Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #334

Open
JennaySDavis opened this issue Sep 18, 2024 · 2 comments

Comments

@JennaySDavis (Contributor)

No description provided.

@JennaySDavis (Contributor, Author)

334 Acceptance Criteria

| Pass/Fail | Description |
|-----------|-------------|
| Pass | Full Regression Testing of 889 Tool |

Comments/Additional Notes: N/A

ADA Compliance (Automated scan via Chrome Lighthouse)

| Criteria | Score |
|----------|-------|
| Performance | 95* |
| Accessibility | 100 |
| Best Practices | 100 |

*Performance score is lower due to third-party integration with Google

Passed 10/15/2024 - JSD

felder101 added a commit that referenced this issue Oct 17, 2024
Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #334
Dependabot Alert: Vite's server.fs.deny is bypassed when using ?import&raw #335
@johnbeallgsa

Thanks for explaining on the demo, I am moving to Done.

felder101 added a commit that referenced this issue Oct 18, 2024
Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #334
Dependabot Alert: Vite's server.fs.deny is bypassed when using ?import&raw #335
felder101 added a commit that referenced this issue Nov 19, 2024
* Gsa/staging/production release (#148)

* Bump get-func-name from 2.0.0 to 2.0.2 in /front-end

Bumps [get-func-name](https://github.com/chaijs/get-func-name) from 2.0.0 to 2.0.2.
- [Release notes](https://github.com/chaijs/get-func-name/releases)
- [Commits](https://github.com/chaijs/get-func-name/commits/v2.0.2)

---
updated-dependencies:
- dependency-name: get-func-name
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump @vue/eslint-config-prettier from 7.1.0 to 8.0.0 in /front-end

Bumps [@vue/eslint-config-prettier](https://github.com/vuejs/eslint-config-prettier) from 7.1.0 to 8.0.0.
- [Release notes](https://github.com/vuejs/eslint-config-prettier/releases)
- [Changelog](https://github.com/vuejs/eslint-config-prettier/blob/main/CHANGELOG.md)
- [Commits](vuejs/eslint-config-prettier@v7.1.0...v8.0.0)

---
updated-dependencies:
- dependency-name: "@vue/eslint-config-prettier"
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump eslint-plugin-vue from 9.16.1 to 9.17.0 in /front-end

Bumps [eslint-plugin-vue](https://github.com/vuejs/eslint-plugin-vue) from 9.16.1 to 9.17.0.
- [Release notes](https://github.com/vuejs/eslint-plugin-vue/releases)
- [Commits](vuejs/eslint-plugin-vue@v9.16.1...v9.17.0)

---
updated-dependencies:
- dependency-name: eslint-plugin-vue
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump wheel from 0.41.1 to 0.41.2

Bumps [wheel](https://github.com/pypa/wheel) from 0.41.1 to 0.41.2.
- [Changelog](https://github.com/pypa/wheel/blob/main/docs/news.rst)
- [Commits](pypa/wheel@0.41.1...0.41.2)

---
updated-dependencies:
- dependency-name: wheel
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump @rushstack/eslint-patch from 1.3.2 to 1.5.1 in /front-end

Bumps [@rushstack/eslint-patch](https://github.com/microsoft/rushstack/tree/HEAD/eslint/eslint-patch) from 1.3.2 to 1.5.1.
- [Changelog](https://github.com/microsoft/rushstack/blob/main/eslint/eslint-patch/CHANGELOG.md)
- [Commits](https://github.com/microsoft/rushstack/commits/@rushstack/eslint-patch_v1.5.1/eslint/eslint-patch)

---
updated-dependencies:
- dependency-name: "@rushstack/eslint-patch"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* Bump @cypress/request and cypress in /front-end

Bumps [@cypress/request](https://github.com/cypress-io/request) to 3.0.1 and updates ancestor dependency [cypress](https://github.com/cypress-io/cypress). These dependencies need to be updated together.


Updates `@cypress/request` from 2.88.12 to 3.0.1
- [Release notes](https://github.com/cypress-io/request/releases)
- [Changelog](https://github.com/cypress-io/request/blob/master/CHANGELOG.md)
- [Commits](cypress-io/request@v2.88.12...v3.0.1)

Updates `cypress` from 12.17.3 to 13.2.0
- [Release notes](https://github.com/cypress-io/cypress/releases)
- [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md)
- [Commits](cypress-io/cypress@v12.17.3...v13.2.0)

---
updated-dependencies:
- dependency-name: "@cypress/request"
  dependency-type: indirect
- dependency-name: cypress
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>

* Updating build and run scripts

In part, the new top-level `npm run dev` command will run both the
backend and the frontend together.

* Updating .nvmrc

* Further updates to package build, run, and test scripts

* Updating README python instructions

Minor errors fixed

* Updating lint config

`npm run lint` should now work correctly, with some initial settings
for Vue

* Undo linting changes

* Updating eslint config to specify JS files as modules

* Update README.md

* Update README.md

* Bump eslint from 8.47.0 to 8.51.0 in /front-end

Bumps [eslint](https://github.com/eslint/eslint) from 8.47.0 to 8.51.0.
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v8.47.0...v8.51.0)

---
updated-dependencies:
- dependency-name: eslint
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* update eslint to fix version conflict with prettier. Fix various linting errors

* add test coverage check

* revert prettier formatting from uswds files

* remove coverage-c8 dependency

* add workflow for front-end tests

* make test for date use UTC explicitly

* make utc explicit in date formatting

* use recommended eslint settings from Eric - thank you - and fix additional linter warnings

* merge

* Combining READMEs

* Removing flaky test suite

* Fixing typo

* Adding top-level links to jump straight to instructions

Lets devs jump right to what they probably care about most at first

* Updating SAM key link

* Adding note about e2e tests

* Updated uswds version from 3.6.0 to 3.6.1

* Updated footer based on Issue 123.

Added NASA logo to the project to display in the footer.

* Updated footer css layout for responsiveness

* Updated footer logo placement on mobile.
Fixed footer broken unit test.

* Updated footer format to support mobile.
Override uswds default settings to allow more flex options.

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Mark Meyer <[email protected]>
Co-authored-by: eric-gade <[email protected]>
Co-authored-by: Eric Gade <[email protected]>
Co-authored-by: Tim Hollosy <[email protected]>

* Gsa/issue 166/alert banner (#168)

* Added alert to home page to notify user possible issues with the search tool.

* Updated alert language based client feedback.

* Updated the alert message for search issue.

* Gsa/release/staging (#171)

* Updated uswds version from 3.6.1 to 3.7.1 (#164)

---------

Co-authored-by: Mark Meyer <[email protected]>
Co-authored-by: eric-gade <[email protected]>
Co-authored-by: Eric Gade <[email protected]>
Co-authored-by: Tim Hollosy <[email protected]>

* Addressed various dependency vulnerabilities in front-end and back-end that were flagged by dependabot. (#189)

* Sprint 25 (#201)

Issue #190 Dependabot Alert: FastAPI Content-Type Header ReDoS

* Production Release (#207)

Sprint 26 Changes:
Issue #200 889 Footer Identifier Update to include Domain

* Production Release (#211)

Includes the following issue(s):
Issue #203 Update USWDS from 3.71 to 3.8 | 889 Tool

* Production Release (#223)

Includes the following issues:

Issue #218 Dependabot Alert: Request smuggling leading to endpoint restriction bypass in Gunicorn

* Production Release (#249)

Sprint 32 Issues:

Update USWDS from 3.8 to 3.8.1 | 889 Tool #237
Dependabot Alert: Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain #228
Dependabot Alert: follow-redirects' Proxy-Authorization header kept across hosts #208

* Production Release (#259)

Sprint 33 include(s) the following issues:

Improve performance by adding explicit height and width to image elements #146
Interactive elements indicate their purpose and state #185

* Production Release (#277)

Includes Sprint 34 and 35 issues.

Implement the Link Checker on the 889 Tool #151
Research Issues found with Lighthouse #162
Research Issues found with Lighthouse and address if applicable #269
Dependabot Alert: WS Affected by a DoS When Handling a Request with many HTTP Headers #261

* Spell out FOUO (#284)
remove banner. (#285)

* Update to the latest version of USWDS 3.8.2 | 889 Tool #299
Dependabot Alert: Axios Cross-Site Request Forgery #278

* Production Release (#336)

* Commit includes the following:

Add Expiration Date field to the Search Results Information Displayed on the Results Screen #318
Dependabot Alert: Regular Expression Denial of Service (ReDoS) in micromatch #319

* Update packages.

* Production Release (#352)

Issue #333 Dependabot Alert: path-to-regexp outputs backtracking regular expressions
Issue #332 Dependabot Alert: DOMPurify allows tampering by prototype pollution
Issue #346 Research SAM.gov to determine why vendors/contractors marked to be shared are not appearing in the 889 Tool
Issue #327 Bug: Accessibility Issue; Lists do not contain only <li> elements and script supporting elements (<script> and <template>)

* Production Release (Sprint 41) (#361)

Dependabot Alert: Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS #334
Dependabot Alert: Vite's server.fs.deny is bypassed when using ?import&raw #335

* Sprint 42 (#372)

* Merged staging into main (#379)

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Mark Meyer <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: eric-gade <[email protected]>
Co-authored-by: Eric Gade <[email protected]>
Co-authored-by: Tim Hollosy <[email protected]>
Co-authored-by: John Labbate <[email protected]>
Co-authored-by: John Labbate <[email protected]>