
Conversation

@bitpredator
Owner

Fixes #[issue_no]

All Submissions:

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Does your submission pass tests?

Please describe the changes this PR makes and why it should be merged:

  • Introduced an interaction system with NPCs which allows you to rob them
  • Feat: [Christmas]\changer_square

Discord username (if different from GitHub):


DispatchItem += `</div></div>`;

$('.dispatch-holder').prepend(DispatchItem);

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that any user-provided data is properly sanitized or escaped before being inserted into the HTML content. This can be achieved by using a library like DOMPurify to sanitize the input or by manually escaping the data to prevent XSS attacks.

The best way to fix the problem without changing existing functionality is to use DOMPurify to sanitize the user-provided data before it is used to construct the DispatchItem HTML string. This approach ensures that any potentially harmful content is removed, while still allowing safe content to be displayed.

Suggested changeset 2
server-data/resources/[esx_addons]/ps-dispatch/ui/app.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server-data/resources/[esx_addons]/ps-dispatch/ui/app.js b/server-data/resources/[esx_addons]/ps-dispatch/ui/app.js
--- a/server-data/resources/[esx_addons]/ps-dispatch/ui/app.js
+++ b/server-data/resources/[esx_addons]/ps-dispatch/ui/app.js
@@ -1 +1,3 @@
+import DOMPurify from 'dompurify';
+
 $(document).ready(() => {
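Review bot: `import DOMPurify from 'dompurify'` is a bare module specifier, which a browser cannot resolve without a bundler or an import map; `app.js` is a NUI page script that already relies on the global `$` provided by a classic `<script>` tag, so this line will fail at load time and the whole `$(document).ready` handler below it is never registered. Ship `purify.min.js` next to `app.js`, load it with its own `<script>` tag before `app.js`, and use the global `DOMPurify`, or add a build step that actually bundles the dependency into the served file.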
@@ -84,6 +86,14 @@
 	let DispatchItem;
+	const sanitizedCallID = DOMPurify.sanitize(callID);
+	const sanitizedDispatchCode = DOMPurify.sanitize(info.dispatchCode);
+	const sanitizedDispatchMessage = DOMPurify.sanitize(info.dispatchMessage);
+	const sanitizedTime = info['time'] ? DOMPurify.sanitize(info['time']) : null;
+	const sanitizedName = info['name'] ? DOMPurify.sanitize(info['name']) : null;
+	const sanitizedNumber = info['number'] ? DOMPurify.sanitize(info['number']) : null;
+	const sanitizedInformation = info['information'] ? DOMPurify.sanitize(info['information']) : null;
+
 	if (info['isDead']) {
-		DispatchItem = `<div class="dispatch-item ${callID} dispatch-item-${info['isDead']} animate__animated"><div class="top-info-holder"><div class="call-id">#${callID}</div><div class="call-code priority-${prio}">${info.dispatchCode}</div><div class="call-name">${info.dispatchMessage}</div></div><div class="bottom-info-holder">`;
+		DispatchItem = `<div class="dispatch-item ${sanitizedCallID} dispatch-item-${info['isDead']} animate__animated"><div class="top-info-holder"><div class="call-id">#${sanitizedCallID}</div><div class="call-code priority-${prio}">${sanitizedDispatchCode}</div><div class="call-name">${sanitizedDispatchMessage}</div></div><div class="bottom-info-holder">`;
 	} else {
-		DispatchItem = `<div class="dispatch-item ${callID} dispatch-item-${isPolice} animate__animated"><div class="top-info-holder"><div class="call-id">#${callID}</div><div class="call-code priority-${prio}">${info.dispatchCode}</div><div class="call-name">${info.dispatchMessage}</div></div><div class="bottom-info-holder">`;
+		DispatchItem = `<div class="dispatch-item ${sanitizedCallID} dispatch-item-${isPolice} animate__animated"><div class="top-info-holder"><div class="call-id">#${sanitizedCallID}</div><div class="call-code priority-${prio}">${sanitizedDispatchCode}</div><div class="call-name">${sanitizedDispatchMessage}</div></div><div class="bottom-info-holder">`;
 	}
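Review bot: `sanitizedCallID` is interpolated into the `class` attribute (`class="dispatch-item ${sanitizedCallID} ..."`) as well as into element text, and `DOMPurify.sanitize` is the wrong tool for the attribute position: it returns cleaned HTML for element content and does not escape `"`, so a value containing a quote can still close the attribute and add new ones. Values that land inside attributes (`callID`, `prio`, `isPolice`, `info['isDead']`, of which only `callID` is touched here) need validation against an allowlist such as `/^[A-Za-z0-9_-]+$/` or an attribute-escaping function. For the element-content interpolations, note that default DOMPurify keeps harmless markup such as `<b>` and `<img>`, so if `dispatchMessage` and `dispatchCode` are meant to be plain text, `DOMPurify.sanitize(value, { ALLOWED_TAGS: [] })` or plain HTML escaping is the closer fit.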
@@ -92,5 +102,5 @@
 
-	if (info['time']) {
+	if (sanitizedTime) {
 		DispatchItem += `<div class="call-bottom-info"><span class="fas fa-clock"></span>${timeAgo(
-			info['time']
+			sanitizedTime
 		)}</div>`;
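Review bot: `timeAgo(sanitizedTime)` sanitizes the wrong value. `info['time']` is consumed by `timeAgo`, not rendered, and `DOMPurify.sanitize` always returns a string, so a numeric timestamp now reaches `timeAgo` as text; meanwhile the string that is actually interpolated into the markup is the return value of `timeAgo(...)`, which this change leaves untouched. Keep `info['time']` raw (or reject it with `Number.isFinite` when it is not a number) and escape the output of `timeAgo` only if that helper can ever carry user-controlled data.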
@@ -141,12 +151,12 @@
 
-	if (info['name'] && info['number']) {
-		DispatchItem += `<div class="call-bottom-info"><span class="far fa-id-badge"></span>${info['name']}<span class="fas fa-mobile-alt" style="margin-left: 2vh;"></span>${info['number']}</div>`;
-	} else if (info['number']) {
-		DispatchItem += `<div class="call-bottom-info"><span class="fas fa-mobile-alt"></span>${info['number']}</div>`;
-	} else if (info['name']) {
-		DispatchItem += `<div class="call-bottom-info"><span class="far fa-id-badge"></span>${info['name']}</div>`;
+	if (sanitizedName && sanitizedNumber) {
+		DispatchItem += `<div class="call-bottom-info"><span class="far fa-id-badge"></span>${sanitizedName}<span class="fas fa-mobile-alt" style="margin-left: 2vh;"></span>${sanitizedNumber}</div>`;
+	} else if (sanitizedNumber) {
+		DispatchItem += `<div class="call-bottom-info"><span class="fas fa-mobile-alt"></span>${sanitizedNumber}</div>`;
+	} else if (sanitizedName) {
+		DispatchItem += `<div class="call-bottom-info"><span class="far fa-id-badge"></span>${sanitizedName}</div>`;
 	}
 
-	if (info['information']) {
-		DispatchItem += `<div class="line"></div><div class="call-bottom-info call-bottom-information"><span class="far fa-question-circle"></span>${info['information']}</div>`;
+	if (sanitizedInformation) {
+		DispatchItem += `<div class="line"></div><div class="call-bottom-info call-bottom-information"><span class="far fa-question-circle"></span>${sanitizedInformation}</div>`;
 	}
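Review bot: the `else if` chain is renamed consistently, but the truthiness checks now see the sanitizer's output rather than the input: a name or information field consisting only of markup (for example a bare `<script>` tag) sanitizes to `''`, which is falsy, so the card silently drops the field instead of surfacing that something was stripped. If these fields are plain text, pass `{ ALLOWED_TAGS: [] }` so the visible text survives while tags are removed, and inspect `DOMPurify.removed` after the call so a stripped payload can be logged; on a public game server that is a useful detection signal rather than something to hide.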
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -3,2 +3,5 @@
     "eslint": "^9.15.0"
+  },
+  "dependencies": {
+    "dompurify": "^3.2.0"
   }
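Review bot: adding `dompurify` to `dependencies` in the repository-root `package.json` does not put the library in front of the NUI page: `server-data/resources/[esx_addons]/ps-dispatch/ui/app.js` is served as a static file, and nothing in this changeset bundles `node_modules` into it, so the `import` added in the other file will not resolve at runtime. Either vendor `purify.min.js` into the resource's `ui/` folder and load it with a `<script>` tag carrying an `integrity` attribute (the other CodeQL alert on this PR asks for exactly that on the jQuery tags), or wire up a bundler. Also check which block the `},` on the first added line closes, so that `eslint` does not end up promoted to a runtime dependency.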
EOF
This fix introduces these dependencies: dompurify (npm) 3.2.0, security advisories: none.
<title>QB Dispatch</title>
<link rel="stylesheet" href="style.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script src="https://code.jquery.com/ui/1.12.1/jquery-ui.js"></script>

Check warning

Code scanning / CodeQL

Inclusion of functionality from an untrusted source Medium

Script loaded from content delivery network with no integrity check.
data.iconColor ? `style = color:${data.iconColor} !important` : null
}"></i>`;

option.innerHTML = `${iconElement}<p class="option-label">${data.label}</p>`;

Check failure

Code scanning / CodeQL

Client-side cross-site scripting High

Cross-site scripting vulnerability due to user-provided value.

Copilot Autofix

AI about 1 year ago

To fix the problem, we need to ensure that any user-provided data is properly sanitized or encoded before being inserted into the DOM. The best way to fix this issue without changing existing functionality is to use a library like DOMPurify to sanitize the data.label value before inserting it into the HTML.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the createOptions.js file.
  3. Use DOMPurify to sanitize the data.label value before setting the innerHTML.
Suggested changeset 2
server-data/resources/[ox]/ox_target/web/js/createOptions.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/server-data/resources/[ox]/ox_target/web/js/createOptions.js b/server-data/resources/[ox]/ox_target/web/js/createOptions.js
--- a/server-data/resources/[ox]/ox_target/web/js/createOptions.js
+++ b/server-data/resources/[ox]/ox_target/web/js/createOptions.js
@@ -1,2 +1,3 @@
 import { fetchNui } from "./fetchNui.js";
+import DOMPurify from 'dompurify';
 
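Review bot: the bare specifier `'dompurify'` has the same resolution problem as in the ps-dispatch changeset, and here it is fatal to the whole module: this file is already an ES module (`import { fetchNui } from "./fetchNui.js"` uses a relative URL), but `'dompurify'` is not a URL and there is no import map or bundler in the changeset, so the browser rejects the module graph and `createOptions` never runs. Import a vendored copy of DOMPurify's ES module build by relative path, or add an import map entry in the resource's HTML.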
@@ -21,3 +22,3 @@
 
-  option.innerHTML = `${iconElement}<p class="option-label">${data.label}</p>`;
+  option.innerHTML = `${iconElement}<p class="option-label">${DOMPurify.sanitize(data.label)}</p>`;
   option.className = "option-container";
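Review bot: `DOMPurify.sanitize(data.label)` addresses the label, but the context shown above this hunk interpolates `data.iconColor` into a `style` attribute with no quoting (`style = color:${data.iconColor} !important`), and a markup sanitizer applied to the label does nothing for that attribute position. Since `data.label` is a plain string displayed inside a `<p>`, creating the element with `document.createElement('p')` and assigning `textContent` is simpler and needs no dependency; `iconColor` should be validated against a colour pattern before it is placed in the attribute.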
EOF
package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -3,2 +3,5 @@
     "eslint": "^9.15.0"
+  },
+  "dependencies": {
+    "dompurify": "^3.2.0"
   }
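Review bot: this hunk is identical to the `package.json` patch in the ps-dispatch changeset above; applying both with `git apply` fails on the second because the lines already exist, and one `dompurify` entry serves both resources anyway. Apply it once, and the same caveat applies: the root `node_modules` is not served to the NUI pages, so the entry alone does not make the import in `createOptions.js` resolvable.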
EOF
This fix introduces these dependencies: dompurify (npm) 3.2.0, security advisories: none.
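Both XSS alerts on this PR (the ps-dispatch `app.js` card template and the ox_target `createOptions.js` label) put player-controlled strings into HTML templates. As an added example that is not code from the PR or from either resource, here is a context-aware fix that needs no library: text between tags is HTML-escaped, and values that land inside an attribute (a class token, a style colour) are validated against a strict allowlist, because a sanitizer that returns "safe HTML" leaves quote characters intact and quotes are exactly what breaks out of an attribute. The names `callID`, `prio`, `info` and `data` mirror the page; the hostile inputs at the end are constructed.

```javascript
// Added example: context-aware encoding for the two flagged templates.
// escapeHtml covers element text; safeToken / safeCssColor cover attribute
// values, where HTML sanitizing would not help. Sample inputs are constructed.

const escapeHtml = (value) =>
  String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Value destined for a class attribute: letters, digits, dash, underscore.
// Anything else is rejected, not "cleaned", so a bad id is visible in logs.
function safeToken(value) {
  const s = String(value);
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(s)) throw new Error(`rejected token: ${s}`);
  return s;
}

// Value destined for a style attribute: a hex colour or a plain colour keyword.
function safeCssColor(value) {
  const s = String(value);
  if (!/^(#[0-9A-Fa-f]{3,8}|[A-Za-z]{1,20})$/.test(s)) {
    throw new Error(`rejected colour: ${s}`);
  }
  return s;
}

// Hardened form of the ps-dispatch card header (the non-dead branch).
function renderDispatchHeader(callID, prio, info) {
  return `<div class="dispatch-item ${safeToken(callID)} animate__animated">` +
    `<div class="top-info-holder"><div class="call-id">#${escapeHtml(callID)}</div>` +
    `<div class="call-code priority-${safeToken(prio)}">${escapeHtml(info.dispatchCode)}</div>` +
    `<div class="call-name">${escapeHtml(info.dispatchMessage)}</div></div>`;
}

// Hardened form of the ox_target option markup (icon with colour, then label).
function renderOption(data) {
  const style = data.iconColor
    ? ` style="color:${safeCssColor(data.iconColor)} !important"` : '';
  return `<i class="${safeToken(data.icon)}"${style}></i>` +
    `<p class="option-label">${escapeHtml(data.label)}</p>`;
}

// Constructed hostile samples: markup in the message, attribute breakout in the id.
const hostileInfo = { dispatchCode: '10-31', dispatchMessage: '<img src=x onerror=alert(1)>' };
const hostileCallID = 'c42" onclick="alert(1)';
```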
@bitpredator bitpredator merged commit 307d1c5 into main Nov 20, 2024
4 of 9 checks passed