2 changes: 2 additions & 0 deletions bin2dec/src/App.js
@@ -8,6 +8,8 @@ function App() {
const binaryChangeHandler = (e) =>{
let num = e.target.value
var regExp = /[a-zA-Z2-9]/g;

const a = "dsadsdsadsadsaadas"


Codacy found a critical Error Prone issue: 'a' is assigned a value but never used.

The issue here is that the variable a is declared and assigned a string value but is never used in the code. This is considered an error-prone practice because it introduces unnecessary code that can confuse readers and potentially lead to maintenance issues.

To fix this issue, you can simply remove the unused variable a.

Suggested change:
- const a = "dsadsdsadsadsaadas"

This comment was generated by an experimental AI tool.


Codacy found a critical Error Prone issue: 'a' is assigned a value but never used.

The issue identified by ESLint is that the variable a is declared and assigned a value, but it is never used in the code. This results in unnecessary code that can be removed to improve readability and maintainability.

To fix this issue, you should remove the line where the variable a is declared and assigned.

Suggested change:
- const a = "dsadsdsadsadsaadas"
+ // Remove the unused variable 'a'

This comment was generated by an experimental AI tool.


Remove unused constant a.

- const a = "dsadsdsadsadsaadas"

This constant is declared but never used, which could lead to confusion and clutter in the codebase.

Tools
GitHub Check: Codacy Static Code Analysis

[failure] 12-12: bin2dec/src/App.js#L12
'a' is assigned a value but never used.

GitHub Check: Qodana for JS

[warning] 12-12: Unused local symbol
Unused constant a

if(regExp.test(num)|| num ===""){
setAppstate({
binary: num,
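Review bot: the added `const a = "dsadsdsadsadsaadas"` inside binaryChangeHandler is assigned and never read, which is why the Codacy and Qodana checks fail this file; delete the line rather than commenting it out. On the unchanged context line beside it, `var regExp = /[a-zA-Z2-9]/g` is only ever used with `.test()`, where the `g` flag adds `lastIndex` bookkeeping for no benefit (harmless here only because the regex is re-created on every call), and a character class that lists the characters to reject lets anything not listed, such as `-`, `.` or whitespace, through a handler named for binary input; an allowlist such as `/^[01]*$/` states the intent directly.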
46 changes: 46 additions & 0 deletions calendar/src/components/VunComponent/comp.tsx
@@ -0,0 +1,46 @@
import React, { useState, useEffect } from 'react';

interface VulnerableComponentProps {
someProp: string;
}

const VulnerableFunctionalComponent: React.FC<VulnerableComponentProps> = ({ someProp }) => {
const [data, setData] = useState<string | null>(null);
const [input, setInput] = useState<string>('');

useEffect(() => {
// Simulating an API call
const fetchData = (prop: string) => {
// Vulnerable to XSS if prop is user-controlled
setTimeout(() => {
setData(`Data for ${prop}`);
}, 1000);
};

fetchData(someProp);


Codacy found a critical Error Prone issue: Unsafe argument of type any assigned to a parameter of type string.

The issue identified by ESLint is that the variable someProp is of type any, which means it could potentially hold any type of value, including types that could lead to vulnerabilities like Cross-Site Scripting (XSS) if not properly sanitized. By assigning it directly to a parameter of type string, you risk passing unsafe values into the fetchData function.

To fix this issue, you should ensure that someProp is explicitly typed as string. This will enforce type safety and help prevent potential vulnerabilities.

Here is the code suggestion to fix the issue:

Suggested change:
- fetchData(someProp);
+ fetchData(someProp as string);

This comment was generated by an experimental AI tool.

}, [someProp]);

// Vulnerable to XSS if input is user-controlled and rendered directly
const handleInputChange = (event: React.ChangeEvent<HTMLInputElement>) => {
setInput(event.target.value);


Codacy found a critical Error Prone issue: Unsafe member access .target on an any value.

The issue identified by ESLint is related to the type safety of the event object in the handleInputChange function. Specifically, the linter warns that accessing the .target property on an any type is unsafe because TypeScript cannot guarantee that the event object indeed has a target property. This can lead to potential runtime errors if the assumption is incorrect.

To fix this issue, you should ensure that the event object is properly typed. In this case, the event is a React.ChangeEvent<HTMLInputElement>, which is already specified in the function signature. However, to ensure that TypeScript can infer the type correctly, you can explicitly cast the event parameter.

Here's the code suggestion to fix the issue:

Suggested change:
- setInput(event.target.value);
+ const handleInputChange = (event: React.ChangeEvent<HTMLInputElement>) => {

This will ensure that TypeScript correctly understands the type of event and that accessing event.target.value is safe.


This comment was generated by an experimental AI tool.


Codacy found a critical Error Prone issue: Unsafe argument of type any assigned to a parameter of type SetStateAction<string>.

The issue described by ESLint indicates that the event.target.value is being assigned to the setInput function, which expects a SetStateAction<string> type. The event.target.value is of type any, which can potentially lead to type safety issues, as it can hold values of any type, not just strings.

To fix this issue, you should explicitly cast event.target.value to a string. This ensures that the value being assigned to setInput is of the expected type.

Here's the code suggestion to fix the issue:

Suggested change:
- setInput(event.target.value);
+ setInput(event.target.value as string);

This comment was generated by an experimental AI tool.

};

// Vulnerable to SQL injection if data is directly used in database queries
const handleSubmit = () => {
// Simulating a SQL injection vulnerability
const query = `SELECT * FROM users WHERE name = '${input}'`;
console.warn('SQL Query:', query);
// Do not actually run this query against a database in real applications
};

return (
<div>
<h1>Vulnerable Functional React Component</h1>
<p dangerouslySetInnerHTML={{ __html: data ? data : 'Loading data...' }}></p> {/* Vulnerable to XSS */}


⚠️ Codacy found a medium Security issue: The application was found calling dangerouslySetInnerHTML which may lead to Cross Site Scripting (XSS). By default, React components will encode the data properly before rendering.

The issue described by the Semgrep linter is a potential Cross Site Scripting (XSS) vulnerability. Using dangerouslySetInnerHTML in React can expose the application to XSS attacks if the content being rendered is not properly sanitized. This can allow attackers to inject malicious scripts that can execute in the context of the user's browser.

To fix this issue, we should avoid using dangerouslySetInnerHTML and instead render the data safely. If the data contains HTML that needs to be rendered, it should be sanitized before being used.

Here's the code suggestion to fix the issue:

Suggested change:
- <p dangerouslySetInnerHTML={{ __html: data ? data : 'Loading data...' }}></p> {/* Vulnerable to XSS */}
+ <p>{data ? data : 'Loading data...'}</p>

This change removes the use of dangerouslySetInnerHTML and ensures that the content is rendered as plain text, preventing potential XSS attacks.


This comment was generated by an experimental AI tool.


⚠️ Codacy found a medium Security issue: Unencoded input 'data' used in HTML context

The issue identified by ESLint is that the dangerouslySetInnerHTML prop is being used with unencoded input, which can lead to Cross-Site Scripting (XSS) vulnerabilities. XSS attacks occur when malicious scripts are injected into web pages viewed by other users. In this case, if data contains any malicious scripts, they will be executed in the user's browser.

To fix this issue, you should avoid using dangerouslySetInnerHTML unless absolutely necessary. Instead, you can render the text content directly. Here's the code suggestion to fix the issue:

Suggested change:
- <p dangerouslySetInnerHTML={{ __html: data ? data : 'Loading data...' }}></p> {/* Vulnerable to XSS */}
+ <p>{data ? data : 'Loading data...'}</p>

This change ensures that the content is rendered as plain text, which mitigates the risk of XSS attacks.


This comment was generated by an experimental AI tool.


Avoid using dangerouslySetInnerHTML due to XSS risks.

- <p dangerouslySetInnerHTML={{ __html: data ? data : 'Loading data...' }}></p>
+ <p>{data ? data : 'Loading data...'}</p>
Tools
Biome

[error] 39-39: Avoid passing content using the dangerouslySetInnerHTML prop. (lint/security/noDangerouslySetInnerHtml)

Setting content using code can expose users to cross-site scripting (XSS) attacks

GitHub Check: Codacy Static Code Analysis

[warning] 39-39: calendar/src/components/VunComponent/comp.tsx#L39
The application was found calling dangerouslySetInnerHTML which may lead to Cross Site Scripting (XSS). By default, React components will encode the data properly before rendering.


[warning] 39-39: calendar/src/components/VunComponent/comp.tsx#L39
Unencoded input 'data' used in HTML context

<input type="text" value={input} onChange={handleInputChange} />
<button onClick={handleSubmit}>Submit</button>

Specify button type to prevent unintended form submissions.

- <button onClick={handleSubmit}>Submit</button>
+ <button type="button" onClick={handleSubmit}>Submit</button>
Tools
Biome

[error] 41-41: Provide an explicit type prop for the button element. (lint/a11y/useButtonType)

The default type of a button is submit, which causes the submission of a form when placed inside a form element. This is likely not the behaviour that you want inside a React application.
Allowed button types are: submit, button or reset

</div>
);
};

export default VulnerableFunctionalComponent;
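Review bot: this file composes a SQL statement in the browser from `input` and renders `data` through `dangerouslySetInnerHTML` even though `data` is a plain template string; the name `VulnerableFunctionalComponent` and the inline comments suggest a deliberate scanner fixture, but it sits in `calendar/src/components` with a default export, so nothing stops it being imported into the calendar app. If it is a fixture, say so in a header comment and move it out of the shipped source tree (or under a directory the build excludes); if it is meant as real code, render `<p>{data}</p>`, send `input` to a server endpoint that binds it as a query parameter instead of building SQL on the client, and give the button `type="button"` as the Biome `useButtonType` finding asks. Minor: the directory name `VunComponent` reads like a typo for `VulnComponent`.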
Comment on lines +7 to +46

Address multiple security vulnerabilities related to XSS and SQL injection.

- const fetchData = (prop: string) => {
-     setTimeout(() => {
-         setData(`Data for ${prop}`);
-     }, 1000);
- };
+ const fetchData = (prop: string) => {
+     setTimeout(() => {
+         setData(`Data for ${encodeURIComponent(prop)}`);
+     }, 1000);
+ };

- const query = `SELECT * FROM users WHERE name = '${input}'`;
+ const query = `SELECT * FROM users WHERE name = '${encodeURIComponent(input)}'`;

- <p dangerouslySetInnerHTML={{ __html: data ? data : 'Loading data...' }}></p>
+ <p>{data ? data : 'Loading data...'}</p>

Consider using parameterized queries for database interactions and encoding or sanitizing data before rendering to prevent XSS.

Tools
Biome

[error] 39-39: Avoid passing content using the dangerouslySetInnerHTML prop. (lint/security/noDangerouslySetInnerHtml)

Setting content using code can expose users to cross-site scripting (XSS) attacks


[error] 41-41: Provide an explicit type prop for the button element. (lint/a11y/useButtonType)

The default type of a button is submit, which causes the submission of a form when placed inside a form element. This is likely not the behaviour that you want inside a React application.
Allowed button types are: submit, button or reset

GitHub Check: Codacy Static Code Analysis

[failure] 20-20: calendar/src/components/VunComponent/comp.tsx#L20
Unsafe argument of type any assigned to a parameter of type string.


[failure] 25-25: calendar/src/components/VunComponent/comp.tsx#L25
Unsafe argument of type any assigned to a parameter of type SetStateAction<string>.


[failure] 25-25: calendar/src/components/VunComponent/comp.tsx#L25
Unsafe member access .target on an any value.


[warning] 39-39: calendar/src/components/VunComponent/comp.tsx#L39
The application was found calling dangerouslySetInnerHTML which may lead to Cross Site Scripting (XSS). By default, React components will encode the data properly before rendering.


[warning] 39-39: calendar/src/components/VunComponent/comp.tsx#L39
Unencoded input 'data' used in HTML context
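As an added example, not code from the PR and not any reviewer's suggestion: the block below puts the three ways of building the `users` query side by side (the string interpolation in `handleSubmit`, the `encodeURIComponent` variant proposed in the comment above, and a parameterized query object in the `{ text, values }` shape node-postgres accepts; no database is contacted), and gives a plain HTML escaper for the rendering side, which is what JSX text rendering does and what `dangerouslySetInnerHTML` skips. `quoteCountInSql`, `escapeHtml` and `renderParagraph` are names chosen here, and the sample name and data string are constructed. It serves both the `dangerouslySetInnerHTML` comments and the SQL-injection comment.

```javascript
// Added example (not part of the PR or its review comments).
// Demonstrates why URL-encoding is not a SQL defence and what a bound
// parameter and an HTML escaper change, using constructed sample values.

// 1. Query built the way comp.tsx's handleSubmit builds it: value spliced into SQL text.
function interpolatedQuery(input) {
  return `SELECT * FROM users WHERE name = '${input}'`;
}

// 2. The review suggestion: URL-encode the value, then splice it in.
//    encodeURIComponent leaves ' ( ) ! ~ * - _ . untouched, so the quote survives.
function urlEncodedQuery(input) {
  return `SELECT * FROM users WHERE name = '${encodeURIComponent(input)}'`;
}

// 3. Parameterized form (assumed { text, values } shape, as node-postgres uses):
//    the SQL text is constant and the value rides separately, so the driver
//    binds it as data and never parses it as SQL.
function parameterizedQuery(input) {
  return { text: 'SELECT * FROM users WHERE name = $1', values: [input] };
}

// Counts single quotes in the SQL text a builder produces. The fixed
// statement has exactly two (the literal's delimiters) or none (placeholder);
// any extra quote came from the input and changes how the statement parses.
function quoteCountInSql(buildQuery, input) {
  const sql = buildQuery(input);
  const text = typeof sql === 'string' ? sql : sql.text;
  return (text.match(/'/g) || []).length;
}

// Minimal HTML escaper for text nodes and attribute values; this is the
// encoding React applies to {data} and that dangerouslySetInnerHTML bypasses.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The <p> the component renders, as plain text (what <p>{data}</p> does),
// with the same falsy-value fallback comp.tsx uses.
function renderParagraph(data) {
  return `<p>${escapeHtml(data ? data : 'Loading data...')}</p>`;
}

// Constructed sample values: a legitimate name containing an apostrophe, and a
// data string that happens to contain markup.
const SAMPLE_NAME = "O'Brien";
const SAMPLE_DATA = "Data for <b>O'Brien</b>";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('interpolated  :', interpolatedQuery(SAMPLE_NAME),
    '-> quotes:', quoteCountInSql(interpolatedQuery, SAMPLE_NAME));
  console.log('url-encoded   :', urlEncodedQuery(SAMPLE_NAME),
    '-> quotes:', quoteCountInSql(urlEncodedQuery, SAMPLE_NAME));
  console.log('parameterized :', JSON.stringify(parameterizedQuery(SAMPLE_NAME)),
    '-> quotes:', quoteCountInSql(parameterizedQuery, SAMPLE_NAME));
  console.log('rendered      :', renderParagraph(SAMPLE_DATA));
}
```

Run with `node` to see the three statements next to each other: the interpolated and the URL-encoded versions both carry three quote characters for the name `O'Brien`, so the encoding step changed nothing about how the statement parses, while the parameterized text carries none and the name sits in `values`. The rendered paragraph shows the markup in `SAMPLE_DATA` escaped rather than interpreted.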

1 change: 0 additions & 1 deletion calendar/src/react-app-env.d.ts
@@ -1 +0,0 @@
/// <reference types="react-scripts" />
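Review bot: deleting `/// <reference types="react-scripts" />` drops the ambient type declarations Create React App supplies through `react-scripts` (module declarations for CSS, SVG and image imports, plus the `process.env` typings), and nothing in the PR explains the removal. If the calendar app still builds with `react-scripts`, `tsc` will start rejecting the first stylesheet or asset import; keep the file, or pair the deletion with whatever replaces react-scripts.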
29 changes: 29 additions & 0 deletions qodana.yaml
@@ -0,0 +1,29 @@
#-------------------------------------------------------------------------------#
# Qodana analysis is configured by qodana.yaml file #
# https://www.jetbrains.com/help/qodana/qodana-yaml.html #
#-------------------------------------------------------------------------------#
version: "1.0"

#Specify inspection profile for code analysis
profile:
name: qodana.starter

#Enable inspections
#include:
# - name: <SomeEnabledInspectionId>

#Disable inspections
#exclude:
# - name: <SomeDisabledInspectionId>
# paths:
# - <path/where/not/run/inspection>

#Execute shell command before Qodana execution (Applied in CI/CD pipeline)
#bootstrap: sh ./prepare-qodana.sh

#Install IDE plugins before Qodana execution (Applied in CI/CD pipeline)
#plugins:
# - id: <plugin.id> #(plugin id can be found at https://plugins.jetbrains.com)

#Specify Qodana linter for analysis (Applied in CI/CD pipeline)
linter: jetbrains/qodana-js:latest
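Review bot: `linter: jetbrains/qodana-js:latest` pins a floating tag, so each CI run can pull a different analyzer image and findings will drift between runs without any change to the code; pin a version tag (the release the team validated against, and ideally the image digest) so the scan is reproducible. Also, `qodana.starter` is the minimal profile; if the intent of this PR is to exercise security inspections, `qodana.recommended` enables a broader set, and the commented `exclude` block can then scope out any fixture directories on purpose.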