
0.27.0 #860

Merged
merged 462 commits into from
Oct 24, 2024

Conversation

chavda-bhavik
Member

No description provided.

Mayur added 30 commits September 20, 2024 13:02

nx-cloud bot commented Oct 24, 2024

☁️ Nx Cloud Report

CI is running/has finished running commands for commit 618ae64. As they complete they will appear below. Click to see the status, the terminal output, and the build insights.



✅ Successfully ran 1 target

Sent with 💌 from NxCloud.

libs/dal/src/repositories/environment/environment.repository.ts (alert dismissed)
<body>
<div class="container">
<div class="header">
<h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

<div class="content">
<p>Hello</p>
<p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

<div class="button-container">
<a href="${invitationUrl}" class="button">Accept Invitation</a>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that the invitationUrl is properly sanitized before being used in the HTML template. This can be achieved by using a library like DOMPurify to sanitize the URL. This will prevent any potential HTML injection attacks.

  1. Install the DOMPurify library.
  2. Import DOMPurify in the file.
  3. Use DOMPurify to sanitize the invitationUrl before interpolating it into the HTML.
Suggested changeset 2
libs/services/src/email/email.service.ts

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/src/email/email.service.ts b/libs/services/src/email/email.service.ts
--- a/libs/services/src/email/email.service.ts
+++ b/libs/services/src/email/email.service.ts
@@ -2,2 +2,3 @@
 import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses';
+import DOMPurify from 'dompurify';
 
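Review bot: this import does not give a working sanitizer in a Node process. The dompurify default export is created against a DOM window; when none exists (as in this nodemailer/SES service) the package exports only the factory with `isSupported` set to false and no `sanitize` method, so the `DOMPurify.sanitize(invitationUrl)` call added below throws at runtime. Server-side use needs an instance created from a jsdom window (`createDOMPurify(new JSDOM('').window)`) or the isomorphic-dompurify wrapper, and that dependency is missing from the package.json change.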
@@ -419,76 +420,79 @@
 
-  TEAM_INVITATION_EMAIL: ({ invitedBy, projectName, invitationUrl }: ITeamnvitationEmailOptions) => `
-  <!DOCTYPE html>
-  <html lang="en">
-  <head>
-      <meta charset="UTF-8">
-      <meta name="viewport" content="width=device-width, initial-scale=1.0">
-      <style>
-          body {
-              font-family: Arial, sans-serif;
-              background-color: #f5f5f5;
-              margin: 0;
-              padding: 20px;
-          }
-          .container {
-              max-width: 600px;
-              margin: 0 auto;
-              background-color: white;
-              padding: 30px;
-              border-radius: 8px;
-              box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
-          }
-          .header {
-              text-align: center;
-              margin-bottom: 20px;
-          }
-          .header h1 {
-              font-size: 24px;
-              color: #333;
-          }
-          .content {
-              color: #555;
-              line-height: 1.6;
-          }
-          .button-container {
-              text-align: center;
-              margin-top: 20px;
-          }
-          .button {
-              background-color: #4caf50;
-              color: white;
-              padding: 10px 20px;
-              text-decoration: none;
-              border-radius: 5px;
-              font-size: 16px;
-          }
-          .footer {
-              margin-top: 20px;
-              text-align: center;
-              color: #777;
-          }
-          .centered-text {
-              text-align: center;
-          }
-      </style>
-  </head>
-  <body>
-      <div class="container">
-          <div class="header">
-              <h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1>
-          </div>
-          
-          <div class="content">
-            <p>Hello</p>
-              <p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p>
-              
-              <div class="button-container">
-                  <a href="${invitationUrl}" class="button">Accept Invitation</a>
-              </div>
-              
-          </div>
-       <p class="centered-text">If you don't know about this request, please ignore this email.</p>   
-      </div>
-  </body>
-  </html>`,
+  TEAM_INVITATION_EMAIL: ({ invitedBy, projectName, invitationUrl }: ITeamnvitationEmailOptions) => {
+    const sanitizedInvitationUrl = DOMPurify.sanitize(invitationUrl);
+    return `
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <style>
+            body {
+                font-family: Arial, sans-serif;
+                background-color: #f5f5f5;
+                margin: 0;
+                padding: 20px;
+            }
+            .container {
+                max-width: 600px;
+                margin: 0 auto;
+                background-color: white;
+                padding: 30px;
+                border-radius: 8px;
+                box-shadow: 0 2px 4px rgba(0, 0, 0, 0.1);
+            }
+            .header {
+                text-align: center;
+                margin-bottom: 20px;
+            }
+            .header h1 {
+                font-size: 24px;
+                color: #333;
+            }
+            .content {
+                color: #555;
+                line-height: 1.6;
+            }
+            .button-container {
+                text-align: center;
+                margin-top: 20px;
+            }
+            .button {
+                background-color: #4caf50;
+                color: white;
+                padding: 10px 20px;
+                text-decoration: none;
+                border-radius: 5px;
+                font-size: 16px;
+            }
+            .footer {
+                margin-top: 20px;
+                text-align: center;
+                color: #777;
+            }
+            .centered-text {
+                text-align: center;
+            }
+        </style>
+    </head>
+    <body>
+        <div class="container">
+            <div class="header">
+                <h1>${invitedBy} invited you to join the project <b>"${projectName}"</b></h1>
+            </div>
+            
+            <div class="content">
+              <p>Hello</p>
+                <p>You have been invited to join the project <strong>${projectName}</strong>. Please click the button below to accept the invitation.</p>
+                
+                <div class="button-container">
+                    <a href="${sanitizedInvitationUrl}" class="button">Accept Invitation</a>
+                </div>
+                
+            </div>
+         <p class="centered-text">If you don't know about this request, please ignore this email.</p>   
+        </div>
+    </body>
+    </html>`;
+  },
 
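Review bot: DOMPurify is the wrong primitive for the `href="${sanitizedInvitationUrl}"` attribute. It parses its input as an HTML fragment and returns serialized markup, so it leaves `"` untouched (text serialization only encodes `&`, `<` and `>`) and never checks the URL scheme; a `"` in invitationUrl still terminates the attribute, and a non-http(s) scheme passes straight through. The attribute needs an allowlist check on the parsed URL (http/https only) followed by HTML attribute escaping of `&`, `"`, `<` and `>`. Two further points: invitedBy and projectName are still interpolated raw into the `<h1>` and `<strong>` lines that CodeQL also flagged, and the whole 76-line template is rewritten to add one statement; wrapping only the href expression would keep the diff to a few lines.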
EOF
libs/services/package.json (outside changed files)

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/package.json b/libs/services/package.json
--- a/libs/services/package.json
+++ b/libs/services/package.json
@@ -9,4 +9,13 @@
   "main": "dist/index.js",
-  "keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"],
-  "files": ["dist", "package.json"],
+  "keywords": [
+    "impler",
+    "implerhq",
+    "data-import",
+    "excel-import",
+    "csv-import"
+  ],
+  "files": [
+    "dist",
+    "package.json"
+  ],
   "scripts": {
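Review bot: this hunk only reflows the keywords and files arrays from one line to many and carries no functional change; a security autofix should add the dependency and nothing else, so drop this hunk rather than churn formatting the repository already enforces.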
@@ -35,6 +44,9 @@
     "nodemailer": "^6.9.14",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "dompurify": "^3.1.7"
   },
   "lint-staged": {
-    "*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"],
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --ignore-path .eslintignore --write"
+    ],
     "{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [
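Review bot: `"dompurify": "^3.1.7"` on its own is not enough for a server-side package: dompurify needs a DOM implementation at runtime, so libs/services would also need jsdom (or isomorphic-dompurify) in dependencies, and, because email.service.ts is TypeScript, type declarations for the import if the installed version does not bundle them. The lint-staged reflow in the same hunk is unrelated formatting and should not be part of the fix.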
@@ -42,3 +54,5 @@
     ],
-    "*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"]
+    "*.{html,md,yml}": [
+      "prettier --ignore-path .eslintignore --single-quote --write"
+    ]
   }
EOF
This fix introduces these dependencies:
Package: dompurify (npm) | Version: 3.1.7 | Security advisories: None
<body>
<div class="container">
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
<h1>Project Invitation Declined: ${projectName}</h1>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that any dynamic content inserted into the HTML is properly sanitized to prevent XSS attacks. The best way to fix this issue without changing existing functionality is to use an HTML sanitizer library to clean the input before inserting it into the HTML. This will ensure that any potentially malicious content is removed.

We will:

  1. Import an HTML sanitizer library.
  2. Sanitize the projectName, invitedBy, and declinedBy variables before inserting them into the HTML.
Suggested changeset 2
libs/services/src/email/email.service.ts

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/src/email/email.service.ts b/libs/services/src/email/email.service.ts
--- a/libs/services/src/email/email.service.ts
+++ b/libs/services/src/email/email.service.ts
@@ -1,2 +1,3 @@
 import * as nodemailer from 'nodemailer';
+import sanitizeHtml from 'sanitize-html';
 import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses';
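Review bot: `import sanitizeHtml from 'sanitize-html'` is a default import of a CommonJS module that exports a single function; it only type-checks and runs if esModuleInterop (or allowSyntheticDefaultImports) is enabled in this package's tsconfig, and the typings come from the separate @types/sanitize-html package, which the package.json hunk does not add. Note also that the other autofix on this file pulls in dompurify; one encoding approach for all templates is preferable to several libraries doing overlapping work.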
@@ -629,3 +630,7 @@
 </html>`,
-  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => `
+  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => {
+    const sanitizedProjectName = sanitizeHtml(projectName);
+    const sanitizedInvitedBy = sanitizeHtml(invitedBy);
+    const sanitizedDeclinedBy = sanitizeHtml(declinedBy);
+    return `
 <!DOCTYPE html>
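Review bot: sanitizeHtml() with no options is an allowlist sanitizer, not an escaper: its defaults keep tags such as `a`, `b`, `p`, lists and headings, so a projectName or invitedBy containing that markup is still rendered as markup in the email. These fields are plain text, so the correct treatment is entity-escaping `&`, `<`, `>`, `"` and `'` (or at minimum `sanitizeHtml(value, { allowedTags: [], allowedAttributes: {} })`), which also keeps a legitimate name like `R&D <beta>` readable instead of silently removing part of it.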
@@ -678,8 +683,8 @@
         <div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
-        <h1>Project Invitation Declined: ${projectName}</h1>
-        <p>${declinedBy} has declined the invitation to join the project.</p>
+        <h1>Project Invitation Declined: ${sanitizedProjectName}</h1>
+        <p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p>
         <ul>
-            <li><strong>Project Name:</strong> ${projectName}</li>
-            <li><strong>Invited By:</strong> ${invitedBy}</li>
-            <li><strong>Declined By:</strong> ${declinedBy}</li>
+            <li><strong>Project Name:</strong> ${sanitizedProjectName}</li>
+            <li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li>
+            <li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li>
         </ul>
@@ -691,3 +696,4 @@
 </body>
-</html>`,
+</html>`;
+  },
 };
EOF
libs/services/package.json (outside changed files)

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/package.json b/libs/services/package.json
--- a/libs/services/package.json
+++ b/libs/services/package.json
@@ -9,4 +9,13 @@
   "main": "dist/index.js",
-  "keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"],
-  "files": ["dist", "package.json"],
+  "keywords": [
+    "impler",
+    "implerhq",
+    "data-import",
+    "excel-import",
+    "csv-import"
+  ],
+  "files": [
+    "dist",
+    "package.json"
+  ],
   "scripts": {
@@ -35,6 +44,9 @@
     "nodemailer": "^6.9.14",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "sanitize-html": "^2.13.1"
   },
   "lint-staged": {
-    "*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"],
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --ignore-path .eslintignore --write"
+    ],
     "{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [
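Review bot: `"sanitize-html": "^2.13.1"` is the second sanitizer proposed for the same file (another autofix adds dompurify and a third suggests striptags); applying the suggestions as-is leaves libs/services with three overlapping dependencies for one problem. Settle on a single approach, ideally a dependency-free HTML escape helper for text fields plus a URL allowlist for links, and keep the unrelated lint-staged reflow out of this hunk.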
@@ -42,3 +54,5 @@
     ],
-    "*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"]
+    "*.{html,md,yml}": [
+      "prettier --ignore-path .eslintignore --single-quote --write"
+    ]
   }
EOF
This fix introduces these dependencies:
Package: sanitize-html (npm) | Version: 2.13.1 | Security advisories: None
<div class="container">
<div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
<h1>Project Invitation Declined: ${projectName}</h1>
<p>${declinedBy} has declined the invitation to join the project.</p>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that any user-supplied input is properly sanitized before being inserted into the HTML content. This can be achieved by using an HTML sanitizer library to remove any potentially harmful content from the input.

The best way to fix this issue without changing the existing functionality is to use a library like striptags to sanitize the declinedBy, projectName, and invitedBy variables before inserting them into the HTML content. This will ensure that any HTML tags or scripts are removed from the input, preventing XSS attacks.

Suggested changeset 2
libs/services/src/email/email.service.ts

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/src/email/email.service.ts b/libs/services/src/email/email.service.ts
--- a/libs/services/src/email/email.service.ts
+++ b/libs/services/src/email/email.service.ts
@@ -1,2 +1,3 @@
 import * as nodemailer from 'nodemailer';
+import * as striptags from 'striptags';
 import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses';
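Review bot: `import * as striptags from 'striptags'` binds the module namespace, but the package's export is the function itself (`module.exports = striptags`), so with esModuleInterop on, the `striptags(invitedBy)` calls below are rejected by the compiler ("This expression is not callable"), and under ES-module semantics a namespace object is not callable at runtime either. Use `import striptags from 'striptags'` with esModuleInterop, or `import striptags = require('striptags')`.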
@@ -629,3 +630,7 @@
 </html>`,
-  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => `
+  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => {
+    const sanitizedInvitedBy = striptags(invitedBy);
+    const sanitizedProjectName = striptags(projectName);
+    const sanitizedDeclinedBy = striptags(declinedBy);
+    return `
 <!DOCTYPE html>
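Review bot: striptags removes anything that looks like a tag rather than encoding characters, so a name or project name containing angle brackets is altered before it reaches the recipient, while text that is not a well-formed tag (a lone `<`, a bare `&`) is passed through for the mail client to interpret. For values that are plain text in a template literal, entity escaping is the primitive that both neutralises markup and preserves the original string; stripping fits only when a markup subset is meant to be accepted.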
@@ -678,8 +683,8 @@
         <div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
-        <h1>Project Invitation Declined: ${projectName}</h1>
-        <p>${declinedBy} has declined the invitation to join the project.</p>
+        <h1>Project Invitation Declined: ${sanitizedProjectName}</h1>
+        <p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p>
         <ul>
-            <li><strong>Project Name:</strong> ${projectName}</li>
-            <li><strong>Invited By:</strong> ${invitedBy}</li>
-            <li><strong>Declined By:</strong> ${declinedBy}</li>
+            <li><strong>Project Name:</strong> ${sanitizedProjectName}</li>
+            <li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li>
+            <li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li>
         </ul>
@@ -691,3 +696,4 @@
 </body>
-</html>`,
+</html>`;
+  },
 };
EOF
libs/services/package.json (outside changed files)

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/package.json b/libs/services/package.json
--- a/libs/services/package.json
+++ b/libs/services/package.json
@@ -9,4 +9,13 @@
   "main": "dist/index.js",
-  "keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"],
-  "files": ["dist", "package.json"],
+  "keywords": [
+    "impler",
+    "implerhq",
+    "data-import",
+    "excel-import",
+    "csv-import"
+  ],
+  "files": [
+    "dist",
+    "package.json"
+  ],
   "scripts": {
@@ -35,6 +44,9 @@
     "nodemailer": "^6.9.14",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "striptags": "^3.2.0"
   },
   "lint-staged": {
-    "*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"],
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --ignore-path .eslintignore --write"
+    ],
     "{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [
@@ -42,3 +54,5 @@
     ],
-    "*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"]
+    "*.{html,md,yml}": [
+      "prettier --ignore-path .eslintignore --single-quote --write"
+    ]
   }
EOF
This fix introduces these dependencies:
Package: striptags (npm) | Version: 3.2.0 | Security advisories: None
<h1>Project Invitation Declined: ${projectName}</h1>
<p>${declinedBy} has declined the invitation to join the project.</p>
<ul>
<li><strong>Project Name:</strong> ${projectName}</li>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that any dynamic content inserted into the HTML is properly sanitized to prevent XSS attacks. The best way to fix this issue is to use an HTML sanitizer library to clean the input before inserting it into the HTML. This approach maintains the existing functionality while ensuring the content is safe.

  1. Install an HTML sanitizer library such as dompurify.
  2. Import the sanitizer library in the file.
  3. Use the sanitizer to clean the dynamic content before inserting it into the HTML.
Suggested changeset 2
libs/services/src/email/email.service.ts

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/src/email/email.service.ts b/libs/services/src/email/email.service.ts
--- a/libs/services/src/email/email.service.ts
+++ b/libs/services/src/email/email.service.ts
@@ -2,2 +2,3 @@
 import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses';
+import DOMPurify from 'dompurify';
 
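Review bot: as with the earlier dompurify suggestion, this import is not usable from Node without a DOM: absent a window, the default export has `isSupported === false` and no `sanitize` function, so every `DOMPurify.sanitize(...)` call added below throws when the decline email is rendered. Create the instance from a jsdom window or use isomorphic-dompurify, and add that dependency alongside dompurify.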
@@ -678,8 +679,8 @@
         <div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
-        <h1>Project Invitation Declined: ${projectName}</h1>
-        <p>${declinedBy} has declined the invitation to join the project.</p>
+        <h1>Project Invitation Declined: ${DOMPurify.sanitize(projectName)}</h1>
+        <p>${DOMPurify.sanitize(declinedBy)} has declined the invitation to join the project.</p>
         <ul>
-            <li><strong>Project Name:</strong> ${projectName}</li>
-            <li><strong>Invited By:</strong> ${invitedBy}</li>
-            <li><strong>Declined By:</strong> ${declinedBy}</li>
+            <li><strong>Project Name:</strong> ${DOMPurify.sanitize(projectName)}</li>
+            <li><strong>Invited By:</strong> ${DOMPurify.sanitize(invitedBy)}</li>
+            <li><strong>Declined By:</strong> ${DOMPurify.sanitize(declinedBy)}</li>
         </ul>
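Review bot: `DOMPurify.sanitize` is invoked five times inside the literal (twice each for projectName and declinedBy, once for invitedBy); compute each value once above the template as the other suggestions do. The bigger problem is the choice of tool: DOMPurify's default profile keeps formatting and link tags, so markup inside these plain-text fields is preserved rather than neutralised. Entity-escape `&`, `<`, `>`, `"` and `'` for text placed between tags; reserve a sanitizer for fields that are meant to carry HTML.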
EOF
libs/services/package.json (outside changed files)

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/package.json b/libs/services/package.json
--- a/libs/services/package.json
+++ b/libs/services/package.json
@@ -9,4 +9,13 @@
   "main": "dist/index.js",
-  "keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"],
-  "files": ["dist", "package.json"],
+  "keywords": [
+    "impler",
+    "implerhq",
+    "data-import",
+    "excel-import",
+    "csv-import"
+  ],
+  "files": [
+    "dist",
+    "package.json"
+  ],
   "scripts": {
@@ -35,6 +44,9 @@
     "nodemailer": "^6.9.14",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "dompurify": "^3.1.7"
   },
   "lint-staged": {
-    "*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"],
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --ignore-path .eslintignore --write"
+    ],
     "{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [
@@ -42,3 +54,5 @@
     ],
-    "*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"]
+    "*.{html,md,yml}": [
+      "prettier --ignore-path .eslintignore --single-quote --write"
+    ]
   }
EOF
This fix introduces these dependencies:
Package: dompurify (npm) | Version: 3.1.7 | Security advisories: None
<p>${declinedBy} has declined the invitation to join the project.</p>
<ul>
<li><strong>Project Name:</strong> ${projectName}</li>
<li><strong>Invited By:</strong> ${invitedBy}</li>

Check warning: Code scanning / CodeQL
Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that any dynamic content interpolated into the HTML is properly sanitized or escaped to prevent XSS attacks. The best way to fix this without changing the existing functionality is to use a library like striptags to sanitize the input before including it in the HTML content.

  1. Install the striptags library to sanitize the input.
  2. Modify the code to sanitize the invitedBy, projectName, and declinedBy variables before they are interpolated into the HTML content.
Suggested changeset 2
libs/services/src/email/email.service.ts

Autofix patch
Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/libs/services/src/email/email.service.ts b/libs/services/src/email/email.service.ts
--- a/libs/services/src/email/email.service.ts
+++ b/libs/services/src/email/email.service.ts
@@ -1,2 +1,3 @@
 import * as nodemailer from 'nodemailer';
+import * as striptags from 'striptags';
 import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses';
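Review bot: same defect as the earlier striptags suggestion: `import * as striptags` yields a module namespace while the package exports a bare function, so the `striptags(...)` calls below are not callable under esModuleInterop or ES-module semantics; use a default import (with esModuleInterop) or `import striptags = require('striptags')`.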
@@ -629,3 +630,7 @@
 </html>`,
-  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => `
+  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => {
+    const sanitizedInvitedBy = striptags(invitedBy);
+    const sanitizedProjectName = striptags(projectName);
+    const sanitizedDeclinedBy = striptags(declinedBy);
+    return `
 <!DOCTYPE html>
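Review bot: striptags() is the wrong primitive for this alert. It deletes anything tag-shaped but does not encode `&`, `<`, `>` or quote characters, so a value placed in the `<h1>`, `<p>` and `<li>` text nodes of this template is only partly neutralised and a value placed in an attribute would not be protected at all; it also silently alters legitimate data (an `invitedBy` of the form `Jane <jane@example.com>` loses the address). HTML-entity escaping of each interpolated value keeps the data intact and addresses the HTML-injection finding directly; a small escape helper applied at the interpolation sites, or an auto-escaping template tag, does this without a new runtime dependency. Any other template literal in this object that interpolates caller-supplied strings needs the same treatment.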
@@ -678,8 +683,8 @@
         <div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
-        <h1>Project Invitation Declined: ${projectName}</h1>
-        <p>${declinedBy} has declined the invitation to join the project.</p>
+        <h1>Project Invitation Declined: ${sanitizedProjectName}</h1>
+        <p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p>
         <ul>
-            <li><strong>Project Name:</strong> ${projectName}</li>
-            <li><strong>Invited By:</strong> ${invitedBy}</li>
-            <li><strong>Declined By:</strong> ${declinedBy}</li>
+            <li><strong>Project Name:</strong> ${sanitizedProjectName}</li>
+            <li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li>
+            <li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li>
         </ul>
@@ -691,3 +696,4 @@
 </body>
-</html>`,
+</html>`;
+  },
 };
EOF
libs/services/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libs/services/package.json b/libs/services/package.json
--- a/libs/services/package.json
+++ b/libs/services/package.json
@@ -9,4 +9,13 @@
   "main": "dist/index.js",
-  "keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"],
-  "files": ["dist", "package.json"],
+  "keywords": [
+    "impler",
+    "implerhq",
+    "data-import",
+    "excel-import",
+    "csv-import"
+  ],
+  "files": [
+    "dist",
+    "package.json"
+  ],
   "scripts": {
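Review bot: the `keywords` and `files` arrays are only reflowed onto multiple lines here, which is unrelated to the striptags fix and churns the diff; the repo's lint-staged prettier run (visible further down in this file) is likely to fold them back. Drop this hunk and keep the changeset to the dependency addition.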
@@ -35,6 +44,9 @@
     "nodemailer": "^6.9.14",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "striptags": "^3.2.0"
   },
   "lint-staged": {
-    "*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"],
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --ignore-path .eslintignore --write"
+    ],
     "{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [
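Review bot: `"striptags": "^3.2.0"` is appended after `uuid`, breaking the alphabetical order of the dependencies block; place it between `nodemailer` and `uuid`. The reflow of the `*.{js,jsx,ts,tsx}` lint-staged entry in the same hunk is unrelated formatting churn. A new runtime dependency also needs the lockfile updated in the same changeset, which this patch does not do.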
@@ -42,3 +54,5 @@
     ],
-    "*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"]
+    "*.{html,md,yml}": [
+      "prettier --ignore-path .eslintignore --single-quote --write"
+    ]
   }
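Review bot: this hunk is whitespace-only reflow of the `*.{html,md,yml}` lint-staged entry and should be dropped from the changeset.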
EOF
This fix introduces these dependencies
Package Version Security advisories
striptags (npm) 3.2.0 None
<ul>
<li><strong>Project Name:</strong> ${projectName}</li>
<li><strong>Invited By:</strong> ${invitedBy}</li>
<li><strong>Declined By:</strong> ${declinedBy}</li>

Check warning: Code scanning / CodeQL

Unsafe HTML constructed from library input (Medium)

This HTML construction which depends on library input might later allow html injection.

Copilot Autofix AI 2 months ago

To fix the problem, we need to ensure that any user-supplied input is properly sanitized before being included in the HTML content. This can be achieved by using an HTML sanitizer library to strip out any potentially harmful content from the input.

The best way to fix this issue without changing existing functionality is to use a library like striptags to sanitize the declinedBy, projectName, and invitedBy variables before they are interpolated into the HTML content. This ensures that any malicious scripts are removed from the input.

Suggested changeset 2
libs/services/src/email/email.service.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libs/services/src/email/email.service.ts b/libs/services/src/email/email.service.ts
--- a/libs/services/src/email/email.service.ts
+++ b/libs/services/src/email/email.service.ts
@@ -1,2 +1,3 @@
 import * as nodemailer from 'nodemailer';
+import * as striptags from 'striptags';
 import { SESClient, SendRawEmailCommand } from '@aws-sdk/client-ses';
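Review bot: this changeset is hunk-for-hunk identical to the one proposed in the previous autofix comment, so only one of the two can be applied; a second `git apply` would fail on the already-present import. The import form raises the same concern as before: prefer `import striptags = require('striptags');` over a namespace import of a single-function module.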
@@ -629,3 +630,7 @@
 </html>`,
-  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => `
+  DECLINE_INVITATION_EMAIL: ({ invitedBy, projectName, declinedBy }: IDeclineInvitationEmailOptions) => {
+    const sanitizedInvitedBy = striptags(invitedBy);
+    const sanitizedProjectName = striptags(projectName);
+    const sanitizedDeclinedBy = striptags(declinedBy);
+    return `
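Review bot: as in the earlier copy of this patch, striptags() strips tag-shaped text instead of escaping it; `&`, quotes and stray `<` in these three values still reach the markup unencoded while legitimate angle-bracketed data is lost. Escape the interpolated values rather than stripping them.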
 <!DOCTYPE html>
@@ -678,8 +683,8 @@
         <div class="logo"><img src="https://impler.io/wp-content/uploads/2024/07/Logo-black.png" style="width: 150px;" alt="Impler Logo" /></div>
-        <h1>Project Invitation Declined: ${projectName}</h1>
-        <p>${declinedBy} has declined the invitation to join the project.</p>
+        <h1>Project Invitation Declined: ${sanitizedProjectName}</h1>
+        <p>${sanitizedDeclinedBy} has declined the invitation to join the project.</p>
         <ul>
-            <li><strong>Project Name:</strong> ${projectName}</li>
-            <li><strong>Invited By:</strong> ${invitedBy}</li>
-            <li><strong>Declined By:</strong> ${declinedBy}</li>
+            <li><strong>Project Name:</strong> ${sanitizedProjectName}</li>
+            <li><strong>Invited By:</strong> ${sanitizedInvitedBy}</li>
+            <li><strong>Declined By:</strong> ${sanitizedDeclinedBy}</li>
         </ul>
@@ -691,3 +696,4 @@
 </body>
-</html>`,
+</html>`;
+  },
 };
EOF
libs/services/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libs/services/package.json b/libs/services/package.json
--- a/libs/services/package.json
+++ b/libs/services/package.json
@@ -9,4 +9,13 @@
   "main": "dist/index.js",
-  "keywords": ["impler", "implerhq", "data-import", "excel-import", "csv-import"],
-  "files": ["dist", "package.json"],
+  "keywords": [
+    "impler",
+    "implerhq",
+    "data-import",
+    "excel-import",
+    "csv-import"
+  ],
+  "files": [
+    "dist",
+    "package.json"
+  ],
   "scripts": {
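Review bot: the same unrelated reflow of `keywords` and `files` as in the earlier copy of this patch; drop it so the changeset contains only the dependency addition.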
@@ -35,6 +44,9 @@
     "nodemailer": "^6.9.14",
-    "uuid": "^9.0.0"
+    "uuid": "^9.0.0",
+    "striptags": "^3.2.0"
   },
   "lint-staged": {
-    "*.{js,jsx,ts,tsx}": ["prettier --ignore-path .eslintignore --write"],
+    "*.{js,jsx,ts,tsx}": [
+      "prettier --ignore-path .eslintignore --write"
+    ],
     "{*.json,.{babelrc,eslintrc,prettierrc,stylelintrc}}": [
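Review bot: same points as on the earlier copy: keep `striptags` in alphabetical position before `uuid`, drop the lint-staged reflow, and update the lockfile alongside the new dependency.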
@@ -42,3 +54,5 @@
     ],
-    "*.{html,md,yml}": ["prettier --ignore-path .eslintignore --single-quote --write"]
+    "*.{html,md,yml}": [
+      "prettier --ignore-path .eslintignore --single-quote --write"
+    ]
   }
EOF
This fix introduces these dependencies
Package Version Security advisories
striptags (npm) 3.2.0 None
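Both autofix comments above describe the mitigation as sanitizing the `invitedBy`, `projectName` and `declinedBy` values before interpolating them into the email HTML. The following TypeScript is an added example, not code from this PR or the Impler project, that contrasts tag stripping with HTML-entity escaping on constructed sample values and shows an auto-escaping template tag, so that no interpolation site can be forgotten. `escapeHtml`, `html`, `stripTagsNaive` (a simplified stand-in, not the striptags library) and the reduced template body are assumptions of this example; the option names come from the page.

```typescript
// Added example (not the project's code): HTML-entity escaping for values
// interpolated into an email template, contrasted with tag stripping.

// Escape the five characters that can break out of a text node or a
// quoted attribute in HTML. Everything else in the value is kept as is.
function escapeHtml(value: unknown): string {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Simplified stand-in for a tag-stripping sanitizer (hypothetical, NOT the
// striptags library): it deletes anything that looks like a tag and leaves
// '&', quotes and everything else untouched.
function stripTagsNaive(value: string): string {
  return value.replace(/<[^>]*>/g, "");
}

// Tagged template literal: every ${...} interpolation is escaped
// automatically, so the template author cannot forget a value. The literal
// template text itself is trusted and passed through unchanged.
function html(strings: TemplateStringsArray, ...values: unknown[]): string {
  return strings.reduce(
    (out, chunk, i) => out + chunk + (i < values.length ? escapeHtml(values[i]) : ""),
    ""
  );
}

interface DeclineInvitationEmailOptions {
  invitedBy: string;
  projectName: string;
  declinedBy: string;
}

// Reduced counterpart of the page's DECLINE_INVITATION_EMAIL template
// (hypothetical body) built with the auto-escaping tag; the three caller
// supplied values are interpolated exactly where the original puts them.
function renderDeclineInvitationEmail(o: DeclineInvitationEmailOptions): string {
  return html`<h1>Project Invitation Declined: ${o.projectName}</h1>
<p>${o.declinedBy} has declined the invitation to join the project.</p>
<ul>
  <li><strong>Project Name:</strong> ${o.projectName}</li>
  <li><strong>Invited By:</strong> ${o.invitedBy}</li>
  <li><strong>Declined By:</strong> ${o.declinedBy}</li>
</ul>`;
}

// Constructed sample values: legitimate angle brackets that stripping would
// destroy, characters that stripping ignores, and injected markup.
const SAMPLE: DeclineInvitationEmailOptions = {
  invitedBy: "Ann Smith <ann@example.com>",
  projectName: 'Q3 "Imports" & Exports',
  declinedBy: "<b>Bob</b>",
};

console.log(renderDeclineInvitationEmail(SAMPLE));
```

Running it shows the difference the reviewer cares about: `stripTagsNaive` turns the first value into `Ann Smith ` and leaves the second unchanged, while `escapeHtml` preserves both and neutralises the third, so the rendered document contains `&lt;b&gt;Bob&lt;/b&gt;` and no raw tag from caller data.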
@chavda-bhavik chavda-bhavik merged commit f1f9958 into main Oct 24, 2024
7 of 9 checks passed