moulongzhang · moulongzhang · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
diff --git a/.github/workflows/eslint.yml b/.github/workflows/eslint.yml
@@ -32,8 +32,10 @@ jobs:
 
       - name: Install ESLint
         run: |
-          npm install eslint@8.10.0
+          npm install eslint@9.18.0
           npm install @microsoft/[email protected]
+          npm install @eslint/[email protected]
+          npm install [email protected]
 
       - name: Run ESLint
         env:
@@ -43,8 +45,7 @@ jobs:
          echo "Environment variables:"
          echo "ESLINT_USE_FLAT_CONFIG: $ESLINT_USE_FLAT_CONFIG"
          npx eslint . \
-           --config eslint.config.mjs \
-           --ext .js,.jsx,.ts,.tsx \
+           --config ./eslint.config.mjs \
            --format @microsoft/eslint-formatter-sarif \
            --output-file eslint-results.sarif
         continue-on-error: true

diff --git a/eslint.config.mjs b/eslint.config.mjs
@@ -0,0 +1,22 @@
+import globals from "globals";
+import pluginJs from "@eslint/js";
+
+/** @type {import('eslint').Linter.Config[]} */
+export default [
+  {
+    languageOptions: { 
+      globals: globals.browser,
+      parserOptions: {
+        ecmaVersion: 'latest',
+      }
+    },
+    rules: {
+      'semi': ['error', 'always'],
+      'no-unused-vars': 'warn',
+      'eqeqeq': 'error',
+      'space-before-function-paren': ['error', 'always'],
+      'space-infix-ops': 'error'
+    }
+  },
+  pluginJs.configs.recommended,
+];
diff --git a/index.html b/index.html
@@ -4,38 +4,24 @@
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>Dependabot, CodeQL, and Secret Scanning Demo </title>
-
-    <!-- 外部ライブラリの参照 -->
-    <script src="https://code.jquery.com/jquery-3.5.0.min.js"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.15/lodash.min.js"></script>
-    <script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.24.0/moment.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/moment.js/2.29.4/moment.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/axios/1.6.2/axios.min.js"></script>
 </head>
 <body>
-    <h1>Dependabot, CodeQL, and Secret Scanning Demo</h1>
+    <h1>GitHub Advanced Security Demo</h1>
     <p id="demo"></p>
     <input type="text" id="userInput" placeholder="Enter your name">
-    <button onclick="greetUser()">Greet</button>
+    <button id="greetButton">Greeting</button>
     <div id="greeting"></div>
+    <div>
+        <input type="text" id="usernameInput" placeholder="Enter your username">
+        <input type="password" id="passwordInput" placeholder="Enter your password">
+        <button id="savePasswordButton">Save Password</button>
+    </div>
 
-    <script>
-        $(document).ready(function() {
-            var now = moment().format('MMMM Do YYYY, h:mm:ss a');
-            $('#demo').text('Current time: ' + now);
-        });
-
-        // XSS脆弱性 - ユーザー入力を直接DOMに挿入
-        function greetUser() {
-            var name = document.getElementById('userInput').value;
-            document.getElementById('greeting').innerHTML = 'Hello, ' + name + '!';
-        }
-
-        // パスワードを平文で保存
-        function savePassword(username, password) {
-            localStorage.setItem(username, password);
-        }
+    <script src="logic.js" type="module"></script>
 
-        // デモ用のシークレット一覧
-        const PLACEHOLDER_GITHUB_TOKEN = "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";
-    </script>
 </body>
 </html>
diff --git a/logic.js b/logic.js
@@ -0,0 +1,85 @@
+const moment = window.moment;
+const _ = window._;
+const $ = window.jQuery;
+const axios = window.axios;
+
+$(document).ready(function () {
+    var now = moment().format('MMMM Do YYYY, h:mm:ss a');
+    $('#demo').text('Current time: ' + now);
+    $('#greetButton').on('click', greetUser);
+    $('#savePasswordButton').on('click', function() {
+        var username = $('#usernameInput').val();
+        var password = $('#passwordInput').val();
+        savePassword(username, password);
+    });
+});
+
+export function greetUser () {
@@ -21,3 +21,3 @@
    }
-    document.getElementById('greeting').innerHTML = 'Hello, ' + name + '!';
+    document.getElementById('greeting').textContent = 'Hello, ' + name + '!';
 }
@@ -21,3 +21,3 @@
    }
-    document.getElementById('greeting').innerHTML = 'Hello, ' + name + '!';
+    document.getElementById('greeting').textContent = 'Hello, ' + name + '!';
 }
+    var name = document.getElementById('userInput').value;
+    if (name == "") {
@@ -18,3 +18,3 @@
    var name = document.getElementById('userInput').value;
-    if (name == "") {
+    if (name === "") {
        name = "guest";
@@ -18,3 +18,3 @@
    var name = document.getElementById('userInput').value;
-    if (name == "") {
+    if (name === "") {
        name = "guest";
+        name = "guest";
+    }
+    document.getElementById('greeting').innerHTML = 'Hello, ' + name + '!';
@@ -4,2 +4,3 @@
 const axios = window.axios;
+const crypto = window.crypto || require('crypto');
@@ -26,4 +27,5 @@
    if (_.isEmpty(username) || _.isEmpty(password)) return;
-    localStorage.setItem(username, password);
-    $('#demo').text('Username: ' + username + ', Password: ' + password);
+    const encryptedPassword = encrypt(password);
+    localStorage.setItem(username, encryptedPassword);
+    $('#demo').text('Username: ' + username + ', Password: [encrypted]');
 }
@@ -33,2 +35,7 @@
 }
+
+function encrypt(text) {
+    const cipher = crypto.createCipher('aes-256-ctr', 'password');
+    return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');
+}
@@ -4,2 +4,3 @@
 const axios = window.axios;
+const crypto = window.crypto || require('crypto');

@@ -26,4 +27,5 @@
    if (_.isEmpty(username) || _.isEmpty(password)) return;
-    localStorage.setItem(username, password);
-    $('#demo').text('Username: ' + username + ', Password: ' + password);
+    const encryptedPassword = encrypt(password);
+    localStorage.setItem(username, encryptedPassword);
+    $('#demo').text('Username: ' + username + ', Password: [encrypted]');
 }
@@ -33,2 +35,7 @@
 }
+
+function encrypt(text) {
+    const cipher = crypto.createCipher('aes-256-ctr', 'password');
+    return cipher.update(text, 'utf8', 'hex') + cipher.final('hex');
+}

+}
+
+export function savePassword (username, password) {
+    if (_.isEmpty(username) || _.isEmpty(password)) return;
+    localStorage.setItem(username, password);
+    $('#demo').text('Username: ' + username + ', Password: ' + password);
+}
+
+export function processData (data){
+    return data + 1;
+}
+
+// GitHubのシークレット
+const PLACEHOLDER_GITHUB_TOKEN = "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";
+async function fetchGitHubUserData (username) {
+    const config = {
+        headers: {
+            'Authorization': `token ${PLACEHOLDER_GITHUB_TOKEN}`
+        }
+    };
+
+    try {
+        const response = await axios.get(`https://api.github.com/users/${username}`, config);
+        return response.data;
+    } catch (error) {
+        console.error('Error fetching GitHub user data:', error);
+        return null;
+    }
+}
+
+// Example usage
+fetchGitHubUserData('octocat').then(data => {
+    if (data) {
+        console.log('GitHub User Data:', data);
+    } else {
+        console.log('Failed to fetch GitHub user data.');
+    }
+});
+
+
+// SQL Injection
+export async function queryUserData (userId) {
+    const query = `SELECT * FROM users WHERE id = ${userId}`;
+    try {
+        const response = await axios.post('/api/query', { sql: query });
+        return response.data;
+    } catch (error) {
+        console.error('Query error:', error);
+        return null;
+    }
+}
+
+// Prototype pollution
+export function mergeObjects (target, source) {
+    for (let key in source) {
+        if (typeof source[key] === 'object') {
+            target[key] = mergeObjects(target[key], source[key]);
+        } else {
+            target[key] = source[key];
+        }
+    }
+    return target;
+}
diff --git a/package.json b/package.json
@@ -4,14 +4,21 @@
     "description": "A demo for CodeQL and Dependabot",
     "main": "index.js",
     "scripts": {
-      "start": "http-server"
+        "start": "http-server"
     },
     "dependencies": {
       "jquery": "3.5.0",
       "lodash": "4.17.15",
-      "moment": "2.30.1"
+      "moment": "2.24.0"
     },
     "devDependencies": {
-      "http-server": "^0.12.3"
-    }
-  }
+        "@eslint/js": "^9.18.0",
+        "eslint": "^9.18.0",
+        "eslint-plugin-html": "^8.1.2",
+        "globals": "^15.14.0",
+        "http-server": "^0.12.3"
+    },
+    "keywords": [],
+    "author": "",
+    "license": "ISC"
+}