Hotfix snyk fixes #900
Pull request overview
This pull request implements security fixes identified by Snyk, focusing on dependency updates and addressing Open Redirect (CWE-601) and Prototype Pollution vulnerabilities.
Key changes:
- Upgraded ESLint ecosystem from v7/v8 to v9 with TypeScript ESLint v8, including major version bumps for related plugins
- Implemented safe router path utilities to prevent Open Redirect vulnerabilities by using React Router's validated state instead of window.location
- Added prototype pollution protection in contentMapper service with object sanitization
Reviewed changes
Copilot reviewed 6 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| upload-api/package.json | Updated TypeScript ESLint packages (v7→v8), ESLint (v8→v9), and React Hooks plugin (v4→v5) to address security vulnerabilities |
| upload-api/package-lock.json | Lock file updates reflecting the package version changes with new ESLint v9 dependencies |
| ui/src/utilities/functions.ts | Added getSafeRouterPath utility to extract safe paths from React Router's validated location object |
| ui/src/utilities/constants.interface.ts | Added RouterLocation interface to type React Router location objects |
| ui/src/hooks/userNavigation.tsx | Refactored to use safe path utilities and stored validated paths instead of window.location |
| ui/src/hooks/usePreventBackNavigation.tsx | Updated to use React Router's validated location state instead of window.location.href |
| api/src/services/contentMapper.service.ts | Added sanitizeObject function for prototype pollution protection, fixed spacing, and changed map to forEach |
Files not reviewed (1)
- upload-api/package-lock.json: Language not supported
| projectId, | ||
| contentTypeId: type?.id, | ||
| isDeleted: false, | ||
| ...safeField, |
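Review bot: because `...safeField` is spread after `projectId`, `contentTypeId` and `isDeleted`, any of those keys present in the sanitized field object would override the server-chosen values, so a client-supplied `isDeleted: true` or a foreign `projectId` would be written through unchanged. Spread `safeField` first and assign the server-controlled properties after it, or copy only an allowlist of expected field keys, so the explicit values always win.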
Copilot (AI), Jan 7, 2026
Security vulnerability: The spread operator on line 114 reintroduces the prototype pollution risk by spreading the original unsanitized safeField object. After sanitizing with sanitizeObject, you're spreading safeField which could still contain malicious properties. The sanitizeObject call on line 100 creates a safe copy, but then spreading it allows all properties (including dangerous ones) to be included. Remove the spread operator and only use the explicitly defined properties.
| ...safeField, |
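The `sanitizeObject` change listed for `contentMapper.service.ts` in the overview and the spread-operator comment above both concern prototype pollution. The TypeScript below is an added example written for this page, not code from the repository or from Copilot: `sanitizeObject`, `mergeSanitized`, `applyUntrustedUpdate` and the sample request body are hypothetical names and constructed data. It shows a recursive sanitizer that drops `__proto__`, `constructor` and `prototype` keys at every level, and a recursive merge that only ever sees the sanitized copy, so the merge cannot walk into `Object.prototype`.

```typescript
// Added example (not the project's code): a recursive sanitizer of the kind the
// "sanitizeObject" change describes, plus a merge that applies an untrusted
// update only after sanitizing it. All names here are hypothetical.

type JsonValue =
  | string
  | number
  | boolean
  | null
  | JsonValue[]
  | { [key: string]: JsonValue };

type JsonObject = { [key: string]: JsonValue };

// Keys through which a recursive merge can reach Object.prototype.
const DANGEROUS_KEYS: ReadonlySet<string> = new Set(["__proto__", "constructor", "prototype"]);

function isJsonObject(value: JsonValue): value is JsonObject {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Deep-copies parsed JSON, dropping the dangerous keys at every level.
// Only own enumerable keys are visited, so nothing inherited is carried over.
function sanitizeObject(input: JsonValue): JsonValue {
  if (Array.isArray(input)) {
    return input.map(sanitizeObject);
  }
  if (isJsonObject(input)) {
    const clean: JsonObject = {};
    for (const key of Object.keys(input)) {
      if (DANGEROUS_KEYS.has(key)) continue;
      clean[key] = sanitizeObject(input[key]);
    }
    return clean;
  }
  return input;
}

// Recursive merge that applies an untrusted update to an existing record.
// Without sanitization a "__proto__" key in the update would make the recursion
// descend into Object.prototype and write attacker-chosen properties there;
// sanitizing first removes that path entirely.
function mergeSanitized(target: JsonObject, untrusted: JsonValue): JsonObject {
  const source = sanitizeObject(untrusted);
  if (!isJsonObject(source)) return target;
  for (const key of Object.keys(source)) {
    const value = source[key];
    const existing: JsonValue = target[key] ?? null;
    if (isJsonObject(value)) {
      target[key] = mergeSanitized(isJsonObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed sample request body (not from the project). It is a string on
// purpose: JSON.parse turns "__proto__" into an own property, which is exactly
// the shape a pollution payload arrives in, whereas an object literal would not.
const SAMPLE_UNTRUSTED_BODY =
  '{"title":"Hello","__proto__":{"isAdmin":true},"meta":{"constructor":{"prototype":{"x":1}},"tags":["a","b"]}}';

// Applies the sample update to a fresh record and returns the merged record.
function applyUntrustedUpdate(body: string): JsonObject {
  const parsed: JsonValue = JSON.parse(body);
  return mergeSanitized({ title: "", meta: {} }, parsed);
}

// True when Object.prototype has not acquired the attacker-chosen properties.
function prototypeIsClean(): boolean {
  const probe: Record<string, unknown> = {};
  return probe.isAdmin === undefined && probe.x === undefined;
}

// Top-level keys that survive sanitization, for inspection.
function survivingKeys(body: string): string[] {
  return Object.keys(sanitizeObject(JSON.parse(body) as JsonValue));
}
```

`applyUntrustedUpdate(SAMPLE_UNTRUSTED_BODY)` yields `{ title: "Hello", meta: { tags: ["a", "b"] } }`, `prototypeIsClean()` stays `true`, and `survivingKeys(...)` returns `["title", "meta"]`. Sanitizing before the merge, rather than filtering keys inside it, keeps the dangerous-key check in one place so later callers that spread or copy the sanitized value start from data that has already been stripped.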
SNYK fixes