chore(tests): clear 5 CodeQL code-quality notes in test files#193
Merged
Addresses the security-relevant code-scanning findings surfaced by the CodeQL workflow (#179):

- HIGH js/polynomial-redos + js/incomplete-multi-character-sanitization (frontend/packages/data/src/format.ts): the HTML→text approximation used `replace(/<[^>]*>/g, '')`. Replaced with `stripTags()` — a bounded `[^<>]` char class (linear, no ReDoS backtracking) looped until stable (no residual tag on nested/overlapping input). This path only produces display *text* (React escapes it), but the strip is now ReDoS-free and complete.
- MEDIUM py/url-redirection (views.py `_redirect_to_login`): the `?next=` value interpolated `request.path` unencoded. Now `urlencode({"next": request.get_full_path()})` so a crafted path can't break out of the query param. The redirect *target* was already trusted; `next` is re-validated by Django's login view.
- MEDIUM py/stack-trace-exposure (api/views/update.py): the inline malformed-payload branch returned `bad_request(str(exc))`, echoing exception text. Now a fixed generic "Malformed 'inlines' payload." message — never the exception string.

Test: updated test_spa_index to decode the now-encoded `next` param; all spa-index + inline-write tests pass.

Tier 5 — touches views.py login-redirect + the wire surface. The 5 remaining CodeQL items are code-quality NOTES in test files (unused imports/locals, implicit string concat) — addressed separately.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
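The two regex strategies the commit above contrasts, and the `next`-parameter encoding it describes, as an added example. This is not the project's `format.ts` or `views.py`; `stripTagsNaive`, `stripTags`, `loginRedirectUrl`, `nextValues` and the `/login/` path are names constructed here, and the JS side uses `URLSearchParams` as the browser analogue of Django's `urlencode` (that pairing is this example's assumption, not the page's).

```javascript
// Added example (not the project's code): contrasts the flagged single-pass
// regex with a bounded class looped until stable, and an unencoded vs encoded
// `next` query parameter for a login redirect.

// The pattern CodeQL flagged: `[^>]*` may run to the end of the input and is
// re-tried from every `<` that has no closing `>`, so inputs such as
// '<'.repeat(n) cost polynomial time. One pass also leaves residue on nested tags.
function stripTagsNaive(html) {
  return html.replace(/<[^>]*>/g, '');
}

// Bounded class: `[^<>]*` can never run past the next `<`, so each character
// is examined by at most one candidate match and matching is linear. Looping
// until the string stops changing also removes what an inner tag's removal
// exposes (e.g. the outer `<>` left behind after `<b>` is cut from `<<b>>`).
function stripTags(html) {
  let previous;
  let current = html;
  do {
    previous = current;
    current = current.replace(/<[^<>]*>/g, '');
  } while (current !== previous); // every pass shortens the string or ends the loop
  return current;
}

// Django side of the same commit, in JS: `next` is one query parameter and must
// be encoded as one; otherwise a path containing `&` or `=` injects further
// parameters into the login URL.
const LOGIN_PATH = '/login/'; // constructed placeholder; the real login URL is not on the page

function loginRedirectUrlNaive(fullPath) {
  return LOGIN_PATH + '?next=' + fullPath;
}

function loginRedirectUrl(fullPath) {
  return LOGIN_PATH + '?' + new URLSearchParams({ next: fullPath }).toString();
}

// Parse a redirect URL back and return every `next` value it carries, so the
// two builders can be compared on the same input. The base origin is a
// constructed value needed only to resolve the relative URL.
function nextValues(redirectUrl) {
  return new URL(redirectUrl, 'https://example.test').searchParams.getAll('next');
}

// Worked comparison on constructed inputs.
function demo() {
  const nested = '<<b>>x';
  const path = '/docs/?q=1&next=/other';
  return {
    naiveStrip: stripTagsNaive(nested),           // '>x' (residual tag)
    loopedStrip: stripTags(nested),               // 'x'
    naiveNext: nextValues(loginRedirectUrlNaive(path)), // two `next` values
    encodedNext: nextValues(loginRedirectUrl(path)),    // the original path, intact
  };
}
```

The loop terminates because each `replace` either removes at least one character or returns the input unchanged. The output is still only display text, as the commit notes; it is not an HTML sanitizer, and the caller must keep relying on React's escaping when rendering it.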
The note-severity (non-security) half of the CodeQL "Security and quality" findings — all in test code:

- test_autocomplete.py: remove unused `Group` import (py/unused-import).
- test_list_filter.py: drop unused `g1`/`g2` bindings (keep the row creates) + unused `body` binding (test asserts status only) (py/unused-local-variable ×3).
- test_serializers.py: remove the unused `_FakeMeta` class (py/unused-local-variable).
- test_security.py: make the secret-pattern regex concatenation explicit with `+` so it reads as intentional, not an accidental missing comma (py/implicit-string-concatenation-in-list).

No behavior change; 97 tests across the four files pass. With the 4 security fixes in #191, this takes CodeQL to 0 open alerts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
MartinCastroAlvarez added a commit that referenced this pull request on May 26, 2026
… js/missing-origin-check) (#208)

The PWA service worker's `message` handler (the `dar:purge` cache-on-logout hook, #200) processed messages without verifying the sender origin — CodeQL `js/missing-origin-check` (medium). A cross-origin frame must never be able to drive the SW cache.

Add `if (event.origin && event.origin !== self.location.origin) return;` so only same-origin clients (the SPA pages this worker controls) can trigger a purge. Same-origin internal `client.postMessage` (empty origin) is still accepted; anything cross-origin is dropped.

This is the one open CodeQL alert on main (the other 10 are fixed via #191/#193). Clears it → 0 open. Test asserts the served SW embeds the origin check.

Co-authored-by: Martin Castro Laminrs <mcastro@laminr.ai>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
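The origin check from the commit above, factored into a testable predicate and driven by simulated message events, as an added example rather than the project's service worker. Only the condition `event.origin && event.origin !== self.location.origin` and the `dar:purge` message name come from the commit; `isAllowedMessageOrigin`, `makePurgeHandler`, the `data.type` field and the sample origins are constructed here.

```javascript
// Added example (not the project's service worker): the same-origin gate the
// commit adds, separated from the handler so each branch can be exercised.

// Mirrors the commit's condition. An empty origin is what the commit says the
// worker's own `client.postMessage` carries, so it passes; a non-empty origin
// must equal the worker's own origin.
function isAllowedMessageOrigin(eventOrigin, selfOrigin) {
  if (eventOrigin && eventOrigin !== selfOrigin) return false;
  return true;
}

// Builds a `message` handler that purges only for allowed origins. `purgeCache`
// is whatever the worker does on logout; `data.type === 'dar:purge'` is this
// example's assumed message shape.
function makePurgeHandler(selfOrigin, purgeCache) {
  const log = []; // records what happened to each event, for inspection
  const handler = (event) => {
    if (!isAllowedMessageOrigin(event.origin, selfOrigin)) {
      log.push({ dropped: event.origin });
      return;
    }
    if (event.data && event.data.type === 'dar:purge') {
      purgeCache();
      log.push({ purged: event.origin });
    }
  };
  return { handler, log };
}

// Feeds constructed events (stand-ins for MessageEvent objects) through the
// handler and reports how many purges ran and what was dropped.
function simulate(selfOrigin) {
  let purges = 0;
  const { handler, log } = makePurgeHandler(selfOrigin, () => { purges += 1; });
  handler({ origin: selfOrigin, data: { type: 'dar:purge' } });              // same-origin page
  handler({ origin: '', data: { type: 'dar:purge' } });                      // internal postMessage
  handler({ origin: 'https://other.example', data: { type: 'dar:purge' } }); // cross-origin: dropped
  handler({ origin: selfOrigin, data: { type: 'other' } });                  // same-origin, unrelated
  return { purges, log };
}
```

In a real worker the handler is registered with `self.addEventListener('message', …)` and `selfOrigin` is `self.location.origin`; the simulation is kept free of those globals so it runs outside a browser. The empty-origin case is the one to keep an eye on when reviewing such a check: it is accepted deliberately, so the assumption that only the worker's own clients produce it should hold for the messaging paths the app actually uses.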
The note-severity (non-security) half of the CodeQL findings — unused imports/locals + implicit string concat, all in test files. No behavior change; 97 tests pass. With #191 (the 4 security alerts), this takes CodeQL to 0 open. Tier 2 (test-only).