Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Prod] Resolve issues found during pen test #2087

Merged
merged 27 commits into from
Apr 9, 2024
Merged

[Prod] Resolve issues found during pen test #2087

merged 27 commits into from
Apr 9, 2024

Conversation

thewatermethod
Copy link
Collaborator

Description of change

Ensure select fields on the AR & TR are escaped from arbitrary HTML before being saved

How to test

Essentially, to test you need to have credentials to our system and the technical knowledge to intercept the communication between the front and the back end. I used a tool called Postman, and was able to inject HTML into our database by watching the traffic and duplicating it. There are unit tests verifying this fix.

Issue(s)

Checklists

Every PR

  • Meets issue criteria
  • JIRA ticket status updated
  • Code is meaningfully tested
  • Meets accessibility standards (WCAG 2.1 Levels A, AA)
  • API Documentation updated
  • Boundary diagram updated
  • Logical Data Model updated
  • Architectural Decision Records written for major infrastructure decisions
  • UI review complete

Before merge to main

  • OHS demo complete
  • Ready to create production PR

Production Deploy

  • Staging smoke test completed

After merge/deploy

  • Update JIRA ticket status

@thewatermethod
v2.0.19
cc7eb2f
@thewatermethod
Update readme
4a3deb2
@thewatermethod
escape HTML function in common
dc0209f
@thewatermethod
v2.1.0
f08a19b
@thewatermethod
Remove function to use lodash version instead
c7a37ab
@thewatermethod
v2.1.2
859d687
@thewatermethod
Catch XSS
9eafa0b
@thewatermethod
Use safe parse
c9987d7
@thewatermethod
try to de-flakify mocks
a9e02a2
@thewatermethod
Fix some additional tests and improve mocks
b2689a5
@thewatermethod
Is this the source of OOM?
efbeab4
@thewatermethod
Try without do... while
b5f5634
@thewatermethod
revert changes to createGrant util
d0aa29b
@thewatermethod
Move hooks to own folder from subfolder, to free up jest memory
a53aaed
@thewatermethod
Update mock paths
7eae158
@thewatermethod
rearrange test
1c743d7
@thewatermethod
Tweak test
06894fc
@thewatermethod
add some unit tests for coverage
8a977da
@thewatermethod
Remove duplicative check that implicitly cannot be tested
a842351
@thewatermethod
Add another missing test
ccefab2
@thewatermethod
Add ARC test
588173a
@thewatermethod
Add test for ARO hooks
37514f2
@thewatermethod
add tests for model directory
4a4db2b
@thewatermethod
Remove console.log
4b72a4c
@thewatermethod
Add more tests
83089e2
@thewatermethod
Merge remote-tracking branch 'origin/main' into mb/TTAHUB-2575/escape…
b2f7a52 
…-html
@thewatermethod
Merge pull request #2076 from HHS/mb/TTAHUB-2575/escape-html
4218e12
@thewatermethod thewatermethod marked this pull request as ready for review April 9, 2024 12:26
@Jones-QuarteyDana Jones-QuarteyDana merged commit 7c2c761 into production Apr 9, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Jones-QuarteyDana Jones-QuarteyDana Jones-QuarteyDana approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thewatermethod @Jones-QuarteyDana