
@aacerox (Owner)

@aacerox aacerox commented Oct 9, 2023

No description provided.

@aacerox aacerox force-pushed the feat/general-upgrade branch 9 times, most recently from 8bfbb54 to 1ada2da Compare October 9, 2023 13:58
/**
 * Rejects the request with a 401 and echoes msg into the response body (the code CodeQL flagged).
 */
function deny(response, msg) {
  response.writeHead(401);
  response.write(msg);
  response.end();
}

Check warning: Code scanning / CodeQL

Reflected cross-site scripting: cross-site scripting vulnerability due to a user-provided value.

Copilot Autofix (AI, about 1 year ago)

To fix the reflected cross-site scripting vulnerability, we need to sanitize the user-provided request.url before incorporating it into the msg string and writing it to the HTTP response. The best way to achieve this is by using a well-known library for escaping HTML, such as escape-html.

  • General Fix: Use contextual output encoding/escaping before writing user input to the response.
  • Detailed Fix: Import the escape-html library and use it to sanitize request.url before constructing the msg string.
  • Specific Changes: Modify the deny function to escape the msg parameter before writing it to the response.
  • Required Changes: Import the escape-html library, update the deny function, and sanitize the msg string.
Suggested changeset 2
test/test-proxy.mjs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/test-proxy.mjs b/test/test-proxy.mjs
--- a/test/test-proxy.mjs
+++ b/test/test-proxy.mjs
@@ -2,2 +2,3 @@
 import fs from 'fs';
+import escapeHtml from 'escape-html';
 
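Review bot: this import lands in test/test-proxy.mjs, a test helper, so the patch changes nothing in the code the package publishes; before treating the alert as resolved, check whether the library source writes request-derived text into a response the same way the test proxy's deny helper does.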
@@ -93,3 +94,3 @@
   response.writeHead(401);
-  response.write(msg);
+  response.write(escapeHtml(msg));
   response.end();
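Review bot: escaping msg is the right minimum, but deny still calls writeHead(401) with no Content-Type, so the escaped body goes out with no declared type; suggest writeHead(401, { 'Content-Type': 'text/plain; charset=utf-8' }) alongside the escapeHtml call, so a browser never renders the reflected request.url as markup even if some other code path skips the escape.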
EOF
package.json
Outside changed files

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -21,3 +21,4 @@
     "follow-redirects": ">=1.14.8",
-    "xml2js": ">=0.4.23"
+    "xml2js": ">=0.4.23",
+    "escape-html": "^1.0.3"
   },
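Review bot: escape-html is inserted next to follow-redirects and xml2js, which are runtime dependencies of node-rest-client, while the only new use is in test/test-proxy.mjs; move it to devDependencies so consumers of the package do not pull in a test-only module. The trailing comma added to the xml2js line is needed for valid JSON, so that part is fine.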
EOF
This fix introduces these dependencies:

  • Package: escape-html (npm); Version: 1.0.3; Security advisories: None
Copilot is powered by AI and may make mistakes. Always verify output.
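The escape-before-write fix the autofix above describes, shown as an added example that is not the project's code and does not use the escape-html package itself: escapeHtml is a stand-in reimplementing the same five replacements, FakeResponse is a constructed stand-in for http.ServerResponse, and denyUnsafe, denySafe and denyUrl are hypothetical names. It goes one step beyond the suggested patch by also declaring a plain-text Content-Type on the 401.

```javascript
// Stand-in for the escape-html package (assumption: same five replacements).
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for http.ServerResponse that records what was written.
class FakeResponse {
  constructor() { this.statusCode = null; this.headers = {}; this.body = ''; this.ended = false; }
  writeHead(status, headers = {}) { this.statusCode = status; Object.assign(this.headers, headers); }
  write(chunk) { this.body += chunk; }
  end() { this.ended = true; }
}

// Before: the pattern CodeQL flagged. msg is built from request.url, so any
// markup in the URL is reflected verbatim into a body with no declared type.
function denyUnsafe(response, msg) {
  response.writeHead(401);
  response.write(msg);
  response.end();
}

// After: escape the reflected text AND declare a non-HTML content type, so the
// body is never interpreted as markup even if escaping is missed elsewhere.
function denySafe(response, msg) {
  response.writeHead(401, {
    'Content-Type': 'text/plain; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  });
  response.write(escapeHtml(msg));
  response.end();
}

// Mirrors how the test proxy derives msg from request.url (assumed wording),
// running the given deny variant against a fresh fake response.
function denyUrl(deny, url) {
  const res = new FakeResponse();
  deny(res, 'Proxy authentication required for ' + url);
  return res;
}
```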
@aacerox aacerox force-pushed the feat/general-upgrade branch 11 times, most recently from d960179 to f4c3e94 Compare October 9, 2023 20:24
@aacerox aacerox added this to the nrc-general-upgrade milestone Oct 9, 2023
changeset-bot bot commented Oct 10, 2023

🦋 Changeset detected

Latest commit: cb8862f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

  • Name: node-rest-client; Type: Minor


@aacerox aacerox force-pushed the feat/general-upgrade branch 7 times, most recently from d741550 to 04a60c9 Compare October 10, 2023 19:41
@aacerox aacerox force-pushed the feat/general-upgrade branch 9 times, most recently from 4ad873d to 7eeaa92 Compare October 10, 2023 20:50
@aacerox aacerox force-pushed the feat/general-upgrade branch 4 times, most recently from fe90dca to 13f7102 Compare October 19, 2023 16:32
- chore: add code comments
- refactor: backup refactor
- refactor: pass all tests
- refactor: finished client refactor
- feat: add promise execution
- refactor: add debug function
- test: refactor test and new post promised tests
- refactor: rename main modules
- refactor: configure build for module and cjs
- refactor: delete mistaken files
- refactor: ignore files
- refactor: deleted un-required files
- refactor: add cjs and module test projects
- chore: ignore files
- refactor: align test to module build
- refactor: improve code
@aacerox aacerox force-pushed the feat/general-upgrade branch from 13f7102 to ca3ba9d Compare October 19, 2023 16:33
- refactor: add release workflow
- refactor: use freed package-lock.json
- refactor: correct github folder
- ci: add github actions
- chore: dockerize nrc
- chore: add changeset
@aacerox aacerox force-pushed the feat/general-upgrade branch from b2ab4ed to 3abb555 Compare October 19, 2023 16:36
@aacerox aacerox force-pushed the feat/general-upgrade branch from 8a7f722 to cfa5561 Compare October 19, 2023 21:08