Beta2 community Release [Beta2] 2024-07-01 #53

stepcellwolf · 2024-07-02T17:26:16Z

No description provided.

Signed-off-by: StepSecurity Bot <[email protected]>

gitguardian · 2024-08-25T19:51:07Z

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
12727652	Triggered	PostgreSQL Credentials	`32ad759`	Dockerfile	View secret

🛠 Guidelines to remediate hardcoded secrets

Understand the implications of revoking this secret by investigating where it is used in your code.
Replace and store your secret safely. Learn here the best practices.
Revoke and rotate this secret.
If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

following these best practices for managing and storing secrets including API keys and other credentials
install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

…n_1721745950 [StepSecurity] Apply security best practices

github-advanced-security · 2025-07-23T12:41:48Z

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

components/interfaces/CSC/issue_panel/ControlBlock.tsx

+    const response = await axios.put(`/api/teams/${slug}/csc`, {
+      control,
+      value,
+    });


To fix the SSRF vulnerability, the slug value should be validated or restricted before being used in the URL. The best approach is to use an allow-list (whitelist) of acceptable slug values, ensuring that only predefined, trusted values can be used. This prevents attackers from injecting arbitrary or malicious values.

Steps to fix:

Define an allow-list of valid slug values that the application expects.

Validate the slug value against the allow-list before constructing the URL.

If the slug value is not valid, handle the error gracefully (e.g., return an error response or log the issue).

components/interfaces/CSC/issue_panel/CscPanel.tsx

+        response = await axios.put(
+          `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
+          {
+            controls: [newControl],
+            operation: 'add',
+            ISO,
+          }
+        );


To fix the SSRF vulnerability, we need to ensure that the slug value is validated against a trusted allow-list or sanitized before being used in the URL. This will prevent attackers from injecting malicious values into the URL.

The best approach is to:

Define a trusted allow-list of valid slug values.

Validate the slug value against this allow-list before using it in the URL.

If the slug value is invalid, handle the error gracefully (e.g., show an error message or redirect the user).

The changes will be made in the CscPanel component, specifically in the controlHanlder and deleteControls functions where the slug value is used.

components/interfaces/CSC/issue_panel/CscPanel.tsx

+        response = await axios.put(
+          `/api/teams/${slug}/tasks/${task.taskNumber}/csc`,
+          {
+            controls: [oldControl, newControl],
+            operation: 'change',
+            ISO,
+          }
+        );


To fix the SSRF vulnerability, we need to ensure that the slug value is validated against a predefined allowlist of acceptable values before it is used in the URL. This approach ensures that only trusted and expected values are used, preventing attackers from injecting malicious input.

Steps to implement the fix:

Define an allowlist of valid slug values that the application expects.

Validate the slug value against this allowlist before using it in the URL.

If the slug value is not valid, handle the error gracefully (e.g., show an error message or redirect the user).

components/interfaces/RPA/CreateRPA.tsx

+        const response = await axios.post<ApiResponse<Task>>(
+          `/api/teams/${slug}/tasks/${task.taskNumber}/rpa`,
+          {
+            prevProcedure: prevProcedure,
+            nextProcedure: procedure,
+          }
+        );


To fix the SSRF vulnerability, we need to ensure that the slug value is validated against a predefined allow-list of acceptable values before it is used in the URL. This approach ensures that only known and trusted values can be used, preventing attackers from injecting malicious input.

Steps to fix:

Define an allow-list of valid slug values. This could be a hardcoded array or fetched from a trusted source.

Validate the slug value against the allow-list before constructing the URL.

If the slug value is invalid, handle the error gracefully (e.g., show an error message or redirect the user).

components/interfaces/RPA/DashboardCreateRPA.tsx

+        const response = await axios.post<ApiResponse<Task>>(
+          `/api/teams/${slug}/tasks/${task.taskNumber}/rpa`,
+          {
+            prevProcedure: prevProcedure,
+            nextProcedure: procedure,
+          }
+        );


To fix the SSRF vulnerability, we need to ensure that the slug value is validated against a predefined allow-list of acceptable values before it is used in the URL. This approach ensures that only known and trusted values are allowed, preventing attackers from injecting malicious input.

Steps to fix:

Define an allow-list of valid slug values. This could be a hardcoded list or dynamically fetched from a trusted source.

Validate the slug value against the allow-list before using it in the URL.

If the slug value is invalid, handle the error gracefully (e.g., show an error message or redirect the user).

components/interfaces/Task/Comments.tsx

+      const response = await axios.put<ApiResponse<unknown>>(
+        `/api/teams/${slug}/tasks/${taskNumber}/comments`,
+        {
+          id,
+          text,
+        }
+      );


To fix the issue, we need to ensure that the slug and taskNumber values are validated before being used in the URL. This can be achieved by implementing an allow-list for slug and ensuring taskNumber is a valid numeric value. The allow-list should contain predefined valid slug values that the application expects, and any unrecognized values should be rejected. This approach prevents attackers from injecting arbitrary values into the URL.

Changes to be made:

Introduce validation logic for slug and taskNumber before constructing the URL.

Reject or sanitize invalid values to prevent SSRF attacks.

components/interfaces/Task/Comments.tsx

+      const response = await axios.delete<ApiResponse<unknown>>(
+        `/api/teams/${slug}/tasks/${taskNumber}/comments`,
+        {
+          data: {
+            id,
+          },
+        }
+      );


To fix the issue, we need to validate and sanitize the slug and taskNumber values before using them to construct the URL. This can be achieved by:

Defining an allow-list of acceptable slug values and ensuring that the slug matches one of these values.

Validating that taskNumber is a numeric value, as it appears to represent a task identifier.

The fix will involve:

Adding validation logic for slug and taskNumber before constructing the URL.

Rejecting or handling invalid inputs gracefully to prevent SSRF vulnerabilities.

components/interfaces/Task/DeleteAttachment.tsx

+      const response = await axios.delete(
+        `/api/teams/${teamSlug}/tasks/${taskNumber}/attachments?id=${attachment.id}`
+      );


To fix the SSRF vulnerability, we need to validate or sanitize the user-provided values (taskNumber and teamSlug) before using them in the URL. The best approach is to use an allow-list of acceptable values for these parameters. This ensures that only known, trusted values are used in the request.

Steps to fix:

Introduce validation logic to check taskNumber and teamSlug against an allow-list or predefined set of acceptable values.

Reject or handle invalid values gracefully, preventing them from being used in the URL.

Apply this validation in the DeleteAttachment component before constructing the URL.

components/interfaces/Task/DeleteTask.tsx

+      const response = await axios.delete<ApiResponse<unknown>>(
+        `/api/teams/${slug}/tasks/${taskNumber}`
+      );


To fix the SSRF vulnerability, we need to validate or sanitize the slug value before using it in the URL. The best approach is to use an allow-list of valid slug values. This ensures that only predefined, trusted values can be used in the URL, effectively mitigating the risk of SSRF.

Steps to implement the fix:

Define an allow-list of valid slug values.

Check if the slug value from router.query is in the allow-list.

If the slug value is not valid, handle the error appropriately (e.g., show an error message or redirect the user).

Use the validated slug value in the URL.

pages/teams/[slug]/csc.tsx

+      const response = await axios.put(`/api/teams/${slug}/csc`, {
+        control,
+        value,
+      });


To fix the issue, we need to validate or sanitize the slug value before using it in the URL of the outgoing HTTP request. The best approach is to use an allow-list of valid slug values, ensuring that only known and trusted values are used. This prevents attackers from injecting malicious input into the URL.

Steps to implement the fix:

Define an allow-list of valid slug values, either as a hardcoded list or by fetching them from a trusted source (e.g., a database or configuration file).

Before making the HTTP request, check if the slug value is in the allow-list.

If the slug is not valid, handle the error gracefully (e.g., show an error message or redirect the user).

Veloti and others added 30 commits November 1, 2023 15:21

New logo

feb4080

CSC Iso sets

21ac597

added captain and dockerfile

9bed279

dev build

e187b7f

delete docker composer

3dbfe75

dockerfile changes

c03e124

change the package name

1d6d63e

test env

6377669

build

b68ce6b

change the port

0dea7a5

ISO default property hotfix

05631df

Merge

cb7fdfe

changes in package

ceae14a

latest tests and scripts running.

e973231

changed node version 18.18.2

e50f9e9

Dockerfile DATABASE_URL env

bc9f9c0

add var_name_here in dockerfile

812144e

add the env variable

a2ba8c1

manually add the env varialble

32ad759

prisma update

eaad669

Eslint rules off + type fixes

8ab9eca

Empty pages fix

87026ba

Eslint errors + types

35251bd

#15 BoxyHQ labels removed

c301228

#15 Bigger logo

c87d285

#16 Login logo png -> svg + bigger size

5c44849

test rpa not saved

94be0e5

prettier write

8e4796f

Dangerous: accept data loss on db push

39ba42f

test dev local db-dev

276ad1a

Veloti and others added 14 commits June 28, 2024 23:55

NIST CSF v2 for Ultimate plan

d463f67

added a data privacy overview header to dashboard

0bf7e90

add the Framework on header and change tickets -> task table

c961865

Formattion

d35fa6d

Test errors fixed

b7ee55b

add billing to docker file

dce6477

npm install --legacy-peer-deps -> dockerfile

303de26

Initial migration

de0650d

Billing email checking hotfix

a04cbb9

Subscription for existing team hotfix

dee8223

changes for the community edition

ae4cd9d

fix the links and shields in Readme

d580b8f

[StepSecurity] Apply security best practices

55b7c6c

Signed-off-by: StepSecurity Bot <[email protected]>

Update docker-compose.yml

c6cebb9

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 TeamNavigation selected tab hotfix

f3c7802

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 Open external links from sidebar in new tab

7daf469

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 Task tab responsiveness

93c243f

Veloti pushed a commit that referenced this pull request Feb 14, 2025

change the logos #53

a26cf67

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 #note_2324903141 Create Risk modal: save/next button fix

18b14c0

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 TIA Stage Tracker

7e15b2e

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 StageTracker dark theme color fixes

04760d8

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 dublicated StageTracker for RPA deleted

9f7f785

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 RM Task panel: % and text

560cfca

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 #note_2324894910 RM Analysis chart left borders removed

37fc1d9

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 Permissions for CSC, PIA, TIA, RPA, RM

6a0d94d

Veloti added a commit that referenced this pull request Feb 14, 2025

#53 #note_2325457084 PIA Analysis charts reorder

12f72c2

Merge pull request #54 from step-security-bot/stepsecurity_remediatio…

28810d2

…n_1721745950 [StepSecurity] Apply security best practices

github-advanced-security bot found potential problems Jul 23, 2025

View reviewed changes

@@ -50,2 +50,5 @@
+              const validSlugs = useMemo(() => ['team1', 'team2', 'team3'], []); // Define allow-list
+              const isValidSlug = validSlugs.includes(slug as string); // Validate slug
               const controlOptions = useMemo(() => getControlOptions(ISO), [ISO]);
@@ -56,2 +59,7 @@
               const statusHandler = useCallback(async (control: string, value: string) => {
+                if (!isValidSlug) {
+                  toast.error('Invalid team slug.');
+                  return;
+                }
                 const response = await axios.put(`/api/teams/${slug}/csc`, {
@@ -70,3 +78,3 @@
                 setStatuses(data.statuses);
-              }, []);
+              }, [isValidSlug]);

@@ -41,3 +41,5 @@
               const router = useRouter();
-              const { slug } = router.query;
+              const { slug: rawSlug } = router.query;
+              const allowedSlugs = ['team1', 'team2', 'team3']; // Example allow-list
+              const slug = allowedSlugs.includes(rawSlug) ? rawSlug : null;
@@ -63,2 +65,7 @@
               const deleteControls = useCallback(async () => {
+                if (!slug) {
+                  toast.error('Invalid team identifier.');
+                  return;
+                }
                 setIsDeleting(true);
@@ -93,2 +100,8 @@
                   if (oldControl === '') {
+                    if (!slug) {
+                      toast.error('Invalid team identifier.');
+                      setIsSaving(false);
+                      return;
+                    }
                     response = await axios.put(

@@ -42,2 +42,7 @@
               const { slug } = router.query;
+              const allowedSlugs = ['team1', 'team2', 'team3']; // Example allowlist
+              if (!allowedSlugs.includes(slug)) {
+                toast.error('Invalid team identifier.');
+                return;
+              }

@@ -29,2 +29,4 @@
               const { slug } = router.query;
+              const validSlugs = ['team1', 'team2', 'team3']; // Example allow-list of valid slugs
+              const validatedSlug = validSlugs.includes(slug) ? slug : null;
@@ -47,4 +49,10 @@
+                    if (!validatedSlug) {
+                      toast.error(t('invalid-slug'));
+                      setIsLoading(false);
+                      return;
+                    }
                     const response = await axios.post<ApiResponse<Task>>(
-                      `/api/teams/${slug}/tasks/${task.taskNumber}/rpa`,
+                      `/api/teams/${validatedSlug}/tasks/${task.taskNumber}/rpa`,
                       {

@@ -31,2 +31,7 @@
               const { slug } = router.query;
+              const validSlugs = ['team1', 'team2', 'team3']; // Example allow-list of valid slugs
+              if (!validSlugs.includes(slug)) {
+                toast.error(t('invalid-slug')); // Show an error message for invalid slugs
+                return;
+              }

@@ -29,2 +29,8 @@
               const { slug, taskNumber } = router.query;
+              const validSlugs = ['team1', 'team2', 'team3']; // Example allow-list
+              const sanitizedSlug = validSlugs.includes(slug) ? slug : null;
+              const sanitizedTaskNumber = /^\d+$/.test(taskNumber) ? taskNumber : null;
+              if (!sanitizedSlug || !sanitizedTaskNumber) {
+                throw new Error('Invalid slug or task number');
+              }
               const [commentToEdit, setCommentToEdit] = useState<number | null>(null);
@@ -72,3 +78,3 @@
                   const response = await axios.put<ApiResponse<unknown>>(
-                    `/api/teams/${slug}/tasks/${taskNumber}/comments`,
+                    `/api/teams/${sanitizedSlug}/tasks/${sanitizedTaskNumber}/comments`,
                     {

@@ -28,3 +28,10 @@
               const router = useRouter();
-              const { slug, taskNumber } = router.query;
+              const { slug: rawSlug, taskNumber: rawTaskNumber } = router.query;
+              const allowedSlugs = ['team1', 'team2', 'team3']; // Example allow-list
+              const slug = typeof rawSlug === 'string' && allowedSlugs.includes(rawSlug) ? rawSlug : null;
+              const taskNumber = typeof rawTaskNumber === 'string' && /^\d+$/.test(rawTaskNumber) ? rawTaskNumber : null;
+              if (!slug || !taskNumber) {
+                toast.error('Invalid task or team identifier.');
+                return;
+              }
               const [commentToEdit, setCommentToEdit] = useState<number | null>(null);

@@ -32,2 +32,11 @@
+                  const allowedTeamSlugs = ['team1', 'team2', 'team3']; // Example allow-list
+                  const allowedTaskNumbers = ['123', '456', '789']; // Example allow-list
+                  if (!allowedTeamSlugs.includes(teamSlug) || !allowedTaskNumbers.includes(taskNumber)) {
+                    toast.error('Invalid team or task number.');
+                    setIsLoading(false);
+                    return;
+                  }
                   const response = await axios.delete(

Uh oh!

Beta2 community Release [Beta2] 2024-07-01 #53

Are you sure you want to change the base?

Beta2 community Release [Beta2] 2024-07-01 #53

Uh oh!

Conversation

stepcellwolf commented Jul 2, 2024

Uh oh!

gitguardian bot commented Aug 25, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Uh oh!

github-advanced-security bot commented Jul 23, 2025

Uh oh!

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Check failure

Uh oh!

Uh oh!

Copilot Autofix

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

gitguardian bot commented Aug 25, 2024 •

edited

Loading