chore: clean up Critical and high code scanning alerts flagged in Git…
…hub (#9417)

* fix: Potentially unsafe external link

* fix: Incomplete URL substring sanitization

* fix: URL redirection from remote source
thelostone-mc authored Sep 15, 2021
1 parent ba529c5 commit 25e557a
Showing 24 changed files with 76 additions and 54 deletions.
6 changes: 4 additions & 2 deletions app/assets/v2/js/base.js
Expand Up @@ -64,8 +64,10 @@ document.addEventListener('DOMContentLoaded', function() {
}

var force_no_www = function() {
if (document.location.href.indexOf('https://www.gitcoin.co') != -1) {
var new_url = document.location.href.replace('www.gitcoin.co', 'gitcoin.co');
const url = new URL(document.location.href);

if (url.host == 'www.gitcoin.co') {
const new_url = document.location.href.replace('www.gitcoin.co', 'gitcoin.co');

document.location.href = new_url;
}
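Review bot: The new `if (url.host == 'www.gitcoin.co')` guard is a full-host match, which closes the substring alert, but the body still rewrites the whole `document.location.href` string with `replace('www.gitcoin.co', 'gitcoin.co')` even though a parsed `URL` is already in hand. Setting the host on the parsed object and navigating to its serialization keeps the redirect tied to the host component alone: `url.host = 'gitcoin.co'; document.location.href = url.href;`. Loose equality should also become `===` here. `force_no_www` continues past the end of the hunk.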
6 changes: 3 additions & 3 deletions app/assets/v2/js/pages/hackathon_new_bounty.js
Expand Up @@ -17,14 +17,14 @@ Vue.mixin({
return vm.form.issueDetails;
}

if (url.indexOf('github.com/') < 0) {
const ghIssueUrl = new URL(url);

if (ghIssueUrl.host == 'github.com') {
vm.form.issueDetails = null;
vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url');
return;
}

let ghIssueUrl = new URL(url);

vm.orgSelected = '';

const apiUrldetails = `/sync/get_issue_details?url=${encodeURIComponent(url.trim())}&hackathon_slug=${vm.hackathonSlug}`;
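Review bot: The condition on the new `if (ghIssueUrl.host == 'github.com')` line is inverted relative to the removed `indexOf('github.com/') < 0` check: it now rejects every github.com URL with the 'Please paste a github issue url' message and lets every other host through to the `/sync/get_issue_details` request, the opposite of what the alert fix intends. The same inversion appears in new_bounty.js, users-elastic.js and users.js. In addition, `new URL(url)` throws a TypeError for any pasted text that is not an absolute URL, so such input produces an uncaught exception instead of the validation message; the parse should be guarded and the comparison made strict. The enclosing method starts and ends outside the hunk.
```javascript
let ghIssueUrl = null;
try {
  ghIssueUrl = new URL(url);
} catch (err) {
  // not an absolute URL: fall through to the validation message below
}
if (ghIssueUrl === null || ghIssueUrl.host !== 'github.com') {
  vm.form.issueDetails = null;
  vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url');
  return;
}
// … unchanged: orgSelected reset and apiUrldetails construction …
```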
7 changes: 4 additions & 3 deletions app/assets/v2/js/pages/new_bounty.js
Expand Up @@ -22,18 +22,19 @@ Vue.mixin({
return vm.form.issueDetails;
}

if (url.indexOf('github.com/') < 0) {
const ghIssueUrl = new URL(url);

if (ghIssueUrl.host == 'github.com') {
vm.form.issueDetails = undefined;
vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url');
return;
}

if (url.indexOf('/pull/') > 0) {
if (ghIssueUrl.pathname.contains('/pull/')) {
vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url and not a PR');
return;
}

let ghIssueUrl = new URL(url);

vm.orgSelected = ghIssueUrl.pathname.split('/')[1].toLowerCase();

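Review bot: `ghIssueUrl.pathname.contains('/pull/')` on the new line throws a TypeError at runtime because `String.prototype` has no `contains` method; the check never rejects a PR URL and instead aborts the handler. The method is `includes`: `if (ghIssueUrl.pathname.includes('/pull/')) {`. Checking the pathname rather than the whole string is otherwise the right move. The enclosing method starts and ends outside the hunk.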
3 changes: 2 additions & 1 deletion app/assets/v2/js/users-elastic.js
Expand Up @@ -174,7 +174,8 @@ Vue.mixin({

vm.errorIssueDetails = undefined;

if (url.indexOf('github.com/') < 0) {
url = new URL(url);
if (url.host == 'github.com') {
vm.issueDetails = null;
vm.errorIssueDetails = 'Please paste a github issue url';
return;
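Review bot: `url = new URL(url);` on the new line rebinds `url` from the pasted string to a URL object for the rest of the method, which continues outside the hunk. If any later statement treats `url` as a string (the sibling files call `url.trim()` when building the API query) it would throw, and interpolating the object into a query string would submit the normalized `href` rather than the user's input. Keep the parsed value in its own binding and compare on that, as the sibling files do: `const ghIssueUrl = new URL(url);` followed by `if (ghIssueUrl.host !== 'github.com') {`.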
3 changes: 2 additions & 1 deletion app/assets/v2/js/users.js
Expand Up @@ -175,11 +175,12 @@ Vue.mixin({

vm.errorIssueDetails = undefined;

if (url.indexOf('github.com/') < 0) {
if (new URL(url).host == 'github.com') {
vm.issueDetails = null;
vm.errorIssueDetails = 'Please paste a github issue url';
return;
}

vm.issueDetails = undefined;
const getIssue = fetchData(apiUrldetails, 'GET');

3 changes: 2 additions & 1 deletion app/assets/v2/js/wallet.js
Expand Up @@ -22,7 +22,8 @@ if (window.ethereum) {

function initWallet() {
// Determine if we're on prod or not
const isProd = document.location.href.startsWith('https://gitcoin.co');
const url = new URL(document.location.href);
const isProd = url.host == 'gitcoin.co' && url.protocol == 'https:';
const formaticKey = isProd ? document.contxt['fortmatic_live_key'] : document.contxt['fortmatic_test_key'];
const providerOptions = {
authereum: {
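Review bot: The new `isProd` expression uses loose equality for both comparisons; the check is a sound replacement for the prefix match, so the remaining point is style: `const isProd = url.protocol === 'https:' && url.hostname === 'gitcoin.co';`. `hostname` rather than `host` makes it explicit that only the name is being compared. `initWallet` continues past the end of the hunk.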
6 changes: 5 additions & 1 deletion app/dashboard/templates/addinterest.html
Expand Up @@ -98,7 +98,11 @@ <h5 class="text-center font-title">{% trans "Submit a Plan" %}</h5>
{% elif is_registered and bounty.event %}
<form class="mt-3 border-top pt-3" id="projectForm">
<p class="alert-danger p-2">
This bounty is part of <b>{{bounty.event.name}}</b>, please read the <a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank">rules to participate</a> before you continue.
This bounty is part of <b>{{bounty.event.name}}</b>, please read the
<a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank" rel="noopener noreferrer">
rules to participate
</a>
before you continue.
</p>
<input type="hidden" name="bounty_id" value="{{bounty.id}}">
<div class="form-group">
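Review bot: The `rel="noopener noreferrer"` added here sits on a same-origin anchor (`{% url 'hackathon_onboard' … %}`); `noopener` is the part that closes the opener-tab risk, while `noreferrer` additionally suppresses the Referer header on an in-app navigation. That only matters if something server-side or in analytics depends on the Referer for these pages, which cannot be determined from the hunk; if nothing does, the combined value is harmless. The same same-origin situation applies to project_new.html, send2.html, process_bounty.html, tab_hackathons.html, the `/profile/` anchors in details.html and tribes-vue.html, and the Prize Explorer link in onboard.html.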
14 changes: 7 additions & 7 deletions app/dashboard/templates/bounty/details.html
Expand Up @@ -218,7 +218,7 @@ <h5 class="bounty-heading">{% trans "Projects" %}</h5>
{% endif %}

<div class="text-center mt-2">
<a href="{{project.url_bounty_page}}" target="_blank" class="font-weight-bold card-subtitle">{{project.name}}</a>
<a href="{{project.url_bounty_page}}" target="_blank" rel="noopener noreferrer" class="font-weight-bold card-subtitle">{{project.name}}</a>
<div class="mb-2">
<b class="text-muted font-smaller-2">Team Members</b>
<div class="mt-1">
Expand Down Expand Up @@ -273,11 +273,11 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<span [[if id]] id="[[>id]]" [[if id == 'submit']] [[if !work_started]] class="none" [[/if]] [[/if]] [[/if]]
title='<div class="tooltip-info tooltip-sm">[[>title]]</div>'>
[[if pending_acceptance]]
<a class="btn btn-primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[>href]]" target="[[>target]]">
<a rel="noopener noreferrer" class="btn btn-primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[>href]]" target="[[>target]]">
<span class="font-caption">[[:text]] ( [[>pending_acceptance]] )</span>
</a>
[[else]]
<a class="btn [[if primary]]btn-primary[[else]]btn-outline-primary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[>buttonclass]]" role="button" href="[[>href]]" target="[[>target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<a rel="noopener noreferrer" class="btn [[if primary]]btn-primary[[else]]btn-outline-primary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[>buttonclass]]" role="button" href="[[>href]]" target="[[>target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<span class="font-caption">[[:text]]</span>
</a>
[[/if]]
Expand All @@ -294,7 +294,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
</div>
<div class="col-12 col-md-2">
<div class="activity-name text-center text-md-left">
<a href="/profile/[[>name]]" target="_blank" data-usercard="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
<a href="/profile/[[>name]]" rel="noopener noreferrer" target="_blank" data-usercard="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
[[>name]]
</a>
</div>
Expand Down Expand Up @@ -341,7 +341,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="activity-status">
[[>text]]
[[if activity_type == 'worker_approved']]
<a href="/profile/[[>worker_handle]]" target="_blank">
<a rel="noopener noreferrer" href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a> to work on the bounty
[[/if]]
Expand Down Expand Up @@ -388,7 +388,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[>text]]
<a href="/profile/[[>worker_handle]]" target="_blank">
<a rel="noopener noreferrer" href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a>
</div>
Expand All @@ -398,7 +398,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="activity-status">
[[>text]]
[[if fulfiller_github_url]]
<a target="_blank" href="[[>fulfiller_github_url]]">[{% trans "View Work" %}]</a>
<a rel="noopener noreferrer" target="_blank" href="[[>fulfiller_github_url]]">[{% trans "View Work" %}]</a>
[[/if]]
</div>
[[if slash_possible]]
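Review bot: The added `rel` attribute mitigates only the opener and referrer leak; it does not constrain what `[[>href]]` (the two button anchors in the second hunk) or `[[>fulfiller_github_url]]` (the View Work anchor) may contain. If either value can originate from user-controlled data, a non-http(s) scheme would still be navigable, so the allowed schemes should be enforced where the template data is assembled, and it would help to note that assumption there, e.g. `<!-- href values are expected to be http(s) URLs validated server-side -->`. Whether these values are user-controlled is not visible from the hunks.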
17 changes: 9 additions & 8 deletions app/dashboard/templates/dashboard/hackathon/onboard.html
Expand Up @@ -261,15 +261,13 @@ <h4 class="text-uppercase font-weight-bolder text-left">How does the Hackathon w
<div class="collapse" id="collapse-info">
<div class="row px-5 my-5" >
<div class="col-12 col-md-5">
<img src="{% static "v2/images/how-it-works/hackathon/pic1.jpg" %}" class="mw-100" alt="bounty explorer" />
<img src="{% static "v2/images/how-it-works/hackathon/pic1.jpg" %}" class="mw-100" alt="bounty explorer" />
</div>
<div class="col-12 col-md-6 d-flex flex-column justify-content-center pt-4 pt-md-0">
<b class="counter">{% trans "Check out the Prizes" %}</b>

<p class="">
Visit the <a target="_blank" href="{% url 'hackathon' hackathon.slug %}">Prize Explorer</a> to check out the prizes posted by our hackathon sponsors. Click each prize to show important details, including the submission requirements, submission deadline, etc.
</p>

<b class="counter">{% trans "Check out the Prizes" %}</b>
<p class="">
Visit the <a target="_blank" rel="noopener noreferrer" href="{% url 'hackathon' hackathon.slug %}">Prize Explorer</a> to check out the prizes posted by our hackathon sponsors. Click each prize to show important details, including the submission requirements, submission deadline, etc.
</p>
</div>
</div>
<div class="row px-5 my-5">
Expand All @@ -280,7 +278,10 @@ <h4 class="text-uppercase font-weight-bolder text-left">How does the Hackathon w
<b class="counter">{% trans " Join the Hackathons Chat Workspace" %}</b>
{% blocktrans %}
<p class="">
Chat with other hackers, ask sponsors and the Gitcoin team questions, find or create a team, and communicate real-time. <a target="_blank" href="https://discord.gg/gitcoin">Click here to join the party!</a>.
Chat with other hackers, ask sponsors and the Gitcoin team questions, find or create a team, and communicate real-time.
<a rel="noopener noreferrer" target="_blank" href="https://discord.gg/gitcoin">
Click here to join the party!
</a>
</p>
{% endblocktrans %}
</div>
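Review bot: The Discord anchor in the second hunk lives inside `{% blocktrans %}`, so its markup is part of the translatable msgid; reflowing it onto separate lines with the new `rel` attribute changes that msgid, and any existing translations of this paragraph will fall back to English until the message catalogs are regenerated. Keeping the `<a>` on its original line with only the attribute added limits the churn, and hoisting the anchor out of the blocktrans would avoid it entirely. The first hunk prints the same `<img>` line twice with no visible difference, which suggests a whitespace-only change.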
6 changes: 5 additions & 1 deletion app/dashboard/templates/dashboard/hackathon/project_new.html
Expand Up @@ -40,7 +40,11 @@ <h2 class="h5 text-center font-weight-bold mb-4">Let's Get Started!</h2>

<form action="" class="mt-3 border-top pt-3" id="projectForm">
<p class="alert-danger p-2">
This bounty is part of <b>{{bounty.event.name}}</b>, please read the <a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank">rules to participate</a> before you continue.
This bounty is part of <b>{{bounty.event.name}}</b>, please read the
<a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank" rel="noopener noreferrer">
rules to participate
</a>
before you continue.
</p>
{% if project_selected %}
<input type="hidden" name="bounty_id" value="{{project_selected.bounty.id}}">
6 changes: 5 additions & 1 deletion app/dashboard/templates/onepager/send2.html
Expand Up @@ -194,7 +194,11 @@ <h1>{% trans "Send Tip." %}</h1>
{% if profile %}
<div class="user-tooltip" user-id="{{profile.id}}" username="{{profile.username}}" avatar-url="{{profile.avatar_url}}" preferred_payout_address="{{profile.preferred_payout_address}}">
<img class="user-img" src="{{profile.avatar_url}}">
<div class='user-tooltip-text tooltip-xs'><a href="{% url 'profile' profile %}" target="_blank">@{{profile.username}}</a></div>
<div class='user-tooltip-text tooltip-xs'>
<a href="{% url 'profile' profile %}" target="_blank" rel="noopener noreferrer">
@{{profile.username}}
</a>
</div>
</div>
{% endif %}
{% endfor %}
2 changes: 1 addition & 1 deletion app/dashboard/templates/process_bounty.html
Expand Up @@ -105,7 +105,7 @@ <h3>{% trans "Basic Payout" %}</h3>
<div class="my-4">
<div class="d-flex justify-content-between align-items-center">
<h3 class="font-subheader mb-0">Suggested Kudos</h3>
<a href="{% url 'kudos_about' %}" target="_blank">What is kudos?</a>
<a href="{% url 'kudos_about' %}" target="_blank" rel="noopener noreferrer">What is kudos?</a>
</div>

<div id="kudos-holder">
2 changes: 1 addition & 1 deletion app/dashboard/templates/profiles/tab_hackathons.html
Expand Up @@ -71,7 +71,7 @@ <h5 class="card-title text-uppercase"><a href="
{% url 'hackathon_project_page' hackathon=project.hackathon.slug project_id=project.id project_name=project.name|slug %}
{% else %}
{% url 'hackathon_project_page' hackathon=project.hackathon.slug project_id=project.id %}
{% endif %}" target="_blank" class="font-weight-bold card-subtitle">{{ project.name }}</a></h5>
{% endif %}" target="_blank" rel="noopener noreferrer" class="font-weight-bold card-subtitle">{{ project.name }}</a></h5>
<div class="my-2">
<b class="text-muted">Project Summary</b>
<p>
16 changes: 8 additions & 8 deletions app/dashboard/templates/profiles/tribes-vue.html
Expand Up @@ -960,12 +960,12 @@ <h3 class="featured-bounties__title">
<div class="d-flex flex-column py-1">
<button class="btn position-absolute align-self-end" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false"><i class="fas fa-ellipsis-v"></i></button>
<div class="dropdown-menu dropdown-menu-right font-caption bg-white">
<a :href="`/funding/new?invite=${ user.id }`" target="_blank" class="dropdown-item p-2">
<a rel="noopener noreferrer" :href="`/funding/new?invite=${ user.id }`" target="_blank" class="dropdown-item p-2">
<i class="fab fa-ethereum mr-2"></i>
Fund Bounty
</a>
<div class="dropdown-divider"></div>
<a :href="`/profile/${ user.handle }`" class="dropdown-item p-2" target="_blank">
<a rel="noopener noreferrer" :href="`/profile/${ user.handle }`" class="dropdown-item p-2" target="_blank">
<i class="fas fa-user mr-2"></i>
View profile
</a>
Expand Down Expand Up @@ -1075,15 +1075,15 @@ <h5 class="text-center card-user_name">
<h6 class="font-weight-bold mb-3">Invite User to Bounty</h6>
<img class="rounded-circle mx-auto mb-3" width="64" height="64" :src="`/dynamic/avatar/${ userSelected.handle }`" alt="Avatar"/>
<span>[[ userSelected.name ]]</span>
<a :href="`/profile/${ userSelected.handle }`" class="text-center d-block" target="_blank">
<a rel="noopener noreferrer" :href="`/profile/${ userSelected.handle }`" class="text-center d-block" target="_blank">
[[ userSelected.handle ]]
</a>
</div>
</div>
<div slot="body" v-if="userSelected.handle">
<div v-if="funderBounties.length">
<div class="my-2 text-center">
<b>Select a bounty</b> or <a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank" class="font-weight-bold">create a new one</a>
<b>Select a bounty</b> or <a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank" rel="noopener noreferrer" class="font-weight-bold">create a new one</a>
</div>
<div class="bounties-box">
<div v-for="bounty in funderBounties" :key="bounty.id" @click="bountySelected = bounty" v-bind:class="{ 'btn-primary': bountySelected && bounty.id === bountySelected.id, 'hidden': contributorInvite === userSelected.handle && currentBounty == bounty.id }" class="bounty-select py-2 px-3 border-bottom d-flex align-items-center">
Expand All @@ -1101,13 +1101,13 @@ <h6 class="font-weight-bold mb-3">Invite User to Bounty</h6>
<div v-else class="text-center font-subheader mt-4">
<p class="font-weight-semibold">You've got NO open bounties</p>
<p class="font-body">
<a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank">Create a bounty</a>
<a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank" rel="noopener noreferrer">Create a bounty</a>
to invite [[ userSelected.handle ]]
</p>
</div>
</div>
<div slot="footer" class="d-flex align-items-center flex-fill">
<a v-if="bountySelected" :href="bountySelected.url" target="_blank" class="mr-5">view bounty</a>
<a v-if="bountySelected" :href="bountySelected.url" target="_blank" rel="noopener noreferrer" class="mr-5">view bounty</a>
<div class="ml-auto">
<button class="btn btn-outline-primary" data-dismiss="modal">Cancel</button>
<button v-if="funderBounties.length" class="btn btn-primary" :disabled="!bountySelected" @click="sendInvite(bountySelected, userSelected.id)">Invite</button>
Expand Down Expand Up @@ -1223,7 +1223,7 @@ <h3 class="font-subheader font-weight-bold">[[ suggested_bounty.title ]]</h3>
<p class="font-caption text-black-60 mb-1" v-html="suggested_bounty.comment"></p>
<div class="row font-caption">
<div class="col-12">
<a :href="suggested_bounty.github_url" target="_blank">
<a :href="suggested_bounty.github_url" target="_blank" rel="noopener noreferrer">
<i class="fab fa-github mr-1"></i> {% trans "View Github Issue" %}
</a>
<span class="mx-2 text-grey">
Expand All @@ -1245,7 +1245,7 @@ <h3 class="font-subheader font-weight-bold">[[ suggested_bounty.title ]]</h3>
</div>

<div v-if="is_my_org" class="col-5 my-auto text-right">
<a target="_blank" class="btn btn-sm btn-outline-secondary font-smaller-4 mx-2" :href="`{% url 'new_bounty' %}?type=public&url=${suggested_bounty.github_url}&invite=${suggested_bounty.requested_by.id}&amount=${suggested_bounty.amount}`">
<a target="_blank" rel="noopener noreferrer" class="btn btn-sm btn-outline-secondary font-smaller-4 mx-2" :href="`{% url 'new_bounty' %}?type=public&url=${suggested_bounty.github_url}&invite=${suggested_bounty.requested_by.id}&amount=${suggested_bounty.amount}`">
<i class="fas fa-plus-circle mr-1"></i>
{% trans "Fund Request" %}
</a>
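Review bot: The Fund Request anchor in the last hunk interpolates `suggested_bounty.github_url`, `requested_by.id` and `amount` into the `:href` query string without encoding; a `github_url` containing `&`, `#` or `=` would truncate the query or introduce extra parameters on the `new_bounty` page. Encoding the interpolated values keeps each one a single parameter: `&url=${encodeURIComponent(suggested_bounty.github_url)}` and likewise for the other two. The added `rel` attribute itself is correct for these `target="_blank"` anchors.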