v2.27.2 #1930
fix: custom applogo not visible in header
dark-theme logo
*Total -- 487.98kb -> 238.96kb (51.03%)
/apps/OpenSign/public/logo512.png -- 10.72kb -> 2.72kb (74.62%)
/apps/OpenSignServer/logo.png -- 86.48kb -> 24.83kb (71.28%)
/apps/OpenSign/src/assets/images/logo.png -- 86.48kb -> 24.83kb (71.28%)
/apps/OpenSign/public/static/js/assets/images/logo.2a7bff0c1189183fafe71d7d5b94e0cd.png -- 86.48kb -> 24.83kb (71.28%)
/apps/OpenSign/public/logo192.png -- 2.13kb -> 0.65kb (69.69%)
/apps/OpenSign/src/assets/images/dp.png -- 12.83kb -> 4.25kb (66.9%)
/apps/OpenSign/src/assets/images/folder.png -- 4.39kb -> 1.93kb (56.05%)
/apps/OpenSign/public/static/js/assets/images/logo-dark.png -- 95.21kb -> 57.21kb (39.91%)
/apps/OpenSignServer/public/assets/images/parse-logo.png -- 5.16kb -> 3.81kb (26.21%)
/apps/OpenSign/src/assets/images/pdf3.png -- 11.66kb -> 9.77kb (16.21%)
/apps/OpenSign/src/assets/images/login_img.svg -- 40.75kb -> 39.10kb (4.04%)
/apps/OpenSign/src/assets/images/recreatedoc.png -- 40.69kb -> 40.08kb (1.48%)
/apps/OpenSign/src/assets/images/pad.svg -- 5.00kb -> 4.94kb (1.07%)
Signed-off-by: ImgBotApp <ImgBotHelp@gmail.com>
[ImgBot] Optimize images
fix: remove agreement checkbox and remove agreement checkbox tour
remove checkbox from sign agreement screen
Fix: show signers list in completed documents
fix: add dynamic truncate for email in list of signers
refactor: correct grammar and normalise font size of signer email in report
feat: allow preferences menu for all users and add smtp setting in it
feat: allow preferences menu for all users
refactor: remove form-name from form title
refactor: remove form-name from form title
fix: managesign report alignment and loader issue
fix: managesign report alignment and loader issue
fix: not able to update public username and save sign, initials not working
fix: save sign, initials not working
Merge pull request
| }; | ||
|
|
||
| // Only set custom endpoint if not using AWS | ||
| if (endpoint && !endpoint.includes('amazonaws.com')) { |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization
Copilot Autofix
AI 4 months ago
To fix the security issue, instead of checking if 'amazonaws.com' is present anywhere in the endpoint string, you should parse the endpoint as a URL (using the URL constructor) and check whether the hostname exactly matches or ends with 'amazonaws.com'. This ensures that only real AWS endpoints are detected, and trick endpoints (e.g., those with 'amazonaws.com' in a different part of the URL or as a subdomain of an unrelated host) are not falsely classified as AWS endpoints.
- Update line 22 of `createS3Client` to parse `endpoint` with `new URL(...)` and check its hostname.
- Use either `endpointHostname === 'amazonaws.com'` or `endpointHostname.endsWith('.amazonaws.com')`, or `endpointHostname === 'amazonaws.com' || endpointHostname.endsWith('.amazonaws.com')`.
- If `endpoint` does not parse as a URL, fall back gracefully (ignore the custom endpoint).
- No additional imports are needed.
- Only lines inside the function `createS3Client` need changes.
| @@ -19,8 +19,17 @@ | ||
| }; | ||
|
|
||
| // Only set custom endpoint if not using AWS | ||
| if (endpoint && !endpoint.includes('amazonaws.com')) { | ||
| config.endpoint = `https://${endpoint}`; | ||
| if (endpoint) { | ||
| let endpointHost; | ||
| try { | ||
| endpointHost = (new URL(endpoint.includes('://') ? endpoint : `https://${endpoint}`)).hostname; | ||
| } catch { | ||
| endpointHost = ''; | ||
| } | ||
| // Only set custom endpoint if NOT AWS (hostname must NOT equal or end with 'amazonaws.com') | ||
| if (!(endpointHost === 'amazonaws.com' || endpointHost.endsWith('.amazonaws.com'))) { | ||
| config.endpoint = `https://${endpoint}`; | ||
| } | ||
| } | ||
|
|
||
| return new S3Client(config); |
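Review bot: the graceful fallback promised in the suggestion text ("ignore custom endpoint" when parsing fails) is not what the hunk implements. On a parse failure `endpointHost` becomes `''`, and `''` neither equals nor ends with `'amazonaws.com'`, so `if (!(endpointHost === 'amazonaws.com' || endpointHost.endsWith('.amazonaws.com')))` still evaluates true and the unparseable value is written to `config.endpoint`. Either return from the catch branch or require a non-empty `endpointHost` before the AWS test. Separately, the parse line already handles a value that carries its own scheme (`endpoint.includes('://') ? endpoint : \`https://${endpoint}\``), but `config.endpoint = \`https://${endpoint}\`` still prepends the scheme unconditionally, which yields `https://https://...` for such a value; compute the normalised string once and use it in both places.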
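The two classification rules from the finding above, side by side, as an added example that is not OpenSign project code. It contrasts the substring test CodeQL flagged with the hostname-based check the autofix proposes, and it also carries the parse-failure case through to the config so that an unparseable endpoint is dropped rather than assigned. The function names (`isAwsEndpointBySubstring`, `isAwsEndpointByHostname`, `s3EndpointConfig`) and the sample endpoints are assumptions made for the example.

```javascript
// Added example (not OpenSign project code): contrasts the substring test that
// CodeQL flagged with a hostname-based classification of an S3 endpoint.
// The helper names and the sample endpoints are assumptions.

// The flagged pattern: the marker string may appear anywhere, including in a
// path or in an unrelated host that merely starts with it.
function isAwsEndpointBySubstring(endpoint) {
  return endpoint.includes('amazonaws.com');
}

// Hostname-based check: parse as a URL (adding a scheme for a bare host), then
// compare the hostname exactly or by a dot-anchored suffix. Returns null when
// the value does not parse so the caller can discard it.
function isAwsEndpointByHostname(endpoint) {
  if (!endpoint) return null;
  let host;
  try {
    host = new URL(endpoint.includes('://') ? endpoint : `https://${endpoint}`).hostname;
  } catch {
    return null;
  }
  return host === 'amazonaws.com' || host.endsWith('.amazonaws.com');
}

// Builds only the endpoint part of the S3 client options: a non-AWS endpoint
// becomes a custom endpoint (scheme added once), AWS or unparseable values
// leave the config untouched.
function s3EndpointConfig(endpoint) {
  const aws = isAwsEndpointByHostname(endpoint);
  if (aws === null || aws === true) return {};
  const withScheme = endpoint.includes('://') ? endpoint : `https://${endpoint}`;
  return { endpoint: withScheme };
}

// Constructed sample inputs chosen to show where the two checks disagree.
const SAMPLES = [
  's3.amazonaws.com',
  's3.us-east-1.amazonaws.com',
  'minio.internal:9000',
  'amazonaws.com.example.test',          // unrelated host with a look-alike prefix
  'storage.example.test/amazonaws.com',  // marker sits in the path, not the host
  'https://s3.eu-west-1.amazonaws.com',
];

function compareChecks() {
  return SAMPLES.map((e) => ({
    endpoint: e,
    substring: isAwsEndpointBySubstring(e),
    hostname: isAwsEndpointByHostname(e),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compareChecks());
}
```

Run with `node` to print the comparison table; the two look-alike samples are classified as AWS by the substring test and as non-AWS by the hostname test, while the genuine AWS hosts agree under both.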
| </body> | ||
| </html> | ||
| `; | ||
| res.send(htmlForm); |
Check failure
Code scanning / CodeQL
Reflected cross-site scripting
Copilot Autofix
AI 4 months ago
To fix the vulnerability, any user-supplied value that is included in HTML output must be properly escaped for the appropriate context. Since userId ends up embedded in an HTML attribute value (the action attribute of a form), we need to use an HTML-escaping function. The best and most robust way is to use a mature and well-tested escaping library such as escape-html.
Steps to fix:
- Import the `escape-html` package at the top of the file.
- When building the `htmlForm` string on lines 265–346, wrap `userId` with the escaping function when interpolating it in the string: `action="${routePath}/delete-account/${escapeHtml(userId)}"`. This will ensure that any HTML special characters in `userId` (such as `"`, `<`, `>`, `&`) are properly encoded, preventing XSS.
Only the relevant block needs to be changed, and the required import added at the top.
| @@ -1,4 +1,5 @@ | ||
| import axios from 'axios'; | ||
| import escapeHtml from 'escape-html'; | ||
| import { cloudServerUrl, generateId, serverAppId } from '../../Utils.js'; | ||
| import sendmailtoSupport from './sendMailToSupport.js'; | ||
| import { deleteContactsInBatch, deleteDataFiles, deleteInBatches } from './deleteFileUrl.js'; | ||
| @@ -335,7 +336,7 @@ | ||
| <div class="container"> | ||
| <h2>Confirm Account Deletion</h2> | ||
| <p class="warning">This action is irreversible. Please confirm by entering your password.</p> | ||
| <form method="POST" action="${routePath}/delete-account/${userId}"> | ||
| <form method="POST" action="${routePath}/delete-account/${escapeHtml(userId)}"> | ||
| <label for="password">Password</label> | ||
| <input type="password" name="password" id="password" placeholder="Please provide your password" required /> | ||
| <button type="submit">Delete My Account</button> |
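Review bot: `escapeHtml(userId)` is the right escaping for the attribute context, but the value also forms a path segment of the `action` URL, and HTML escaping leaves `/`, `?` and `#` untouched, so an id containing those characters can still change which route the form posts to. Percent-encode for the URL first (`encodeURIComponent(userId)`) and HTML-escape the assembled URL for the attribute. `routePath`, interpolated on the same line, is not covered by this fix; confirm it is a server-side constant rather than request-derived before relying on it.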
-
Copy modified lines R57-R58
| @@ -54,7 +54,8 @@ | ||
| "rate-limiter-flexible": "^7.2.0", | ||
| "sharp": "^0.34.3", | ||
| "speakeasy": "^2.0.0", | ||
| "ws": "^8.18.3" | ||
| "ws": "^8.18.3", | ||
| "escape-html": "^1.0.3" | ||
| }, | ||
| "type": "module", | ||
| "devDependencies": { |
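Review bot: `"escape-html"` is appended after `"ws"` in what the surrounding entries show is an alphabetically ordered dependency list; move it to its sorted position. No lockfile change accompanies this suggestion, so the lockfile must be regenerated before merge or the install will diverge from `package.json`.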
| Package | Version | Security advisories |
|---|---|---|
| escape-html (npm) | 1.0.3 | None |
| console.log('err while validating password: ', err?.response?.data || err); | ||
| const errorMessage = `Invalid password. <a href="${routePath}/delete-account/${userId}">Try again</a>`; | ||
| sendmailtoSupport(userDetails, errorMessage); | ||
| return res.status(401).send(errorMessage); |
Check failure
Code scanning / CodeQL
Reflected cross-site scripting
Copilot Autofix
AI 4 months ago
To fix this issue, we must sanitize or escape the userId prior to including it in the HTML response. Since the context is within an HTML "href" attribute, the value must be escaped to prevent breaking the attribute or enabling script execution via malformed values. The best, simplest way is to use a well-known HTML-escaping utility such as escape-html. This library safely escapes HTML special characters, preventing injection attacks.
Implementation steps:
- Add the `escape-html` import at the top of the file.
- When building `errorMessage`, apply `escape()` to `userId` before interpolating it into the HTML anchor.
- No changes to the actual business logic or user IDs.
| @@ -1,4 +1,5 @@ | ||
| import axios from 'axios'; | ||
| import escape from 'escape-html'; | ||
| import { cloudServerUrl, generateId, serverAppId } from '../../Utils.js'; | ||
| import sendmailtoSupport from './sendMailToSupport.js'; | ||
| import { deleteContactsInBatch, deleteDataFiles, deleteInBatches } from './deleteFileUrl.js'; | ||
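Review bot: the binding name `escape` is a poor choice: it shadows the global (deprecated) `escape()` function, so a reader of `escape(userId)` further down cannot tell whether HTML escaping or legacy percent-encoding is happening. The other two suggestions for this same file import the module as `escapeHtml`; use that name here too, and note that applying more than one of these suggestions will insert duplicate `escape-html` imports at line 2, which must be collapsed into one.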
| @@ -393,7 +394,7 @@ | ||
| console.log('Res ', res?.data); | ||
| } catch (err) { | ||
| console.log('err while validating password: ', err?.response?.data || err); | ||
| const errorMessage = `Invalid password. <a href="${routePath}/delete-account/${userId}">Try again</a>`; | ||
| const errorMessage = `Invalid password. <a href="${routePath}/delete-account/${escape(userId)}">Try again</a>`; | ||
| sendmailtoSupport(userDetails, errorMessage); | ||
| return res.status(401).send(errorMessage); | ||
| } |
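Review bot: same pattern and same caveat as the form `action` fix above: `escape(userId)` prevents breaking out of the `href` attribute but does not URL-encode the path segment, so `encodeURIComponent` before HTML-escaping covers both contexts. Note also that `res.status(401).send(errorMessage)` with a string body is served as `text/html`, which is why escaping is needed at all; if the client does not need a clickable link, a `text/plain` response with no markup removes the sink entirely.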
| @@ -54,7 +54,8 @@ | ||
| "rate-limiter-flexible": "^7.2.0", | ||
| "sharp": "^0.34.3", | ||
| "speakeasy": "^2.0.0", | ||
| "ws": "^8.18.3" | ||
| "ws": "^8.18.3", | ||
| "escape-html": "^1.0.3" | ||
| }, | ||
| "type": "module", | ||
| "devDependencies": { |
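Review bot: identical to the `package.json` hunk in the previous suggestion; if both suggestions are applied, only one `"escape-html"` entry should be added, at its alphabetical position, with the lockfile regenerated.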
| Package | Version | Security advisories |
|---|---|---|
| escape-html (npm) | 1.0.3 | None |
| console.error('Account deletion error:', error); | ||
| const errorMessage = error?.message || 'An error occurred while deleting your account.'; | ||
| sendmailtoSupport(userDetails, errorMessage); | ||
| return res.status(500).send(errorMessage); |
Check warning
Code scanning / CodeQL
Exception text reinterpreted as HTML
Copilot Autofix
AI 4 months ago
To fix the XSS vulnerability, any error message or user-controllable string sent as part of a server response with HTML or text content must be properly escaped before being sent to the client. The most robust approach is to encode HTML meta-characters (<, >, &, ", ', /) in the error message such that if the message is rendered in a browser, it can't be interpreted as HTML or JavaScript. This can be accomplished by using a standard library such as he or escape-html, which specifically escapes HTML characters. The replacement should be at the point where the error message is being sent to clients, i.e., inside the catch block on line 409. Add the relevant import at the top of the file.
Required changes:
- Add an import for an HTML-escaping function (such as from the `escape-html` package).
- Before sending `errorMessage`, ensure it is properly escaped.
- Only touch the lines sending the error message (`res.status(500).send(errorMessage);` → escape before send).
- No other functionality should change.
| @@ -1,4 +1,5 @@ | ||
| import axios from 'axios'; | ||
| import escapeHtml from 'escape-html'; | ||
| import { cloudServerUrl, generateId, serverAppId } from '../../Utils.js'; | ||
| import sendmailtoSupport from './sendMailToSupport.js'; | ||
| import { deleteContactsInBatch, deleteDataFiles, deleteInBatches } from './deleteFileUrl.js'; | ||
| @@ -406,7 +407,7 @@ | ||
| console.error('Account deletion error:', error); | ||
| const errorMessage = error?.message || 'An error occurred while deleting your account.'; | ||
| sendmailtoSupport(userDetails, errorMessage); | ||
| return res.status(500).send(errorMessage); | ||
| return res.status(500).send(escapeHtml(errorMessage)); | ||
| } | ||
| }; | ||
|
|
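Review bot: `escapeHtml(errorMessage)` stops the text from being parsed as HTML, but `error?.message` on the line above still forwards whatever the thrown error said (library or database error text) to the client, which is an information-exposure concern separate from the XSS one. Prefer a fixed client-facing message and keep the raw detail for the `console.error` and `sendmailtoSupport` calls. Since `res.send` with a string defaults to `text/html`, `res.type('text/plain')` before the send would also make the content type match the content regardless of escaping.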
| @@ -54,7 +54,8 @@ | ||
| "rate-limiter-flexible": "^7.2.0", | ||
| "sharp": "^0.34.3", | ||
| "speakeasy": "^2.0.0", | ||
| "ws": "^8.18.3" | ||
| "ws": "^8.18.3", | ||
| "escape-html": "^1.0.3" | ||
| }, | ||
| "type": "module", | ||
| "devDependencies": { |
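Review bot: third copy of the same `package.json` hunk; it needs to be applied once, at the sorted position, with the lockfile regenerated.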
| Package | Version | Security advisories |
|---|---|---|
| escape-html (npm) | 1.0.3 | None |
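The two reflected-XSS findings (the form `action` and the retry `href`) and the exception-text finding, carried out in one added example that is not OpenSign project code. It encodes each value for the context it lands in: the user id is percent-encoded as a URL path segment and the assembled URL is then HTML-escaped for the attribute; the exception text is shown both escaped, as the autofix does, and replaced by a fixed `text/plain` message with the raw detail kept for server-side logging. `escapeHtml` is a minimal stand-in for the `escape-html` package so the file runs offline; the function names, `GENERIC_ERROR`, and the sample id and error strings are assumptions.

```javascript
// Added example (not OpenSign project code): the two reflected-XSS fixes and
// the exception-text fix above, done with encoding that matches each output
// context. Function names and sample values are assumptions; escapeHtml is a
// minimal stand-in for the escape-html package so the file runs offline.

// Escape the five characters that can end text content or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The id is a URL path segment inside an attribute: percent-encode it for the
// path, then HTML-escape the assembled URL for the attribute.
function safeDeleteAccountUrl(routePath, userId) {
  return escapeHtml(`${routePath}/delete-account/${encodeURIComponent(userId)}`);
}

// Confirmation form (the `action` attribute in the first XSS finding).
function renderDeleteForm(routePath, userId) {
  return `<form method="POST" action="${safeDeleteAccountUrl(routePath, userId)}">` +
    '<input type="password" name="password" id="password" required />' +
    '<button type="submit">Delete My Account</button></form>';
}

// Retry link (the `href` attribute in the second XSS finding).
function renderInvalidPasswordMessage(routePath, userId) {
  return `Invalid password. <a href="${safeDeleteAccountUrl(routePath, userId)}">Try again</a>`;
}

const GENERIC_ERROR = 'An error occurred while deleting your account.';

// Exception text, as the autofix does it: escape the message before it goes
// out in a string body that Express would serve as text/html.
function escapedErrorHtml(error) {
  return escapeHtml(error?.message || GENERIC_ERROR);
}

// Stricter variant: the client gets a fixed message as text/plain; the raw
// error text is returned separately for the server-side log and support mail.
function clientErrorResponse(error) {
  return {
    status: 500,
    contentType: 'text/plain; charset=utf-8',
    body: GENERIC_ERROR,
    logDetail: error?.message || GENERIC_ERROR,
  };
}

// Constructed sample: an id that would close the attribute if interpolated raw.
const SAMPLE_USER_ID = 'u1"><i>x</i>';

function demo() {
  return {
    form: renderDeleteForm('/api', SAMPLE_USER_ID),
    retry: renderInvalidPasswordMessage('/api', SAMPLE_USER_ID),
    errHtml: escapedErrorHtml(new Error('bad <input> value')),
    errPlain: clientErrorResponse(new Error('db unreachable')),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node` to see the rendered strings. Percent-encoding first means the id cannot introduce `/`, `?` or `#` into the path, and the subsequent HTML escape means the resulting URL cannot close the attribute; Express decodes `req.params` on the receiving route, so the handler still sees the original id.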
No description provided.