
[Release] Stage to Main #74

Merged
merged 2 commits into from
Oct 23, 2024

Conversation


aem-code-sync bot commented Oct 21, 2024

Hello, I'm the AEM Code Sync Bot and I will run some actions to deploy your branch and validate page speed.
In case there are problems, just click a checkbox below to rerun the respective action.

  • Re-run PSI checks
  • Re-sync branch
Commits

const miloUtils = document.createElement('link');

miloStyles.setAttribute('as', 'style');
miloStyles.setAttribute('href', `${libs}/styles/styles.css`);

Check warning
Code scanning / CodeQL: Client-side URL redirect (Medium)
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI 3 months ago

To fix the problem, we need to ensure that the branch value is validated against a predefined list of authorized branches. This will prevent untrusted URL redirection by ensuring that only safe, known URLs are used.

  1. Create a list of authorized branches.
  2. Validate the branch value against this list.
  3. If the branch value is not in the list, use a default safe value.
Suggested changeset 1: head.html
Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/head.html b/head.html
--- a/head.html
+++ b/head.html
@@ -7,4 +7,6 @@
     const branch = new URLSearchParams(search).get('milolibs') || 'main';
-    if (branch === 'local') return 'http://localhost:6456/libs';
-    return branch.includes('--') ? `https://${branch}.hlx.live/libs` : `https://${branch}--milo--adobecom.hlx.live/libs`;
+    const authorizedBranches = ['main', 'local', 'branch1', 'branch2']; // Add all authorized branches here
+    if (!authorizedBranches.includes(branch)) return '/libs'; // Default to a safe value if branch is not authorized
+   if (branch === 'local') return 'http://localhost:6456/libs';
+   return branch.includes('--') ? `https://${branch}.hlx.live/libs` : `https://${branch}--milo--adobecom.hlx.live/libs`;
   })();
EOF
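Review bot: the allowlist check is inserted ahead of the `branch.includes('--')` line, so the existing support for fully qualified `owner--repo--branch` preview hosts is silently disabled unless every such value is added to `authorizedBranches`, and `'branch1'` / `'branch2'` are placeholders that must be replaced before this is merged. If the `--` form is meant to keep working, validate `branch` against a strict hostname-label pattern (lowercase letters, digits and hyphens only) before it is interpolated into the template, which keeps the resulting host under `hlx.live`, and keep the allowlist for the short `<branch>--milo--adobecom` form. Also, the two re-added `return` lines are indented with three spaces while the surrounding context uses four, so the applied patch leaves uneven indentation.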
miloStyles.setAttribute('href', `${libs}/styles/styles.css`);
miloUtils.setAttribute('as', 'script');
miloUtils.setAttribute('crossorigin', 'true');
miloUtils.setAttribute('href', `${libs}/utils/utils.js`);

Check warning
Code scanning / CodeQL: Client-side URL redirect (Medium)
Untrusted URL redirection depends on a user-provided value.

Copilot Autofix AI 3 months ago

To fix the problem, we need to ensure that the URL constructed from the search parameter is validated against a list of authorized URLs. This can be achieved by maintaining a list of allowed branches and only constructing URLs from this list.

  1. Create a list of authorized branches.
  2. Validate the branch value against this list.
  3. If the branch is not in the list, use a default safe value.
Suggested changeset 1: head.html
Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/head.html b/head.html
--- a/head.html
+++ b/head.html
@@ -7,2 +7,4 @@
     const branch = new URLSearchParams(search).get('milolibs') || 'main';
+    const authorizedBranches = ['main', 'local', 'branch1', 'branch2']; // Add all authorized branches here
+    if (!authorizedBranches.includes(branch)) return '/libs'; // Default to a safe value if branch is not authorized
     if (branch === 'local') return 'http://localhost:6456/libs';
EOF
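Review bot: this is the same change as the first suggested changeset, targeting the same lines of head.html, so only one of the two autofix patches can be applied; applying both will either fail or duplicate the check. Independently of that, the `return '/libs'` fallback turns a mistyped or unlisted branch into a same-origin path the page may not serve, so the page breaks with no message; returning the `main` build (a value already in `authorizedBranches`) would be just as safe and keeps the page working, with a `console.warn` of the rejected value so the problem is visible during development.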
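One way to apply the allowlist both autofix comments describe while keeping the fully qualified `owner--repo--branch` preview form working. This is an added example in JavaScript, not code from the PR, from head.html or from Copilot; it reuses the `milolibs` parameter, the `localhost:6456` local build and the `hlx.live` host pattern shown in the patch, and the `AUTHORIZED_BRANCHES` entries, the `BRANCH_LABEL` pattern and the `resolveLibs` / `isHostLabel` / `fallbackLibs` names are constructed for the example.

```javascript
// Added example (not the PR's head.html): resolve the Milo libs base URL from the
// `milolibs` query parameter, accepting only values that are safe to interpolate
// into the hlx.live hostname. The branch names in AUTHORIZED_BRANCHES are constructed.

// Short branch names that may be expanded to `<branch>--milo--adobecom.hlx.live`.
// Assumption: maintained by the site owners; 'stage' stands in for a real branch.
const AUTHORIZED_BRANCHES = ['main', 'stage'];

// Fallback when the parameter is unknown or malformed: the default 'main' build,
// a value already known to be safe, rather than a relative path the page may not serve.
const FALLBACK_BRANCH = 'main';

// A single DNS label: lowercase letters, digits and hyphens, not starting or ending
// with a hyphen. Anything else ('.', '/', '@', '?', whitespace) would let the value
// leave the `.hlx.live` host once it is interpolated into the URL template.
const BRANCH_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;

function isHostLabel(value) {
  return BRANCH_LABEL.test(value);
}

function fallbackLibs() {
  return `https://${FALLBACK_BRANCH}--milo--adobecom.hlx.live/libs`;
}

function resolveLibs(search) {
  const raw = new URLSearchParams(search).get('milolibs') || 'main';
  // Hostnames are case-insensitive, so normalise before matching.
  const branch = raw.trim().toLowerCase();

  // Local development build, exactly as in the original head.html.
  if (branch === 'local') return 'http://localhost:6456/libs';

  // Reject anything that is not a single hostname label before it reaches a template.
  if (!isHostLabel(branch)) return fallbackLibs();

  // Fully qualified preview form (owner--repo--branch): the label check above already
  // guarantees the resulting host ends in `.hlx.live`, so the value is used as-is.
  if (branch.includes('--')) return `https://${branch}.hlx.live/libs`;

  // Short form: expand only names the site owners have authorised.
  if (!AUTHORIZED_BRANCHES.includes(branch)) return fallbackLibs();
  return `https://${branch}--milo--adobecom.hlx.live/libs`;
}
```

The label check only guarantees that the host stays under `hlx.live`; whether every `hlx.live` project should be trusted to serve this page's scripts is a policy decision, and a deployment that wants the stricter behaviour of the autofix simply routes the `--` form through the same `AUTHORIZED_BRANCHES` lookup as the short form.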
@JackySun9 JackySun9 assigned JackySun9 and unassigned JackySun9 Oct 22, 2024
@JackySun9 JackySun9 added the verified It's been E2E tested label Oct 22, 2024
@JasonHowellSlavin JasonHowellSlavin merged commit 32b3143 into main Oct 23, 2024
8 of 9 checks passed
Labels
verified It's been E2E tested
3 participants