mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 13:41:30 +00:00
shankar0123
6c00f7b0d3
CodeQL alert #36 (severity: HIGH, rule: js/regex/missing-regexp-anchor) fired on commita9e229b: web/src/__tests__/multi-page-flows.test.tsx:161 Missing regular expression anchor When this is used as a regular expression on a URL, it may match anywhere, and arbitrary hosts may come before or after it. Root cause: Phase 8's TEST-M1 multi-page-flow test verifies the CertificateDetailPage surfaces the same common_name the list row showed. The original assertion used a case-insensitive regex matcher: screen.getAllByText(/api\.example\.com/i) CodeQL's heuristic flagged this as URL-shaped (literal-dot pattern with TLD structure) and missing `^`/`$` anchors. The rule exists because unanchored URL regexes are dangerous in security contexts (host-allowlist sanitizers). This is a test file matching DOM text content — not URL sanitization — so the alert is technically a false positive in semantic terms. But CodeQL is correct that the pattern READS as a URL regex, and a future engineer copy-pasting this matcher into actual validation code would inherit the vuln. Best to remove the unanchored-regex pattern from the codebase at the source. Fix: Switch from a regex matcher to testing-library's function matcher with a plain-string `.includes()`. Same case-insensitive substring semantics, zero regex for CodeQL to flag: screen.getAllByText((content) => content.toLowerCase().includes('api.example.com'), ) The function form is also more accurate for what the test actually checks: the detail page may render the cn inside a labelled cell ("Common name: api.example.com"), so substring match is the intended semantic. Comment block above the assertion documents the rationale so a future refactor doesn't re-introduce a URL-shaped regex. Other unanchored regexes elsewhere in the test suite (`screen.getByText(/UTC/)`, `/2026/`, `/Enabled/`, etc.) do NOT pattern-match as URL-shaped and have passed prior CodeQL scans — not touching them. Over-reach has its own cost. Verification: • npx tsc --noEmit — exit 0 • npx vitest run src/__tests__/multi-page-flows.test.tsx — 3/3 pass • npx vite build — ✓ built in 3.31s • All 48 CI guards pass • origin/master ground-truthed via GitHub API (4909691) BEFORE commit per the operating rule Falsifiable proof: CodeQL re-scan on push should auto-close #36 (rule no longer has a matching pattern at multi-page-flows.test.tsx:161).