fix: [M3-8424] - Fix CodeQL alerts for DOM text reinterpreted as HTML

[carrillo-erik]

Description 📝

This PR attempts to reproduce and resolve the CodeQL code scan alerts for DOM text reinterpreted as HTML. Alternatively, these alerts might be determined to be false positives and will be dismissed as so.

Changes 🔄

List any change relevant to the reviewer.

• The changes proposed by this PR were generated by GitHub's Copilot Autofix feature.

Target release date 🗓️

10/16/2024

How to test 🧪

Prerequisites

(How to setup test environment)

• Install the CodeQL extension on VSCode
• Install the CodeQL CLI tool using this guide
  • Once you reached the Create a database of your code with CodeQL step, cd into the src/ directory of the manager package and execute the codeql database create codeqldb --language=javascript command.
  • This is the last step you'll follow on this guide.
• In a separate VSCode window, open the codeql-repo (this is one of the directories created using the linked guide).
• Click on the CodeQL icon found in the VSCode sidebar.
• Select the DataBase created from executing the codeql database create codeqldb --language=javascript command. (This DataBase will be located in the src/ directory of the manager package.

Verification steps

(How to verify changes)

• In the Queries tab, navigate to the javascript/ql/src/Security/ directory.
• Under CWE-079 locate the XssThroughDom.ql query and run it by clicking the play button.
  • Verify that running the query returns 0 results.
• Under CWE-116 run all the queries by clicking the play button at the directory level.
  • Verify that running the query returns 0 results.

As an Author I have considered 🤔

Check all that apply

• 👀 Doing a self review
• ❔ Our contribution guidelines
• 🤏 Splitting feature into small PRs
• ➕ Adding a changeset
• 🧪 Providing/Improving test coverage
• 🔐 Removing all sensitive information from the code and PR description
• 🚩 Using a feature flag to protect the release
• 👣 Providing comprehensive reproduction steps
• 📑 Providing or updating our documentation
• 🕛 Scheduling a pair reviewing session
• 📱 Providing mobile support
• ♿ Providing accessibility support

[github-actions]

Coverage Report: ✅
Base Coverage: 86.98%
Current Coverage: 86.98%

[hkhalil-akamai]

I may have my local CodeQL configured incorrectly but I'm not seeing any results when scanning the selected vulnerabilities either before or after this change. Still, reviewing the changes, I believe they are sensical and will cause no harm.

[hkhalil-akamai]

Was the vulnerability detected in this file a false alarm?

[carrillo-erik]

The changes didn't really make sense to include as part of the PR because they didn't see to accomplish anything different than the existing code, so I removed them. The change made in the sessions.ts file actually made sense and I decided to leave it.

[coliu-akamai]

In the same boat as Hussain - encodeURIComponent makes sense to me. Will the other alerts be dismissed as false positives?

[carrillo-erik]

In the same boat as Hussain - encodeURIComponent makes sense to me. Will the other alerts be dismissed as false positives?

My hope is that by merging this small change, we should see if the alert goes away or at least trigger a new alert, which may provide more context. I will check with John and Jaalah before I take an action with respect to handling the alert on the GitHub page.

[cypress]

Cloud Manager E2E    Run #6582

Run Properties:   Failed #6582  •  8a771ca548: fix: [M3-8424] - Fix CodeQL alerts for `DOM text reinterpreted as HTML` (#11008)

Project	Cloud Manager E2E
Branch Review	develop
Run status	Failed #6582
Run duration	27m 17s
Commit	8a771ca548: fix: [M3-8424] - Fix CodeQL alerts for `DOM text reinterpreted as HTML` (#11008)
Committer	carrillo-erik
View all properties for this run ↗︎

---

Test results
Failures	1
Flaky	2
Pending	2
Skipped	0
Passing	407
View all changes introduced in this branch ↗︎

---

Tests for review

  cypress/e2e/core/linodes/clone-linode.spec.ts • 1 failed test

View Output Video

Test		Artifacts
clone linode > can clone a Linode from Linode details page		Screenshots Video

  linodes/rebuild-linode.spec.ts • 1 flaky test

View Output Video

Test		Artifacts
rebuild linode > cannot rebuild a provisioning linode		Screenshots Video

  placementGroups/delete-placement-groups.spec.ts • 1 flaky test

View Output Video

Test		Artifacts
Placement Group deletion > can unassign Linode when unexpected error show up and reopen the dialog		Screenshots Video

[abailly-akamai]

@carrillo-erik This PR is being reverted. Not only did it not fix the dependabot warnings but it introduced a bad bug - see #11017