chore: add [email protected] to transport-interop #8
base: master
Conversation
res.writeHead(500, {
  'Access-Control-Allow-Origin': '*'
})
res.end(err.toString())
Check warning: Code scanning / CodeQL: Exception text reinterpreted as HTML (Medium)
Copilot Autofix AI 22 days ago
To fix the problem, we need to ensure that any error messages sent back in the HTTP response are properly sanitized to prevent XSS attacks. The best way to achieve this is by escaping any special HTML characters in the error message before including it in the response.
- We will use a well-known library, such as he, to escape the error message.
- We will import the he library and use its escape function to sanitize the error message before sending it in the HTTP response.
- The changes will be made in the transport-interop/impl/js/v1.9/.aegir.js file, specifically in the catch block where the error message is written to the response.
@@ -4,2 +4,3 @@ | ||
import { createClient } from 'redis' | ||
import { escape } from 'he'; | ||
|
||
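Review bot: the named import `import { escape } from 'he';` is likely to fail at load time: `he` is published as a CommonJS/UMD module whose exports Node cannot detect statically, so under ESM only the default import is reliable (`import he from 'he'`, then `he.escape(...)`). It also adds a trailing semicolon where the neighbouring `import { createClient } from 'redis'` has none, and a top-level binding named `escape` shadows the legacy global `escape()`.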
@@ -82,3 +83,3 @@ | ||
}) | ||
res.end(err.toString()) | ||
res.end(escape(err.toString())) | ||
} |
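Review bot: escaping the body works around the real defect, which is the missing content type. The 500 is written with only `Access-Control-Allow-Origin: *`, so nothing tells a browser the body is text and it may be sniffed as HTML; adding `'Content-Type': 'text/plain; charset=utf-8'` (and `'X-Content-Type-Options': 'nosniff'`) to the existing `res.writeHead(500, { ... })` call removes the sink with no new dependency and keeps the message readable for the non-browser interop runner that actually consumes it. Separately, returning the raw `err.toString()` to any origin discloses internal details; consider a generic message with the detail logged server-side.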
@@ -32,2 +32,5 @@ | ||
"@libp2p/tcp": false | ||
}, | ||
"dependencies": { | ||
"he": "^1.2.0" | ||
} |
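Review bot: this appends a new top-level `"dependencies"` object directly after the `"@libp2p/tcp": false` browser-override block; confirm the file does not already declare one, because `JSON.parse` keeps only the last occurrence of a duplicate key and the other entries would silently vanish. Since `.aegir.js` is test/build configuration, `he` belongs in `devDependencies` if it is kept at all, and any lockfile has to be regenerated with it.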
Package | Version | Security advisories |
he (npm) | 1.2.0 | None |
  }
  break
case 'wss':
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
Check failure: Code scanning / CodeQL: Disabling certificate validation (High, test)
Copilot Autofix AI 22 days ago
To fix the problem, we need to ensure that the NODE_TLS_REJECT_UNAUTHORIZED environment variable is not set to '0', which disables TLS certificate validation. Instead, we should either remove this line or set it to '1' to enforce certificate validation. If disabling certificate validation is necessary for specific test scenarios, it should be done in a controlled and well-documented manner.
@@ -76,3 +76,3 @@ | ||
case 'wss': | ||
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' | ||
// process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' | ||
options.transports = [webSockets()] |
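Review bot: commenting the line out instead of deleting it leaves dead code and, more importantly, silently changes what the `wss` case exercises: if the interop peer serves a self-signed certificate, which is what the original assignment was working around, the WebSocket dial will now fail with a certificate error and the test stops covering wss. The replacement should be a scoped trust decision rather than plain removal: point `NODE_EXTRA_CA_CERTS` at the test CA, or pass that CA in the WebSocket client's TLS options, so only that issuer is accepted and default verification stays on for everything else.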
res.writeHead(500, {
  'Access-Control-Allow-Origin': '*'
})
res.end(err.toString())
Check warning: Code scanning / CodeQL: Exception text reinterpreted as HTML (Medium)
Copilot Autofix AI 22 days ago
To fix the problem, we need to ensure that any error messages sent back in the HTTP response are properly sanitized to prevent XSS attacks. The best way to do this is to escape any special HTML characters in the error message before including it in the response. We can use a library like he (HTML entities) to handle the escaping.
- Install the he library to handle HTML escaping.
- Import the he library in the file.
- Use the he.escape function to sanitize the error message before sending it in the response.
@@ -4,2 +4,3 @@ | ||
import { createClient } from 'redis' | ||
import he from 'he' | ||
|
||
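Review bot: `import he from 'he'` is the correct form for this package (a named `escape` import would not load under ESM) and it matches the file's no-semicolon style. What still stands is the cost: a runtime dependency pulled in for a single error path in test configuration, when declaring `Content-Type: text/plain; charset=utf-8` on that response would close the finding without any import.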
@@ -82,3 +83,3 @@ | ||
}) | ||
res.end(err.toString()) | ||
res.end(he.escape(err.toString())) | ||
} |
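Review bot: `he.escape` rewrites `&`, `<`, `>`, `"`, `'` and the backtick into entities, so a client that reads this response as text, which is what an interop runner does, now receives a mangled message (a constructed example: `unexpected <EOF>` arrives as `unexpected &lt;EOF&gt;`), while the browser case was only at risk because no `Content-Type` is declared. Fix the header in the `res.writeHead(500, { ... })` call above rather than transforming the body.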
@@ -32,2 +32,5 @@ | ||
"@libp2p/tcp": false | ||
}, | ||
"dependencies": { | ||
"he": "^1.2.0" | ||
} |
Package | Version | Security advisories |
he (npm) | 1.2.0 | None |
  }
  break
case 'wss':
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
Check failure: Code scanning / CodeQL: Disabling certificate validation (High, test)
Copilot Autofix AI 22 days ago
To fix the problem, we should ensure that certificate validation is not disabled in production environments. One way to achieve this is by conditionally setting process.env.NODE_TLS_REJECT_UNAUTHORIZED based on an environment variable that explicitly indicates a non-production environment. This way, we can maintain security in production while allowing flexibility in development or testing environments.
- Check for an environment variable (e.g., NODE_ENV) to determine if the code is running in a production environment.
- Only set process.env.NODE_TLS_REJECT_UNAUTHORIZED to '0' if the environment is not production.
@@ -76,3 +76,5 @@ | ||
case 'wss': | ||
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' | ||
if (process.env.NODE_ENV !== 'production') { | ||
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' | ||
} | ||
options.transports = [webSockets()] |
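Review bot: the `NODE_ENV !== 'production'` guard does not change behaviour here: `.aegir.js` is test configuration, so NODE_ENV is practically never `production` when it runs, and the assignment inside the guard still disables verification for every TLS connection in the process, not only the wss dial. Prefer an explicit opt-in (for example `if (process.env.INTEROP_ALLOW_UNVERIFIED_TLS === '1')`, a suggested name) combined with trusting just the test CA via `NODE_EXTRA_CA_CERTS`, so the default path verifies certificates. Expect CodeQL to keep reporting this line, since the flagged sink is unchanged.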
res.writeHead(500, {
  'Access-Control-Allow-Origin': '*'
})
res.end(err.toString())
Check warning: Code scanning / CodeQL: Exception text reinterpreted as HTML (Medium)
Copilot Autofix AI 22 days ago
To fix the problem, we need to ensure that any error messages sent back in the HTTP response are properly sanitized to prevent XSS attacks. The best way to do this is to use a library that provides HTML escaping functionality. One such library is he, which can be used to escape HTML entities.
- Import the he library for HTML escaping.
- Replace the direct usage of err.toString() with he.escape(err.toString()) to ensure that any HTML special characters in the error message are properly escaped.
@@ -4,2 +4,3 @@ | ||
import { createClient } from 'redis' | ||
import he from 'he' | ||
|
||
@@ -82,3 +83,3 @@ | ||
}) | ||
res.end(err.toString()) | ||
res.end(he.escape(err.toString())) | ||
} |
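Review bot: both the removed and the added line assume `err` has a `toString()`. A `catch` can receive `undefined` or `null` (a bare `throw`, or a rejection with no reason), in which case `he.escape(err.toString())` throws inside the handler and `res.end` never runs, leaving the client hanging on an open 500. Use `String(err)` or `err instanceof Error ? err.message : String(err)` so the handler always completes.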
@@ -32,2 +32,5 @@ | ||
"@libp2p/tcp": false | ||
}, | ||
"dependencies": { | ||
"he": "^1.2.0" | ||
} |
Package | Version | Security advisories |
he (npm) | 1.2.0 | None |
  }
  break
case 'wss':
  process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0'
Check failure: Code scanning / CodeQL: Disabling certificate validation (High, test)
Copilot Autofix AI 22 days ago
To fix the problem, we should ensure that certificate validation is not disabled in production environments. One way to achieve this is to conditionally set process.env.NODE_TLS_REJECT_UNAUTHORIZED based on the environment. We can use an environment variable to distinguish between production and non-production environments. This way, we can disable certificate validation only in non-production environments, such as during testing.
- Modify the code to check for an environment variable (e.g., NODE_ENV) before setting process.env.NODE_TLS_REJECT_UNAUTHORIZED.
- Ensure that process.env.NODE_TLS_REJECT_UNAUTHORIZED is only set to '0' in non-production environments.
@@ -76,3 +76,5 @@ | ||
case 'wss': | ||
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' | ||
if (process.env.NODE_ENV !== 'production') { | ||
process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0' | ||
} | ||
options.transports = [webSockets()] |
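Review bot: this guard inverts the safe default. Verification is switched off unless someone remembers to set `NODE_ENV=production`, whereas a secure default keeps verification on unless a test explicitly opts out. The hunk is also byte-for-byte the same as the earlier suggestion on this line, so the same objection applies: the process-wide assignment is unchanged and if the intent is to accept the interop peer's test certificate, its CA should be supplied to the WebSocket client's TLS options (`ca`) rather than disabling checks globally.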
This PR adds [email protected] to transport-interop