chore: clean up Critical and high code scanning alerts flagged in Github #9417

Merged
merged 4 commits into from
Sep 15, 2021
Merged
6 changes: 4 additions & 2 deletions app/assets/v2/js/base.js
Expand Up @@ -64,8 +64,10 @@ document.addEventListener('DOMContentLoaded', function() {
}

var force_no_www = function() {
if (document.location.href.indexOf('https://www.gitcoin.co') != -1) {
var new_url = document.location.href.replace('www.gitcoin.co', 'gitcoin.co');
const url = new URL(document.location.href);

if (url.host == 'www.gitcoin.co') {
const new_url = document.location.href.replace('www.gitcoin.co', 'gitcoin.co');

document.location.href = new_url;
}
Expand Down
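Review bot: The redirect still rewrites the host by text replacement on `document.location.href` (the `const new_url = document.location.href.replace(...)` line) even though the URL is now parsed into `url`; replacing the first occurrence of `www.gitcoin.co` is fragile when that text also appears earlier in userinfo, and the `==` host comparison is loose where the rest of the fix uses strict checks. Since the URL object exists, change the host on it and navigate to its serialization: `if (url.host === 'www.gitcoin.co') { url.host = 'gitcoin.co'; document.location.href = url.href; }`. If this is meant as a transparent canonical redirect, `document.location.replace(url.href)` would additionally keep the www entry out of the back-button history. The body of force_no_www continues past the end of the hunk.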
6 changes: 3 additions & 3 deletions app/assets/v2/js/pages/hackathon_new_bounty.js
Expand Up @@ -17,14 +17,14 @@ Vue.mixin({
return vm.form.issueDetails;
}

if (url.indexOf('github.com/') < 0) {
const ghIssueUrl = new URL(url);

if (ghIssueUrl.host == 'github.com') {
vm.form.issueDetails = null;
vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url');
return;
}

let ghIssueUrl = new URL(url);

vm.orgSelected = '';

const apiUrldetails = `/sync/get_issue_details?url=${encodeURIComponent(url.trim())}&hackathon_slug=${vm.hackathonSlug}`;
Expand Down
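Review bot: The rewritten guard `if (ghIssueUrl.host == 'github.com')` is inverted relative to the line it replaces: the old `url.indexOf('github.com/') < 0` raised "Please paste a github issue url" when the URL was not a GitHub URL, whereas the new condition raises it precisely when the host is github.com, so every valid issue URL is rejected and every non-GitHub URL passes through to the sync request. The same inversion appears in the corresponding hunks of new_bounty.js, users-elastic.js and users.js. In addition, `new URL(url)` throws a TypeError for input without a scheme (for example a pasted `github.com/org/repo/issues/1`), which the old substring check tolerated, so the parse should be guarded and fall back to the same user-facing error. The enclosing mixin method starts before the hunk and its tail (the `apiUrldetails` request) continues after it.
```javascript
// … unchanged: early return when vm.form.issueDetails is already set …
let ghIssueUrl = null;
try {
  ghIssueUrl = new URL(url);
} catch (err) {
  // not an absolute URL; treated the same as a non-GitHub URL below
}
if (ghIssueUrl === null || ghIssueUrl.host !== 'github.com') {
  vm.form.issueDetails = null;
  vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url');
  return;
}
// … unchanged: vm.orgSelected reset and apiUrldetails request …
```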
7 changes: 4 additions & 3 deletions app/assets/v2/js/pages/new_bounty.js
Expand Up @@ -22,18 +22,19 @@ Vue.mixin({
return vm.form.issueDetails;
}

if (url.indexOf('github.com/') < 0) {
const ghIssueUrl = new URL(url);

if (ghIssueUrl.host == 'github.com') {
vm.form.issueDetails = undefined;
vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url');
return;
}

if (url.indexOf('/pull/') > 0) {
if (ghIssueUrl.pathname.contains('/pull/')) {
vm.$set(vm.errors, 'issueDetails', 'Please paste a github issue url and not a PR');
return;
}

let ghIssueUrl = new URL(url);

vm.orgSelected = ghIssueUrl.pathname.split('/')[1].toLowerCase();

Expand Down
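Review bot: `ghIssueUrl.pathname.contains('/pull/')` on the new side will throw at runtime, because `String.prototype.contains` does not exist; the method is `includes`, so the line should read `if (ghIssueUrl.pathname.includes('/pull/')) {`. Because the preceding host guard is inverted (see the note on hackathon_new_bounty.js), this line is currently only reached for non-GitHub URLs, where the TypeError would surface instead of the intended "not a PR" message. The enclosing mixin method starts before the hunk and continues after `vm.orgSelected` is assigned.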
3 changes: 2 additions & 1 deletion app/assets/v2/js/users-elastic.js
Expand Up @@ -174,7 +174,8 @@ Vue.mixin({

vm.errorIssueDetails = undefined;

if (url.indexOf('github.com/') < 0) {
url = new URL(url);
if (url.host == 'github.com') {
vm.issueDetails = null;
vm.errorIssueDetails = 'Please paste a github issue url';
return;
Expand Down
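Review bot: `url = new URL(url);` reassigns the incoming parameter from a string to a URL object, unlike the sibling files, which keep the parsed value in a separate `ghIssueUrl` constant. Any code below the hunk that still treats `url` as a string (the pattern in the other files is `encodeURIComponent(url.trim())`) would then fail with a TypeError, since URL objects have no `trim`; the rest of the method is outside the hunk, so please confirm. Suggested lines: `const ghIssueUrl = new URL(url);` followed by `if (ghIssueUrl.host !== 'github.com') {`, which also corrects the inverted guard noted on hackathon_new_bounty.js.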
3 changes: 2 additions & 1 deletion app/assets/v2/js/users.js
Expand Up @@ -175,11 +175,12 @@ Vue.mixin({

vm.errorIssueDetails = undefined;

if (url.indexOf('github.com/') < 0) {
if (new URL(url).host == 'github.com') {
vm.issueDetails = null;
vm.errorIssueDetails = 'Please paste a github issue url';
return;
}

vm.issueDetails = undefined;
const getIssue = fetchData(apiUrldetails, 'GET');

Expand Down
3 changes: 2 additions & 1 deletion app/assets/v2/js/wallet.js
Expand Up @@ -22,7 +22,8 @@ if (window.ethereum) {

function initWallet() {
// Determine if we're on prod or not
const isProd = document.location.href.startsWith('https://gitcoin.co');
const url = new URL(document.location.href);
const isProd = url.host == 'gitcoin.co' && url.protocol == 'https:';
const formaticKey = isProd ? document.contxt['fortmatic_live_key'] : document.contxt['fortmatic_test_key'];
const providerOptions = {
authereum: {
Expand Down
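Review bot: The production check now correctly pins both host and scheme instead of a prefix match, but it is written with loose equality and an unnecessary parse: `document.location` already exposes `host` and `protocol`, so `new URL(document.location.href)` is redundant here. A tighter form is `const isProd = document.location.host === 'gitcoin.co' && document.location.protocol === 'https:';`. Worth a comment on the `isProd` line that it selects which Fortmatic key is used, since that is the security-relevant consequence of the check; the rest of initWallet continues past the hunk.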
6 changes: 5 additions & 1 deletion app/dashboard/templates/addinterest.html
Expand Up @@ -98,7 +98,11 @@ <h5 class="text-center font-title">{% trans "Submit a Plan" %}</h5>
{% elif is_registered and bounty.event %}
<form class="mt-3 border-top pt-3" id="projectForm">
<p class="alert-danger p-2">
This bounty is part of <b>{{bounty.event.name}}</b>, please read the <a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank">rules to participate</a> before you continue.
This bounty is part of <b>{{bounty.event.name}}</b>, please read the
<a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank" rel="noopener noreferrer">
rules to participate
</a>
before you continue.
</p>
<input type="hidden" name="bounty_id" value="{{bounty.id}}">
<div class="form-group">
Expand Down
14 changes: 7 additions & 7 deletions app/dashboard/templates/bounty/details.html
Expand Up @@ -218,7 +218,7 @@ <h5 class="bounty-heading">{% trans "Projects" %}</h5>
{% endif %}

<div class="text-center mt-2">
<a href="{{project.url_bounty_page}}" target="_blank" class="font-weight-bold card-subtitle">{{project.name}}</a>
<a href="{{project.url_bounty_page}}" target="_blank" rel="noopener noreferrer" class="font-weight-bold card-subtitle">{{project.name}}</a>
<div class="mb-2">
<b class="text-muted font-smaller-2">Team Members</b>
<div class="mt-1">
Expand Down Expand Up @@ -273,11 +273,11 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<span [[if id]] id="[[>id]]" [[if id == 'submit']] [[if !work_started]] class="none" [[/if]] [[/if]] [[/if]]
title='<div class="tooltip-info tooltip-sm">[[>title]]</div>'>
[[if pending_acceptance]]
<a class="btn btn-primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[>href]]" target="[[>target]]">
<a rel="noopener noreferrer" class="btn btn-primary accept [[if !enabled]]disabled[[/if]]" role="button" href="[[>href]]" target="[[>target]]">
<span class="font-caption">[[:text]] ( [[>pending_acceptance]] )</span>
</a>
[[else]]
<a class="btn [[if primary]]btn-primary[[else]]btn-outline-primary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[>buttonclass]]" role="button" href="[[>href]]" target="[[>target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<a rel="noopener noreferrer" class="btn [[if primary]]btn-primary[[else]]btn-outline-primary[[/if]] mr-2 font-caption [[if !enabled]]disabled[[/if]] [[>buttonclass]]" role="button" href="[[>href]]" target="[[>target]]" [[if modal]] data-toggle="modal" data-target=".share-modal" [[/if]]>
<span class="font-caption">[[:text]]</span>
</a>
[[/if]]
Expand All @@ -294,7 +294,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
</div>
<div class="col-12 col-md-2">
<div class="activity-name text-center text-md-left">
<a href="/profile/[[>name]]" target="_blank" data-usercard="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
<a href="/profile/[[>name]]" rel="noopener noreferrer" target="_blank" data-usercard="[[>name]]" data-html="true" data-toggle="popover" data-container="body">
[[>name]]
</a>
</div>
Expand Down Expand Up @@ -341,7 +341,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="activity-status">
[[>text]]
[[if activity_type == 'worker_approved']]
<a href="/profile/[[>worker_handle]]" target="_blank">
<a rel="noopener noreferrer" href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a> to work on the bounty
[[/if]]
Expand Down Expand Up @@ -388,7 +388,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="col-12 col-md-7 text-center text-md-left">
<div class="activity-status">
[[>text]]
<a href="/profile/[[>worker_handle]]" target="_blank">
<a rel="noopener noreferrer" href="/profile/[[>worker_handle]]" target="_blank">
[[>worker_handle]]
</a>
</div>
Expand All @@ -398,7 +398,7 @@ <h5 class="bounty-heading">{% trans "Funder" %}</h5>
<div class="activity-status">
[[>text]]
[[if fulfiller_github_url]]
<a target="_blank" href="[[>fulfiller_github_url]]">[{% trans "View Work" %}]</a>
<a rel="noopener noreferrer" target="_blank" href="[[>fulfiller_github_url]]">[{% trans "View Work" %}]</a>
[[/if]]
</div>
[[if slash_possible]]
Expand Down
17 changes: 9 additions & 8 deletions app/dashboard/templates/dashboard/hackathon/onboard.html
Expand Up @@ -261,15 +261,13 @@ <h4 class="text-uppercase font-weight-bolder text-left">How does the Hackathon w
<div class="collapse" id="collapse-info">
<div class="row px-5 my-5" >
<div class="col-12 col-md-5">
<img src="{% static "v2/images/how-it-works/hackathon/pic1.jpg" %}" class="mw-100" alt="bounty explorer" />
<img src="{% static "v2/images/how-it-works/hackathon/pic1.jpg" %}" class="mw-100" alt="bounty explorer" />
</div>
<div class="col-12 col-md-6 d-flex flex-column justify-content-center pt-4 pt-md-0">
<b class="counter">{% trans "Check out the Prizes" %}</b>

<p class="">
Visit the <a target="_blank" href="{% url 'hackathon' hackathon.slug %}">Prize Explorer</a> to check out the prizes posted by our hackathon sponsors. Click each prize to show important details, including the submission requirements, submission deadline, etc.
</p>

<b class="counter">{% trans "Check out the Prizes" %}</b>
<p class="">
Visit the <a target="_blank" rel="noopener noreferrer" href="{% url 'hackathon' hackathon.slug %}">Prize Explorer</a> to check out the prizes posted by our hackathon sponsors. Click each prize to show important details, including the submission requirements, submission deadline, etc.
</p>
</div>
</div>
<div class="row px-5 my-5">
Expand All @@ -280,7 +278,10 @@ <h4 class="text-uppercase font-weight-bolder text-left">How does the Hackathon w
<b class="counter">{% trans " Join the Hackathons Chat Workspace" %}</b>
{% blocktrans %}
<p class="">
Chat with other hackers, ask sponsors and the Gitcoin team questions, find or create a team, and communicate real-time. <a target="_blank" href="https://discord.gg/gitcoin">Click here to join the party!</a>.
Chat with other hackers, ask sponsors and the Gitcoin team questions, find or create a team, and communicate real-time.
<a rel="noopener noreferrer" target="_blank" href="https://discord.gg/gitcoin">
Click here to join the party!
</a>
</p>
{% endblocktrans %}
</div>
Expand Down
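Review bot: In the second hunk, the Discord anchor is split over several indented lines inside a `{% blocktrans %}` block, so the new line breaks and indentation become part of the translatable message id; existing translations for this paragraph will stop matching, and the indentation whitespace is carried into every translated string. Either keep the anchor on one line as before, or mark the block `{% blocktrans trimmed %}` on the line above the hunk so Django normalizes whitespace in the msgid. The `rel="noopener noreferrer"` addition itself is correct for the external `target="_blank"` link.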
Expand Up @@ -40,7 +40,11 @@ <h2 class="h5 text-center font-weight-bold mb-4">Let's Get Started!</h2>

<form action="" class="mt-3 border-top pt-3" id="projectForm">
<p class="alert-danger p-2">
This bounty is part of <b>{{bounty.event.name}}</b>, please read the <a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank">rules to participate</a> before you continue.
This bounty is part of <b>{{bounty.event.name}}</b>, please read the
<a href="{% url 'hackathon_onboard' bounty.event.slug %}" target="_blank" rel="noopener noreferrer">
rules to participate
</a>
before you continue.
</p>
{% if project_selected %}
<input type="hidden" name="bounty_id" value="{{project_selected.bounty.id}}">
Expand Down
6 changes: 5 additions & 1 deletion app/dashboard/templates/onepager/send2.html
Expand Up @@ -194,7 +194,11 @@ <h1>{% trans "Send Tip." %}</h1>
{% if profile %}
<div class="user-tooltip" user-id="{{profile.id}}" username="{{profile.username}}" avatar-url="{{profile.avatar_url}}" preferred_payout_address="{{profile.preferred_payout_address}}">
<img class="user-img" src="{{profile.avatar_url}}">
<div class='user-tooltip-text tooltip-xs'><a href="{% url 'profile' profile %}" target="_blank">@{{profile.username}}</a></div>
<div class='user-tooltip-text tooltip-xs'>
<a href="{% url 'profile' profile %}" target="_blank" rel="noopener noreferrer">
@{{profile.username}}
</a>
</div>
</div>
{% endif %}
{% endfor %}
Expand Down
2 changes: 1 addition & 1 deletion app/dashboard/templates/process_bounty.html
Expand Up @@ -105,7 +105,7 @@ <h3>{% trans "Basic Payout" %}</h3>
<div class="my-4">
<div class="d-flex justify-content-between align-items-center">
<h3 class="font-subheader mb-0">Suggested Kudos</h3>
<a href="{% url 'kudos_about' %}" target="_blank">What is kudos?</a>
<a href="{% url 'kudos_about' %}" target="_blank" rel="noopener noreferrer">What is kudos?</a>
</div>

<div id="kudos-holder">
Expand Down
2 changes: 1 addition & 1 deletion app/dashboard/templates/profiles/tab_hackathons.html
Expand Up @@ -71,7 +71,7 @@ <h5 class="card-title text-uppercase"><a href="
{% url 'hackathon_project_page' hackathon=project.hackathon.slug project_id=project.id project_name=project.name|slug %}
{% else %}
{% url 'hackathon_project_page' hackathon=project.hackathon.slug project_id=project.id %}
{% endif %}" target="_blank" class="font-weight-bold card-subtitle">{{ project.name }}</a></h5>
{% endif %}" target="_blank" rel="noopener noreferrer" class="font-weight-bold card-subtitle">{{ project.name }}</a></h5>
<div class="my-2">
<b class="text-muted">Project Summary</b>
<p>
Expand Down
16 changes: 8 additions & 8 deletions app/dashboard/templates/profiles/tribes-vue.html
Expand Up @@ -960,12 +960,12 @@ <h3 class="featured-bounties__title">
<div class="d-flex flex-column py-1">
<button class="btn position-absolute align-self-end" data-toggle="dropdown" href="#" role="button" aria-haspopup="true" aria-expanded="false"><i class="fas fa-ellipsis-v"></i></button>
<div class="dropdown-menu dropdown-menu-right font-caption bg-white">
<a :href="`/funding/new?invite=${ user.id }`" target="_blank" class="dropdown-item p-2">
<a rel="noopener noreferrer" :href="`/funding/new?invite=${ user.id }`" target="_blank" class="dropdown-item p-2">
<i class="fab fa-ethereum mr-2"></i>
Fund Bounty
</a>
<div class="dropdown-divider"></div>
<a :href="`/profile/${ user.handle }`" class="dropdown-item p-2" target="_blank">
<a rel="noopener noreferrer" :href="`/profile/${ user.handle }`" class="dropdown-item p-2" target="_blank">
<i class="fas fa-user mr-2"></i>
View profile
</a>
Expand Down Expand Up @@ -1075,15 +1075,15 @@ <h5 class="text-center card-user_name">
<h6 class="font-weight-bold mb-3">Invite User to Bounty</h6>
<img class="rounded-circle mx-auto mb-3" width="64" height="64" :src="`/dynamic/avatar/${ userSelected.handle }`" alt="Avatar"/>
<span>[[ userSelected.name ]]</span>
<a :href="`/profile/${ userSelected.handle }`" class="text-center d-block" target="_blank">
<a rel="noopener noreferrer" :href="`/profile/${ userSelected.handle }`" class="text-center d-block" target="_blank">
[[ userSelected.handle ]]
</a>
</div>
</div>
<div slot="body" v-if="userSelected.handle">
<div v-if="funderBounties.length">
<div class="my-2 text-center">
<b>Select a bounty</b> or <a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank" class="font-weight-bold">create a new one</a>
<b>Select a bounty</b> or <a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank" rel="noopener noreferrer" class="font-weight-bold">create a new one</a>
</div>
<div class="bounties-box">
<div v-for="bounty in funderBounties" :key="bounty.id" @click="bountySelected = bounty" v-bind:class="{ 'btn-primary': bountySelected && bounty.id === bountySelected.id, 'hidden': contributorInvite === userSelected.handle && currentBounty == bounty.id }" class="bounty-select py-2 px-3 border-bottom d-flex align-items-center">
Expand All @@ -1101,13 +1101,13 @@ <h6 class="font-weight-bold mb-3">Invite User to Bounty</h6>
<div v-else class="text-center font-subheader mt-4">
<p class="font-weight-semibold">You've got NO open bounties</p>
<p class="font-body">
<a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank">Create a bounty</a>
<a :href="`/funding/new?invite=${ userSelected.id }`" target="_blank" rel="noopener noreferrer">Create a bounty</a>
to invite [[ userSelected.handle ]]
</p>
</div>
</div>
<div slot="footer" class="d-flex align-items-center flex-fill">
<a v-if="bountySelected" :href="bountySelected.url" target="_blank" class="mr-5">view bounty</a>
<a v-if="bountySelected" :href="bountySelected.url" target="_blank" rel="noopener noreferrer" class="mr-5">view bounty</a>
<div class="ml-auto">
<button class="btn btn-outline-primary" data-dismiss="modal">Cancel</button>
<button v-if="funderBounties.length" class="btn btn-primary" :disabled="!bountySelected" @click="sendInvite(bountySelected, userSelected.id)">Invite</button>
Expand Down Expand Up @@ -1223,7 +1223,7 @@ <h3 class="font-subheader font-weight-bold">[[ suggested_bounty.title ]]</h3>
<p class="font-caption text-black-60 mb-1" v-html="suggested_bounty.comment"></p>
<div class="row font-caption">
<div class="col-12">
<a :href="suggested_bounty.github_url" target="_blank">
<a :href="suggested_bounty.github_url" target="_blank" rel="noopener noreferrer">
<i class="fab fa-github mr-1"></i> {% trans "View Github Issue" %}
</a>
<span class="mx-2 text-grey">
Expand All @@ -1245,7 +1245,7 @@ <h3 class="font-subheader font-weight-bold">[[ suggested_bounty.title ]]</h3>
</div>

<div v-if="is_my_org" class="col-5 my-auto text-right">
<a target="_blank" class="btn btn-sm btn-outline-secondary font-smaller-4 mx-2" :href="`{% url 'new_bounty' %}?type=public&url=${suggested_bounty.github_url}&invite=${suggested_bounty.requested_by.id}&amount=${suggested_bounty.amount}`">
<a target="_blank" rel="noopener noreferrer" class="btn btn-sm btn-outline-secondary font-smaller-4 mx-2" :href="`{% url 'new_bounty' %}?type=public&url=${suggested_bounty.github_url}&invite=${suggested_bounty.requested_by.id}&amount=${suggested_bounty.amount}`">
<i class="fas fa-plus-circle mr-1"></i>
{% trans "Fund Request" %}
</a>
Expand Down
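Review bot: The last hunk's "Fund Request" link interpolates `suggested_bounty.github_url` and `suggested_bounty.amount` straight into a query string; a `&` or `#` in the stored URL would be read as a separate parameter by the new-bounty page, and the commit leaves that untouched while adding the `rel` attribute. Encode each component, e.g. `:href="`{% url 'new_bounty' %}?type=public&url=${encodeURIComponent(suggested_bounty.github_url)}&invite=${suggested_bounty.requested_by.id}&amount=${encodeURIComponent(suggested_bounty.amount)}`"`. Separately, the context line `v-html="suggested_bounty.comment"` renders the comment as raw HTML, which is only safe if that field is sanitized server-side — worth confirming while this template is being touched.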