Release 0.5.0 alpha2 to master branch #14
Conversation
…enhance documentation
…e documentations
| - name: Set up AWS CLI | ||
| uses: aws-actions/configure-aws-credentials@v1 | ||
| uses: aws-actions/configure-aws-credentials@v4 |
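Review bot: the v1 to v4 bump is right, but `uses: aws-actions/configure-aws-credentials@v4` is still a mutable tag, which is exactly what the CodeQL warning is about; pin to the full 40-character commit SHA of the v4 release and keep the tag as a trailing comment (`uses: aws-actions/configure-aws-credentials@<sha> # v4`) so Dependabot can still bump it.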
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| # Use Dependabot to update dependencies | ||
| - name: Enable Dependabot | ||
| uses: dependabot/fetch-metadata@v1.6.0 |
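Review bot: the step is named "Enable Dependabot", but `dependabot/fetch-metadata` does not enable anything; it reads the metadata of a pull request that Dependabot has already opened and is only useful in a workflow triggered by such a PR. Dependabot itself is turned on with a `.github/dependabot.yml` at the repository root (a `github-actions` ecosystem entry there would also keep the pinned actions in this file current). Separately, `@v1.6.0` is a tag, so it still needs a SHA pin.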
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| # Alternative: Use Renovate for more control | ||
| - name: Update dependencies with Renovate | ||
| uses: renovatebot/github-action@v39.0.5 |
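Review bot: running `renovatebot/github-action` in the same workflow as Dependabot means two bots opening update PRs for the same manifests; pick one. If Renovate stays, `@v39.0.5` is a tag and should become a SHA pin like the other steps, and the action needs a `token` input with permission to open PRs, which the visible lines do not show.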
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| runs-on: ubuntu-latest | ||
| timeout-minutes: 30 | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '18' | ||
| cache: 'npm' | ||
| - name: Install Dependencies | ||
| run: npm ci | ||
| - name: Install Playwright | ||
| run: npx playwright install --with-deps | ||
| - name: Build Application | ||
| run: npm run build | ||
| - name: Start Application | ||
| run: | | ||
| npm run start:server & | ||
| npm run start:client & | ||
| npx wait-on http://localhost:3000 http://localhost:5000/api/health | ||
| - name: Run Playwright Tests | ||
| run: npx playwright test | ||
| - name: Store Playwright Report | ||
| uses: actions/upload-artifact@v4 | ||
| if: always() | ||
| with: | ||
| name: playwright-report | ||
| path: playwright-report/ | ||
| retention-days: 14 | ||
| - name: Store Playwright Screenshots | ||
| uses: actions/upload-artifact@v4 | ||
| if: failure() | ||
| with: | ||
| name: playwright-screenshots | ||
| path: test-results/ | ||
| retention-days: 14 | ||
| - name: Publish Test Results | ||
| uses: EnricoMi/publish-unit-test-result-action@v2 | ||
| if: always() | ||
| with: | ||
| files: | | ||
| playwright-report/*.xml No newline at end of file |
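Review bot: there is no `permissions:` key at workflow or job level, so this job runs with the repository's default GITHUB_TOKEN scope; add a top-level `permissions: contents: read` and grant this job only what `EnricoMi/publish-unit-test-result-action` needs to publish a check run (`checks: write`, plus `pull-requests: write` if PR comments are wanted). Two smaller points: `playwright-report/*.xml` exists only if `playwright.config` sets a junit reporter with that `outputFile` (the default HTML reporter writes no XML), and `npx wait-on` should get a `--timeout` so a server that never comes up does not consume the whole 30-minute budget.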
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium.
| # Run Trivy vulnerability scanner | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master |
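Review bot: `aquasecurity/trivy-action@master` follows the branch head, so whatever lands on master tomorrow runs in this job with its token; pin to a release commit SHA. Also worth setting the `exit-code` and `severity` inputs so the scan fails the job on findings instead of only printing them.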
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| # Secret scanning | ||
| - name: Secret Scanning with GitLeaks | ||
| uses: gitleaks/gitleaks-action@v2 |
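Review bot: `gitleaks/gitleaks-action@v2` is a floating major tag; pin it to a SHA. Note also that v2 of this action requires a `GITLEAKS_LICENSE` secret for organization-owned repositories, so check that before relying on it in CI.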
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| # Check package.json for issues | ||
| - name: Package.json security audit | ||
| uses: lirantal/lockfile-lint-action@master |
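Review bot: the step name says "Package.json security audit" but `lirantal/lockfile-lint-action` lints the lockfile (`package-lock.json`), checking that resolved URLs use https and come from allowed hosts; rename the step and pass the `path`, `allowed-hosts` and `validate-https` inputs, none of which are shown. `@master` is a branch ref and must be replaced by a SHA.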
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| # OWASP ZAP Baseline Scan | ||
| - name: ZAP Baseline Scan | ||
| uses: zaproxy/action-baseline@v0.7.0 | ||
| uses: zaproxy/action-baseline@v0.9.0 |
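Review bot: the bump from `v0.7.0` to `v0.9.0` is still a tag, and tags can be moved or deleted, which is why CodeQL keeps flagging it; pin to the SHA that `v0.9.0` resolves to. The baseline scan also needs a `target` URL, so it must run after the application is started (as the Playwright job does) or against a deployed environment; the visible lines do not show which.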
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
| # License compliance scanning | ||
| - name: License Scanning | ||
| uses: fossas/fossa-action@main |
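Review bot: `fossas/fossa-action@main` is a branch head; pin to a SHA. The action also needs a FOSSA API key passed through its `api-key` input from a repository secret, which the visible lines do not show.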
Check warning (Code scanning / CodeQL): Unpinned tag for a non-immutable Action in workflow. Severity: Medium. Location: Uses step.
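The unpinned-action and missing-permissions warnings above all come from the same two CodeQL rules. As an added example, not part of this PR or of the CodeQL queries, here is a small Node.js script that reproduces both checks over a workflow file offline: a `uses:` ref counts as immutable only if it is a full 40-hex commit SHA, and a workflow passes the permissions check if any `permissions:` key appears at workflow or job level. The sample workflow and the placeholder SHA in it are constructed for the example.

```javascript
// Added example (not part of the PR): a minimal linter reproducing two CodeQL
// workflow checks seen above. Plain line matching, no YAML library, runs offline.
const FULL_SHA = /^[0-9a-f]{40}$/i;
// Matches `- uses: owner/repo@ref` or `uses: owner/repo/path@ref`, optionally quoted.
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^@\s'"#]+)(?:@([^\s'"#]+))?/;

// GitHub resolves tags and branches at run time; only a full commit SHA is immutable.
function isImmutableRef(ref) {
  return FULL_SHA.test(ref || '');
}

function lintWorkflow(yamlText) {
  const findings = [];
  let hasPermissions = false;
  yamlText.split(/\r?\n/).forEach((line, idx) => {
    // Any `permissions:` key, at workflow or job level, satisfies this check;
    // CodeQL flags the workflow only when neither scope declares one.
    if (/^\s*permissions:/.test(line)) hasPermissions = true;
    const m = USES_LINE.exec(line);
    if (!m) return;
    const [, action, ref] = m;
    // Local actions (./path) and docker:// images are out of scope for this check.
    if (action.startsWith('./') || action.startsWith('docker://')) return;
    if (!isImmutableRef(ref)) {
      findings.push({
        rule: 'unpinned-action',
        line: idx + 1,
        action,
        ref: ref || '',
        message: `Unpinned tag for a non-immutable Action: ${action}@${ref || ''}`,
      });
    }
  });
  if (!hasPermissions) {
    findings.push({
      rule: 'missing-permissions',
      line: 1,
      action: '',
      ref: '',
      message: 'Workflow does not contain permissions',
    });
  }
  return findings;
}

// Constructed sample in the shape of the PR's workflows. The 40-hex value is a
// placeholder, not a real commit of actions/setup-node.
const SAMPLE_WORKFLOW = `
name: e2e
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
      - uses: ./.github/actions/local-step
`;

for (const f of lintWorkflow(SAMPLE_WORKFLOW)) {
  console.log(`${f.rule} (line ${f.line}): ${f.message}`);
}
```

Running it on the sample reports `actions/checkout@v4` and `aquasecurity/trivy-action@master` as unpinned, accepts the SHA-pinned `setup-node` step, skips the local action, and adds the missing-permissions finding; prepending a `permissions:` block makes that last finding disappear.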
| // Extract token from request | ||
| const token = jwtAuth.extractTokenFromRequest(req); | ||
| if (!token) { |
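Review bot: the "user-controlled bypass" alert is about branching a security decision on a value taken straight from the request: `if (!token)` handles only the missing-token case, and the visible lines do not show the present-token path. Make sure that path verifies the signature, `exp`, issuer and audience with a fixed algorithm before anything else runs and fails closed on any verification error; the presence check alone proves nothing about the caller.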
Check failure (Code scanning / CodeQL): User-controlled bypass of security check. Severity: High. Path: action, user-provided value.
| // Send welcome email | ||
| emailService.sendWelcomeEmail(user) | ||
| .catch(error => logger.error('Error sending welcome email', { error, userId: user.id })); |
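Review bot: the alert traces `user` back to `userWithoutPassword`, so CodeQL treats every property of it, including `user.id`, as sensitive. Only the id reaches the log here; decide whether an internal id counts as personal data under your policy. If it does, log a per-request correlation id instead of simply dropping the field, because an error log with no key to the failing user is hard to act on. Either way keep the error's `message`, `code` and `stack`; a mail-transport failure gives you little else to diagnose.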
Check failure (Code scanning / CodeQL): Clear-text logging of sensitive information. Severity: High. Source: an access to userWithoutPassword.
Copilot Autofix (AI, 10 months ago):
To fix the problem, we should avoid logging sensitive user information. Instead of logging the entire userId, we can log a generic message or a hashed version of the userId to maintain some level of traceability without exposing the actual identifier. This way, we can still have useful logs for debugging without compromising user privacy.
- Replace the logging statements that include `{ error, userId: user.id }` with a more generic message or a hashed version of the `userId`.
- Update the relevant lines in `server/routes/auth.js`.
| @@ -126,3 +126,3 @@ | ||
| emailService.sendWelcomeEmail(user) | ||
| .catch(error => logger.error('Error sending welcome email', { error, userId: user.id })); | ||
| .catch(error => logger.error('Error sending welcome email', { error: error.message })); | ||
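Review bot: replacing `{ error, userId: user.id }` with `{ error: error.message }` throws away the stack trace and the error's `code`, which is usually all a mail-transport failure gives you to diagnose it; if `userId` has to go, remove only that field and log `{ error: { message: error.message, code: error.code, stack: error.stack } }` (or a serializer that does the same) rather than the bare message.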
| @@ -130,3 +130,3 @@ | ||
| emailService.sendVerificationEmail(user) | ||
| .catch(error => logger.error('Error sending verification email', { error, userId: user.id })); | ||
| .catch(error => logger.error('Error sending verification email', { error: error.message })); | ||
| // Send email verification | ||
| emailService.sendVerificationEmail(user) | ||
| .catch(error => logger.error('Error sending verification email', { error, userId: user.id })); |
Check failure (Code scanning / CodeQL): Clear-text logging of sensitive information. Severity: High. Source: an access to userWithoutPassword.
Copilot Autofix (AI, 10 months ago):
To fix the problem, we should avoid logging sensitive information such as user identifiers. Instead, we can log a generic error message without including sensitive details. This ensures that sensitive data is not exposed in the logs while still providing useful information for debugging purposes.
- Replace the logging statements that include sensitive information with more generic messages.
- Specifically, update the logging statements in the `catch` blocks to exclude the `userId` field.
- No additional methods, imports, or definitions are needed to implement these changes.
| @@ -126,3 +126,3 @@ | ||
| emailService.sendWelcomeEmail(user) | ||
| .catch(error => logger.error('Error sending welcome email', { error, userId: user.id })); | ||
| .catch(error => logger.error('Error sending welcome email', { error })); | ||
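Review bot: this variant keeps `{ error }`, which is the better of the two autofixes, but with `userId` gone there is no key left to match this log line to the registration that failed; if `user.id` must not be logged, add a request correlation id generated at the route entry so the failure can still be traced.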
| @@ -130,3 +130,3 @@ | ||
| emailService.sendVerificationEmail(user) | ||
| .catch(error => logger.error('Error sending verification email', { error, userId: user.id })); | ||
| .catch(error => logger.error('Error sending verification email', { error })); | ||
| if (sendInvite) { | ||
| // Send welcome email | ||
| emailService.sendWelcomeEmail(user) | ||
| .catch(error => logger.error('Error sending welcome email', { error, userId: user.id })); |
Check failure (Code scanning / CodeQL): Clear-text logging of sensitive information. Severity: High. Source: an access to userWithoutPassword.
| html | ||
| }); | ||
| } catch (error) { | ||
| logger.error('Error sending password reset email', { error, email }); |
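Review bot: the alert's path runs through `passwordResetToken` and `passwordResetExpires`, not through `email`, so look at what the `error` object carries: the `html` body passed a few lines up contains the reset link, and mail-client errors commonly attach the message they failed to send. Removing `email` alone, as the autofix below does, would not close that path; log `error.message` and `error.code`, never the raw transport error, and treat the recipient address as personal data as well.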
Check failure (Code scanning / CodeQL): Clear-text logging of sensitive information. Severity: High. Source: an access to passwordResetToken; this logs sensitive data returned by an access to passwordResetExpires.
Copilot Autofix (AI, 10 months ago):
To fix the problem, we should avoid logging sensitive information such as email addresses directly. Instead, we can log a generic message or use a placeholder to indicate the presence of sensitive data without exposing it. This can be achieved by removing the email parameter from the logger.error call and replacing it with a generic message.
- Update the `logger.error` call in the `sendPasswordResetEmail` function to remove the `email` parameter.
- Ensure that the log message still provides enough context to understand the error without exposing sensitive information.
| @@ -329,3 +329,3 @@ | ||
| } catch (error) { | ||
| logger.error('Error sending password reset email', { error, email }); | ||
| logger.error('Error sending password reset email', { error }); | ||
| return false; |
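Review bot: dropping `email` addresses the recipient-address leak but keeps `{ error }`, the object through which CodeQL traces the `passwordResetToken` flow; reduce it to `error.message` and `error.code` here, and log a masked or hashed recipient so the failure can still be tied to a user.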
| } else { | ||
| // Otherwise create a new secret | ||
| const secretId = await vaultService.storeSecret(secretType, serviceName, token); | ||
| this.secretIdMapping[serviceName] = secretId; |
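Review bot: `this.secretIdMapping[serviceName] = secretId` with `serviceName` from the request lets a caller pick keys such as `__proto__`, `constructor` or `hasOwnProperty`; a later `secretIdMapping[serviceName]` lookup for those names returns inherited functions, so the "secret already exists" branch above takes the wrong path, and a write under `__proto__` is silently lost. Store the mapping in a `Map` (or an object created with `Object.create(null)`) and validate `serviceName` against an allowlist pattern before it reaches `vaultService.storeSecret` or this assignment.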
Check failure (Code scanning / CodeQL): Remote property injection. Severity: High. Source: user-provided value.
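What the remote property injection alert means in practice, as an added example that is not the project's code: a plain object keyed by `serviceName` shares its namespace with `Object.prototype`, so names such as `constructor` look like existing entries and writes under `__proto__` vanish. The `UnsafeTokenStore` and `SafeTokenStore` classes and the `SERVICE_NAME` allowlist are hypothetical stand-ins for the `secretIdMapping` shown above.

```javascript
// Added example (not the project's code): the property-injection alert above
// in miniature. Names below are hypothetical stand-ins for secretIdMapping.

// Vulnerable shape: a plain object keyed directly by request-controlled input.
class UnsafeTokenStore {
  constructor() { this.secretIdMapping = {}; }
  hasSecret(serviceName) { return Boolean(this.secretIdMapping[serviceName]); }
  setSecretId(serviceName, secretId) { this.secretIdMapping[serviceName] = secretId; }
  getSecretId(serviceName) { return this.secretIdMapping[serviceName]; }
}

// Hardened shape: validate the key once at the boundary and keep state in a Map,
// whose keys never collide with Object.prototype. The pattern is an assumed allowlist.
const SERVICE_NAME = /^[a-z][a-z0-9_-]{0,63}$/;

function assertServiceName(name) {
  if (typeof name !== 'string' || !SERVICE_NAME.test(name)) {
    throw new RangeError(`invalid service name: ${JSON.stringify(name)}`);
  }
  return name;
}

class SafeTokenStore {
  constructor() { this.secretIdMapping = new Map(); }
  hasSecret(serviceName) { return this.secretIdMapping.has(assertServiceName(serviceName)); }
  setSecretId(serviceName, secretId) { this.secretIdMapping.set(assertServiceName(serviceName), secretId); }
  getSecretId(serviceName) { return this.secretIdMapping.get(assertServiceName(serviceName)); }
}

// Run both stores against constructed hostile inputs and report what happened.
function demo() {
  const unsafe = new UnsafeTokenStore();
  const safe = new SafeTokenStore();
  const r = {};
  // 1. Never stored, yet "exists": `constructor` resolves to Object.prototype.constructor,
  //    so the "secret already exists" branch in the original code would be taken.
  r.unsafeGhostEntry = unsafe.hasSecret('constructor');
  // 2. A write under `__proto__` with a string value is silently discarded; the read
  //    then returns Object.prototype instead of the id that was "stored".
  unsafe.setSecretId('__proto__', 'sec-001');
  r.unsafeProtoLost = unsafe.getSecretId('__proto__') !== 'sec-001';
  // 3. Map keys do not collide with inherited properties...
  r.safeGhostEntry = safe.hasSecret('constructor');
  // 4. ...and names outside the allowlist are rejected before touching storage.
  try {
    safe.setSecretId('__proto__', 'sec-001');
    r.safeProtoRejected = false;
  } catch (e) {
    r.safeProtoRejected = e instanceof RangeError;
  }
  // 5. Legitimate names round-trip as expected.
  safe.setSecretId('github', 'sec-002');
  r.safeLookup = safe.getSecretId('github');
  return r;
}

console.log(demo());
```

The allowlist does the real work at the request boundary; the `Map` is defence in depth so that even a name that slips through cannot alias an inherited property.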
| return true; | ||
| } catch (error) { | ||
| logger.error(`Failed to store token for ${serviceName}`, { error }); |
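Review bot: `serviceName` is interpolated into the message string, so a value containing `\n` forges a second log record; the logger already accepts a fields object, so move it there (`logger.error('Failed to store token', { error, serviceName })`) and validate `serviceName` once at the request boundary instead of sanitising at each call site.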
Check warning (Code scanning / CodeQL): Log injection. Severity: Medium. Source: user-provided value.
Copilot Autofix (AI, 10 months ago):
To fix the log injection issue, we need to sanitize the serviceName before logging it. Specifically, we should remove any newline characters from the serviceName to prevent log injection. This can be done using String.prototype.replace to ensure no line endings are present in the user input.
| @@ -173,3 +173,4 @@ | ||
| } catch (error) { | ||
| logger.error(`Failed to store token for ${serviceName}`, { error }); | ||
| const sanitizedServiceName = serviceName.replace(/\n|\r/g, ""); | ||
| logger.error(`Failed to store token for ${sanitizedServiceName}`, { error }); | ||
| throw error; |
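Review bot: stripping `\n` and `\r` handles the one case CodeQL reports but leaves other control characters (ESC for ANSI sequences, U+2028/U+2029) and still embeds untrusted text in the message; passing `serviceName` as a structured field is the simpler fix, and this two-line pattern would then not need repeating in every `catch` block.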
| return true; | ||
| } catch (error) { | ||
| logger.error(`Failed to rotate token for ${serviceName}`, { error }); |
Check warning (Code scanning / CodeQL): Log injection. Severity: Medium. Source: user-provided value.
Copilot Autofix (AI, 10 months ago):
To fix the log injection issue, we need to sanitize the serviceName before logging it. Specifically, we should remove any newline characters from the serviceName to prevent log injection. This can be done using String.prototype.replace to ensure no line endings are present in the user input.
| @@ -196,3 +196,4 @@ | ||
| } catch (error) { | ||
| logger.error(`Failed to rotate token for ${serviceName}`, { error }); | ||
| const sanitizedServiceName = serviceName.replace(/\n|\r/g, ""); | ||
| logger.error(`Failed to rotate token for ${sanitizedServiceName}`, { error }); | ||
| throw error; |
| @@ -65,3 +65,4 @@ | ||
| } catch (error) { | ||
| logger.error('Error rotating token', { error, serviceName: req.body.serviceName }); | ||
| const sanitizedServiceName = req.body.serviceName.replace(/\n|\r/g, ""); | ||
| logger.error('Error rotating token', { error, serviceName: sanitizedServiceName }); | ||
| res.status(500).json({ |
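Review bot: `req.body.serviceName.replace(...)` runs inside a `catch` block with no guarantee that `serviceName` is a string; a request with it missing or set to a number throws a `TypeError` here, the 500 response on the next line is never sent and the new exception escapes the handler. Guard it (`typeof req.body.serviceName === 'string'`) or, better, validate the body before the `try` and log `serviceName` as a field rather than building a string.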
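The log injection warnings (the store and rotate paths and the route handler above) and the clear-text logging failures earlier in this review share one remedy: a structured logger that never interpolates untrusted values into the message and redacts fields known to be sensitive. The following is an added example, not the project's logger; `SENSITIVE_KEYS` and the forged `serviceName` input are constructed for it.

```javascript
// Added example (not the project's logger): structured logging that defeats the
// log injection and clear-text logging alerts above. Field names in SENSITIVE_KEYS
// and the forged input are constructed for this example.
const SENSITIVE_KEYS = new Set([
  'password', 'passwordResetToken', 'passwordResetExpires', 'email', 'token', 'secret',
]);
// C0 controls (incl. \n, \r, ESC), DEL, and the U+2028/U+2029 line terminators.
const CONTROL_CHARS = /[\u0000-\u001f\u007f\u2028\u2029]/g;
const MAX_DEPTH = 3;

// Escape control characters so a value can never start a new line or emit an ANSI
// sequence. JSON.stringify already escapes \n and \r; this also covers DEL and
// U+2028/U+2029, which JSON leaves raw, and keeps plain-text sinks safe too.
function scrub(str) {
  return str.replace(CONTROL_CHARS, c => `\\u${c.charCodeAt(0).toString(16).padStart(4, '0')}`);
}

// Redact by key name, reduce Errors to name/message/code/stack (never their arbitrary
// extra properties, which for a mail transport may hold the message that failed),
// scrub strings, and recurse into nested objects up to MAX_DEPTH.
function sanitizeField(key, value, depth = 0) {
  if (SENSITIVE_KEYS.has(key)) return '[REDACTED]';
  if (value instanceof Error) {
    return {
      name: value.name,
      message: scrub(String(value.message)),
      code: value.code,
      stack: value.stack ? scrub(value.stack) : undefined,
    };
  }
  if (typeof value === 'string') return scrub(value);
  if (value && typeof value === 'object') {
    if (depth >= MAX_DEPTH) return '[TRUNCATED]';
    const out = Array.isArray(value) ? [] : {};
    for (const [k, v] of Object.entries(value)) out[k] = sanitizeField(k, v, depth + 1);
    return out;
  }
  return value;
}

// One JSON object per line. Returns the line so callers (and tests) can inspect it.
function safeLog(level, message, fields = {}, sink = line => console.log(line)) {
  const record = { level, message: scrub(String(message)), ...sanitizeField('', fields) };
  const line = JSON.stringify(record);
  sink(line);
  return line;
}

// The pattern CodeQL flagged: untrusted text interpolated into the message.
function unsafeFormat(serviceName) {
  return `Failed to store token for ${serviceName}`;
}

// Constructed hostile input: a newline followed by a fake "success" record.
const FORGED_SERVICE_NAME =
  'github\n{"level":"info","message":"Token rotated OK","serviceName":"github"}';

// Unsafe: prints two lines, and the second one reads like a genuine record.
console.log(unsafeFormat(FORGED_SERVICE_NAME));
// Safe: one line, newline escaped, error reduced to its diagnostic fields.
safeLog('error', 'Failed to store token', {
  error: new Error('vault unreachable'),
  serviceName: FORGED_SERVICE_NAME,
});
// Safe: recipient and reset token redacted, non-sensitive id and error code kept.
safeLog('error', 'Error sending password reset email', {
  error: Object.assign(new Error('SMTP 550'), { code: 'EENVELOPE' }),
  email: 'alice@example.com',
  user: { id: 42, passwordResetToken: 'deadbeef' },
});
```

Whether `id` belongs in `SENSITIVE_KEYS` is the policy question raised by the welcome-email alerts; the redaction list is the single place to settle it rather than each `catch` block.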
| try { | ||
| await fs.access(this.vaultPath); | ||
| // Load existing vault | ||
| const encryptedVault = await fs.readFile(this.vaultPath, 'utf8'); |
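Review bot: `fs.access` followed by `fs.readFile` is a check-then-use pair; the file can be created, deleted or replaced by a symlink between the two calls, so the `access` result proves nothing about what `readFile` opens. Drop the `access` call, read directly, and treat `err.code === 'ENOENT'` as the "no vault yet" case while rethrowing everything else; if the vault directory is writable by other users, open with `O_NOFOLLOW` as well.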
Check failure (Code scanning / CodeQL): Potential file system race condition. Severity: High.
Changes 🏗️
Patch release focused on frontend stability, error handling, and resilience improvements
Major Improvements
Technical Enhancements
Testing Improvements
Documentation Updates
Known Issues
Checklist 📋
For code changes:
Details
Refer to src\tests, Results refer to docs\test-execution-results.md
For configuration changes:
.env.example is updated or already compatible with my changes
package.json, package-lock.json are updated or already compatible with my changes
Details
Refer to .cursor\.milestones, .cursor\.project, .cursor\.todos