Updating staging #1041

Merged
merged 17 commits into from
Dec 7, 2023

Conversation

HarikaMunipalle
Contributor

No description provided.

.then(function (posts) {
totalResults = posts.web.total;
document.getElementById("search-params").innerHTML =
urlParams.get("query");

Check failure: Code scanning / CodeQL
Client-side cross-site scripting (High): Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to ensure that any user input written to the webpage is properly sanitized or encoded to prevent XSS attacks. The best way to fix this issue is to use a library that provides functions for safely encoding user input before inserting it into the DOM. One such library is DOMPurify, which can sanitize HTML and prevent XSS attacks.

We will:

  1. Import the DOMPurify library.
  2. Use DOMPurify to sanitize the user input before writing it to the DOM.
Suggested changeset 2
_pages/payment-accuracy/assets/js/search.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/_pages/payment-accuracy/assets/js/search.js b/_pages/payment-accuracy/assets/js/search.js
--- a/_pages/payment-accuracy/assets/js/search.js
+++ b/_pages/payment-accuracy/assets/js/search.js
@@ -1 +1,3 @@
+import DOMPurify from 'dompurify';
+
 document.addEventListener("DOMContentLoaded", function () {
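Review bot: confirm that search.js goes through a bundler before this import lands. `import DOMPurify from 'dompurify'` is a bare module specifier, which a browser will not resolve when the file is served as a plain script from `_pages/payment-accuracy/assets/js/`. If there is no build step, load DOMPurify from a script tag (it exposes a global) or, better, avoid the dependency by not writing the query into innerHTML at all.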
@@ -46,5 +48,5 @@
                 document.getElementById("search-params").innerHTML =
-                    urlParams.get("query");
+                    DOMPurify.sanitize(urlParams.get("query"));
                 document.getElementById("search-keyword").innerHTML =
-                    urlParams.get("query");
+                    DOMPurify.sanitize(urlParams.get("query"));
                 document.getElementById("results-count").innerHTML = totalResults;
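Review bot: DOMPurify.sanitize is the wrong tool for these two sinks. A search term is meant to be shown as text, and sanitize() deliberately preserves benign markup, so `?query=<b>foo</b>` still renders bold after this change. Assign with textContent instead, for example `document.getElementById("search-params").textContent = urlParams.get("query");`, which needs no new dependency and removes the XSS sink entirely instead of filtering it. The `results-count` line can stay as it is only because `totalResults` is a number from `posts.web.total`, not a URL parameter.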
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -14,3 +14,4 @@
     "react-redux": "^7.2.9",
-    "striptags": "^3.2.0"
+    "striptags": "^3.2.0",
+    "dompurify": "^3.2.3"
   },
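Review bot: the changeset touches package.json only, so if the repository commits a lock file it is not updated alongside `"dompurify": "^3.2.3"`, and `npm ci` refuses a package.json that disagrees with its lock file; regenerate the lock file in the same commit. Also check that this dependencies block is what the browser bundle is built from: adding a package here does nothing for a static asset under `_pages/` unless a build step consumes it.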
@@ -24,3 +25,3 @@
     "cross-spawn": "^6.0.6",
-    "trim":">=0.0.3",
+    "trim": ">=0.0.3",
     "tough-cookie": ">=4.1.4",
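Review bot: the second hunk (`"trim":">=0.0.3"` to `"trim": ">=0.0.3"`) is a whitespace-only change unrelated to the XSS fix. Drop it from the autofix so the diff contains only the dependency it needs; that also keeps the `cross-spawn`, `trim` and `tough-cookie` version-range lines out of the blame for this change.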
EOF
This fix introduces these dependencies:
Package: dompurify (npm), version 3.2.3, security advisories: none
Unable to commit as this autofix suggestion is now outdated
document.getElementById("search-params").innerHTML =
urlParams.get("query");
document.getElementById("search-keyword").innerHTML =
urlParams.get("query");

Check failure: Code scanning / CodeQL
Client-side cross-site scripting (High): Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to ensure that any user-provided data is properly sanitized or encoded before being inserted into the DOM. The best way to fix this issue is to use a library like DOMPurify to sanitize the user input. This will remove any potentially malicious content from the input before it is inserted into the DOM.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the relevant JavaScript file.
  3. Use DOMPurify.sanitize to sanitize the user input before assigning it to the innerHTML property.
Suggested changeset 2
_pages/payment-accuracy/assets/js/search.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/_pages/payment-accuracy/assets/js/search.js b/_pages/payment-accuracy/assets/js/search.js
--- a/_pages/payment-accuracy/assets/js/search.js
+++ b/_pages/payment-accuracy/assets/js/search.js
@@ -1 +1,3 @@
+import DOMPurify from 'dompurify';
+
 document.addEventListener("DOMContentLoaded", function () {
@@ -46,5 +48,5 @@
                 document.getElementById("search-params").innerHTML =
-                    urlParams.get("query");
+                    DOMPurify.sanitize(urlParams.get("query"));
                 document.getElementById("search-keyword").innerHTML =
-                    urlParams.get("query");
+                    DOMPurify.sanitize(urlParams.get("query"));
                 document.getElementById("results-count").innerHTML = totalResults;
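Review bot: this is the same edit to lines 46-50 that the autofix for the previous alert already proposes; the two CodeQL alerts are two sinks in one pair of statements, so one changeset should close both. Applying this patch after that one fails, because its `-` lines (`urlParams.get("query");`) are no longer in the file and git apply rejects the patch as a whole. Whichever copy is kept, prefer `textContent` over `innerHTML` for a search term that should be displayed verbatim.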
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -14,3 +14,4 @@
     "react-redux": "^7.2.9",
-    "striptags": "^3.2.0"
+    "striptags": "^3.2.0",
+    "dompurify": "^3.2.3"
   },
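Review bot: duplicate of the package.json change attached to the previous alert. `"dompurify": "^3.2.3"` only needs adding once, and a second application of this hunk fails because its `-` line, `"striptags": "^3.2.0"` without the trailing comma, will already have been replaced.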
@@ -24,3 +25,3 @@
     "cross-spawn": "^6.0.6",
-    "trim":">=0.0.3",
+    "trim": ">=0.0.3",
     "tough-cookie": ">=4.1.4",
EOF
This fix introduces these dependencies:
Package: dompurify (npm), version 3.2.3, security advisories: none
Unable to commit as this autofix suggestion is now outdated
if (totalResults > (page * resultsPerPage)) {
pagerLinks += '<a href="' + getLinkToPage(parseInt(page) + 1) + '" aria-label="Next page">Next >></a>';
}
pager.innerHTML = pagerLinks;

Check failure: Code scanning / CodeQL
Client-side cross-site scripting (High): Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix AI about 2 months ago

To fix the problem, we need to ensure that any user-provided input is properly sanitized or escaped before being used in HTML content. In this case, we should escape the page parameter before inserting it into the DOM.

The best way to fix this issue is to use a library like DOMPurify to sanitize the user input. This library is well-known and widely used for preventing XSS attacks.

We will need to:

  1. Import the DOMPurify library.
  2. Use DOMPurify to sanitize the page parameter before using it in the HTML content.
Suggested changeset 2
_pages/payment-accuracy/assets/js/search.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/_pages/payment-accuracy/assets/js/search.js b/_pages/payment-accuracy/assets/js/search.js
--- a/_pages/payment-accuracy/assets/js/search.js
+++ b/_pages/payment-accuracy/assets/js/search.js
@@ -1 +1,3 @@
+import DOMPurify from 'dompurify';
+
 document.addEventListener("DOMContentLoaded", function () {
@@ -107,3 +109,3 @@
             '<span class="margin-2">Page ' +
-            page +
+            DOMPurify.sanitize(page) +
             " of " +
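Review bot: `page` is a page number, not markup, so validate it instead of sanitizing it. `DOMPurify.sanitize(page)` still lets harmless HTML through, so `?page=<i>1</i>` renders in italics inside `Page ... of`, and the same raw value feeds `getLinkToPage(parseInt(page) + 1)` and `pager.innerHTML = pagerLinks` a few lines further down. Parse it once (`const pageNum = parseInt(page, 10)`), reject anything that is not a positive integer, and build the label and the links from the number only; that removes the need for DOMPurify on this path.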
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -14,3 +14,4 @@
     "react-redux": "^7.2.9",
-    "striptags": "^3.2.0"
+    "striptags": "^3.2.0",
+    "dompurify": "^3.2.3"
   },
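Review bot: third copy of the same package.json hunk. The dependency is added once, so the three autofixes should be merged into a single changeset; if the query is written with textContent and the page number is validated as an integer, the dependency is not needed at all and this file can stay untouched.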
@@ -24,3 +25,3 @@
     "cross-spawn": "^6.0.6",
-    "trim":">=0.0.3",
+    "trim": ">=0.0.3",
     "tough-cookie": ">=4.1.4",
EOF
This fix introduces these dependencies:
Package: dompurify (npm), version 3.2.3, security advisories: none
Unable to commit as this autofix suggestion is now outdated
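The three Copilot Autofix comments above all reach for DOMPurify on values that are never meant to be rendered as HTML: the `?query=` parameter echoed into `search-params` and `search-keyword`, and the `?page=` parameter concatenated into the pager label. The block below is an added example, not code from the PR, the project or Copilot. It reworks those sinks with output encoding for the query and integer validation for the page number, so no sanitizer dependency is needed. The function names (`escapeHtml`, `readSearchQuery`, `readPage`, `linkToPage`, `renderPager`, `demo`), the sample URL and the string-returning shape are assumptions made so the result can be checked without a browser; only the element ids and the "Page X of Y" label come from the PR.

```javascript
// Added example, not code from the PR or the project. It reworks the three
// sinks CodeQL flagged in search.js (the two query echoes and the pager
// label) so that attacker-controlled URL parameters can never be read as
// markup. Function names, the sample URL and the result shape are assumed
// for illustration; only the ids and the "Page X of Y" label come from the PR.

// Entity-encode a value for an HTML text node or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// ?query= is displayed, never rendered: keep it as text. Absent parameter -> "".
function readSearchQuery(url) {
  const q = new URL(url).searchParams.get("query");
  return q === null ? "" : q;
}

// The markup search.js writes via innerHTML, with the query encoded. In the
// browser, `el.textContent = query` is the simpler equivalent; the string
// form here exists so the result can be checked without a DOM.
function renderSearchHeader(query, totalResults) {
  const count = Number.isFinite(Number(totalResults)) ? Number(totalResults) : 0;
  return (
    `<span id="search-params">${escapeHtml(query)}</span>` +
    `<span id="search-keyword">${escapeHtml(query)}</span>` +
    `<span id="results-count">${count}</span>`
  );
}

// ?page= is a positive integer or nothing. Validate rather than sanitize:
// anything else becomes page 1, so only digits ever reach the pager markup.
function readPage(url) {
  const raw = new URL(url).searchParams.get("page");
  if (raw === null || !/^[0-9]+$/.test(raw)) return 1;
  const n = Number.parseInt(raw, 10);
  return n >= 1 ? n : 1;
}

// Rebuild the current URL with a different page number. URLSearchParams does
// the percent-encoding, so a hostile query value cannot break out of the href.
function linkToPage(url, page) {
  const u = new URL(url);
  u.searchParams.set("page", String(page));
  return u.pathname + u.search;
}

function renderPager(url, totalResults, resultsPerPage) {
  const page = readPage(url);
  const totalPages = Math.max(1, Math.ceil(totalResults / resultsPerPage));
  let links = `<span class="margin-2">Page ${page} of ${totalPages}</span>`;
  if (page > 1) {
    links += `<a href="${escapeHtml(linkToPage(url, page - 1))}" aria-label="Previous page">&lt;&lt; Previous</a>`;
  }
  if (totalResults > page * resultsPerPage) {
    links += `<a href="${escapeHtml(linkToPage(url, page + 1))}" aria-label="Next page">Next &gt;&gt;</a>`;
  }
  return links;
}

// Constructed sample: the kind of link a phishing mail would carry. The query
// holds an onerror payload and the page parameter is not a number at all.
const ATTACK_URL =
  "https://example.test/payment-accuracy/search/?query=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&page=1%3Cscript%3E";

// Run everything on the sample and return the pieces a test can assert on.
function demo(url = ATTACK_URL, totalResults = 50, resultsPerPage = 10) {
  const query = readSearchQuery(url);
  return {
    query,
    header: renderSearchHeader(query, totalResults),
    page: readPage(url),
    pager: renderPager(url, totalResults, resultsPerPage),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The query is encoded at the point it becomes HTML and the page number is reduced to an integer before it is used anywhere, so the `<img ... onerror>` payload is shown as literal text and `1<script>` collapses to page 1. Neither path can produce a tag, which is the property a sanitizer cannot guarantee while still passing "harmless" markup through.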
@HarikaMunipalle HarikaMunipalle merged commit 67e080f into staging Dec 7, 2023
2 of 3 checks passed