
ell13-c commented Dec 3, 2025

Description

This PR addresses 13 security vulnerabilities identified through static application security testing using Semgrep. The vulnerabilities were found and fixed as part of a computer security assignment. All fixes have been validated and no longer trigger Semgrep findings.

Vulnerabilities Fixed:

  1. Missing subresource integrity (SRI) on CDN resources - Added integrity checks to Font Awesome CDN link
  2. Docker container security hardening - Added 'read_only' and 'no-new-privileges' to cypress service
  3. Remote property injection - Added validation for user-controlled object property access
  4. Unsafe format strings in logging (3 instances) - Parameterized console.log statements using util.format
  5. Path traversal vulnerability - Sanitized and validated file paths before resolution
  6. XSS false positives (2 instances) - Documented validated database responses with nosemgrep annotations

Author: Eleanor Colvin (ell13-c)
(Note: This PR does not fix a specific existing issue but addresses security vulnerabilities discovered through SAST analysis)

Type of change

  • Note merging this changes the database configuration.
  • This change requires a documentation update

Checklist

  • I have followed the OED pull request ideas
  • I have removed text in ( ) from the issue request
  • You acknowledge that every person contributing to this work has signed the OED Contributing License Agreement and each author is listed in the Description section.

Limitations

None. All identified vulnerabilities have been addressed and verified with Semgrep scanning.

huss (Member) commented Dec 8, 2025

@ell13-c Thank you very much for the contribution to OED. First, the box for having filled out the CLA is checked in the description but I cannot find a record of your submission of the CLA. Could you please either fill it out or let me know that our records are off. Second, there is a team of students who are working on security aspects in OED. I think it would be good for the team to look this over. I'm not sure how soon that will happen as it is the end of the semester. Please let me know if this will cause you any inconvenience/issues.

I did look this over and, overall, it seems good. A final review is still needed and waiting on the items above.

ell13-c (Author) commented Dec 10, 2025

Hi! Thank you so much for reviewing my PR. I apologize - I just submitted the CLA form. Please let me know if you need anything else from me.

I'm happy to wait for the security team's review. This was part of a semester project and grading isn't dependent on review, so there's no rush on my end. I'm available to make any changes or answer questions if needed.

huss (Member) commented Dec 10, 2025

Great. I may try to look at this between semesters. I talked to the security team this morning. They are not likely to start looking at this until mid-January when their next semester starts. Please let me know if you have any thoughts or if you need something sooner.
