Code Scanning Fixes Required for WASA

[gracekretschmer-metrostar]

Background

The platform reliability team is working on what is called Preview Environments - It allows teams to take their new code and combine it with isolated snapshots of the FE/BE repositories, so they can test their code in an isolated and low risk environment. The team's intent (and project requirements) includes making these Preview Environments publicly accessible, so teams can use these environments to test with real veteran end users.

In order to get anything publicly accessible, the team need to navigate through various stages of an approval process, which they've been working on and towards for quite some time to meet the various requirements that we become aware of. One of these requirements included having code scanning done on our repositories - which surfaced a number of critical & high issues for vets-website, vets-api, and content-build. In order to continue proceeding, we need to resolve the issues on that code scanning report, however it involves fixing a number of items in content-build, which we're not super familiar with.

In the WASA scan, three critical issues were identified within the content-build repo that the CMS team will own getting resolved.

Relevant Links

• https://vfs.atlassian.net/wiki/spaces/PRT/pages/2942369846/Code+Scanning+Fixes+Required+for+WASA

User Story or Problem Statement

As user researcher, I wanted to be able to make preview environments publicly accessible so that I can more meaningful run usability tests with members of the public. To make preview environments publicly available, the preview environments need to resolve all critical issues identified in the WASA scan.

Tasks

Beta Give feedback

1. Incomplete URL substring sanitization #18060
   CMS Team Defect content-build +3
2. Regular Expression Denial of Service in timespan #18059
   CMS Team Defect content-build +3
   
3. Inefficient Regular Expression Complexity in nth-check #18057
   CMS Team Defect content-build +3
4. Improper Verification of Cryptographic Signature in node-forge #18056
   CMS Team Defect content-build +3
5. Regular expression denial of service in scss-tokenizer #18055
   CMS Team Defect content-build +3
   
6. minimatch ReDoS vulnerability #18053
   CMS Team Defect content-build +3
7. qs vulnerable to Prototype Pollution #18052
   CMS Team Defect content-build +3
8. Prototype Pollution in JSON5 via Parse Method #18051
   CMS Team Defect content-build +3
9. debug Inefficient Regular Expression Complexity vulnerability #18050
   CMS Team Defect content-build +3

[gracekretschmer-metrostar]

@anantais and @JakeBapple, there is a backlog of security issues attached to this epic (see under the task list). When each of you have completed your sprint tasks, you can pick up work in this task list.