gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-08 15:18:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(bundle-8): Frontend Hardening — 2 audit findings closed + 3 partial

Browse Source 
Closes Audit-2026-04-25 L-015 (Low) and L-019 (Low) — both
verified-already-clean at HEAD; new CI regression guards prevent
regression. Partial closures for M-009, M-010, M-026 — Bundle 8 ships
the helpers + contract tests + a soft CI budget guard, defers the
long-tail per-page migrations to a new tracker ID M-029.

What changed
- web/src/utils/safeHtml.ts (NEW) — sanitizeHtml() chokepoint for
  any future code that genuinely needs dangerouslySetInnerHTML.
  Bundle-8 placeholder body throws — DOMPurify dependency is the
  activation procedure documented in the file header.
- web/src/components/ExternalLink.tsx (NEW) — single chokepoint for
  target="_blank" anchors. Hardcodes rel="noopener noreferrer".
- web/src/hooks/useListParams.ts (NEW) — URL-state hook for filter /
  sort / pagination state on list pages. Canonicalises the existing
  DashboardPage useSearchParams pattern. Per-page migrations of the
  ~14 remaining list pages tracked as M-029.
- web/src/hooks/useTrackedMutation.ts (NEW) — useMutation wrapper
  enforcing the M-009 invalidation contract via discriminated-union
  type: caller MUST declare invalidates: QueryKey[] OR
  invalidates: 'noop' + noopReason: string.
- 4 new Vitest test files — full unit coverage for ExternalLink
  (target/rel preservation), safeHtml (placeholder throws + activation
  hint), useListParams (URL contract / defaults / filter-resets-page),
  useTrackedMutation (invalidate-then-onSuccess / noop variant).
- .github/workflows/ci.yml — three new regression guards:
    Bundle-8 / L-015: greps for any target="_blank" outside ExternalLink
      that lacks rel="noopener noreferrer"; clean at HEAD.
    Bundle-8 / L-019: greps for any dangerouslySetInnerHTML outside
      safeHtml.ts; clean at HEAD (0 sites).
    Bundle-8 / M-009: SOFT budget guard — useMutation sites must not
      exceed invalidation sites + 5. At HEAD: 61 mutations vs 82
      invalidations + 5 = 87 budget. Stricter per-site enforcement
      tracked as M-029.

Verification at HEAD
- web/src/ target=_blank sites: 3 (all in OnboardingWizard.tsx)
  — all three already carry rel="noopener noreferrer". L-015 closed.
- web/src/ dangerouslySetInnerHTML sites: 0. L-019 closed.
- useMutation sites: 61 / invalidateQueries: 82 (M-009 budget healthy)

Per-finding mapping
- L-015 closed (CWE-1022) — verified-already-clean + ExternalLink
  component + CI grep guard.
- L-019 closed (CWE-79) — verified-already-clean + safeHtml chokepoint
  + CI grep guard.
- M-009 partial — useTrackedMutation wrapper authored; soft CI budget
  guard. Migrating the 56 existing useMutation sites to the wrapper
  tracked as M-029.
- M-010 partial — useListParams hook authored + tested. Per-page
  migration of the ~14 list pages tracked as M-029.
- M-026 partial — bundle-prompt called for XSS-hardening tests on the
  T-1 deferred allowlist of 14 pages. Bundle 8 ships the testing
  pattern via the new helpers but does NOT execute the per-page
  migrations — tracked as M-029.

NOT addressed in this bundle (deferred to M-029)
- Migrating existing 56 useMutation sites to useTrackedMutation
- Migrating ~14 list pages from local useState to useListParams
- Adding XSS-hardening tests to the 14 T-1-deferred pages

Verification
- npx tsc --noEmit                                     → clean
- npx vitest run on the 4 new Bundle-8 test files     → 15/15 pass
- L-015 grep guard simulation                          → clean
- L-019 grep guard simulation                          → clean
- M-009 budget simulation                              → 61 ≤ 87 (clean)
- go vet ./...                                         → clean (no backend changes)
- python3 yaml.safe_load(api/openapi.yaml)             → clean
- python3 yaml.safe_load(.github/workflows/ci.yml)     → clean

Backwards compatibility
- All 4 new helper files are additive; no existing call sites were
  modified. Existing list pages keep their useState pagination until
  M-029 ships per-page migrations.

Bundle 8 of the 2026-04-25 comprehensive audit. Per-page migration
backlog tracked as new audit finding M-029.
This commit is contained in:
Shankar
2026-04-26 15:10:32 +00:00
parent 221a1cf6ff
commit 6993e4484c
9 changed files with 613 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
web/src/components/ExternalLink.test.tsx
+32
View File
@@ -0,0 +1,32 @@
// Bundle-8 / Audit L-015 / CWE-1022:
// regression coverage for the ExternalLink component. Confirms the
// rel="noopener noreferrer" pair is hardcoded and the forwarded
// attributes survive — defends against a future "I'll just spread the
// rest props" refactor that accidentally lets the caller override `rel`.
import { describe, it, expect } from 'vitest';
import { render, screen } from '@testing-library/react';
import { ExternalLink } from './ExternalLink';
describe('ExternalLink — Bundle-8 / L-015', () => {
it('renders target=_blank with rel=noopener noreferrer', () => {
render(
<ExternalLink href="https://docs.example.com/setup">Setup guide</ExternalLink>,
);
const link = screen.getByRole('link', { name: 'Setup guide' });
expect(link.getAttribute('target')).toBe('_blank');
expect(link.getAttribute('rel')).toBe('noopener noreferrer');
expect(link.getAttribute('href')).toBe('https://docs.example.com/setup');
});
it('preserves caller className without dropping rel', () => {
render(
<ExternalLink href="https://example.com" className="text-accent">
Link
</ExternalLink>,
);
const link = screen.getByRole('link', { name: 'Link' });
expect(link.className).toBe('text-accent');
expect(link.getAttribute('rel')).toBe('noopener noreferrer');
});
});
web/src/components/ExternalLink.tsx
+48
View File
@@ -0,0 +1,48 @@
// Bundle-8 / Audit L-015 / CWE-1022 (Use of Web Link to Untrusted Target
// with window.opener Access) / Reverse-tabnabbing:
//
// Single chokepoint for any anchor that opens in a new tab. Forces the
// `rel="noopener noreferrer"` pair so a malicious page at the target URL
// cannot navigate the opener window via `window.opener.location =
// 'https://evil.example/'`.
//
// At Bundle-8 time the codebase has 3 `target="_blank"` sites (all in
// OnboardingWizard.tsx, all already correct). This component exists so
// future external-link additions route through one path and the CI
// regression guard at `.github/workflows/ci.yml` ("Bundle-8 / L-015
// target=_blank guard") can grep-fail any new bare `target="_blank"`
// outside this component.
//
// Usage:
//
// <ExternalLink href="https://docs.example.com/setup">Setup guide</ExternalLink>
//
// The component renders the same `<a>` element + className conventions
// as the existing OnboardingWizard sites so retrofits are mechanical.
import type { AnchorHTMLAttributes, ReactNode } from 'react';
interface ExternalLinkProps
extends Omit<AnchorHTMLAttributes<HTMLAnchorElement>, 'rel' | 'target'> {
/** The external URL to open in a new tab. Required. */
href: string;
/** Anchor body. Typically the link text. */
children: ReactNode;
}
export function ExternalLink({ href, children, className, ...rest }: ExternalLinkProps) {
return (
<a
{...rest}
href={href}
target="_blank"
// Bundle-8 / L-015: NEVER drop the rel value. The CI regression
// guard greps for any `target="_blank"` outside this component
// and fails the build if it finds one without `noopener`.
rel="noopener noreferrer"
className={className}
>
{children}
</a>
);
}