PROD Release - Work Manager Security Issues (5442)

config/constants/development.js

@@ -51,7 +51,7 @@ module.exports = {
   // duration to show the prompt saying user will be logged out, before actually logging out the user
   IDLE_TIMEOUT_GRACE_MINUTES: 5,
   MULTI_ROUND_CHALLENGE_TEMPLATE_ID: 'd4201ca4-8437-4d63-9957-3f7708184b07',
-  UNIVERSAL_NAV_URL: '//uni-nav.topcoder-dev.com/v1/tc-universal-nav.js',
+  UNIVERSAL_NAV_URL: 'https://uni-nav.topcoder-dev.com/v1/tc-universal-nav.js',
   HEADER_AUTH_URLS_HREF: `https://accounts-auth0.${DOMAIN}?utm_source=community-app-main`,
   HEADER_AUTH_URLS_LOCATION: `https://accounts-auth0.${DOMAIN}?retUrl=%S&utm_source=community-app-main`,
   SKILLS_V5_API_URL: `${API_V5}/standardized-skills/skills/autocomplete`,

config/constants/production.js

@@ -48,7 +48,7 @@ module.exports = {
   IDLE_TIMEOUT_MINUTES: 10,
   IDLE_TIMEOUT_GRACE_MINUTES: 5,
   MULTI_ROUND_CHALLENGE_TEMPLATE_ID: 'd4201ca4-8437-4d63-9957-3f7708184b07',
-  UNIVERSAL_NAV_URL: '//uni-nav.topcoder.com/v1/tc-universal-nav.js',
+  UNIVERSAL_NAV_URL: 'https://uni-nav.topcoder.com/v1/tc-universal-nav.js',
   HEADER_AUTH_URLS_HREF: `https://accounts-auth0.${DOMAIN}?utm_source=community-app-main`,
   HEADER_AUTH_URLS_LOCATION: `https://accounts-auth0.${DOMAIN}?retUrl=%S&utm_source=community-app-main`,
   SKILLS_V5_API_URL: `${API_V5}/standardized-skills/skills/autocomplete`,

config/env.js

@@ -49,7 +49,7 @@ dotenvFiles.forEach(dotenvFile => {
 // Otherwise, we risk importing Node.js core modules into an app instead of Webpack shims.
 // https://github.com/facebook/create-react-app/issues/1023#issuecomment-265344421
 // We also resolve them to make sure all tools using them work consistently.
-const appDirectory = fs.realpathSync(process.cwd())
+const appDirectory = process.cwd()
 process.env.NODE_PATH = (process.env.NODE_PATH || '')
   .split(path.delimiter)
   .filter(folder => folder && !path.isAbsolute(folder))

config/paths.js

@@ -6,7 +6,7 @@ const url = require('url')
 
 // Make sure any symlinks in the project folder are resolved:
 // https://github.com/facebook/create-react-app/issues/637
-const appDirectory = fs.realpathSync(process.cwd())
+const appDirectory = process.cwd()
 const resolveApp = relativePath => path.resolve(appDirectory, relativePath)
 
 const envPublicUrl = process.env.PUBLIC_URL

config/webpack.config.js

@@ -27,9 +27,6 @@ const shouldUseSourceMap = process.env.GENERATE_SOURCEMAP !== 'false'
 // makes for a smoother build process.
 const shouldInlineRuntimeChunk = process.env.INLINE_RUNTIME_CHUNK !== 'false'
 
-// Check if TypeScript is setup
-const useTypeScript = fs.existsSync(paths.appTsConfig)
-
 // style files regexes
 const cssRegex = /\.css$/
 const cssModuleRegex = /\.module\.css$/
@@ -257,7 +254,7 @@ module.exports = function (webpackEnv) {
       // for React Native Web.
       extensions: paths.moduleFileExtensions
         .map(ext => `.${ext}`)
-        .filter(ext => useTypeScript || !ext.includes('ts')),
+        .filter(ext => !ext.includes('ts')),
       alias: {
         // Support React Native Web
         // https://www.smashingmagazine.com/2016/08/a-glimpse-into-the-future-with-react-native-for-web/

docker/Dockerfile

@@ -1,5 +1,6 @@
 # Use the base image with Node.js
 FROM node:12
+RUN useradd -m -s /bin/bash appuser
 ARG NODE_ENV
 ARG BABEL_ENV
 
@@ -18,6 +19,9 @@ COPY . /challenge-engine-ui
 # Set working directory for future use
 WORKDIR /challenge-engine-ui
 
+RUN chown -R appuser:appuser /challenge-engine-ui
+USER appuser
+
 # Install the dependencies from package.json
 RUN echo "NODE ENV in Docker: $NODE_ENV"
 RUN echo "BABEL ENV in Docker: $BABEL_ENV"

package.json

@@ -38,9 +38,9 @@
     "jwt-decode": "^2.2.0",
     "lodash": "^4.17.11",
     "mini-css-extract-plugin": "0.4.3",
-    "moment": "^2.24.0",
-    "moment-duration-format": "^2.2.2",
-    "moment-timezone": "^0.5.34",
+    "moment": "^2.29.4",
+    "moment-duration-format": "^2.3.2",
+    "moment-timezone": "^0.5.43",
     "node-sass": "^4.14.0",
     "normalize-text": "^2.4.1",
     "optimize-css-assets-webpack-plugin": "5.0.1",

scripts/build.js

@@ -28,7 +28,7 @@ const printBuildError = require('react-dev-utils/printBuildError')
 const measureFileSizesBeforeBuild =
   FileSizeReporter.measureFileSizesBeforeBuild
 const printFileSizesAfterBuild = FileSizeReporter.printFileSizesAfterBuild
-const useYarn = fs.existsSync(paths.yarnLockFile)
+const useYarn = false
 
 // These sizes are pretty large. We'll warn for bundles exceeding them.
 const WARN_AFTER_BUNDLE_GZIP_SIZE = 512 * 1024

scripts/start.js

@@ -32,7 +32,7 @@ const paths = require('../config/paths')
 const configFactory = require('../config/webpack.config')
 const createDevServerConfig = require('../config/webpackDevServer.config')
 
-const useYarn = fs.existsSync(paths.yarnLockFile)
+const useYarn = false
 const isInteractive = process.stdout.isTTY
 
 // Warn and crash if required files are missing

scripts/test.js

@@ -16,36 +16,16 @@ process.on('unhandledRejection', err => {
 require('../config/env')
 
 const jest = require('jest')
-const execSync = require('child_process').execSync
 let argv = process.argv.slice(2)
 
-function isInGitRepository () {
-  try {
-    execSync('git rev-parse --is-inside-work-tree', { stdio: 'ignore' })
-    return true
-  } catch (e) {
-    return false
-  }
-}
-
-function isInMercurialRepository () {
-  try {
-    execSync('hg --cwd . root', { stdio: 'ignore' })
-    return true
-  } catch (e) {
-    return false
-  }
-}
-
 // Watch unless on CI, in coverage mode, or explicitly running all tests
 if (
   !process.env.CI &&
   argv.indexOf('--coverage') === -1 &&
   argv.indexOf('--watchAll') === -1
 ) {
   // https://github.com/facebook/create-react-app/issues/5210
-  const hasSourceControl = isInGitRepository() || isInMercurialRepository()
-  argv.push(hasSourceControl ? '--watch' : '--watchAll')
+  argv.push('--watchAll')
 }
 
 jest.run(argv)

src/components/ChallengeEditor/ChallengeView/index.js

@@ -4,7 +4,6 @@ import PropTypes from 'prop-types'
 import cn from 'classnames'
 import { withRouter } from 'react-router-dom'
 import styles from './ChallengeView.module.scss'
-import xss from 'xss'
 import Track from '../../Track'
 import NDAField from '../NDAField'
 import UseSchedulingAPIField from '../UseSchedulingAPIField'
@@ -18,7 +17,6 @@ import ChallengeTotalField from '../ChallengeTotal-Field'
 import Loader from '../../Loader'
 import AssignedMemberField from '../AssignedMember-Field'
 import { getResourceRoleByName } from '../../../util/tc'
-import { isBetaMode } from '../../../util/cookie'
 import { loadGroupDetails } from '../../../actions/challenges'
 import {
   REVIEW_TYPES,
@@ -29,6 +27,7 @@ import {
 } from '../../../config/constants'
 import PhaseInput from '../../PhaseInput'
 import CheckpointPrizesField from '../CheckpointPrizes-Field'
+import { isBetaMode } from '../../../util/localstorage'
 
 const ChallengeView = ({
   projectDetail,
@@ -114,10 +113,7 @@ const ChallengeView = ({
             <div className={cn(styles.row, styles.topRow)}>
               <div className={styles.col}>
                 <span>
-                  <span className={styles.fieldTitle}>Project:</span>
-                  <span dangerouslySetInnerHTML={{
-                    __html: xss(projectDetail ? projectDetail.name : '')
-                  }} />
+                  <span className={styles.fieldTitle}>Project: {projectDetail ? projectDetail.name : ''}</span>
                 </span>
               </div>
               {selectedMilestone &&

src/components/ChallengeEditor/index.js

@@ -8,8 +8,6 @@ import moment from 'moment-timezone'
 import { pick } from 'lodash/fp'
 import { withRouter } from 'react-router-dom'
 import { toastr } from 'react-redux-toastr'
-import xss from 'xss'
-
 import {
   VALIDATION_VALUE_TYPE,
   PRIZE_SETS_TYPE,
@@ -69,11 +67,11 @@ import Tooltip from '../Tooltip'
 import CancelDropDown from './Cancel-Dropdown'
 import UseSchedulingAPIField from './UseSchedulingAPIField'
 
-import { isBetaMode } from '../../util/cookie'
 import MilestoneField from './Milestone-Field'
 import DiscussionField from './Discussion-Field'
 import CheckpointPrizesField from './CheckpointPrizes-Field'
 import { canChangeDuration } from '../../util/phase'
+import { isBetaMode } from '../../util/localstorage'
 
 const theme = {
   container: styles.modalContainer
@@ -1704,10 +1702,7 @@ class ChallengeEditor extends Component {
             <div className={cn(styles.row, styles.topRow)}>
               <div className={styles.col}>
                 <span>
-                  <span className={styles.fieldTitle}>Project:</span>
-                  <span dangerouslySetInnerHTML={{
-                    __html: xss(projectDetail ? projectDetail.name : '')
-                  }} />
+                  <span className={styles.fieldTitle}>Project: {projectDetail ? projectDetail.name : ''}</span>
                 </span>
               </div>
               <div className={styles.col}>

src/components/ChallengesComponent/index.js

@@ -10,7 +10,6 @@ import { CONNECT_APP_URL, PROJECT_ROLES } from '../../config/constants'
 import { PrimaryButton } from '../Buttons'
 import ChallengeList from './ChallengeList'
 import styles from './ChallengesComponent.module.scss'
-import xss from 'xss'
 import { checkReadOnlyRoles } from '../../util/tc'
 
 const ChallengesComponent = ({
@@ -61,12 +60,9 @@ const ChallengesComponent = ({
       <Helmet title={activeProject ? activeProject.name : ''} />
       {!dashboard && <div className={styles.titleContainer}>
         <div className={styles.titleLinks}>
-          <div
-            className={styles.title}
-            dangerouslySetInnerHTML={{
-              __html: xss(activeProject ? activeProject.name : '')
-            }}
-          />
+          <div className={styles.title}>
+            {activeProject ? activeProject.name : ''}
+          </div>
           {activeProject && activeProject.id && (
             <span>
               (

src/components/ProjectCard/index.js

@@ -2,7 +2,6 @@ import React from 'react'
 import PT from 'prop-types'
 import { Link } from 'react-router-dom'
 import cn from 'classnames'
-import xss from 'xss'
 
 import styles from './ProjectCard.module.scss'
 
@@ -14,7 +13,7 @@ const ProjectCard = ({ projectName, projectId, selected, setActiveProject }) =>
         className={cn(styles.projectName, { [styles.selected]: selected })}
         onClick={() => setActiveProject(parseInt(projectId))}
       >
-        <div className={styles.name} dangerouslySetInnerHTML={{ __html: xss(projectName) }} />
+        <div className={styles.name}>{projectName}</div>
       </Link>
     </div>
   )

src/config/constants.js

@@ -19,7 +19,6 @@ export const {
   CP_TRACK_ID,
   CHALLENGE_TYPE_ID,
   MARATHON_TYPE_ID,
-  SEGMENT_API_KEY,
   MULTI_ROUND_CHALLENGE_TEMPLATE_ID,
   UNIVERSAL_NAV_URL,
   HEADER_AUTH_URLS_HREF,

src/index.js

@@ -6,41 +6,35 @@ import ReactDOM from 'react-dom'
 import './styles/main.scss'
 import 'react-redux-toastr/lib/css/react-redux-toastr.min.css'
 import App from './App'
-import { SEGMENT_API_KEY, UNIVERSAL_NAV_URL } from './config/constants'
+import { UNIVERSAL_NAV_URL } from './config/constants'
 
 ReactDOM.render(<App />, document.getElementById('root'))
 
-/* eslint-disable */
-if (!_.isEmpty(SEGMENT_API_KEY)) {
-    !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware"];analytics.factory=function(e){return function(){var t=Array.prototype.slice.call(arguments);t.unshift(e);analytics.push(t);return analytics}};for(var e=0;e<analytics.methods.length;e++){var t=analytics.methods[e];analytics[t]=analytics.factory(t)}analytics.load=function(e,t){var n=document.createElement("script");n.type="text/javascript";n.async=!0;n.src="https://cdn.segment.com/analytics.js/v1/"+e+"/analytics.min.js";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(n,a);analytics._loadOptions=t};analytics.SNIPPET_VERSION="4.1.0";
-    analytics.load(SEGMENT_API_KEY);
-    analytics.page();
-    }}();
-}
-/* eslint-enable */
-
 // <!-- Start of topcoder Topcoder Universal Navigation script -->
-// eslint-disable-next-line no-unused-expressions
-!(function (n, t, e, a, c, i, o) {
-// eslint-disable-next-line no-unused-expressions, no-sequences
-  ;(n['TcUnivNavConfig'] = c),
-  (n[c] =
-    n[c] ||
-    function () {
-      ;(n[c].q = n[c].q || []).push(arguments)
-    }),
-  (n[c].l = 1 * new Date())
+// SAST/open-redirect handling: make sure script hostname matches what we expect
+if ((new URL(UNIVERSAL_NAV_URL)).hostname.match(/uni-nav\.topcoder(-dev)?\.com$/i)) {
+  // eslint-disable-next-line no-unused-expressions
+  !(function (n, t, e, a, c, i, o) {
   // eslint-disable-next-line no-unused-expressions, no-sequences
-  ;(i = t.createElement(e)), (o = t.getElementsByTagName(e)[0])
-  i.async = 1
-  i.type = 'module'
-  i.src = a
-  o.parentNode.insertBefore(i, o)
-})(
-  window,
-  document,
-  'script',
-  UNIVERSAL_NAV_URL,
-  'tcUniNav'
-)
+    ;(n['TcUnivNavConfig'] = c),
+    (n[c] =
+      n[c] ||
+      function () {
+        ;(n[c].q = n[c].q || []).push(arguments)
+      }),
+    (n[c].l = 1 * new Date())
+    // eslint-disable-next-line no-unused-expressions, no-sequences
+    ;(i = t.createElement(e)), (o = t.getElementsByTagName(e)[0])
+    i.async = 1
+    i.type = 'module'
+    i.src = a
+    o.parentNode.insertBefore(i, o)
+  })(
+    window,
+    document,
+    'script',
+    UNIVERSAL_NAV_URL,
+    'tcUniNav'
+  )
+}
 // <!-- End of topcoder Topcoder Universal Navigation script -->

src/routes.js

@@ -17,11 +17,11 @@ import { saveToken } from './actions/auth'
 import { loadChallengeDetails } from './actions/challenges'
 import { connect } from 'react-redux'
 import { checkAllowedRoles, checkOnlyReadOnlyRoles, checkReadOnlyRoles } from './util/tc'
-import { setCookie, removeCookie, isBetaMode } from './util/cookie'
 import IdleTimer from 'react-idle-timer'
 import modalStyles from './styles/modal.module.scss'
 import ConfirmationModal from './components/Modal/ConfirmationModal'
 import Users from './containers/Users'
+import { isBetaMode, removeFromLocalStorage, saveToLocalStorage } from './util/localstorage'
 
 const { ACCOUNTS_APP_LOGIN_URL, IDLE_TIMEOUT_MINUTES, IDLE_TIMEOUT_GRACE_MINUTES, COMMUNITY_APP_URL } = process.env
 
@@ -94,9 +94,9 @@ class Routes extends React.Component {
     getFreshToken().then((token) => {
       this.props.saveToken(token)
     }).catch((error) => {
-      console.error(error)
-      const redirectBackToUrl = window.location.origin + this.props.location.pathname
-      window.location = ACCOUNTS_APP_LOGIN_URL + '?retUrl=' + redirectBackToUrl
+      console.error(error.message)
+      const redirectBackToUrl = encodeURIComponent(window.location.origin + this.props.location.pathname)
+      window.location = `${ACCOUNTS_APP_LOGIN_URL}?retUrl=${redirectBackToUrl}`
     })
   }
 
@@ -105,9 +105,9 @@ class Routes extends React.Component {
     const params = new URLSearchParams(search)
     if (!_.isEmpty(params.get('beta'))) {
       if (params.get('beta') === 'true' && !isBetaMode()) {
-        setCookie(BETA_MODE_COOKIE_TAG, 'true')
+        saveToLocalStorage(BETA_MODE_COOKIE_TAG, 'true')
       } else if (params.get('beta') === 'false' && isBetaMode()) {
-        removeCookie(BETA_MODE_COOKIE_TAG)
+        removeFromLocalStorage(BETA_MODE_COOKIE_TAG)
       }
       this.props.history.push(this.props.location.pathname)
     }