Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Oauth2 #2974

Merged
merged 15 commits into from
Mar 1, 2025
Merged

Oauth2 #2974

merged 15 commits into from
Mar 1, 2025

Conversation

GermanBluefox
Copy link
Contributor

No description provided.

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 1, 2025
View reviewed changes
packages/adapter-react-v5/src/Components/ObjectBrowser.tsx
Comment on lines +4924 to +4929
this.setState({
showRenameDialog: {
...this.state.showRenameDialog,
value: e.target.value.replace(/\./g, '_'),
},
});

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
packages/adapter-react-v5/src/Components/ObjectBrowser.tsx
Comment on lines +4931 to +4933
this.setState({
showRenameDialog: { ...this.state.showRenameDialog, value },
});

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
packages/adapter-react-v5/src/Components/ObjectBrowser.tsx
Comment on lines +4950 to +4956
this.setState({
showRenameDialog: {
...this.state.showRenameDialog,
value: parts.pop(),
extended: false,
},
});

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
packages/adapter-react-v5/src/Components/ObjectBrowser.tsx
Comment on lines +4962 to +4968
this.setState({
showRenameDialog: {
...this.state.showRenameDialog,
value: `${parts.join('.')}.${this.state.showRenameDialog.value}`,
extended: true,
},
});

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
Component state update uses
potentially inconsistent value
Loading
.
packages/adapter-react-v5/src/Components/ObjectBrowser.tsx
Comment on lines +4982 to +4987
this.setState({
showRenameDialog: {
...this.state.showRenameDialog,
renameAllChildren: !this.state.showRenameDialog.renameAllChildren,
},
});

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
Component state update uses
potentially inconsistent value
Loading
.
packages/admin/src-admin/src/components/Instances/InstanceGeneric.tsx
Comment on lines +1217 to +1220
this.setState({
showStopAdminDialog: `system.adapter.${this.props.instance.id}`,
openDialog: true,
});

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
packages/admin/src-admin/src/components/Markdown.tsx
Comment on lines +594 to +596
this.setState({
adapterNews: repo[this.props.adapter]?.news as Record<string, ioBroker.StringOrTranslated>,
}),

Check warning

Code scanning / CodeQL

Potentially inconsistent state update Warning

Component state update uses
potentially inconsistent value
Loading
.
packages/admin/src-admin/src/login/Login.tsx
} else {
origin = './';
}
window.location.href = origin;

Check warning

Code scanning / CodeQL

Client-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix AI 5 days ago

To fix the problem, we need to ensure that the redirection URL is validated against a list of authorized URLs. This can be achieved by maintaining a list of allowed URLs and checking if the href parameter matches one of these URLs before performing the redirection.

  1. Create a list of authorized URLs.
  2. Validate the href parameter against this list.
  3. Only redirect if the href parameter is in the list of authorized URLs.
Suggested changeset 1
packages/admin/src-admin/src/login/Login.tsx

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/admin/src-admin/src/login/Login.tsx b/packages/admin/src-admin/src/login/Login.tsx
--- a/packages/admin/src-admin/src/login/Login.tsx
+++ b/packages/admin/src-admin/src/login/Login.tsx
@@ -154,10 +154,10 @@
                 const href = urlObj.searchParams.get('href');
-                let origin;
-                if (href) {
+                const authorizedUrls = [
+                    'http://localhost:8084/home',
+                    'http://localhost:8084/dashboard',
+                    // Add more authorized URLs here
+                ];
+                let origin = './';
+                if (href && authorizedUrls.includes(href)) {
                     origin = href;
-                    if (origin.startsWith('#')) {
-                        origin = `./${origin}`;
-                    }
-                } else {
-                    origin = './';
                 }
EOF
@@ -154,10 +154,10 @@
const href = urlObj.searchParams.get('href');
let origin;
if (href) {
const authorizedUrls = [
'http://localhost:8084/home',
'http://localhost:8084/dashboard',
// Add more authorized URLs here
];
let origin = './';
if (href && authorizedUrls.includes(href)) {
origin = href;
if (origin.startsWith('#')) {
origin = `./${origin}`;
}
} else {
origin = './';
}
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
packages/admin/src/lib/web.ts
if (isDev) {
res.redirect('http://127.0.0.1:3000/index.html?login');
} else {
res.redirect(origin ? origin + this.LOGIN_PAGE : this.LOGIN_PAGE);

Check warning

Code scanning / CodeQL

Server-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix AI 5 days ago

To fix the problem, we need to validate the origin parameter to ensure it is a trusted URL before using it in the redirection. We can achieve this by maintaining a list of authorized redirect URLs and checking the origin against this list. If the origin is not in the list, we should redirect to a default safe URL.

  1. Create a list of authorized redirect URLs.
  2. Validate the origin parameter against this list.
  3. If the origin is valid, use it for redirection; otherwise, use a default safe URL.
Suggested changeset 1
packages/admin/src/lib/web.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/admin/src/lib/web.ts b/packages/admin/src/lib/web.ts
--- a/packages/admin/src/lib/web.ts
+++ b/packages/admin/src/lib/web.ts
@@ -588,2 +588,8 @@
 
+                    const authorizedRedirects = [
+                        'http://example.com',
+                        'https://example.com',
+                        // Add other authorized URLs here
+                    ];
+
                     if (isDev) {
@@ -591,3 +597,4 @@
                     } else {
-                        res.redirect(origin ? origin + this.LOGIN_PAGE : this.LOGIN_PAGE);
+                        const isValidOrigin = origin && authorizedRedirects.includes(origin);
+                        res.redirect(isValidOrigin ? origin + this.LOGIN_PAGE : this.LOGIN_PAGE);
                     }
EOF
@@ -588,2 +588,8 @@

const authorizedRedirects = [
'http://example.com',
'https://example.com',
// Add other authorized URLs here
];

if (isDev) {
@@ -591,3 +597,4 @@
} else {
res.redirect(origin ? origin + this.LOGIN_PAGE : this.LOGIN_PAGE);
const isValidOrigin = origin && authorizedRedirects.includes(origin);
res.redirect(isValidOrigin ? origin + this.LOGIN_PAGE : this.LOGIN_PAGE);
}
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@GermanBluefox GermanBluefox merged commit 17bd4c3 into master Mar 1, 2025
15 checks passed
@GermanBluefox GermanBluefox deleted the oauth2 branch March 1, 2025 23:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@GermanBluefox