Skip to content

security: härte XSS/SSRF + CodeQL/Dependabot-Sweep#4

Open
Musiker15 wants to merge 4 commits into
cmdscripts:mainfrom
MSK-Scripts:main
Open

security: härte XSS/SSRF + CodeQL/Dependabot-Sweep#4
Musiker15 wants to merge 4 commits into
cmdscripts:mainfrom
MSK-Scripts:main

Conversation

@Musiker15
Copy link
Copy Markdown
Contributor

@Musiker15 Musiker15 commented May 15, 2026

Summary

  • XSS fix components/WelcomeForm.tsx: HTML-escape vor Markdown
    → schließt Self-XSS in der Live-Vorschau
  • img-src hardening in TicketsForm, SuggestionsForm, BackgroundDialog
    via neuem lib/safeUrl.ts (safeHttpUrl() lässt nur http(s) durch)
  • SSRF hardening in lib/discord.ts + lib/discordBot.ts:
    buildDiscordUrl() mit URL-Constructor + fixed base + Deny-List
  • Dependabot: postcss Override auf ^8.5.10 (GHSA-XSS)
  • CI: ESLint-Workflow lädt SARIF zu Code Scanning hoch (suppression-aware)

Test plan

  • npx eslint . → exit 0
  • npx tsc --noEmit → exit 0
  • CodeQL-Scan auf Fork: 0 offene Findings
  • Dependabot: 0 offene Alerts

Musiker15 and others added 4 commits May 16, 2026 00:35
@Musiker15
security: härte XSS/SSRF-Findings + postcss-Override
6ae57d8 
security: härte XSS/SSRF-Findings + postcss-Override

- WelcomeForm: HTML-escape vor Markdown (Self-XSS in Live-Vorschau)
- TicketsForm/SuggestionsForm/BackgroundDialog: img-src via safeHttpUrl()
- lib/discord*.ts: assertDiscordPath() gegen SSRF (Defense-in-Depth)
- postcss-Override auf ^8.5.10 (Dependabot GHSA)
@Musiker15
security: CodeQL SSRF sanitizer + ESLint SARIF-Upload
e204291 
security: CodeQL SSRF sanitizer + ESLint SARIF-Upload

- buildDiscordUrl() ersetzt assertDiscordPath: URL-Constructor mit
  fixed base + Deny-List am fetch-Sink → CodeQL-erkennbar
- ESLint-Workflow lädt jetzt SARIF zu Code Scanning hoch
  → stale Alerts schließen automatisch beim nächsten Push
@Musiker15 @claude
ci(eslint): filter suppressed results from SARIF before upload
fdded48 
GitHub Code Scanning ignoriert SARIF-`suppressions[]` mit leerer
Justification — alle `/* eslint-disable-next-line */`-Treffer landeten
trotzdem als „offene Alerts" im Security-Tab. jq-Step entfernt sie
vor dem Upload. Zusätzlich upload-sarif@v3 → @v4 (Deprecation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Musiker15
Update release.yml
d785492
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented May 15, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Musiker15 @github-advanced-security