Rocky/web wallet #774
Rocky/web wallet #774
Conversation
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 18 Skipped Deployments
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| accounts: namespaceToUpdate.accounts.concat( | ||
| `${namespaceToUpdate.chains?.[0]}:${baseAddress}${Math.floor( | ||
| Math.random() * (9 - 1 + 1) + 0 | ||
| )}` | ||
| ) // generates random number between 0 and 9 |
Check failure
Code scanning / CodeQL
Insecure randomness High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI about 1 month ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In the browser environment, we can use window.crypto.getRandomValues to generate a secure random number. This change will ensure that the generated account addresses are not predictable and thus more secure.
| @@ -102,3 +102,3 @@ | ||
| `${namespaceToUpdate.chains?.[0]}:${baseAddress}${Math.floor( | ||
| Math.random() * (9 - 1 + 1) + 0 | ||
| window.crypto.getRandomValues(new Uint32Array(1))[0] / (0xFFFFFFFF + 1) * (9 - 1 + 1) + 0 | ||
| )}` |
|
|
||
| const redirect = router.query.redirect as string | ||
| if (redirect) { | ||
| window.location.assign(redirect) |
Check warning
Code scanning / CodeQL
Client-side URL redirect Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that the redirect parameter is validated against a list of authorized URLs before performing the redirection. This can be achieved by maintaining a list of trusted URLs and checking if the redirect parameter matches any of these URLs before redirecting.
- Create a list of authorized URLs.
- Check if the
redirectparameter is in the list of authorized URLs. - Only perform the redirection if the
redirectparameter is authorized.
| @@ -55,3 +55,8 @@ | ||
| const redirect = router.query.redirect as string | ||
| if (redirect) { | ||
| const authorizedUrls = [ | ||
| 'https://trusted-site1.com', | ||
| 'https://trusted-site2.com', | ||
| // Add more trusted URLs here | ||
| ] | ||
| if (redirect && authorizedUrls.includes(redirect)) { | ||
| window.location.assign(redirect) |
|
|
||
| const redirect = router.query.redirect as string | ||
| if (redirect) { | ||
| window.location.assign(redirect) |
Check failure
Code scanning / CodeQL
Client-side cross-site scripting High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 14 days ago
To fix the problem, we need to ensure that the redirect parameter is properly sanitized or validated before being used in window.location.assign. The best way to do this is to use a whitelist of allowed URLs or to ensure that the URL is safe by using a library that can parse and validate URLs.
In this case, we will use a simple whitelist approach to ensure that only allowed URLs can be used for redirection. We will define a list of allowed domains and check if the redirect URL belongs to one of these domains before performing the redirection.
| @@ -55,4 +55,14 @@ | ||
| const redirect = router.query.redirect as string | ||
| const allowedDomains = ['example.com', 'another-example.com']; // Add allowed domains here | ||
| if (redirect) { | ||
| window.location.assign(redirect) | ||
| try { | ||
| const url = new URL(redirect); | ||
| if (allowedDomains.includes(url.hostname)) { | ||
| window.location.assign(redirect); | ||
| } else { | ||
| console.warn('Redirect URL is not allowed:', redirect); | ||
| } | ||
| } catch (e) { | ||
| console.error('Invalid redirect URL:', redirect); | ||
| } | ||
| } |
No description provided.