Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: code scanning alert no. 12: Reflected cross-site scripting #5078

Merged
merged 1 commit into from
Nov 8, 2024
Merged

fix: code scanning alert no. 12: Reflected cross-site scripting #5078

merged 1 commit into from
Nov 8, 2024
+2 −1

Conversation

X-Guardian
Copy link
Contributor

Fixes https://github.com/runatlantis/atlantis/security/code-scanning/12

To fix the reflected cross-site scripting vulnerability, we need to ensure that any user-controlled input is properly sanitized or escaped before being included in the HTTP response. In this case, we can use the html.EscapeString function from the html package to escape any potentially dangerous characters in the githubReqID before including it in the resp.body.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@X-Guardian @github-advanced-security
Fix code scanning alert no. 12: Reflected cross-site scripting
36c02a2 
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Simon Heather <[email protected]>
@X-Guardian X-Guardian changed the title Fix code scanning alert no. 12: Reflected cross-site scripting fix: code scanning alert no. 12: Reflected cross-site scripting Nov 7, 2024
@X-Guardian X-Guardian marked this pull request as ready for review November 7, 2024 23:50
@X-Guardian X-Guardian requested review from a team as code owners November 7, 2024 23:50
@X-Guardian X-Guardian requested review from chenrui333, lukemassa and nitrocode and removed request for a team November 7, 2024 23:50
@github-actions github-actions bot added the go Pull requests that update Go code label Nov 7, 2024
@dosubot dosubot bot added the security label Nov 7, 2024
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Nov 8, 2024
@jamengual jamengual merged commit aedc1b0 into main Nov 8, 2024
53 of 54 checks passed
@jamengual jamengual deleted the alert-autofix-12 branch November 8, 2024 00:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jamengual jamengual jamengual approved these changes

@chenrui333 chenrui333 Awaiting requested review from chenrui333 chenrui333 is a code owner automatically assigned from runatlantis/maintainers

@lukemassa lukemassa Awaiting requested review from lukemassa lukemassa is a code owner automatically assigned from runatlantis/core-contributors

@nitrocode nitrocode Awaiting requested review from nitrocode nitrocode is a code owner automatically assigned from runatlantis/core-contributors

Assignees
No one assigned
Labels
go Pull requests that update Go code lgtm This PR has been approved by a maintainer security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@X-Guardian @jamengual