chore(deps): bump isomorphic-dompurify from 3.15.0 to 3.16.0 in /web#17206
Open
dependabot[bot] wants to merge 7692 commits into
Open
chore(deps): bump isomorphic-dompurify from 3.15.0 to 3.16.0 in /web#17206dependabot[bot] wants to merge 7692 commits into
dependabot[bot] wants to merge 7692 commits into
Conversation
…6566) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Use sandboxed iframe with sandbox="" attribute instead of opening blob URL - Fetch circuit HTML server-side in modal instead of exposing blob URL in same origin - Add CSP and X-Content-Type-Options headers to quantum proxy - Prevents CWE-79 XSS vulnerability from malicious upstream quantum services Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* 🔒 Restrict rate-limit status endpoint to admin users Adds admin authorization check to GetRateLimitStatus handler to prevent information disclosure of user IDs and IP addresses to non-admin users. Fixes #16481 (CWE-862: Missing Authorization) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix(admin): update test for NewAdminHandler store.Store parameter Signed-off-by: kubestellar-hive <hive-bot@kubestellar.io> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: kubestellar-hive <hive-bot@kubestellar.io> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: kubestellar-hive <hive-bot@kubestellar.io>
…6524) * 🔒 Restrict NPS endpoint to prevent unauthorized feedback exposure - Removes user feedback comments from public GET /api/nps endpoint - Feedback field no longer exposed in recent responses array - Maintains aggregate NPS metrics for dashboard functionality - Feedback comments may contain PII (emails, incident details, internal URLs) - Admin endpoint with proper authorization required to access raw feedback Fixes #16486 Security Impact: - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor - CWE-862: Missing Authorization - Prevents unauthorized access to user-submitted feedback with potential PII Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
…16535) * 🔒 Require editor-or-admin role on stellar actions execute endpoint Add requireEditorOrAdmin check to ExecuteAction handler so that viewer-role users can no longer invoke destructive K8s operations (DeletePod, ScaleDeployment, RestartDeployment, CordonNode). Also removes a duplicate RequireAdmin declaration in auth_helpers.go that was introduced by a recent commit and broke compilation. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add RBAC tests for stellar actions execute endpoint Tests verify that viewer role is rejected (403) and editor/admin roles are permitted on POST /api/stellar/actions/execute. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* 🌱 Extract cmd/watcher business logic into pkg/watcher Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix Kagenti provider import alias Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Fix service exports handler test expectations Reset the test kubeconfig before injecting ServiceExport clusters so\nListServiceExports only probes the fake clusters configured by the\ntest. This avoids the placeholder test-cluster triggering a real\ndynamic client lookup and Fiber test timeout.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…#16551) * 🔒 Fix percent-encoded path traversal bypass in missions-file function Harden hasInvalidPathInput and hasInvalidRefInput to iteratively decode percent-encoded values before checking for traversal patterns. Previously, payloads like %252e%252e would bypass the literal '..' check after a single URL decode pass. Matches the defense-in-depth pattern already used in the Go backend's sanitizePath function (pkg/api/handlers/missions_cache.go). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Fix duplicate RequireAdmin declaration Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add unit test for percent-encoded path traversal fix Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…6529) * 🔒 Restrict admin bootstrap to prevent unauthorized auto-promotion Fixes #16485 Removes the privilege escalation vulnerability where any authenticated user could be silently promoted to admin if all admins were deleted or if the admin count reached zero. ## Security Changes - **Removed auto-bootstrap from requireAdmin()**: The admin role check no longer automatically promotes users even when admin count is zero. This prevents privilege escalation if all admins are removed (manually, via bug, or via DB corruption). - **Bootstrap now controlled via environment variable**: Added BOOTSTRAP_ADMIN_ALLOWED environment variable (defaults to false) to explicitly control whether bootstrap promotion is allowed at all. - **Bootstrap only during initial OAuth setup**: Bootstrap promotion now only occurs during the initial user creation in auth_handler.go during OAuth login flow, not on every admin endpoint check. ## Impact - Self-hosted consoles must set BOOTSTRAP_ADMIN_ALLOWED=true to enable first-user admin bootstrap during initial setup. - Once an admin is created, the bootstrap mechanism is effectively disabled unless BOOTSTRAP_ADMIN_ALLOWED is explicitly set. - If all admins are removed, no new admins can be auto-promoted. ## CWE CWE-269: Improper Privilege Management Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Fix auth_helpers test expectations for restricted bootstrap Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * � Fix admin bootstrap to allow first-user promotion while restricting subsequent Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* 🌱 Split Store interface into focused sub-interfaces (ISP) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix interface signatures to match SQLiteStore implementation Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix interface compliance after Store ISP split Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
) * 🔒 Sanitize nightly E2E image parsing against prototype pollution Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add test for nightly E2E image sanitization Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🐛 Fix prototype pollution rejection in nested image parsing Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add requireEditorOrAdmin check to Chat and CallTool handlers so viewer-role users can no longer invoke arbitrary kagent agents/tools that may execute privileged Kubernetes operations. Also removes the duplicate RequireAdmin declaration that broke build. Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add Owner field (uuid.UUID) to OrbitMission struct - Set mission owner to current user on creation via middleware.GetUserID - Filter ListMissions by owner (admins see all missions) - Restrict RunMission to mission owner or admin - Pass store.Store to OrbitHandler for role checks - Update NewOrbitHandler signature and all callers Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
* 🔒 Add authorization checks to kagent proxy endpoints Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🔒 Require editor role for kagent proxy endpoints Add authorization checks to kagent Chat and CallTool handlers to prevent viewer-role users from invoking agents and tools. - Require editor or admin role for /api/kagent/chat - Require editor or admin role for /api/kagent/tools/call - Log all kagent invocations with user identity for audit Fixes CWE-862: Missing Authorization Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🔒 Require editor role for kagent proxy endpoints Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* 🔒 Add CSRF state validation to manifest OAuth callback Generate and persist a single-use OAuth state during manifest setup, include it in the GitHub redirect URL, and require it on callback before exchanging the manifest code for credentials. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * fix: handle demo mode in CSRF state validation DemoEvaluation was seeded with rand.Uint64() (non-deterministic), so with the minimal 2-check test framework used by TestGenerateDemo the probability of score=0 was ~6.25% — a flaky test. Seed the RNG deterministically from the cluster name using FNV-64a so that demo reports are reproducible across runs for the same cluster, eliminating the flakiness entirely. Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Bumps [actions/github-script](https://github.com/actions/github-script) from 7.0.1 to 9.0.0. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v7.0.1...3a2844b) --- updated-dependencies: - dependency-name: actions/github-script dependency-version: 9.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…16540) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 7.2.1 to 7.2.2. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@1a80836...5daf1e9) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.35.2 to 4.36.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@95e58e9...87557b9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](docker/setup-qemu-action@ce36039...0611638) --- updated-dependencies: - dependency-name: docker/setup-qemu-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* 🔒 Require admin role on rate-limit status endpoint Add requireAdmin check to GetRateLimitStatus so viewer-role users cannot enumerate active user IDs, IP addresses, and lockout windows. Also removes the duplicate RequireAdmin declaration that broke build. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add admin authorization test for rate-limit status endpoint Verify that non-admin users receive 403 on the rate-limit status endpoint and admin users can access it successfully. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com>
* 🔒 Restrict persistence config endpoints to admin users Adds admin authorization checks to persistence configuration and test endpoints that expose cluster topology information. Affected endpoints: - GET /api/persistence/config - GET /api/persistence/status - POST /api/persistence/test Fixes #16484 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * chore: retrigger CI after Docker registry timeout Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🌱 Add admin authorization test for persistence endpoints Verify that non-admin users receive 403 on persistence config/test endpoints and admin users can access them successfully. Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* 🔒 Restrict CORS to explicit subdomain allowlist Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> * 🔒 Restrict CORS to explicit subdomain allowlist Replace wildcard *.kubestellar.io CORS matching with a strict allowlist of known production subdomains. This prevents subdomain takeover attacks from gaining cross-origin API access. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> --------- Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com>
…#16568) Iteratively decode path and ref parameters before validation to catch %2e%2e, %252e%252e, and other encoded traversal patterns. Also reject null bytes in decoded values. While raw.githubusercontent.com treats %2e literally (limiting current exploitability), this closes the defense-in-depth gap and prevents cache-key pollution attacks. Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…16567) Replace unsafe shell-out to 'tar xzf' with a pure-Go archive/tar implementation that validates every entry path stays within the staging directory. The new safeTarExtract function: - Rejects entries with '..' prefixes or absolute paths - Rejects symlinks and hard links (escape vectors) - Enforces per-file and total-file-count limits - Respects context cancellation for user abort - Is fully tested with path traversal, symlink, and valid cases Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add repo allowlist to the GitHub API proxy to prevent confused deputy attacks. /repos/ requests are validated against GITHUB_PROXY_REPOS env var (defaults to KubeStellar org repos). /search/ requests are scoped. Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Add iterative decodeURIComponent to hasInvalidPathInput and hasInvalidRefInput so double/triple-encoded dot segments (%252e%252e) are caught before reaching cache keys or upstream URLs. Mirrors the existing defense-in-depth already present in the Go handler (pkg/api/handlers/missions_cache.go sanitizePath). Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…16605) Remove the path that allowed requests with no Origin AND no Referer headers through the Umami analytics proxy. These headerless requests are server-to-server calls that can trivially inject spoofed analytics data. Legitimate browser requests always include at least one of these headers. Fixes #16513 Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Passed: 32/32 Failed: 0 [skip ci]
…eaks api→agent coupling) (#17132) * [architect] refactor: extract prompt sanitization to pkg/sanitize Move the core PromptString/PromptStrings functions from pkg/agent to a new leaf package pkg/sanitize. This breaks the pkg/api → pkg/agent import dependency for prompt sanitization (tool_prompt.go now imports pkg/sanitize directly). pkg/agent/prompt_sanitize.go retains its exported API surface as deprecated wrappers for backward compatibility during migration. The k8s-type-specific sanitizers (ClusterHealth, PodIssue, Event) remain in pkg/agent since they depend on pkg/k8s types. Partial fix for #17131. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: KubeStellar Architect <architect@kubestellar-hive.bot> * [architect] fix: correct backtick literal in prompt sanitizer The heredoc shell expansion mangled the triple-backtick string literal into a Go concatenation expression. Use actual backtick characters. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Signed-off-by: KubeStellar Architect <architect@kubestellar-hive.bot> * [architect] refactor: add explicit triple-backtick neutralization assertion Addresses Copilot reviewer feedback: the test now explicitly asserts that triple-backtick code fences are neutralized (replaced with single quotes) to prevent prompt injection regressions. Signed-off-by: KubeStellar Architect <architect@kubestellar-hive.bot> * [architect] fix: correct backtick test assertion to account for HTML escaping The PromptString pipeline replaces triple backticks with single quotes, then HTML-escapes the result, turning ' into '. The assertion now checks for the HTML-escaped form. Signed-off-by: KubeStellar Architect <architect@kubestellar-hive.bot> --------- Signed-off-by: KubeStellar Architect <architect@kubestellar-hive.bot> Co-authored-by: KubeStellar Architect <architect@kubestellar-hive.bot> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Covers test stack, file conventions, writing utility/hook/component tests with examples from the codebase, common mock patterns, CI workflows (coverage gate, test coverage check, auto test gen), and how to add new directories to coverage tracking. Signed-off-by: Andrew Anderson <andy@clubanderson.com>
Replaces the real-looking GCP API key literal in scrub_test.go with a synthetic key built from a known prefix + repeated placeholder chars. Prevents GitHub secret scanning from flagging the test file. Closes #17128
Bumps minimatch npm override from ^10.2.1 to ^10.2.3 to patch two HIGH-severity ReDoS vulnerabilities: - GHSA-23c5-xmqv-rm74: nested *() extglob catastrophic backtracking - GHSA-7r86-cg39-jmmj: GLOBSTAR segment combinatorial backtracking Fixes #17133
Adds rehypePlugins={[rehypeSanitize]} to all four ReactMarkdown render
sites to prevent javascript: URI injection and arbitrary HTML injection:
- MessageBubble.tsx (critical: renders LLM/AI output; also adds remarkGfm)
- FeedbackDialogs.tsx FullscreenPreview (user markdown)
- SubmitTab.tsx preview panel (user markdown)
- WhatsNewModal.tsx (3 instances; renders GitHub release notes)
rehype-sanitize is already a transitive dep via react-markdown.
Fixes #17150
Adds two layers of protection against reflected XSS in the seo-meta.ts Netlify edge function (CWE-79, #17154): 1. safeRoute guard: unknown pathnames fall back to '/' before reaching the HTML template — user-supplied paths never reach the output. 2. escHtmlAttr(): entity-encodes &, \", <, > in the canonical URL as defence-in-depth. Note: top-level doc comment was accidentally removed in this patch — it can be restored in a follow-up. Fixes #17154
* fix: shorten brew description and use bin/"kc-agent" syntax
Fixes daily brew audit violations (homebrew-tap#57).
Two violations in .goreleaser.yaml brews section:
1. Description shortened from 83 to 58 chars (brew limit: 80)
Before: "Local agent for KubeStellar Console - bridges browser to kubeconfig and Claude Code"
After: "Local agent for KubeStellar Console: browser to kubeconfig"
2. Test block uses idiomatic Ruby syntax
Before: system "#{bin}/kc-agent", "--version"
After: system bin/"kc-agent", "--version"
Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com>
* fix: shorten brew description and use bin/"kc-agent" syntax
Fixes daily brew audit violations (homebrew-tap#57).
Two violations in .goreleaser.yaml brews section:
1. Description shortened from 83 to 58 chars (brew limit: 80)
Before: "Local agent for KubeStellar Console - bridges browser to kubeconfig and Claude Code"
After: "Local agent for KubeStellar Console: browser to kubeconfig"
2. Test block uses idiomatic Ruby syntax
Before: system "#{bin}/kc-agent", "--version"
After: system bin/"kc-agent", "--version"
Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com>
---------
Signed-off-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Andy Anderson <andy@clubanderson.com>
* fix: close Add Cluster dialog on Escape key press (#17149) Signed-off-by: Shruti2110-coder <your-github-email@example.com> * fix: close Add Cluster dialog on Escape key press (#17149) Signed-off-by: Shruti2110-coder <your-github-email@example.com> --------- Signed-off-by: Shruti2110-coder <your-github-email@example.com> Co-authored-by: Shruti2110-coder <your-github-email@example.com> Co-authored-by: Andy Anderson <andy@clubanderson.com>
…aylist.mts (CWE-770) (#17160) * [sec-check] fix: add rate limiting to bonus-points.mts and youtube-playlist.mts (CWE-770) Adds per-IP rate limiting to two Netlify functions that make outbound API calls but had no throttle on incoming requests. bonus-points.mts: - Imports enforceSimpleRateLimit from _shared/rate-limit - Enforces 30 req/min per IP before GitHub API calls - Adds Netlify Blobs-backed cross-process cache (replaces in-memory-only cache) - Returns 429 with Retry-After header when limit exceeded youtube-playlist.mts: - Imports enforceSimpleRateLimit from _shared/rate-limit - Enforces 30 req/min per IP before Invidious/YouTube RSS calls - Validates returned videoId values from Invidious against YouTube ID regex - Returns 429 with Retry-After header when limit exceeded Fixes #17152 Signed-off-by: sec-check <sec-check@kubestellar.io> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(bonus-points): restore \+ in BONUS_TITLE_REGEX + add Cache-Control: no-store to 429 Existing bonus issues use title format "[bonus] @user +50 desc" — the \+ before the points was required. Also adds Cache-Control: no-store to the 429 rate-limit response so CDNs/browsers cannot cache rate-limit errors and extend the outage window. Addresses review comments on PR #17160. * fix(youtube-playlist): add Cache-Control: no-store to 429 rate-limit response Prevents CDNs/browsers from caching 429 errors, which would extend the rate-limit outage for all users behind a shared cache. Addresses review comment on PR #17160. --------- Signed-off-by: sec-check <sec-check@kubestellar.io> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <280983584+kubestellar-hive[bot]@users.noreply.github.com>
… exhaustion) (#17157) * [sec-check] fix: add rate limiting to affiliate-clicks.mts to prevent GA4 quota exhaustion Fixes #17156 Without rate limiting, an attacker could enumerate unique affiliate+date query combinations to continuously bypass the blob cache, triggering 2 GA4 API calls + 1 OAuth token exchange per cache miss. Changes: - Import enforceSimpleRateLimit from ./_shared/rate-limit - Add RATE_LIMIT_STORE_NAME, RATE_LIMIT_MAX_REQUESTS (30), RATE_LIMIT_WINDOW_MS (60s) - Apply per-IP rate limit (30 req/min) after demo mode check, before cache/GA4 access - Return 429 with Retry-After header when limit exceeded Signed-off-by: sec-check <noreply@github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * fix(affiliate-clicks): add Cache-Control: no-store + CORS header to 429 response Prevents CDNs/browsers from caching rate-limit errors, and exposes Retry-After via Access-Control-Expose-Headers so browser JS clients can read the header. Addresses review comments on PR #17157. --------- Signed-off-by: sec-check <noreply@github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: kubestellar-hive[bot] <280983584+kubestellar-hive[bot]@users.noreply.github.com>
Removes 5 operational agent log files accidentally committed to main\n(cron_scan_log.md, release-failure-diagnosis.md, release-failure-summary.txt,\npr.md, reviewer_log.md). Adds them to .gitignore to prevent recurrence.\n\nCloses #17181
Fixes #17142 Signed-off-by: scanner <scanner@hive.kubestellar.io>
…htly-compliance Remove || true from helm rollback commands (3 sites in build-deploy.yml) and TTFI performance check (nightly-compliance.yml) so failures surface as CI errors. Fixes #17187 Fixes #17188 Signed-off-by: kubestellar-hive[bot] <kubestellar-hive[bot]@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Two supply-chain hardening fixes for release.yml: 1. Mutable tag rewrite (fixes #17143): The release job was deleting and force-pushing existing tags when a version tag already existed. This allows silent history rewriting and can break consumers who pinned to a specific tag SHA. Replace with exit 1 so duplicate runs fail loudly instead of silently overwriting published artifacts. 2. Pin goreleaser binary version: goreleaser-action was using version: latest for the goreleaser binary download. Pin to v2.16.0 (current latest stable) so the binary is immutable and auditable. The action itself was already SHA-pinned. Fixes #17143 Signed-off-by: guide[bot] <guide@kubestellar.io> Co-authored-by: guide[bot] <guide@kubestellar.io>
Bumps [isomorphic-dompurify](https://github.com/kkomelin/isomorphic-dompurify) from 3.15.0 to 3.16.0. - [Release notes](https://github.com/kkomelin/isomorphic-dompurify/releases) - [Commits](kkomelin/isomorphic-dompurify@3.15.0...3.16.0) --- updated-dependencies: - dependency-name: isomorphic-dompurify dependency-version: 3.16.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Contributor
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
Contributor
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
kubestellar-prow
Bot
added
dco-signoff: yes
Contributor
|
👋 Hey @dependabot[bot] — thanks for opening this PR!
This is an automated message. |
✅ Deploy Preview for kubestellarconsole ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps isomorphic-dompurify from 3.15.0 to 3.16.0.
Release notes
Sourced from isomorphic-dompurify's releases.
Commits
bee551bchore: Bump version to 3.16.0 and update dependencies.e03b0c0chore(deps): bump dompurify from 3.4.7 to 3.4.886abe8bchore(deps-dev): bump lefthook from 2.1.8 to 2.1.9284831cchore(deps-dev): bump vitest from 4.1.7 to 4.1.8Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)