call","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/tainted-format-string","name":"js/tainted-format-string","shortDescription":{"text":"Use of externally-controlled format string"},"fullDescription":{"text":"Using external input in format strings can lead to garbled output."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-134"],"description":"Using external input in format strings can lead to garbled 
output.","id":"js/tainted-format-string","kind":"path-problem","name":"Use of externally-controlled format string","precision":"high","problem.severity":"warning","security-severity":"7.3"}},{"id":"js/missing-token-validation","name":"js/missing-token-validation","shortDescription":{"text":"Missing CSRF middleware"},"fullDescription":{"text":"Using cookies without CSRF protection may allow malicious websites to submit requests on behalf of the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Using cookies without CSRF protection may allow malicious websites to\n submit requests on behalf of the user.","id":"js/missing-token-validation","kind":"problem","name":"Missing CSRF middleware","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/insecure-randomness","name":"js/insecure-randomness","shortDescription":{"text":"Insecure randomness"},"fullDescription":{"text":"Using a cryptographically weak pseudo-random number generator to generate a security-sensitive value may allow an attacker to predict what value will be generated."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-338"],"description":"Using a cryptographically weak pseudo-random number generator to generate a\n security-sensitive value may allow an attacker to predict what value will\n be generated.","id":"js/insecure-randomness","kind":"path-problem","name":"Insecure randomness","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/insecure-dependency","name":"js/insecure-dependency","shortDescription":{"text":"Dependency download using unencrypted communication channel"},"fullDescription":{"text":"Using unencrypted protocols to fetch dependencies can leave an application open to man-in-the-middle 
attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-300","external/cwe/cwe-319","external/cwe/cwe-494","external/cwe/cwe-829"],"description":"Using unencrypted protocols to fetch dependencies can leave an application\n open to man-in-the-middle attacks.","id":"js/insecure-dependency","kind":"problem","name":"Dependency download using unencrypted communication channel","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"js/unsafe-deserialization","name":"js/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-502"],"description":"Deserializing user-controlled data may allow attackers to\n execute arbitrary code.","id":"js/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled data","precision":"high","problem.severity":"warning","security-severity":"9.8"}},{"id":"js/regex-injection","name":"js/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n otherwise a malicious user may be able to inject an expression that could require\n exponential time on certain inputs.","id":"js/regex-injection","kind":"path-problem","name":"Regular expression 
injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/server-crash","name":"js/server-crash","shortDescription":{"text":"Server crash"},"fullDescription":{"text":"A server that can be forced to crash may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-248","external/cwe/cwe-730"],"description":"A server that can be forced to crash may be vulnerable to denial-of-service\n attacks.","id":"js/server-crash","kind":"path-problem","name":"Server crash","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/client-exposed-cookie","name":"js/client-exposed-cookie","shortDescription":{"text":"Sensitive server cookie exposed to the client"},"fullDescription":{"text":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1004"],"description":"Sensitive cookies set by a server can be read by the client if the `httpOnly` flag is not set.","id":"js/client-exposed-cookie","kind":"problem","name":"Sensitive server cookie exposed to the client","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"js/zipslip","name":"js/zipslip","shortDescription":{"text":"Arbitrary file access during archive extraction (\"Zip Slip\")"},"fullDescription":{"text":"Extracting files from a malicious ZIP file, or similar type of archive, without validating that the destination file path is within the destination directory can allow an attacker to unexpectedly gain access to resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022"],"description":"Extracting files from a malicious ZIP file, or similar type of archive, without\n validating that the destination file path is within the 
destination directory\n can allow an attacker to unexpectedly gain access to resources.","id":"js/zipslip","kind":"path-problem","name":"Arbitrary file access during archive extraction (\"Zip Slip\")","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/path-injection","name":"js/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access\n unexpected resources.","id":"js/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/type-confusion-through-parameter-tampering","name":"js/type-confusion-through-parameter-tampering","shortDescription":{"text":"Type confusion through parameter tampering"},"fullDescription":{"text":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-843"],"description":"Sanitizing an HTTP request parameter may be ineffective if the user controls its type.","id":"js/type-confusion-through-parameter-tampering","kind":"path-problem","name":"Type confusion through parameter tampering","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/xxe","name":"js/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE 
attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n entity expansion is vulnerable to XXE attacks.","id":"js/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"js/unnecessary-use-of-cat","name":"js/unnecessary-use-of-cat","shortDescription":{"text":"Unnecessary use of `cat` process"},"fullDescription":{"text":"Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","maintainability","external/cwe/cwe-078"],"description":"Using the `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.","id":"js/unnecessary-use-of-cat","kind":"problem","name":"Unnecessary use of `cat` process","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/command-line-injection","name":"js/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"js/command-line-injection","kind":"path-problem","name":"Uncontrolled command 
line","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/shell-command-constructed-from-input","name":"js/shell-command-constructed-from-input","shortDescription":{"text":"Unsafe shell command constructed from library input"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n user to change the meaning of the command.","id":"js/shell-command-constructed-from-input","kind":"path-problem","name":"Unsafe shell command constructed from library input","precision":"high","problem.severity":"error","security-severity":"6.3"}},{"id":"js/second-order-command-line-injection","name":"js/second-order-command-line-injection","shortDescription":{"text":"Second order command injection"},"fullDescription":{"text":"Using user-controlled data as arguments to some commands, such as git clone, can allow arbitrary commands to be executed."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using user-controlled data as arguments to some commands, such as git clone,\n can allow arbitrary commands to be executed.","id":"js/second-order-command-line-injection","kind":"path-problem","name":"Second order command injection","precision":"high","problem.severity":"error","security-severity":"7.0"}},{"id":"js/shell-command-injection-from-environment","name":"js/shell-command-injection-from-environment","shortDescription":{"text":"Shell command built from environment values"},"fullDescription":{"text":"Building a shell command string with values from the enclosing environment may cause subtle bugs or 
vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Building a shell command string with values from the enclosing\n environment may cause subtle bugs or vulnerabilities.","id":"js/shell-command-injection-from-environment","kind":"path-problem","name":"Shell command built from environment values","precision":"high","problem.severity":"warning","security-severity":"6.3"}},{"id":"js/xpath-injection","name":"js/xpath-injection","shortDescription":{"text":"XPath injection"},"fullDescription":{"text":"Building an XPath expression from user-controlled sources is vulnerable to insertion of malicious code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building an XPath expression from user-controlled sources is vulnerable to insertion of\n malicious code by the user.","id":"js/xpath-injection","kind":"path-problem","name":"XPath injection","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"js/insecure-download","name":"js/insecure-download","shortDescription":{"text":"Download of sensitive file through insecure connection"},"fullDescription":{"text":"Downloading executables and other sensitive files over an insecure connection opens up for potential man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-829"],"description":"Downloading executables and other sensitive files over an insecure connection\n opens up for potential man-in-the-middle attacks.","id":"js/insecure-download","kind":"path-problem","name":"Download of sensitive file through insecure connection","precision":"high","problem.severity":"error","security-severity":"8.1"}},{"id":"js/reflected-xss","name":"js/reflected-xss","shortDescription":{"text":"Reflected cross-site 
scripting"},"fullDescription":{"text":"Writing user input directly to an HTTP response allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to an HTTP response allows for\n a cross-site scripting vulnerability.","id":"js/reflected-xss","kind":"path-problem","name":"Reflected cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-dom","name":"js/xss-through-dom","shortDescription":{"text":"DOM text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from the DOM as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from the DOM as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-dom","kind":"path-problem","name":"DOM text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"js/unsafe-jquery-plugin","name":"js/unsafe-jquery-plugin","shortDescription":{"text":"Unsafe jQuery plugin"},"fullDescription":{"text":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116","frameworks/jquery"],"description":"A jQuery plugin that unintentionally constructs HTML from some of its options may be unsafe to use for clients.","id":"js/unsafe-jquery-plugin","kind":"path-problem","name":"Unsafe jQuery plugin","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/xss","name":"js/xss","shortDescription":{"text":"Client-side cross-site 
scripting"},"fullDescription":{"text":"Writing user input directly to the DOM allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to the DOM allows for\n a cross-site scripting vulnerability.","id":"js/xss","kind":"path-problem","name":"Client-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/xss-through-exception","name":"js/xss-through-exception","shortDescription":{"text":"Exception text reinterpreted as HTML"},"fullDescription":{"text":"Reinterpreting text from an exception as HTML can lead to a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Reinterpreting text from an exception as HTML\n can lead to a cross-site scripting vulnerability.","id":"js/xss-through-exception","kind":"path-problem","name":"Exception text reinterpreted as HTML","precision":"high","problem.severity":"warning","security-severity":"6.1"}},{"id":"js/html-constructed-from-input","name":"js/html-constructed-from-input","shortDescription":{"text":"Unsafe HTML constructed from library input"},"fullDescription":{"text":"Using externally controlled strings to construct HTML might allow a malicious user to perform a cross-site scripting attack."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using externally controlled strings to construct HTML might allow a malicious\n user to perform a cross-site scripting attack.","id":"js/html-constructed-from-input","kind":"path-problem","name":"Unsafe HTML constructed from library 
input","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/stored-xss","name":"js/stored-xss","shortDescription":{"text":"Stored cross-site scripting"},"fullDescription":{"text":"Using uncontrolled stored values in HTML allows for a stored cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Using uncontrolled stored values in HTML allows for\n a stored cross-site scripting vulnerability.","id":"js/stored-xss","kind":"path-problem","name":"Stored cross-site scripting","precision":"high","problem.severity":"error","security-severity":"7.8"}},{"id":"js/redos","name":"js/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n can be a performance bottleneck, and may be vulnerable to denial-of-service\n attacks.","id":"js/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"js/polynomial-redos","name":"js/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial 
time\n to match may be vulnerable to denial-of-service attacks.","id":"js/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"js/enabling-electron-insecure-content","name":"js/enabling-electron-insecure-content","shortDescription":{"text":"Enabling Electron allowRunningInsecureContent"},"fullDescription":{"text":"Enabling allowRunningInsecureContent can allow remote code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-494"],"description":"Enabling allowRunningInsecureContent can allow remote code execution.","id":"js/enabling-electron-insecure-content","kind":"problem","name":"Enabling Electron allowRunningInsecureContent","precision":"very-high","problem.severity":"error","security-severity":"8.8"}},{"id":"js/disabling-electron-websecurity","name":"js/disabling-electron-websecurity","shortDescription":{"text":"Disabling Electron webSecurity"},"fullDescription":{"text":"Disabling webSecurity can cause critical security vulnerabilities."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","frameworks/electron","external/cwe/cwe-079"],"description":"Disabling webSecurity can cause critical security vulnerabilities.","id":"js/disabling-electron-websecurity","kind":"problem","name":"Disabling Electron webSecurity","precision":"very-high","problem.severity":"error","security-severity":"6.1"}},{"id":"js/summary/lines-of-code","name":"js/summary/lines-of-code","shortDescription":{"text":"Total lines of JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. 
For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"The total number of lines of JavaScript or TypeScript code across all files checked into the repository, except in `node_modules`. This is a useful metric of the size of a database. For all files that were seen during extraction, this query counts the lines of code, excluding whitespace or comments.","id":"js/summary/lines-of-code","kind":"metric","name":"Total lines of JavaScript and TypeScript code in the database"}},{"id":"js/summary/lines-of-user-code","name":"js/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written JavaScript and TypeScript code in the database"},"fullDescription":{"text":"The total number of lines of JavaScript and TypeScript code from the source code directory, excluding auto-generated files and files in `node_modules`. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of JavaScript and TypeScript code from the source code directory,\n excluding auto-generated files and files in `node_modules`. 
This query counts the lines of code, excluding\n whitespace or comments.","id":"js/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written JavaScript and TypeScript code in the database"}}]},"extensions":[{"name":"codeql/javascript-queries","semanticVersion":"2.2.0+117168d25bc05f8a5a313748687c56335ddf03e4","locations":[{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/javascript-all","semanticVersion":"2.6.15+117168d25bc05f8a5a313748687c56335ddf03e4","locations":[{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/javascript-all/2.6.15/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/javascript-all/2.6.15/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/threat-models","semanticVersion":"1.0.35+117168d25bc05f8a5a313748687c56335ddf03e4","locations":[{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/threat-models/1.0.35/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/dmitrii/.codeql/packages/codeql/javascript-queries/2.2.0/.codeql/libraries/codeql/threat-models/1.0.35/qlpack.yml","description":{"text":"The QL pack definition 
file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"assets/svg/index.d.ts","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButton.d.ts","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButtons.d.ts","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Avatar.d.ts","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/Button.d.ts","uriBaseId":"%SRCROOT%","index":6}}}],"message":{"text":"
"},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/PrimaryButton.d.ts","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/SecondaryButton.d.ts","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/index.d.ts","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatBubble.d.ts","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatEvent.d.ts","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/MessageHeader.d.ts","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/TypingIndicator.d.ts","uriBaseId":"%SR
CROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/index.d.ts","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/Typography.d.ts","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/index.d.ts","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"index.d.ts","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"matcher.d.ts","uriBaseId":"%SRCROOT%","index":18}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/AdaptiveCards/components/Adaptivecard.d.ts","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/A
daptiveCards/index.d.ts","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Audio.d.ts","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Controls.d.ts","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/index.d.ts","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/DatePicker.d.ts","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/flatpickr-plugins/customElements.d.ts","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/helpers.d.ts","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""
}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/index.d.ts","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/File.d.ts","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/helper.d.ts","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/index.d.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/Gallery.d.ts","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/GalleryItem.d.ts","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/helper.d.ts","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"propertie
s":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/index.d.ts","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/Image.d.ts","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/ImageThumb.d.ts","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/context.d.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/hooks.d.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/index.d.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/Lightbox.d.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-e
xtracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/LightboxHeader.d.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/List.d.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/ListItem.d.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/index.d.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Message.d.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/StreamingTextAnimation.d.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/Text.d.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/index.d.ts","uriBaseId":"%SRCROOT%","index":48}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/TextWithButtons.d.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/helper.d.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/Video.d.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/index.d.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Webchat3Event.d.ts","uriBaseId":"%SRCROOT%",
"index":54}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/collation.d.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/context.d.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/hooks.d.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/index.d.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/live-region-helper.d.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/types.d.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/XAppSubmitMessage.d.ts","uriBaseId":"%
SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/index.d.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"sanitize.d.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"utils.d.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/diagnostics/successfully-extracted-files","index":1},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButton.d.ts","uriBaseId":"%SRCROOT%","index":2}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/ActionButtons.d.ts","uriBaseId":"%SRCROOT%","index":3}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/index.d.ts","uriBaseId":"%SRCROOT%","index":14}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/Button.d.ts","uriBaseId":"
%SRCROOT%","index":6}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/index.d.ts","uriBaseId":"%SRCROOT%","index":27}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/LightboxHeader.d.ts","uriBaseId":"%SRCROOT%","index":41}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/index.d.ts","uriBaseId":"%SRCROOT%","index":16}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/DatePicker.d.ts","uriBaseId":"%SRCROOT%","index":24}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/index.d.ts","uriBaseId":"%SRCROOT%","index":58}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Message.d.ts","uriBaseId":"%SRCROOT%","index":45}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"matcher.d.ts","uriBaseId":"%SRCROOT%","index":18
}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/helper.d.ts","uriBaseId":"%SRCROOT%","index":33}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Controls.d.ts","uriBaseId":"%SRCROOT%","index":22}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/index.d.ts","uriBaseId":"%SRCROOT%","index":9}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/StreamingTextAnimation.d.ts","uriBaseId":"%SRCROOT%","index":46}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/Video.d.ts","uriBaseId":"%SRCROOT%","index":52}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/index.d.ts","uriBaseId":"%SRCROOT%","index":34}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/index.d.ts","uriBaseId":"%SRCROOT%","index":48}}}],"messa
ge":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"sanitize.d.ts","uriBaseId":"%SRCROOT%","index":63}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/ListItem.d.ts","uriBaseId":"%SRCROOT%","index":43}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ActionButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":4}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/PrimaryButton.d.ts","uriBaseId":"%SRCROOT%","index":7}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/helpers.d.ts","uriBaseId":"%SRCROOT%","index":26}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"index.d.ts","uriBaseId":"%SRCROOT%","index":17}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Webchat3Event.d.ts","uriBaseId":"%SRCROOT%","index":54}}}],"message":{"text":""},"level":"none","descr
iptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Buttons/SecondaryButton.d.ts","uriBaseId":"%SRCROOT%","index":8}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/List.d.ts","uriBaseId":"%SRCROOT%","index":42}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/index.d.ts","uriBaseId":"%SRCROOT%","index":39}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"assets/svg/index.d.ts","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/Image.d.ts","uriBaseId":"%SRCROOT%","index":35}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Text/Text.d.ts","uriBaseId":"%SRCROOT%","index":47}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/XAppSubmitMessage.d.ts","uriBaseId":"%SRCROOT%","index":61}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/basel
ine/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/context.d.ts","uriBaseId":"%SRCROOT%","index":56}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Typography/Typography.d.ts","uriBaseId":"%SRCROOT%","index":15}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/AdaptiveCards/index.d.ts","uriBaseId":"%SRCROOT%","index":20}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/live-region-helper.d.ts","uriBaseId":"%SRCROOT%","index":59}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/GalleryItem.d.ts","uriBaseId":"%SRCROOT%","index":32}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/hooks.d.ts","uriBaseId":"%SRCROOT%","index":38}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatEvent.d.ts","uriBaseId":"%SRCROOT%","index":11}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expect
ed-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/TextWithButtons.d.ts","uriBaseId":"%SRCROOT%","index":49}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Video/index.d.ts","uriBaseId":"%SRCROOT%","index":53}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/index.d.ts","uriBaseId":"%SRCROOT%","index":23}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/index.d.ts","uriBaseId":"%SRCROOT%","index":30}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/helper.d.ts","uriBaseId":"%SRCROOT%","index":50}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/AdaptiveCards/components/Adaptivecard.d.ts","uriBaseId":"%SRCROOT%","index":19}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/DatePicker/flatpickr-plugins/customElements.d.ts","uriBaseId":"%SRCROOT%","index":25}}}],"message":{"text":""
},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/List/index.d.ts","uriBaseId":"%SRCROOT%","index":44}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/helper.d.ts","uriBaseId":"%SRCROOT%","index":29}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/collation.d.ts","uriBaseId":"%SRCROOT%","index":55}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/xApp/index.d.ts","uriBaseId":"%SRCROOT%","index":62}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/MessageHeader.d.ts","uriBaseId":"%SRCROOT%","index":12}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/ChatBubble.d.ts","uriBaseId":"%SRCROOT%","index":10}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"utils.d.ts","uriBaseId":"%SRCROOT%","index":64}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expect
ed-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/TypingIndicator/TypingIndicator.d.ts","uriBaseId":"%SRCROOT%","index":13}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/File/File.d.ts","uriBaseId":"%SRCROOT%","index":28}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/TextWithButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":51}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/context.d.ts","uriBaseId":"%SRCROOT%","index":37}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Gallery/Gallery.d.ts","uriBaseId":"%SRCROOT%","index":31}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/lightbox/Lightbox.d.ts","uriBaseId":"%SRCROOT%","index":40}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Audio/Audio.d.ts","uriBaseId":"%SRCROOT%","index":21}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/base
line/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/Image/ImageThumb.d.ts","uriBaseId":"%SRCROOT%","index":36}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"common/Avatar.d.ts","uriBaseId":"%SRCROOT%","index":5}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/hooks.d.ts","uriBaseId":"%SRCROOT%","index":57}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"messages/types.d.ts","uriBaseId":"%SRCROOT%","index":60}}}],"message":{"text":""},"level":"none","descriptor":{"id":"js/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":"On the Mac OS X (aarch64; 26.1) platform.","markdown":"On the Mac OS X (aarch64; 26.1) platform."},"level":"none","timeUtc":"2025-11-28T18:48:23.028040Z","descriptor":{"id":"cli/platform","index":3},"properties":{"attributes":{"arch":"aarch64","name":"Mac OS 
X","version":"26.1"},"visibility":{"statusPage":false,"telemetry":true}}},{"message":{"text":""},"level":"note","timeUtc":"2025-11-28T18:48:23.055697Z","descriptor":{"id":"cli/sip-enablement","index":4},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":"assets/svg/index.d.ts","uriBaseId":"%SRCROOT%","index":1}},{"location":{"uri":"common/ActionButtons/ActionButton.d.ts","uriBaseId":"%SRCROOT%","index":2}},{"location":{"uri":"common/ActionButtons/ActionButtons.d.ts","uriBaseId":"%SRCROOT%","index":3}},{"location":{"uri":"common/ActionButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":4}},{"location":{"uri":"common/Avatar.d.ts","uriBaseId":"%SRCROOT%","index":5}},{"location":{"uri":"common/Buttons/Button.d.ts","uriBaseId":"%SRCROOT%","index":6}},{"location":{"uri":"common/Buttons/PrimaryButton.d.ts","uriBaseId":"%SRCROOT%","index":7}},{"location":{"uri":"common/Buttons/SecondaryButton.d.ts","uriBaseId":"%SRCROOT%","index":8}},{"location":{"uri":"common/Buttons/index.d.ts","uriBaseId":"%SRCROOT%","index":9}},{"location":{"uri":"common/ChatBubble.d.ts","uriBaseId":"%SRCROOT%","index":10}},{"location":{"uri":"common/ChatEvent.d.ts","uriBaseId":"%SRCROOT%","index":11}},{"location":{"uri":"common/MessageHeader.d.ts","uriBaseId":"%SRCROOT%","index":12}},{"location":{"uri":"common/TypingIndicator/TypingIndicator.d.ts","uriBaseId":"%SRCROOT%","index":13}},{"location":{"uri":"common/TypingIndicator/index.d.ts","uriBaseId":"%SRCROOT%","index":14}},{"location":{"uri":"common/Typography/Typography.d.ts","uriBaseId":"%SRCROOT%","index":15}},{"location":{"uri":"common/Typography/index.d.ts","uriBaseId":"%SRCROOT%","index":16}},{"location":{"uri":"index.d.ts","uriBaseId":"%SRCROOT%","index":17}},{"location":{"uri":"matcher.d.ts","uriBaseId":"%SRCROOT%","index":18}},{"location":{"uri":"messages/Adap
tiveCards/components/Adaptivecard.d.ts","uriBaseId":"%SRCROOT%","index":19}},{"location":{"uri":"messages/AdaptiveCards/index.d.ts","uriBaseId":"%SRCROOT%","index":20}},{"location":{"uri":"messages/Audio/Audio.d.ts","uriBaseId":"%SRCROOT%","index":21}},{"location":{"uri":"messages/Audio/Controls.d.ts","uriBaseId":"%SRCROOT%","index":22}},{"location":{"uri":"messages/Audio/index.d.ts","uriBaseId":"%SRCROOT%","index":23}},{"location":{"uri":"messages/DatePicker/DatePicker.d.ts","uriBaseId":"%SRCROOT%","index":24}},{"location":{"uri":"messages/DatePicker/flatpickr-plugins/customElements.d.ts","uriBaseId":"%SRCROOT%","index":25}},{"location":{"uri":"messages/DatePicker/helpers.d.ts","uriBaseId":"%SRCROOT%","index":26}},{"location":{"uri":"messages/DatePicker/index.d.ts","uriBaseId":"%SRCROOT%","index":27}},{"location":{"uri":"messages/File/File.d.ts","uriBaseId":"%SRCROOT%","index":28}},{"location":{"uri":"messages/File/helper.d.ts","uriBaseId":"%SRCROOT%","index":29}},{"location":{"uri":"messages/File/index.d.ts","uriBaseId":"%SRCROOT%","index":30}},{"location":{"uri":"messages/Gallery/Gallery.d.ts","uriBaseId":"%SRCROOT%","index":31}},{"location":{"uri":"messages/Gallery/GalleryItem.d.ts","uriBaseId":"%SRCROOT%","index":32}},{"location":{"uri":"messages/Gallery/helper.d.ts","uriBaseId":"%SRCROOT%","index":33}},{"location":{"uri":"messages/Gallery/index.d.ts","uriBaseId":"%SRCROOT%","index":34}},{"location":{"uri":"messages/Image/Image.d.ts","uriBaseId":"%SRCROOT%","index":35}},{"location":{"uri":"messages/Image/ImageThumb.d.ts","uriBaseId":"%SRCROOT%","index":36}},{"location":{"uri":"messages/Image/context.d.ts","uriBaseId":"%SRCROOT%","index":37}},{"location":{"uri":"messages/Image/hooks.d.ts","uriBaseId":"%SRCROOT%","index":38}},{"location":{"uri":"messages/Image/index.d.ts","uriBaseId":"%SRCROOT%","index":39}},{"location":{"uri":"messages/Image/lightbox/Lightbox.d.ts","uriBaseId":"%SRCROOT%","index":40}},{"location":{"uri":"messages/Image/lightbox/LightboxHeader.d.
ts","uriBaseId":"%SRCROOT%","index":41}},{"location":{"uri":"messages/List/List.d.ts","uriBaseId":"%SRCROOT%","index":42}},{"location":{"uri":"messages/List/ListItem.d.ts","uriBaseId":"%SRCROOT%","index":43}},{"location":{"uri":"messages/List/index.d.ts","uriBaseId":"%SRCROOT%","index":44}},{"location":{"uri":"messages/Message.d.ts","uriBaseId":"%SRCROOT%","index":45}},{"location":{"uri":"messages/Text/StreamingTextAnimation.d.ts","uriBaseId":"%SRCROOT%","index":46}},{"location":{"uri":"messages/Text/Text.d.ts","uriBaseId":"%SRCROOT%","index":47}},{"location":{"uri":"messages/Text/index.d.ts","uriBaseId":"%SRCROOT%","index":48}},{"location":{"uri":"messages/TextWithButtons/TextWithButtons.d.ts","uriBaseId":"%SRCROOT%","index":49}},{"location":{"uri":"messages/TextWithButtons/helper.d.ts","uriBaseId":"%SRCROOT%","index":50}},{"location":{"uri":"messages/TextWithButtons/index.d.ts","uriBaseId":"%SRCROOT%","index":51}},{"location":{"uri":"messages/Video/Video.d.ts","uriBaseId":"%SRCROOT%","index":52}},{"location":{"uri":"messages/Video/index.d.ts","uriBaseId":"%SRCROOT%","index":53}},{"location":{"uri":"messages/Webchat3Event.d.ts","uriBaseId":"%SRCROOT%","index":54}},{"location":{"uri":"messages/collation.d.ts","uriBaseId":"%SRCROOT%","index":55}},{"location":{"uri":"messages/context.d.ts","uriBaseId":"%SRCROOT%","index":56}},{"location":{"uri":"messages/hooks.d.ts","uriBaseId":"%SRCROOT%","index":57}},{"location":{"uri":"messages/index.d.ts","uriBaseId":"%SRCROOT%","index":58}},{"location":{"uri":"messages/live-region-helper.d.ts","uriBaseId":"%SRCROOT%","index":59}},{"location":{"uri":"messages/types.d.ts","uriBaseId":"%SRCROOT%","index":60}},{"location":{"uri":"messages/xApp/XAppSubmitMessage.d.ts","uriBaseId":"%SRCROOT%","index":61}},{"location":{"uri":"messages/xApp/index.d.ts","uriBaseId":"%SRCROOT%","index":62}},{"location":{"uri":"sanitize.d.ts","uriBaseId":"%SRCROOT%","index":63}},{"location":{"uri":"utils.d.ts","uriBaseId":"%SRCROOT%","index":64}}],"results"
:[{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":28357,"startColumn":15,"endColumn":28}}}],"partialFingerprints":{"primaryLocationLineHash":"d783b49e064e724b:1","primaryLocationStartColumnFingerprint":"8"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":33840,"startColumn":42,"endColumn":51}}}],"partialFingerprints":{"primaryLocationLineHash":"5795dfd5075d3091:1","primaryLocationStartColumnFingerprint":"37"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":33889,"startColumn":48,"endColumn":57}}}],"partialFingerprints":{"primaryLocationLineHash":"3c4ca60d3a732b28:1","primaryLocationStartColumnFingerprint":"43"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the 
input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":33984,"startColumn":46,"endColumn":55}}}],"partialFingerprints":{"primaryLocationLineHash":"49735ba19183e7df:1","primaryLocationStartColumnFingerprint":"41"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This does not escape backslash characters in the input."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":35327,"startColumn":14,"endColumn":37}}}],"partialFingerprints":{"primaryLocationLineHash":"2c4a74ba84ab2cf8:1","primaryLocationStartColumnFingerprint":"11"}},{"ruleId":"js/incomplete-sanitization","ruleIndex":40,"rule":{"id":"js/incomplete-sanitization","index":40},"message":{"text":"This replaces only the first occurrence of \"\\\\\"."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"chat-components.js","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":43703,"startColumn":11,"endColumn":21}}}],"partialFingerprints":{"primaryLocationLineHash":"c3e6ee013706602f:1","primaryLocationStartColumnFingerprint":"0"}}],"newlineSequences":["\r\n","\n","
","
"],"columnKind":"utf16CodeUnits","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"js/summary/lines-of-code","index":84},"ruleId":"js/summary/lines-of-code","ruleIndex":84,"value":80806},{"rule":{"id":"js/summary/lines-of-user-code","index":85},"ruleId":"js/summary/lines-of-user-code","ruleIndex":85,"value":907,"baseline":907}]}}]}
\ No newline at end of file
From 72b16ccbfdabc5595ca2cc0bda800ed2582717d0 Mon Sep 17 00:00:00 2001
From: Dmitrii Ostasevich
Date: Tue, 2 Dec 2025 06:50:21 +0100
Subject: [PATCH 06/13] improve gitignore
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index bc058d6..f824768 100644
--- a/.gitignore
+++ b/.gitignore
@@ -32,3 +32,4 @@ dist-ssr
 
 codeql-results.sarif
 codeql-db
+codeql-results-dist.sarif
From a9ec092f2509f22dab4cebef4f27c048e52e3060 Mon Sep 17 00:00:00 2001
From: Dmitrii Ostasevich
Date: Tue, 2 Dec 2025 07:03:31 +0100
Subject: [PATCH 07/13] improve escaping
---
 src/utils.ts | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)
diff --git a/src/utils.ts b/src/utils.ts
index 5baf340..db93513 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -132,12 +132,30 @@ export const isEventMessage = (message: IMessage) => {
 export const getBackgroundImage = (url: string) => {
 if (!url) return undefined;
 
- const escapedUrl = url
- .replace(/\n/g, "")
- .replace(/\r/g, "")
- .replace(/"\\/g, char => `\`${char}`);
+ // Remove control characters that could break CSS parsing
+ let sanitized = url.replace(/[\r\n\f]/g, "");
+
+ // If the string looks like an absolute URL (has a scheme), validate allowed protocols (http/https).
+ try {
+ const parsed = new URL(sanitized, window.location.href);
+ if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(sanitized)) {
+ if (!/^https?:$/i.test(parsed.protocol)) {
+ return undefined;
+ }
+ // Normalize absolute URLs
+ sanitized = parsed.href;
+ }
+ } catch {
+ // URL constructor failed (possibly an invalid or relative path). Keep original unless you want to reject.
+ }
+
+ // Escape characters that could terminate or escape the quoted url("...") context.
+ sanitized = sanitized
+ .replace(/\\/g, "\\\\") // Escape backslashes first
+ .replace(/"/g, '\\"') // Escape double quotes
+ .replace(/\)/g, "\\)"); // Escape closing parenthesis
 
- return `url("${escapedUrl}")`;
+ return `url("${sanitized}")`;
 };
 
 export const getRandomId = (prefix = "") => {
From 34880ee386f8c8ecf8fed9f960246f8566fb005d Mon Sep 17 00:00:00 2001
From: Dmitrii Ostasevich <90881+kwinto@users.noreply.github.com>
Date: Tue, 2 Dec 2025 14:36:59 +0100
Subject: [PATCH 08/13] Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 package.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 25d0152..65c30b5 100644
--- a/package.json
+++ b/package.json
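Review bot: The scheme allow-list in the new `getBackgroundImage` body is gated on `/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(sanitized)`, but `sanitized` has only had CR/LF/FF removed, so an input with leading whitespace or an embedded tab before the colon fails the regex and skips the `https?:` check entirely, while URL parsing (both `new URL()` and the browser resolving the emitted `url("…")`) strips leading/trailing spaces and internal tabs and newlines before reading the scheme — the string can therefore still resolve to a non-http(s) scheme that the guard was meant to reject. Normalise before testing, e.g. `let sanitized = url.replace(/[\r\n\f\t]/g, "").trim();`, so the gate and the parser see the same string. The same gap applies to the rewritten block in the PATCH 10/13 hunk below, which keeps this regex as the gate and drops the base-URL fallback; the intermediate PATCH 09/13 hunk avoids it only by checking every input, which that later hunk reverts.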
@@ -23,8 +23,7 @@
 "test:web-ui": "vitest --ui",
 "test:watch": "vitest",
 "codeql:scan": "rm -rf node_modules && npm ci --omit=dev && codeql database create --overwrite codeql-db --language=typescript-javascript --source-root=. --codescanning-config=codeql-config.yml && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results.sarif --threads=0",
- "codeql:scan:dist": "npm ci && npm run build && rm -rf node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0",
- "postbuild:secure": "node scripts/postbuild-secure-patch.mjs"
+ "codeql:scan:dist": "npm ci && npm run build && rm -rf node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0"
 },
 "devDependencies": {
 "@cognigy/socket-client": "5.0.0-beta.20",
From ce9e87ab67480ceb178f7fcc668f0fb715fbb358 Mon Sep 17 00:00:00 2001
From: Dmitrii Ostasevich <90881+kwinto@users.noreply.github.com>
Date: Tue, 2 Dec 2025 16:10:21 +0100
Subject: [PATCH 09/13] Update src/utils.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/utils.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/utils.ts b/src/utils.ts
index db93513..d558934 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -138,7 +138,7 @@ export const getBackgroundImage = (url: string) => {
 // If the string looks like an absolute URL (has a scheme), validate allowed protocols (http/https).
 try {
 const parsed = new URL(sanitized, window.location.href);
- if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(sanitized)) {
+ if (parsed.protocol) {
 if (!/^https?:$/i.test(parsed.protocol)) {
 return undefined;
 }
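Review bot: Dropping the `postbuild:secure` entry leaves `scripts/postbuild-secure-patch.mjs`, which PATCH 02 in this series adds, with no script referencing it, and nothing in this hunk removes the file or replaces the step. If that step was meant to run after `npm run build`, it now never runs and nobody is told; if it is obsolete, the file should go in the same commit so the repository does not carry an unused post-build hook, unless that happens later in the series. A one-line note in the commit message saying which of the two applies would spare the next reader the guess.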
From 5be3baabfa0eb334880e52e07f0efa7bcea18c84 Mon Sep 17 00:00:00 2001
From: Dmitrii Ostasevich <90881+kwinto@users.noreply.github.com>
Date: Tue, 2 Dec 2025 16:10:47 +0100
Subject: [PATCH 10/13] Update src/utils.ts
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 src/utils.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/utils.ts b/src/utils.ts
index d558934..09f76c6 100644
--- a/src/utils.ts
+++ b/src/utils.ts
@@ -136,17 +136,18 @@ export const getBackgroundImage = (url: string) => {
 let sanitized = url.replace(/[\r\n\f]/g, "");
 
 // If the string looks like an absolute URL (has a scheme), validate allowed protocols (http/https).
- try {
- const parsed = new URL(sanitized, window.location.href);
- if (parsed.protocol) {
+ if (/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(sanitized)) {
+ try {
+ const parsed = new URL(sanitized);
 if (!/^https?:$/i.test(parsed.protocol)) {
 return undefined;
 }
 // Normalize absolute URLs
 sanitized = parsed.href;
+ } catch {
+ // URL constructor failed (invalid absolute URL). Reject.
+ return undefined;
+ }
- } catch {
- // URL constructor failed (possibly an invalid or relative path). Keep original unless you want to reject.
 }
 
 // Escape characters that could terminate or escape the quoted url("...") context.
From f604f0c27dc7fddeffe26125d7c8791de4434f76 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 2 Dec 2025 15:11:38 +0000
Subject: [PATCH 11/13] Initial plan
From a34a6aac3fd57a2654ee6d49c11265c972303d2f Mon Sep 17 00:00:00 2001
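Review bot: The contract of `getBackgroundImage` has become non-trivial and is undocumented: after this hunk it returns `undefined` for empty input, for absolute URLs whose protocol is not http(s), and for absolute URLs that `new URL` cannot parse, while scheme-less input is passed through with only the CSS-string escaping, and a caller cannot tell "rejected" from "empty". The function's signature line is outside this hunk, so the JSDoc belongs there; it should list those four outcomes and say that the return value is meant to be dropped straight into a `background-image` declaration. Minor: the `i` flag on `/^https?:$/i` appears redundant, since `URL.prototype.protocol` is already lower-cased by the parser, and removing it avoids suggesting that a mixed-case scheme could reach this point.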
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 2 Dec 2025 15:14:52 +0000 Subject: [PATCH 12/13] Replace rm -rf with cross-platform Node.js script Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com> --- package.json | 4 ++-- scripts/clean.mjs | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 scripts/clean.mjs diff --git a/package.json b/package.json index 65c30b5..418389c 100644 --- a/package.json +++ b/package.json @@ -22,8 +22,8 @@ "test": "vitest run", "test:web-ui": "vitest --ui", "test:watch": "vitest", - "codeql:scan": "rm -rf node_modules && npm ci --omit=dev && codeql database create --overwrite codeql-db --language=typescript-javascript --source-root=. --codescanning-config=codeql-config.yml && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results.sarif --threads=0", - "codeql:scan:dist": "npm ci && npm run build && rm -rf node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0" + "codeql:scan": "node scripts/clean.mjs node_modules && npm ci --omit=dev && codeql database create --overwrite codeql-db --language=typescript-javascript --source-root=. --codescanning-config=codeql-config.yml && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results.sarif --threads=0", + "codeql:scan:dist": "npm ci && npm run build && node scripts/clean.mjs node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0" }, "devDependencies": { "@cognigy/socket-client": "5.0.0-beta.20", 
diff --git a/scripts/clean.mjs b/scripts/clean.mjs
new file mode 100644
index 0000000..b019a6e
--- /dev/null
+++ b/scripts/clean.mjs
@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+import { rm } from 'node:fs/promises';
+import { resolve } from 'node:path';
+
+const paths = process.argv.slice(2);
+
+if (paths.length === 0) {
+ console.error('Usage: node clean.mjs [path2] ...');
+ process.exit(1);
+}
+
+for (const path of paths) {
+ const resolvedPath = resolve(path);
+ try {
+ await rm(resolvedPath, { recursive: true, force: true });
+ console.log(`Removed: ${resolvedPath}`);
+ } catch (error) {
+ console.error(`Failed to remove ${resolvedPath}:`, error.message);
+ process.exit(1);
+ }
+}
From 89a08afd564866af3d5c57f34b7d8cc4279acdd0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 2 Dec 2025 15:24:33 +0000
Subject: [PATCH 13/13] Replace custom clean script with rimraf package
Co-authored-by: kwinto <90881+kwinto@users.noreply.github.com>
---
 package-lock.json | 82 +++++++++++++++++++++++++++++++++++++++++++++++
 package.json | 5 +--
 scripts/clean.mjs | 21 ------------
 3 files changed, 85 insertions(+), 23 deletions(-)
 delete mode 100644 scripts/clean.mjs
diff --git a/package-lock.json b/package-lock.json
index 23f16f0..85a0ca0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -43,6 +43,7 @@
 "prettier": "3.6.2",
 "react": "^18.3.1",
 "react-dom": "^18.3.1",
+ "rimraf": "^6.1.2",
 "typescript": "^5.9.3",
 "vite": "^7.1.11",
 "vite-plugin-css-injected-by-js": "^3.3.0",
@@ -10534,6 +10535,87 @@ "dev": true, "license": "MIT" }, + "node_modules/rimraf": { + "version": "6.1.2", + "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-6.1.2.tgz", + "integrity": "sha512-cFCkPslJv7BAXJsYlK1dZsbP8/ZNLkCAQ0bi1hf5EKX2QHegmDFEFA6QhuYJlk7UDdc+02JjO80YSOrWPpw06g==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "glob": "^13.0.0", + "package-json-from-dist": "^1.0.1" + }, + "bin": { + "rimraf": "dist/esm/bin.mjs" + }, + "engines": { + "node": "20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/rimraf/node_modules/glob": { + "version": "13.0.0", + "resolved": "https://registry.npmjs.org/glob/-/glob-13.0.0.tgz", + "integrity": "sha512-tvZgpqk6fz4BaNZ66ZsRaZnbHvP/jG3uKJvAZOwEVUL4RTA5nJeeLYfyN9/VA8NX/V3IBG+hkeuGpKjvELkVhA==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "minimatch": "^10.1.1", + "minipass": "^7.1.2", + "path-scurry": "^2.0.0" + }, + "engines": { + "node": "20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/rimraf/node_modules/lru-cache": { + "version": "11.2.4", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.2.4.tgz", + "integrity": "sha512-B5Y16Jr9LB9dHVkh6ZevG+vAbOsNOYCX+sXvFWFu7B3Iz5mijW3zdbMyhsh8ANd2mSWBYdJgnqi+mL7/LrOPYg==", + "dev": true, + "license": "BlueOak-1.0.0", + "engines": { + "node": "20 || >=22" + } + }, + "node_modules/rimraf/node_modules/minimatch": { + "version": "10.1.1", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.1.1.tgz", + "integrity": "sha512-enIvLvRAFZYXJzkCYG5RKmPfrFArdLv+R+lbQ53BmIMLIry74bjKzX6iHAm8WYamJkhSSEabrWN5D97XnKObjQ==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "@isaacs/brace-expansion": "^5.0.0" + }, + "engines": { + "node": "20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, + "node_modules/rimraf/node_modules/path-scurry": { + "version": 
"2.0.1", + "resolved": "https://registry.npmjs.org/path-scurry/-/path-scurry-2.0.1.tgz", + "integrity": "sha512-oWyT4gICAu+kaA7QWk/jvCHWarMKNs6pXOGWKDTr7cw4IGcUbW+PeTfbaQiLGheFRpjo6O9J0PmyMfQPjH71oA==", + "dev": true, + "license": "BlueOak-1.0.0", + "dependencies": { + "lru-cache": "^11.0.0", + "minipass": "^7.1.2" + }, + "engines": { + "node": "20 || >=22" + }, + "funding": { + "url": "https://github.com/sponsors/isaacs" + } + }, "node_modules/rollup": { "version": "4.52.5", "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.52.5.tgz", diff --git a/package.json b/package.json index 418389c..68977a1 100644 --- a/package.json +++ b/package.json 
@@ -22,8 +22,8 @@
 "test": "vitest run",
 "test:web-ui": "vitest --ui",
 "test:watch": "vitest",
- "codeql:scan": "node scripts/clean.mjs node_modules && npm ci --omit=dev && codeql database create --overwrite codeql-db --language=typescript-javascript --source-root=. --codescanning-config=codeql-config.yml && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results.sarif --threads=0",
- "codeql:scan:dist": "npm ci && npm run build && node scripts/clean.mjs node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0"
+ "codeql:scan": "rimraf node_modules && npm ci --omit=dev && codeql database create --overwrite codeql-db --language=typescript-javascript --source-root=. --codescanning-config=codeql-config.yml && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results.sarif --threads=0",
+ "codeql:scan:dist": "npm ci && npm run build && rimraf node_modules && codeql database create --overwrite codeql-db --language=javascript --source-root=dist && codeql database analyze codeql-db codeql/javascript-queries --format=sarifv2.1.0 --output=codeql-results-dist.sarif --threads=0"
 },
 "devDependencies": {
 "@cognigy/socket-client": "5.0.0-beta.20",
@@ -44,6 +44,7 @@
 "prettier": "3.6.2",
 "react": "^18.3.1",
 "react-dom": "^18.3.1",
+ "rimraf": "^6.1.2",
 "typescript": "^5.9.3",
 "vite": "^7.1.11",
 "vite-plugin-css-injected-by-js": "^3.3.0",
diff --git a/scripts/clean.mjs b/scripts/clean.mjs
deleted file mode 100644
index b019a6e..0000000
--- a/scripts/clean.mjs
+++ /dev/null
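Review bot: `codeql:scan` now opens with `rimraf node_modules` but continues with `npm ci --omit=dev`, which installs a tree without devDependencies, and `rimraf` is added as a devDependency in the second hunk of this section, so the script works once after a full install and then fails on the next invocation because `node_modules/.bin/rimraf` no longer exists; the self-contained `scripts/clean.mjs` that PATCH 12 introduced and this commit deletes did not have that dependency. Both scripts also leave the working tree without `vite`, `vitest` and the other dev tools until someone runs `npm ci` again, which the commit message does not mention. The smallest fix is to append `&& npm ci` to both `codeql:scan` and `codeql:scan:dist` so the dev tree is restored after a successful scan, or to keep the Node clean script; either way a short comment in the README or the commit message should state that these scripts rebuild `node_modules`.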
@@ -1,21 +0,0 @@
-#!/usr/bin/env node
-import { rm } from 'node:fs/promises';
-import { resolve } from 'node:path';
-
-const paths = process.argv.slice(2);
-
-if (paths.length === 0) {
- console.error('Usage: node clean.mjs [path2] ...');
- process.exit(1);
-}
-
-for (const path of paths) {
- const resolvedPath = resolve(path);
- try {
- await rm(resolvedPath, { recursive: true, force: true });
- console.log(`Removed: ${resolvedPath}`);
- } catch (error) {
- console.error(`Failed to remove ${resolvedPath}:`, error.message);
- process.exit(1);
- }
-}