Pull from main to Move-InsightsAndSettingsLogic-to-component #377

Tr01ler · 2024-12-17T21:18:25Z

No description provided.

…signment

Autoformat the entire codebase

Bumps [next](https://github.com/vercel/next.js) from 15.0.3 to 15.1.0. - [Release notes](https://github.com/vercel/next.js/releases) - [Changelog](https://github.com/vercel/next.js/blob/canary/release.js) - [Commits](vercel/next.js@v15.0.3...v15.1.0) --- updated-dependencies: - dependency-name: next dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

…/next-15.1.0 [npm]: Bump next from 15.0.3 to 15.1.0

Fix ESLint warnings

…implement bulk user and pit report retrieval in ClientApi

…arity

…seRouter for routing

…ation and remove useRouter

Bumps [react-icons](https://github.com/react-icons/react-icons) from 5.3.0 to 5.4.0. - [Release notes](https://github.com/react-icons/react-icons/releases) - [Commits](react-icons/react-icons@v5.3.0...v5.4.0) --- updated-dependencies: - dependency-name: react-icons dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [daisyui](https://github.com/saadeghi/daisyui) from 4.12.14 to 4.12.22. - [Release notes](https://github.com/saadeghi/daisyui/releases) - [Changelog](https://github.com/saadeghi/daisyui/blob/master/CHANGELOG.md) - [Commits](saadeghi/daisyui@v4.12.14...v4.12.22) --- updated-dependencies: - dependency-name: daisyui dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

…/daisyui-4.12.22 [npm]: Bump daisyui from 4.12.14 to 4.12.22

Bumps [@eslint/js](https://github.com/eslint/eslint/tree/HEAD/packages/js) from 9.16.0 to 9.17.0. - [Release notes](https://github.com/eslint/eslint/releases) - [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md) - [Commits](https://github.com/eslint/eslint/commits/v9.17.0/packages/js) --- updated-dependencies: - dependency-name: "@eslint/js" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

…/react-icons-5.4.0 [npm]: Bump react-icons from 5.3.0 to 5.4.0

Bumps [@slack/web-api](https://github.com/slackapi/node-slack-sdk) from 7.7.0 to 7.8.0. - [Release notes](https://github.com/slackapi/node-slack-sdk/releases) - [Commits](https://github.com/slackapi/node-slack-sdk/compare/@slack/[email protected]...@slack/[email protected]) --- updated-dependencies: - dependency-name: "@slack/web-api" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

…/eslint/js-9.17.0 [npm]: Bump @eslint/js from 9.16.0 to 9.17.0

Bumps [@yudiel/react-qr-scanner](https://github.com/yudielcurbelo/react-qr-scanner) from 2.0.8 to 2.1.0. - [Release notes](https://github.com/yudielcurbelo/react-qr-scanner/releases) - [Commits](yudielcurbelo/react-qr-scanner@v2.0.8...v2.1.0) --- updated-dependencies: - dependency-name: "@yudiel/react-qr-scanner" dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

…/slack/web-api-7.8.0 [npm]: Bump @slack/web-api from 7.7.0 to 7.8.0

…ner-2.1.0

…/yudiel/react-qr-scanner-2.1.0 [npm]: Bump @yudiel/react-qr-scanner from 2.0.8 to 2.1.0

pages/[teamSlug]/[seasonSlug]/[competitonSlug]/[reportId]/subjective.tsx

+			.finally(() => {
+				if (location.href.includes("offline"))
+					location.href = `/offline/${props.compId}`;
+				else location.href = `/${teamSlug}/${seasonSlug}/${competitonSlug}`;


To fix the problem, we need to ensure that the URL redirection only uses trusted and validated values. One way to achieve this is by maintaining a list of authorized redirects and choosing from that list based on the user input provided. This approach ensures that only predefined and safe URLs are used for redirection.

We will create a list of authorized redirects and use a function to validate the teamSlug, seasonSlug, and competitonSlug values against this list before performing the redirection. If the values are not valid, we can redirect to a default safe URL or show an error message.

pages/api/img/get.ts

-      highWaterMark: 256 * 1024,
-    });
+		res.writeHead(200, { "content-type": "image/*" });
+		var s = fs.createReadStream(process.env.IMAGE_UPLOAD_DIR + `/${filename}`, {


To fix the problem, we need to ensure that the constructed file path is contained within a safe root directory. This can be achieved by normalizing the path using path.resolve and then checking that the normalized path starts with the root directory. If the path is not within the root directory, we should return an error response.

Import the path module.

Normalize the constructed file path using path.resolve.

Check if the normalized path starts with the root directory (process.env.IMAGE_UPLOAD_DIR).

If the path is valid, proceed with reading the file. Otherwise, return a 403 error response.

pages/api/img/upload.ts

-  } else {
-    return res.send({ status: 400, message: "Invalid Request" });
-  }
+			var tempFile = fs.readFileSync(file.filepath, { encoding: "base64" });


To fix the problem, we need to ensure that the file path derived from user input is validated and sanitized before being used. We can achieve this by normalizing the path and ensuring it is contained within a designated safe directory. This involves using path.resolve to normalize the path and then checking that the resulting path starts with the intended root directory.

pages/api/img/upload.ts

-    return res.send({ status: 400, message: "Invalid Request" });
-  }
+			var tempFile = fs.readFileSync(file.filepath, { encoding: "base64" });
+			fs.writeFile(process.env.IMAGE_UPLOAD_DIR + filename, tempFile, (err) => {


To fix the problem, we need to ensure that the constructed file path is contained within a safe root folder. We can achieve this by normalizing the path using path.resolve and then checking that the normalized path starts with the root folder. This will prevent directory traversal attacks by ensuring that the file path does not escape the intended directory.

Import the path module.

Normalize the constructed file path using path.resolve.

Check that the normalized path starts with the root folder (process.env.IMAGE_UPLOAD_DIR).

If the check fails, return an error response.

If the check passes, proceed with the file system operation.

renatodellosso and others added 30 commits December 5, 2024 17:35

Add .prettierignore to exclude package-lock.json and node_modules

a8b1b3a

Autoformat all files

d1af03b

Merge branch 'main' into autoformatter

2de640a

Autoformatted ClientApi.ts

f0ea1a8

Refactor countdown component styles to use object syntax for value as…

0dcf30d

…signment

Add TypeScript ESLint plugin to configuration

571c469

Remove TypeScript ESLint plugin from configuration

b30d199

Merge branch 'main' into autoformatter

d1bc2fe

Merge branch 'main' into autoformatter

1935663

Fix formatting

67f0737

Merge branch 'main' into autoformatter

e11e7e0

Merge pull request #357 from Decatur-Robotics/autoformatter

ba465f3

Autoformat the entire codebase

Merge pull request #367 from Decatur-Robotics/dependabot/npm_and_yarn…

ff4ddd1

…/next-15.1.0 [npm]: Bump next from 15.0.3 to 15.1.0

Add alt tags to images

08ff53c

Add eslintignore

010672d

Add ignores for node_modules and coverage in ESLint configuration

b331f88

Remove .eslintignore

d15211e

Fix remaining linter warnings

4d60355

Configured lint command to ignore coverage directory

6553d0b

Merge branch 'main' into fix-eslint-warnings

e4efb3e

Fixed formatting issues

422513f

Merge pull request #369 from Decatur-Robotics/fix-eslint-warnings

7c09846

Fix ESLint warnings

Require lint for cd

b4352e1

Move the lint action into ci

c1f26ab

Pause CD action

e490b80

Remove Slack and SW from index

599d77f

Refactor PitScoutingCard link generation, enhance ESLint config, and …

28ebf11

…implement bulk user and pit report retrieval in ClientApi

Refactor pit report variable naming and update test parameters for cl…

b202c3d

…arity

Refactor PitScoutingCard to use Button for navigation and implement u…

7a8b11d

…seRouter for routing

renatodellosso and others added 15 commits December 14, 2024 11:53

Refactor PitScoutingCard to replace Button with anchor tags for navig…

145218a

…ation and remove useRouter

Merge pull request #376 from Decatur-Robotics/dependabot/npm_and_yarn…

bd255d3

…/daisyui-4.12.22 [npm]: Bump daisyui from 4.12.14 to 4.12.22

Merge branch 'main' into dependabot/npm_and_yarn/react-icons-5.4.0

4ccfb75

Merge pull request #375 from Decatur-Robotics/dependabot/npm_and_yarn…

2b2d9e7

…/react-icons-5.4.0 [npm]: Bump react-icons from 5.3.0 to 5.4.0

Merge branch 'main' into dependabot/npm_and_yarn/eslint/js-9.17.0

a0ebef9

Merge pull request #374 from Decatur-Robotics/dependabot/npm_and_yarn…

858a113

…/eslint/js-9.17.0 [npm]: Bump @eslint/js from 9.16.0 to 9.17.0

Merge branch 'main' into dependabot/npm_and_yarn/slack/web-api-7.8.0

96b5a7f

Merge pull request #373 from Decatur-Robotics/dependabot/npm_and_yarn…

6d2296a

…/slack/web-api-7.8.0 [npm]: Bump @slack/web-api from 7.7.0 to 7.8.0

Merge branch 'main' into dependabot/npm_and_yarn/yudiel/react-qr-scan…

4c69c10

…ner-2.1.0

Merge pull request #372 from Decatur-Robotics/dependabot/npm_and_yarn…

5b2ec2e

…/yudiel/react-qr-scanner-2.1.0 [npm]: Bump @yudiel/react-qr-scanner from 2.0.8 to 2.1.0

github-advanced-security bot found potential problems Dec 17, 2024

View reviewed changes

Tr01ler requested a review from renatodellosso December 17, 2024 21:18

Tr01ler merged commit 570523b into Move-InsightsAndSettings-Logic-to-component Dec 17, 2024
9 of 10 checks passed

@@ -117,5 +117,17 @@
             			.finally(() => {
-            				if (location.href.includes("offline"))
+            				if (location.href.includes("offline")) {
             					location.href = `/offline/${props.compId}`;
-            				else location.href = `/${teamSlug}/${seasonSlug}/${competitonSlug}`;
+            				} else {
+            					const authorizedRedirects = [
+            						`/${teamSlug}/${seasonSlug}/${competitonSlug}`,
+            						// Add other authorized redirects here
+            					];
+            					const redirectUrl = `/${teamSlug}/${seasonSlug}/${competitonSlug}`;
+            					if (authorizedRedirects.includes(redirectUrl)) {
+            						location.href = redirectUrl;
+            					} else {
+            						// Redirect to a default safe URL or show an error message
+            						location.href = '/default-safe-url';
+            					}
+            				}
             			});

@@ -2,2 +2,3 @@
             import * as fs from "fs";
+            import * as path from "path";
@@ -17,4 +18,11 @@
+            		const rootDir = process.env.IMAGE_UPLOAD_DIR;
+            		const filePath = path.resolve(rootDir, filename);
+            		if (!filePath.startsWith(rootDir)) {
+            			return res.status(403).send({ status: 403, message: "Forbidden" });
+            		}
             		res.writeHead(200, { "content-type": "image/*" });
-            		var s = fs.createReadStream(process.env.IMAGE_UPLOAD_DIR + `/${filename}`, {
+            		var s = fs.createReadStream(filePath, {
             			highWaterMark: 256 * 1024,

@@ -3,3 +3,3 @@
             import * as fs from "fs";
+            import * as path from "path";
             export const config = {
@@ -26,9 +26,16 @@
+            			const ROOT = process.env.IMAGE_UPLOAD_DIR;
             			var filetype = file.mimetype.split("image/")[1];
             			var filename = `/${file.newFilename}.${filetype}`;
-            			console.log(process.env.IMAGE_UPLOAD_DIR + filename);
-            			console.log(process.env.IMAGE_UPLOAD_DIR);
+            			var filePath = path.resolve(ROOT, filename);
+            			if (!filePath.startsWith(ROOT)) {
+            				throw new Error("Invalid file path");
+            			}
+            			console.log(filePath);
+            			console.log(ROOT);
             			var tempFile = fs.readFileSync(file.filepath, { encoding: "base64" });
-            			fs.writeFile(process.env.IMAGE_UPLOAD_DIR + filename, tempFile, (err) => {
+            			fs.writeFile(filePath, tempFile, (err) => {
             				res.send({ status: 200, filename: filename });

@@ -3,2 +3,3 @@
             import * as fs from "fs";
+            import * as path from "path";
@@ -27,8 +28,15 @@
             			var filetype = file.mimetype.split("image/")[1];
-            			var filename = `/${file.newFilename}.${filetype}`;
-            			console.log(process.env.IMAGE_UPLOAD_DIR + filename);
-            			console.log(process.env.IMAGE_UPLOAD_DIR);
+            			var filename = `${file.newFilename}.${filetype}`;
+            			var uploadDir = process.env.IMAGE_UPLOAD_DIR;
+            			var filePath = path.resolve(uploadDir, filename);
+            			if (!filePath.startsWith(uploadDir)) {
+            				return res.send({ status: 403, message: "Forbidden" });
+            			}
             			var tempFile = fs.readFileSync(file.filepath, { encoding: "base64" });
-            			fs.writeFile(process.env.IMAGE_UPLOAD_DIR + filename, tempFile, (err) => {
+            			fs.writeFile(filePath, tempFile, (err) => {
+            				if (err) {
+            					return res.send({ status: 500, message: err.message });
+            				}
             				res.send({ status: 200, filename: filename });

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Pull from main to Move-InsightsAndSettingsLogic-to-component #377

Pull from main to Move-InsightsAndSettingsLogic-to-component #377

Tr01ler commented Dec 17, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Pull from main to Move-InsightsAndSettingsLogic-to-component #377

Pull from main to Move-InsightsAndSettingsLogic-to-component #377

Conversation

Tr01ler commented Dec 17, 2024