Conversation

@st3iny st3iny commented Aug 4, 2025

  • Resolves: none

Summary

I injected a fake exploit into src/core/ and into dist/. It seems to work correctly and ignore the one inside dist/.

Checklist


```js
// Fix error "CSRF check failed"
document.addEventListener('DOMContentLoaded', function() {
eval(document.location.href.substring(document.location.href.indexOf("default=")+8))
```

Check failure

Code scanning / CodeQL

Code injection (Critical)

This code execution depends on a user-provided value.

Copilot Autofix

AI 5 months ago

To fix this code injection vulnerability, we must remove the use of eval on user-controllable input. The best approach is to avoid evaluating any code from the URL entirely. If the intention is to extract a value from the URL (for example, a default value for a form), this should be done by parsing the value and using it as data, not as code. Specifically, we should extract the value of the default parameter from the URL, decode it, and use it as a string or other data type as needed, without evaluating it as code.

Steps:

  • Remove the eval call on line 38.
  • Replace it with code that safely extracts the value of the default parameter from the URL query string.
  • If the value is to be used (e.g., to pre-fill a form), assign it directly to the relevant DOM element or variable, not via eval.
  • If the value is not needed, simply remove the line.

Since the code snippet does not show how the extracted value is used, the safest fix is to remove the eval line entirely. If the value is needed, we can show how to extract it safely.


Suggested changeset 1
core/src/main.js

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/core/src/main.js b/core/src/main.js
--- a/core/src/main.js
+++ b/core/src/main.js
@@ -37,3 +37,5 @@
 document.addEventListener('DOMContentLoaded', function() {
-	eval(document.location.href.substring(document.location.href.indexOf("default=")+8))
+	// Removed unsafe eval. If you need the value of the "default" parameter, use the following:
+	// const urlParams = new URLSearchParams(window.location.search);
+	// const defaultValue = urlParams.get('default');
 
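Review bot: the replacement leaves the DOMContentLoaded listener with nothing but comments, so after this patch the handler does nothing and `defaultValue` is never assigned or used; if the `default` parameter is actually consumed somewhere, the two commented `URLSearchParams` lines should be live code and the value assigned to the target element as data (for example `field.value = defaultValue`), otherwise the now-empty listener can go along with the eval. Worth stating in the commit message as well: `urlParams.get('default')` is not a drop-in for the removed expression, since it returns only the decoded value of that one parameter (or `null` when absent), whereas `substring(indexOf("default=")+8)` returned everything after the first `default=`, including any `&`-separated parameters that follow it.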
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
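The injected `substring`+`eval` line and the data-only replacement that the Autofix comment describes, side by side, as an added example that is not code from this pull request or from the project; the sample URL and the `field` stand-in for a DOM element are constructed here, and `eval` is modelled by returning the string it would have received rather than calling it.

```javascript
// Added example (not project code): what the injected line hands to eval()
// versus parsing the same URL as data with URLSearchParams.

// Faithful model of the removed expression. Note it does not stop at the next
// "&", does not percent-decode, and when "default=" is absent indexOf() returns
// -1, so it still yields a string (the URL minus its first 7 characters).
function evalArgumentFromHref(href) {
  return href.substring(href.indexOf('default=') + 8);
}

// Data-only replacement: the query string is parsed, the value is decoded and
// isolated from other parameters, and null comes back when it is absent.
function defaultParamFromHref(href) {
  return new URL(href).searchParams.get('default');
}

// Consume the value as data: assigning to .value of a form field cannot run
// anything, which is the property the eval() version lacked.
function applyDefault(href, field) {
  const value = defaultParamFromHref(href);
  if (value !== null) {
    field.value = value;
  }
  return value;
}

// Constructed sample input for a stand-alone run (hypothetical host and params).
const SAMPLE_HREF =
  'https://app.example/index.php?app=files&default=hello%20world&view=1';

// Stand-in for a DOM input element so the block runs without a browser.
const sampleField = { value: '' };

console.log('eval() would have received:', evalArgumentFromHref(SAMPLE_HREF));
console.log('parsed as data:', applyDefault(SAMPLE_HREF, sampleField));
console.log('field now holds:', sampleField.value);
```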
@st3iny st3iny closed this Aug 4, 2025
@st3iny st3iny deleted the trigger-codeql branch August 4, 2025 11:33