Bump the npm_and_yarn at /research-hub-web security update group in /research-hub-web with 1 update #430
Expandable page part
Add capabilities navbar link
Change activities label to research stage
Bugfix/update csp
Fix failed start up due to Contentful type changes
…search-stage-url RSM-3036: stage: replace search with url
…rsion Update linting.yml
Feature/rsm 3250 search logic
Bumps the npm_and_yarn at /research-hub-web security update group in /research-hub-web with 1 update: [cypress](https://github.com/cypress-io/cypress).
- [Release notes](https://github.com/cypress-io/cypress/releases)
- [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md)
- [Commits](cypress-io/cypress@v7.7.0...v13.5.0)
---
updated-dependencies:
- dependency-name: cypress
  dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <[email protected]>
Dependabot tried to add eecbe7e to 5d996bb
| name: Run linters | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
|
|
||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v1 | ||
| with: | ||
| node-version: 18 | ||
|
|
||
| - name: Install Node.js dependencies | ||
| working-directory: ./research-hub-web | ||
| run: npm ci --force | ||
|
|
||
| - name: Install Angular CLI | ||
| run: npm install -g @angular/cli | ||
|
|
||
| - name: ng lint | ||
| working-directory: ./research-hub-web | ||
| run: ng lint |
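Review bot: `npm ci --force` in the Install Node.js dependencies step removes npm's own safeguards (npm documents `--force` as dropping protections against common mistakes and malicious input, including installing with unsatisfied peer dependencies), so the lint job can go green on a dependency tree the lockfile did not validate; drop the flag and fix the peer conflict, or use `--legacy-peer-deps` with a comment saying why. In the same job, `npm install -g @angular/cli` installs whatever version is latest on npm at run time, outside the lockfile, so `ng lint` runs against an unpinned tool; if @angular/cli is a devDependency in ./research-hub-web (the usual layout for an Angular project, not shown here), `npx ng lint` or an npm script would use the locked version and make the extra install step unnecessary. `actions/setup-node@v1` and `actions/checkout@v2` are also old major versions that no longer receive updates.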
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago)
In general, the fix is to explicitly set a least-privilege permissions block so that the GITHUB_TOKEN has only the minimal rights needed. For this workflow, all steps are local (checkout, install dependencies, run lint), so read access to repository contents is sufficient.
The best fix without changing functionality is to add permissions: contents: read at the workflow root, above jobs:. This will apply to all jobs that don’t define their own permissions. No steps in run-linters need write access to contents, issues, or pull requests, so contents: read is adequate. The only change is to .github/workflows/linting.yml, inserting a permissions block after the on: section and before jobs:; no imports or additional definitions are needed.
| @@ -10,6 +10,9 @@ | ||
| branches: | ||
| - master | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| run-linters: | ||
| name: Run linters |
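Review bot: the root-level `permissions: contents: read` is the right scope for a lint-only job, with one caveat worth a comment next to it: once any `permissions:` key is present in the file, every scope not listed is set to none for every job, so a job added later that needs to post annotations or comment on the PR must declare its own job-level block (for example `pull-requests: write`) rather than relying on the repository's default token scopes.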
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Check out Git repository | ||
| uses: actions/checkout@v2 | ||
| - name: Get Branch | ||
| id: var | ||
| run: echo ::set-output name=branch::${GITHUB_REF#refs/*/} | ||
| - name: Output Branch | ||
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/[email protected] | ||
| env: | ||
| SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }} | ||
| SENTRY_ORG: university-of-auckland-7o | ||
| SENTRY_PROJECT: research-hub | ||
| with: | ||
| environment: ${{ steps.var.outputs.branch }} No newline at end of file |
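Review bot: the Get Branch step uses `echo ::set-output`, which GitHub deprecated in favour of writing to the `$GITHUB_OUTPUT` file (`echo "branch=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"`), and the Output Branch step interpolates `${{ steps.var.outputs.branch }}` straight into the shell script, which is the expression-injection pattern: a ref containing shell metacharacters (`;`, `$(...)` and backticks are legal in git branch names) would be executed rather than echoed. Pass the value through `env:` (`env: BRANCH: ${{ steps.var.outputs.branch }}` and then `run: echo "$BRANCH"`) so it is treated as data. Since the same output becomes `environment:` for the Sentry release, that value is only as trustworthy as whoever can push the ref.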
Check warning
Code scanning / CodeQL
Workflow does not contain permissions (Medium)
Copilot Autofix (AI, 3 days ago)
In general, you fix this by adding a permissions: block that grants only the minimal scopes required for the workflow, either at the root (affecting all jobs) or at the specific job level. For a typical Sentry release workflow that only checks out code and calls an external action using SENTRY_AUTH_TOKEN, no GitHub write permissions are needed; contents: read is usually sufficient (and is equivalent to a read-only default).
For this specific workflow in .github/workflows/sentry.yml, the least invasive change is to add permissions: contents: read to the sentry-release job. That constrains the GITHUB_TOKEN for this job only, without altering behavior: actions/checkout still works with contents: read, and getsentry/action-release uses the Sentry auth token from secrets, not GITHUB_TOKEN. Concretely, modify the sentry-release job definition (around line 13–16) to insert:
permissions:
  contents: read
directly under runs-on: ubuntu-latest (or directly under the job name; placement within the job block is flexible as long as indentation is correct).
| @@ -13,6 +13,8 @@ | ||
| sentry-release: | ||
| name: Create Sentry Release | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Check out Git repository |
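Review bot: job-level placement of `permissions: contents: read` is correct and sufficient here, since neither `actions/checkout` nor `getsentry/action-release` (which authenticates with `SENTRY_AUTH_TOKEN`, not the GITHUB_TOKEN) needs a writable token; as `sentry-release` is the only job in the file, a root-level block would additionally cover any job added later, so either placement works but the choice should be deliberate and consistent across the repository's workflows.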
| run: echo ${{ steps.var.outputs.branch }} | ||
| - name: Notify Sentry | ||
| # https://github.com/getsentry/action-release | ||
| uses: getsentry/[email protected] |
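Review bot: `getsentry/[email protected]` references a git tag, which the action's maintainers (or anyone who gains push access to that repository) can move, and this is the step that receives `SENTRY_AUTH_TOKEN`; pin it to the full commit SHA of the release and keep the version as a trailing comment (`uses: getsentry/action-release@<commit-sha> # v1.4.1`) so Dependabot's github-actions ecosystem can still bump it. The same applies to `actions/checkout@v2` earlier in the file.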
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow (Medium)
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); |
Check warning
Code scanning / CodeQL
Log injection (Medium)
Copilot Autofix (AI, 3 days ago)
In general, to fix log injection when logging user-controlled values, sanitize or normalize those values before logging. For plain-text logs, a common and simple mitigation is to remove carriage-return and newline characters from user input and to clearly delimit or quote user-controlled fields in log messages.
For this specific code, the best fix with minimal functional impact is:
- Before logging event.body, derive a sanitized version that strips \r and \n characters.
- Log the sanitized body instead of the raw event.body.
- Optionally, clearly label the value as user input in the log message (which is already effectively done by "Received query: ...").
Concretely, in hub-search-proxy/handler.js around line 53 inside module.exports.search, introduce a new variable (e.g., sanitizedBody) that uses String.prototype.replace with a regular expression to remove \r and \n from event.body, and then log that sanitized value. No new imports are needed; replace is part of standard JavaScript. The rest of the function should continue to use the original event.body for parsing so that existing behavior is unchanged.
| @@ -50,7 +50,8 @@ | ||
|
|
||
| module.exports.search = async (event, context) => { | ||
| try { | ||
| console.log(`Received query: ${event.body}`); | ||
| const sanitizedBody = String(event.body).replace(/\r|\n/g, ''); | ||
| console.log(`Received query: ${sanitizedBody}`); | ||
| const requestBody = JSON.parse(event.body); | ||
| let queryString = ''; | ||
| let size = 10; |
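Review bot: the replacement log line only removes `\r` and `\n`, so other control characters (tab, backspace, ESC for terminal colour sequences, and the Unicode line/paragraph separators U+2028/U+2029 that some log viewers render as line breaks) still reach the log, and the value is not delimited, so a body that merely looks like a log line still blends in. Logging `JSON.stringify(sanitizedBody)` (or emitting the body as a field of a structured log record) escapes every control character and quotes the value; also consider capping the logged length, since `event.body` is untrusted and can be large. Keeping `JSON.parse(event.body)` on the original body, as the hunk does, is right.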
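The log-injection pattern flagged above and the two levels of fix, as an added JavaScript example that is not code from the research-hub repository or from the autofix: `CONSTRUCTED_BODY` is a made-up request body carrying a CR/LF-injected fake audit line, `formatQueryLogUnsafe` mirrors the flagged `console.log`, `stripNewlines` is the autofix's CR/LF removal, and `sanitizeForLog` / `formatQueryLogSafe` (names assumed for this example) strip all control characters, cap the length and JSON-quote the value so its boundary in the log line is unambiguous.

```javascript
// Added example, not code from the hub-search-proxy handler. Function names
// (formatQueryLogUnsafe, stripNewlines, sanitizeForLog, formatQueryLogSafe,
// lineCount) are illustrative; only String.prototype.replace and
// JSON.stringify are used, so it runs under plain Node.js.

// Constructed attacker body: a real-looking query followed by a forged line
// that an operator reading the log could mistake for a separate event.
const CONSTRUCTED_BODY =
  '{"query":"antibodies"}\r\n[INFO] Authenticated admin user from 10.0.0.1';

// The pattern CodeQL flagged: the raw body is interpolated into the message,
// so CR/LF inside it starts a new line in a plain-text log.
function formatQueryLogUnsafe(body) {
  return `Received query: ${body}`;
}

// Minimal fix, equivalent to the autofix: drop CR and LF only. This stops
// line forgery but leaves every other byte of the body in the line unquoted.
function stripNewlines(body) {
  return String(body).replace(/\r|\n/g, '');
}

// Stronger variant: remove all C0 and C1 control characters (CR, LF, TAB,
// ESC, DEL, ...) and the Unicode line/paragraph separators, then cap the
// length so an oversized untrusted body cannot flood the log.
const MAX_LOGGED = 512;
function sanitizeForLog(body, maxLen = MAX_LOGGED) {
  const cleaned = String(body).replace(
    /[\u0000-\u001f\u007f-\u009f\u2028\u2029]/g,
    ''
  );
  return cleaned.length > maxLen
    ? cleaned.slice(0, maxLen) + '...[truncated]'
    : cleaned;
}

// Safest plain-text form: JSON.stringify escapes any remaining special
// characters and wraps the value in quotes, so the boundary between the
// fixed message and the user-controlled field is explicit.
function formatQueryLogSafe(body) {
  return `Received query: ${JSON.stringify(sanitizeForLog(body))}`;
}

// How many lines a message would occupy in a line-oriented log
// (1 means no injected line break survived).
function lineCount(message) {
  return message.split(/\r\n|\r|\n/).length;
}
```

With the constructed body, the unsafe form produces two log lines, the CR/LF-stripped form produces one line that still contains the text "[INFO] Authenticated admin user" inline, and the JSON-quoted form produces one line in which that text is visibly inside the quoted query value.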
Bumps the npm_and_yarn at /research-hub-web security update group in /research-hub-web with 1 update: cypress.
Release notes
Sourced from cypress's releases.
... (truncated)
Commits
- a23dba1 chore: release 13.5.0 (#28278)
- 7392f61 test: updating path separator for mochaEvents (#28265)
- 79da763 chore: release @cypress/webpack-dev-server-v3.7.0
- 176280d chore: release 13.5.0 - update changelog (#28262)
- d70ffea fix: runIfWaitingForDebugger when targets are reloaded after crashing (#28254)
- e8fc268 feat: add support for angular 17 (#28152)
- 9f19f9a test: update mochaEvent snapshots to be auto-generated (#28224)
- 934f215 chore: add after:browser:launch node event (#28180)
- eab1730 fix: handle download from element missing download attribute (#28222)
- db8609e fix: Pass flag to chrome to disable translation prompt when running tests (#2...
Maintainer changes
This version was pushed to npm by cypress-npm-publisher, a new releaser for cypress since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.