[FIX] Backport GHSA patches and fixes from hotfix_v2.4.29#1087
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. 🗂️ Base branches to auto review (1)
Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…filter values - 'owner' (case owner username) and 'asset_type' were left unsanitized by the previous sanitation pass in this same table config. - sanitizeHTML was being applied unconditionally for every DataTables render call (display/sort/filter/type), causing the search box and sort order to operate on the HTML-encoded value instead of the raw one. Sanitize only for the 'display' type via a shared helper. - Guard asset_type/owner renderers against a null value (asset_type_id and case owner are both nullable).
user and action come from modification_history, which embeds the acting user's username verbatim. They were appended as raw HTML via jQuery .append(), so a username containing HTML/script executed when an analyst opened the alert history modal.
alert_title was only quote-escaped before being embedded in the popover's HTML content, so a title containing unquoted HTML (e.g. an img tag with an onerror handler) still executed. Run it through sanitizeHTML before the quote-escaping used for the attribute context.
…olumns Use the same falsy check (!data) as the owner/asset_type renderers instead of a strict === null comparison, so an undefined state value falls back to 'Unknown' instead of throwing on data.state_name.
ce2ba69 to
224d353
Compare
|
Hi @whikernel |
This PR backports multiple security patches and stability fixes that are currently missing from the develop branch.
Context
The GHSA security patches (GHSA-vjc3-7jwv-j9qf, GHSA-w78h-mx7h-qm3h, GHSA-g588-5gmf-p5cx, GHSA-8hwq-v6vm-9grr, GHSA-qhqj-8qw6-wp8v) were only implemented in the master and hotfix branches, not in the current develop branch.
Additionally, this PR includes the latest fixes from hotfix_v2.4.29 to address stability issues that affect the develop branch as well.
Changes
These fixes improve security and stability without breaking changes.