
v2.1.6 #843

Merged (4 commits), Oct 24, 2024

Conversation

donavanbecker (Collaborator)
2.1.6 (2024-10-24)

What's Changed

  • Fix for UI linking issues and refresh issues.
  • Housekeeping and updated dependencies.

Full Changelog: v2.1.5...v2.1.6

@donavanbecker donavanbecker merged commit b043ce9 into latest Oct 24, 2024
5 checks passed
@donavanbecker donavanbecker deleted the beta-2.1.6 branch October 24, 2024 05:53
@github-actions github-actions bot added the labels enhancement (New feature or request), workflow, dependencies (Pull requests that update a dependency file), docs and latest, Oct 24, 2024
this.hostname = query.get('host') as string
const redirectUrl = `http://${this.hostname}:8585/auth`
const authUrl = `https://api.honeywell.com/oauth2/authorize?response_type=code&appSelect=1&redirect_uri=${encodeURI(redirectUrl)}&client_id=${query.get('key')}`
res.end(`<script>window.location.replace('${authUrl}');</script>`)

Check failure: Code scanning / CodeQL

Reflected cross-site scripting (High)

Cross-site scripting vulnerability due to a user-provided value.

Copilot Autofix AI 3 months ago

To fix the reflected cross-site scripting vulnerability, we need to ensure that any user-controlled data included in the HTML response is properly sanitized. The best way to achieve this is by using a library designed for escaping HTML content, such as escape-html.

  1. Import the escape-html library to handle HTML escaping.
  2. Use the escape-html function to sanitize the authUrl before embedding it in the HTML response.
Suggested changeset (2 files)

src/homebridge-ui/server.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/homebridge-ui/server.ts b/src/homebridge-ui/server.ts
--- a/src/homebridge-ui/server.ts
+++ b/src/homebridge-ui/server.ts
@@ -5,2 +5,3 @@
 import util from 'node:util'
+import escapeHtml from 'escape-html'
 
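Review bot: this import only resolves once the package.json change in the second patch is applied and installed, since escape-html is a new runtime dependency for this file. Before adding it, note that escape-html is an HTML-entity encoder, while the value it is applied to further down ends up inside a `<script>` string literal, where entities are never decoded; an encoder for the JS-string and URL contexts (JSON.stringify, encodeURIComponent) is the better fit, and then no new dependency is needed at all.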
@@ -36,4 +37,4 @@
               const redirectUrl = `http://${this.hostname}:8585/auth`
-              const authUrl = `https://api.honeywell.com/oauth2/authorize?response_type=code&appSelect=1&redirect_uri=${encodeURI(redirectUrl)}&client_id=${query.get('key')}`
-              res.end(`<script>window.location.replace('${authUrl}');</script>`)
+              const authUrl = `https://api.honeywell.com/oauth2/authorize?response_type=code&appSelect=1&redirect_uri=${encodeURI(redirectUrl)}&client_id=${escapeHtml(query.get('key'))}`
+              res.end(`<script>window.location.replace('${escapeHtml(authUrl)}');</script>`)
               break
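Review bot: the second `+` line, `res.end(\`<script>window.location.replace('${escapeHtml(authUrl)}');</script>\`)`, HTML-escapes the whole authorize URL, which turns every `&` between query parameters into `&amp;`; entities are not decoded inside a `<script>` element, so the browser would navigate to `...response_type=code&amp;appSelect=1&amp;redirect_uri=...` and the OAuth request breaks. The first `+` line has the opposite problem: escapeHtml is not a URL encoder, so `&`, `=` and `#` in the key pass through raw into the query string. Suggest building the URL with `encodeURIComponent(query.get('key'))` (or `URLSearchParams`) and emitting the literal with `JSON.stringify(authUrl)` with `<` replaced by `\u003c`, dropping the escapeHtml calls. The unchanged context line `const redirectUrl = \`http://${this.hostname}:8585/auth\`` also reflects the unvalidated `host` query parameter from the flagged snippet; it should be checked against a host-name pattern before use.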
EOF
package.json (outside changed files)

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/package.json b/package.json
--- a/package.json
+++ b/package.json
@@ -74,3 +74,4 @@
     "rxjs": "^7.8.1",
-    "undici": "^6.20.1"
+    "undici": "^6.20.1",
+    "escape-html": "^1.0.3"
   },
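Review bot: the added `"escape-html": "^1.0.3"` entry is appended after `"undici"` although the visible entries (`"rxjs"`, `"undici"`) are kept in alphabetical order, so it belongs before `"rxjs"`. The patch touches only package.json; if the project commits a lockfile, it has to be regenerated in the same change so that CI installs match. Whether the dependency is needed at all depends on the server.ts change: if the URL/JS-string encoding from the standard library is used there instead, this hunk can be dropped.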
EOF
This fix introduces these dependencies:

  • escape-html (npm), version 1.0.3, security advisories: none
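The fix the alert calls for, written out as an added example (this is neither the plugin's code nor the Autofix's patch): each user-supplied value is encoded for the context it lands in, the key for the URL query and the finished URL for a JS string literal inside `<script>`, and the `host` parameter is validated before it is used. The function names (`buildAuthUrl`, `renderRedirect`, `jsStringLiteral`), the host pattern and the inline stand-in for escape-html are assumptions made for this demo.

```javascript
// Added example, not the plugin's or the Autofix's code. It builds the same
// authorize redirect as server.ts but encodes each value for the context it
// lands in: the key for a URL query, the whole URL for a JS string literal.
// Names (buildAuthUrl, renderRedirect, HOST_RE) are assumptions for this demo.

// Stand-in for the escape-html package (same five characters). Used only to
// show why HTML-entity escaping is the wrong tool inside <script>.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Encodes a value as a JS string literal for embedding in a <script> element.
// JSON.stringify handles quotes and backslashes; "<" is escaped so the data can
// never spell "</script>" or "<!--", and U+2028/U+2029 cannot end the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The original code appends ":8585" itself, so accept a bare host name or
// IPv4 literal only (assumed policy: DNS label characters, no port, no scheme).
const HOST_RE = /^[a-z0-9](?:[a-z0-9.-]{0,252}[a-z0-9])?$/i;

function buildAuthUrl(host, key) {
  if (!HOST_RE.test(host)) throw new Error('rejected host parameter');
  const redirectUrl = `http://${host}:8585/auth`;
  const url = new URL('https://api.honeywell.com/oauth2/authorize');
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('appSelect', '1');
  url.searchParams.set('redirect_uri', redirectUrl); // percent-encoded here
  url.searchParams.set('client_id', key);            // "&", "=", "'" cannot survive raw
  return url.toString();
}

// Response body as server.ts emits it, with the JS-context encoding applied
// at the point where the URL is embedded.
function renderRedirect(host, key) {
  return `<script>window.location.replace(${jsStringLiteral(buildAuthUrl(host, key))});</script>`;
}

// Why escapeHtml(authUrl) from the Autofix breaks the flow: entities are not
// decoded inside <script>, so every "&" separator becomes a literal "&amp;".
function autofixMangledSeparators(host, key) {
  return escapeHtml(buildAuthUrl(host, key)).includes('&amp;appSelect=1');
}
```

`autofixMangledSeparators` returns true for any valid input, which is the functional regression the suggested patch would ship alongside the encoding change.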