Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PR to fix ansible-ai-connect-service: Cross-site Scripting (XSS) in serialize-javascript #1353

Merged
merged 13 commits into from
Nov 28, 2024
Merged

PR to fix ansible-ai-connect-service: Cross-site Scripting (XSS) in serialize-javascript #1353

merged 13 commits into from
Nov 28, 2024

Conversation

justjais
Copy link
Contributor

@justjais justjais commented Oct 17, 2024
edited
Loading

Jira Issue: https://issues.redhat.com/browse/AAP-31381

Description

PR to fix ansible-ai-connect-service: Cross-site Scripting (XSS) in serialize-javascript

Testing

Steps to test

  1. Pull down the PR
  2. Run npm install and node packages should install as expected w/o failures
  3. Run npm audit fix to verify if there's any vulnerabilities, currently there's 0.

Scenarios tested

NA

Production deployment

  • This code change is ready for production on its own
  • This code change requires the following considerations before going to production:

@justjais justjais requested a review from jameswnl October 17, 2024 14:32
@jameswnl
Copy link
Contributor

we probably have to fix it in the package.json?

@justjais
Copy link
Contributor Author

@jameswnl there's no direct dependency over serialize-javascript, its being used by other direct dependent libraries. Also, I've verified that due to some reason the failure we see in CI serialize-javascript/-/serialize-javascript-6.0.2.tgz ** seems to be corrupted. Trying again is faced when we user [email protected] which is currently being used in repos CI.

It's working as expected with [email protected], and specifically 21.7.3 node release with which things were working as expected in my machine.

I'll raise the PR to upgrade [email protected] version

This was referenced Oct 23, 2024
Closed
Closed
Closed
Closed
Merged
@manstis
Copy link
Contributor

manstis commented Oct 29, 2024

Upgrade to PF5 isn't easy.

You'll need to bump the version of Ansible UI framework too (to one using PF5) and fix the fallout too.

@justjais
Copy link
Contributor Author

@manstis yea, this isn't a 1 story point and straight CVE fix, for fixing this patternfly needs to be updated to ^5.1 coz npm update updates ansible-ui-framework package which is in turn dependent over patternfly ^5.1, and the fallout needs to be resolved as you mentioned.

I'll bring this up during today's scrum and how to move forward with the issue.

@justjais justjais force-pushed the aap_31381 branch 2 times, most recently from 66e3ac1 to 52ad423 Compare November 11, 2024 18:34
@github-actions GitHub Actions
Copy link 

# npm audit report

happy-dom  <15.10.2
Severity: critical
happy-dom allows for server side code to be executed by a <script> tag - https://github.com/advisories/GHSA-96g7-g7g9-jxw8
fix available via `npm audit fix`
node_modules/happy-dom

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

@github-actions GitHub Actions
Copy link 

# npm audit report

happy-dom  <15.10.2
Severity: critical
happy-dom allows for server side code to be executed by a <script> tag - https://github.com/advisories/GHSA-96g7-g7g9-jxw8
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/happy-dom

1 critical severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force

@github-actions GitHub Actions
Copy link 

# npm audit report

happy-dom  <15.10.2
Severity: critical
happy-dom allows for server side code to be executed by a <script> tag - https://github.com/advisories/GHSA-96g7-g7g9-jxw8
fix available via `npm audit fix`
node_modules/happy-dom

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

2 similar comments
@github-actions GitHub Actions
Copy link 

# npm audit report

happy-dom  <15.10.2
Severity: critical
happy-dom allows for server side code to be executed by a <script> tag - https://github.com/advisories/GHSA-96g7-g7g9-jxw8
fix available via `npm audit fix`
node_modules/happy-dom

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

@github-actions GitHub Actions
Copy link 

# npm audit report

happy-dom  <15.10.2
Severity: critical
happy-dom allows for server side code to be executed by a <script> tag - https://github.com/advisories/GHSA-96g7-g7g9-jxw8
fix available via `npm audit fix`
node_modules/happy-dom

1 critical severity vulnerability

To address all issues, run:
  npm audit fix

@github-actions GitHub Actions
Copy link 

# npm audit report

cross-spawn  <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm-run-all/node_modules/cross-spawn
  npm-run-all  >=2.1.1
  Depends on vulnerable versions of cross-spawn
  node_modules/npm-run-all

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

@justjais justjais requested review from manstis and romartin November 22, 2024 12:07
manstis
manstis requested changes Nov 22, 2024
View reviewed changes
Copy link
Contributor

@manstis manstis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The styling is now, unfortunately, wrong:

AAP-31381
AAP-31381

Original
original

Furthermore the "kebab" menu (top left corner) does not work properly.

It should collapse the left-hand-side navigation menu.

ansible_ai_connect_admin_portal/src/SingleInlineEdit.tsx
@@ -24,7 +24,8 @@ export const SingleInlineEdit = (props: InlineTextInputProps) => {
<InputGroup>
<TextInput
type={isPassword && passwordHidden ? "password" : "text"}
onChange={(value, event) => props.onChange?.(value)}
onChange={(_event, value: string) => onChange(value)}
// onChange={(value, event) => props.onChange?.(value)}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this comment?

ansible_ai_connect_admin_portal/src/__tests__/AppHeader.test.tsx
expect(accountMenu).toBeInTheDocument();
expect(accountMenu).toHaveTextContent("Batman");

// Check "Logout" option is not present
expect(screen.queryByText("Logout")).toBeNull();

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You seem to have remove the test for logging out?

@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

manstis
manstis approved these changes Nov 28, 2024
View reviewed changes
Copy link
Contributor

@manstis manstis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The icon/text alignment in the left-hand-side menu still is not correct; but the kebab menu works now 😸

image

Approving; but I suggest a follow-up JIRA to fix the alignment be made.

@justjais
Copy link
Contributor Author

@manstis thanks for the review, and giving green light to the PR. Also, I've opened a bug jira: https://issues.redhat.com/browse/AAP-36777, to address the alignment issue.

@justjais justjais merged commit e129407 into main Nov 28, 2024
10 checks passed
@justjais justjais deleted the aap_31381 branch November 28, 2024 06:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@manstis manstis manstis approved these changes

@jameswnl jameswnl Awaiting requested review from jameswnl

@romartin romartin Awaiting requested review from romartin

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@justjais @jameswnl @manstis