Dev #901
Merged
Dev #901
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…g, title of global field not merging in test stack and in final stack
feat:reolved global field issue in siteocore,when mapped with existin…
feat: add initial reference handling in content mapping service and i…
…de-server into hotfix/path-issue
Hotfix snyk fixes
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses security vulnerabilities identified by SNYK, fixes dropdown value persistence issues in system mapping resets (CMG-786), and resolves reference value cleanup problems during mapping resets (CMG-787).
Key Changes:
- Upgraded ESLint from v8 to v9 and TypeScript ESLint packages from v7 to v8 for security fixes
- Implemented protection against Open Redirect vulnerabilities (CWE-601) by using React Router's validated paths instead of window.location
- Added prototype pollution prevention in content mapper service with object sanitization
- Fixed mapping reset functionality to preserve dropdown values and properly clean up reference values
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| upload-api/package.json | Upgraded eslint to v9 and typescript-eslint packages to v8 for security fixes |
| upload-api/package-lock.json | Updated lock file with new dependency versions and transitive dependencies |
| ui/src/utilities/functions.ts | Added getSafeRouterPath utility to extract validated paths from React Router to prevent open redirects |
| ui/src/utilities/constants.interface.ts | Added RouterLocation interface for type-safe path handling |
| ui/src/hooks/userNavigation.tsx | Refactored to use safe path extraction instead of window.location to prevent open redirect vulnerabilities |
| ui/src/hooks/usePreventBackNavigation.tsx | Updated to store and use React Router's validated paths instead of window.location |
| ui/src/components/ContentMapper/index.tsx | Fixed reset functionality to restore reference values using initialRefrenceTo |
| ui/src/components/ContentMapper/contentMapper.interface.ts | Added initialRefrenceTo field to track original reference values for reset |
| api/src/utils/content-type-creator.utils.ts | Enhanced existingCtMapper to handle global fields separately from content types |
| api/src/services/globalField.service.ts | Refactored global field merging logic to use Set-based deduplication |
| api/src/services/contentMapper.service.ts | Added prototype pollution protection, fixed reference value tracking on reset, and improved field mapping logic |
Files not reviewed (1)
- upload-api/package-lock.json: Language not supported
Comments suppressed due to low confidence (1)
api/src/utils/content-type-creator.utils.ts:1006
- The catch block returns an empty object instead of null, which is inconsistent with the successful return paths that use null coalescing. This inconsistency could cause issues in calling code that expects null for error cases. Consider returning null or a consistent error indicator.
} catch (err) {
console.error("Error while getting the existing contentType from contenstack", err)
return {};
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+63
to
+64
| if(item?.refrenceTo) { | ||
| item.initialRefrenceTo = item?.refrenceTo; |
There was a problem hiding this comment.
The property name is misspelled as "refrenceTo" (should be "referenceTo"). This typo creates inconsistency with the backend code which uses the correct spelling "referenceTo" in the reset functionality, potentially causing the reference tracking to fail.
Suggested change
| if(item?.refrenceTo) { | |
| item.initialRefrenceTo = item?.refrenceTo; | |
| if (item?.referenceTo) { | |
| item.initialReferenceTo = item?.referenceTo; |
| ...row?.advanced?.initial, | ||
| }, | ||
| advanced: row?.advanced?.initial, | ||
| ...(row?.refrenceTo && { refrenceTo: row?.initialRefrenceTo }), |
There was a problem hiding this comment.
The property name is inconsistent between the frontend and backend. The frontend uses refrenceTo (typo: "refrence") in line 2016, but the backend expects referenceTo (correct spelling) in line 822. This mismatch will cause the reference value reset functionality to fail.
Suggested change
| ...(row?.refrenceTo && { refrenceTo: row?.initialRefrenceTo }), | |
| ...(row?.referenceTo && { referenceTo: row?.initialRefrenceTo }), |
umeshmore45
added a commit
that referenced
this pull request
Jan 7, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains:
SNYK fixes
https://contentstack.atlassian.net/browse/CMG-786 - When resetting system mapping, the dropdown value disappears from the advanced settings.
https://contentstack.atlassian.net/browse/CMG-787 - The newly added reference value does not get removed when the mapping is reset.[Sitecore - package 45]