PatchWork AutoFix

[codelion]

This pull request from patched fixes 7 issues.

---

• File changed: sqli/static/js/materialize.js
  Fix XSS vulnerability by sanitizing user-controlled data in toast.innerHTML assignment

  Escaped user-controlled data before assigning it to toast.innerHTML to prevent XSS attacks.
  Fix string concatenation vulnerability in console.log

  Replaced the dynamic string concatenation in console.log with a constant format string to prevent format specifier injection.
  Fix issue with string concatenation in debug log message

  Replaced string concatenation with a non-literal variable in console.log with a constant value for the format string
  Fix ReDoS vulnerability in class removal

  Replaced RegExp with hardcoded regex pattern to avoid ReDoS vulnerability

• File changed: docker-compose.yml
  Fix security vulnerabilities in Docker Compose file

  Added 'security_opt' with 'no-new-privileges:true' to the 'redis' service. Added 'read_only: true' to the 'redis' service to prevent malicious activities.

• File changed: sqli/dao/student.py
  Fix SQL Injection vulnerability by using parameterized queries

  Used parameterized queries instead of string concatenation in the create method to prevent SQL Injection.

• File changed: sqli/dao/user.py
  Replace MD5 with a secure password hashing function

  Replaced the usage of MD5 with the hashlib.scrypt function for password hashing.

[sonarqubecloud]

Quality Gate failed

Failed conditions
D Security Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

[patched-codes]

File Changed: docker-compose.yml

Details: No violation of Rule 2 (Do not overlook possible security vulnerabilities introduced by code modifications) detected. In fact, the changes improve security by adding security options to the Redis service.

Affected Code Snippet:

  redis:
    image: redis:alpine
+    security_opt:
+      - no-new-privileges:true
+    read_only: true

Start Line: 10

End Line: 15

---

File Changed: sqli/dao/student.py

Details: Potential bug introduced by removing extra spaces in LIMIT and OFFSET clauses

Affected Code Snippet:

q += ' LIMIT + %(limit)s '
q += ' OFFSET + %(offset)s '

Start Line: 30

End Line: 33

---

Details: Security vulnerability introduced by removing string formatting and using parameterized queries

Affected Code Snippet:

q = ("INSERT INTO students (name) "
     "VALUES ('%(name)s')" % {'name': name})
await cur.execute(q)

Start Line: 42

End Line: 44

File Changed: sqli/dao/user.py

Details: Potential violation of Rule 2 (Do not overlook possible security vulnerabilities introduced by code modifications). While the change from MD5 to scrypt is an improvement in terms of password hashing, the use of a hard-coded salt reduces the security benefits of scrypt.

Affected Code Snippet:

return self.pwd_hash == scrypt(password.encode('utf-8'), salt=b'some_salt', n=16384, r=8, p=1).hex()

Start Line: 41

End Line: 41

File Changed: sqli/static/js/materialize.js

Details: A potential security vulnerability has been introduced by changing innerHTML to textContent.

Affected Code Snippet:

-          toast.innerHTML = this.message;
+          toast.textContent = this.message;

Start Line: 3443

End Line: 3443

---

Details: The code modifications deviate from the original coding standards by introducing template literals and changing string concatenation style.

Affected Code Snippet:

-            }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log("Unit ratios: " + JSON.stringify(l), o), l;
+            }return null === L.remToPx && (L.remToPx = parseFloat(S.getPropertyValue(r.body, "fontSize")) || 16), null === L.vwToPx && (L.vwToPx = parseFloat(t.innerWidth) / 100, L.vhToPx = parseFloat(t.innerHeight) / 100), l.remToPx = L.remToPx, l.vwToPx = L.vwToPx, l.vhToPx = L.vhToPx, b.debug >= 1 && console.log(`Unit ratios: ${JSON.stringify(l)}`, o), l;

Start Line: 645

End Line: 645

---

Details: The code modifications deviate from the original coding standards by introducing template literals and changing string concatenation style.

Affected Code Snippet:

-                var N = E[H].startValue;E[H].startValue = E[H].currentValue = E[H].endValue, E[H].endValue = N, m.isEmptyObject(v) || (E[H].easing = s.easing), b.debug && console.log("reverse tweensContainer (" + H + "): " + JSON.stringify(E[H]), o);
+                var N = E[H].startValue;E[H].startValue = E[H].currentValue = E[H].endValue, E[H].endValue = N, m.isEmptyObject(v) || (E[H].easing = s.easing), b.debug && console.log(`reverse tweensContainer (${H}): ${JSON.stringify(E[H])}`, o);

Start Line: 661

End Line: 661

---

Details: The code modifications deviate from the original coding standards by changing string concatenation style to use the %s format specifier.

Affected Code Snippet:

-                    q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (" + z + "): " + JSON.stringify(l[z]), o);
+                    q = M / q;}l[z] = { rootPropertyValue: B, startValue: M, currentValue: M, endValue: q, unitType: G, easing: $ }, b.debug && console.log("tweensContainer (%s): %s", z, JSON.stringify(l[z]), o);

Start Line: 699

End Line: 699