mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 21:31:34 +00:00
shankar0123
1c3a83c4ba
Closes Audit-2026-04-25 L-015 (Low) and L-019 (Low) — both
verified-already-clean at HEAD; new CI regression guards prevent
regression. Partial closures for M-009, M-010, M-026 — Bundle 8 ships
the helpers + contract tests + a soft CI budget guard, defers the
long-tail per-page migrations to a new tracker ID M-029.
What changed
- web/src/utils/safeHtml.ts (NEW) — sanitizeHtml() chokepoint for
any future code that genuinely needs dangerouslySetInnerHTML.
Bundle-8 placeholder body throws — DOMPurify dependency is the
activation procedure documented in the file header.
- web/src/components/ExternalLink.tsx (NEW) — single chokepoint for
target="_blank" anchors. Hardcodes rel="noopener noreferrer".
- web/src/hooks/useListParams.ts (NEW) — URL-state hook for filter /
sort / pagination state on list pages. Canonicalises the existing
DashboardPage useSearchParams pattern. Per-page migrations of the
~14 remaining list pages tracked as M-029.
- web/src/hooks/useTrackedMutation.ts (NEW) — useMutation wrapper
enforcing the M-009 invalidation contract via discriminated-union
type: caller MUST declare invalidates: QueryKey[] OR
invalidates: 'noop' + noopReason: string.
- 4 new Vitest test files — full unit coverage for ExternalLink
(target/rel preservation), safeHtml (placeholder throws + activation
hint), useListParams (URL contract / defaults / filter-resets-page),
useTrackedMutation (invalidate-then-onSuccess / noop variant).
- .github/workflows/ci.yml — three new regression guards:
Bundle-8 / L-015: greps for any target="_blank" outside ExternalLink
that lacks rel="noopener noreferrer"; clean at HEAD.
Bundle-8 / L-019: greps for any dangerouslySetInnerHTML outside
safeHtml.ts; clean at HEAD (0 sites).
Bundle-8 / M-009: SOFT budget guard — useMutation sites must not
exceed invalidation sites + 5. At HEAD: 61 mutations vs 82
invalidations + 5 = 87 budget. Stricter per-site enforcement
tracked as M-029.
Verification at HEAD
- web/src/ target=_blank sites: 3 (all in OnboardingWizard.tsx)
— all three already carry rel="noopener noreferrer". L-015 closed.
- web/src/ dangerouslySetInnerHTML sites: 0. L-019 closed.
- useMutation sites: 61 / invalidateQueries: 82 (M-009 budget healthy)
Per-finding mapping
- L-015 closed (CWE-1022) — verified-already-clean + ExternalLink
component + CI grep guard.
- L-019 closed (CWE-79) — verified-already-clean + safeHtml chokepoint
+ CI grep guard.
- M-009 partial — useTrackedMutation wrapper authored; soft CI budget
guard. Migrating the 56 existing useMutation sites to the wrapper
tracked as M-029.
- M-010 partial — useListParams hook authored + tested. Per-page
migration of the ~14 list pages tracked as M-029.
- M-026 partial — bundle-prompt called for XSS-hardening tests on the
T-1 deferred allowlist of 14 pages. Bundle 8 ships the testing
pattern via the new helpers but does NOT execute the per-page
migrations — tracked as M-029.
NOT addressed in this bundle (deferred to M-029)
- Migrating existing 56 useMutation sites to useTrackedMutation
- Migrating ~14 list pages from local useState to useListParams
- Adding XSS-hardening tests to the 14 T-1-deferred pages
Verification
- npx tsc --noEmit → clean
- npx vitest run on the 4 new Bundle-8 test files → 15/15 pass
- L-015 grep guard simulation → clean
- L-019 grep guard simulation → clean
- M-009 budget simulation → 61 ≤ 87 (clean)
- go vet ./... → clean (no backend changes)
- python3 yaml.safe_load(api/openapi.yaml) → clean
- python3 yaml.safe_load(.github/workflows/ci.yml) → clean
Backwards compatibility
- All 4 new helper files are additive; no existing call sites were
modified. Existing list pages keep their useState pagination until
M-029 ships per-page migrations.
Bundle 8 of the 2026-04-25 comprehensive audit. Per-page migration
backlog tracked as new audit finding M-029.
49 lines
1.7 KiB
TypeScript
49 lines
1.7 KiB
TypeScript
// Bundle-8 / Audit L-015 / CWE-1022 (Use of Web Link to Untrusted Target
|
|
// with window.opener Access) / Reverse-tabnabbing:
|
|
//
|
|
// Single chokepoint for any anchor that opens in a new tab. Forces the
|
|
// `rel="noopener noreferrer"` pair so a malicious page at the target URL
|
|
// cannot navigate the opener window via `window.opener.location =
|
|
// 'https://evil.example/'`.
|
|
//
|
|
// At Bundle-8 time the codebase has 3 `target="_blank"` sites (all in
|
|
// OnboardingWizard.tsx, all already correct). This component exists so
|
|
// future external-link additions route through one path and the CI
|
|
// regression guard at `.github/workflows/ci.yml` ("Bundle-8 / L-015
|
|
// target=_blank guard") can grep-fail any new bare `target="_blank"`
|
|
// outside this component.
|
|
//
|
|
// Usage:
|
|
//
|
|
// <ExternalLink href="https://docs.example.com/setup">Setup guide</ExternalLink>
|
|
//
|
|
// The component renders the same `<a>` element + className conventions
|
|
// as the existing OnboardingWizard sites so retrofits are mechanical.
|
|
|
|
import type { AnchorHTMLAttributes, ReactNode } from 'react';
|
|
|
|
interface ExternalLinkProps
|
|
extends Omit<AnchorHTMLAttributes<HTMLAnchorElement>, 'rel' | 'target'> {
|
|
/** The external URL to open in a new tab. Required. */
|
|
href: string;
|
|
/** Anchor body. Typically the link text. */
|
|
children: ReactNode;
|
|
}
|
|
|
|
export function ExternalLink({ href, children, className, ...rest }: ExternalLinkProps) {
|
|
return (
|
|
<a
|
|
{...rest}
|
|
href={href}
|
|
target="_blank"
|
|
// Bundle-8 / L-015: NEVER drop the rel value. The CI regression
|
|
// guard greps for any `target="_blank"` outside this component
|
|
// and fails the build if it finds one without `noopener`.
|
|
rel="noopener noreferrer"
|
|
className={className}
|
|
>
|
|
{children}
|
|
</a>
|
|
);
|
|
}
|