Rc to metdata branch #2348
Rc to metdata branch #2348
Conversation
… and enhance model filtering
…end (see #2171) and refactored
… fixed notifcations
…IS2/Publication-Managment-Tool into BEXIS2-1-create-an-inmport-from-csv #2295
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| cookie.Domain = Request.Url.Host; // Set the domain | ||
| cookie.Path = "/"; // Set the path | ||
|
|
||
| cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day |
Check failure
Code scanning / CodeQL
Cookie security: persistent cookie High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 7 hours ago
In general, to fix this type of issue you either (1) avoid making the cookie persistent (omit Expires so it becomes a session cookie held only in memory), or (2) drastically reduce the lifetime to the minimum necessary (ideally a few minutes) and ensure other security attributes (HttpOnly, Secure, SameSite) are set. For authentication tokens like JWTs, best practice is usually to keep the cookie as a session cookie and control token lifetime inside the token itself.
For this specific snippet, the minimal, behavior‑preserving fix is to stop making the JWT cookie persist for a full day. The safest change is to remove the explicit Expires assignment entirely so the cookie becomes a session cookie. If you still need a short persistence, you could set a much shorter expiry (e.g., AddMinutes(5)), but that changes user experience more; turning it into a session cookie aligns with typical login behavior and still lets the JWT control its own validity. Alongside this, we should explicitly strengthen cookie flags where possible: set HttpOnly = true and Secure = true so the token cannot be read by JavaScript and is only sent over HTTPS. These flags do not change functional behavior from the user’s perspective but significantly harden security.
Concretely, in Console/BExIS.Web.Shell/Controllers/AccountController.cs, in the block where cookieJwt is created (around line 305+), we will:
- Remove the line
cookieJwt.Expires = DateTime.Now.AddDays(1);. - Optionally adjust the comment to reflect that we’re not setting a long‑lived expiry anymore.
- Add
cookieJwt.HttpOnly = true;andcookieJwt.Secure = true;to better protect the JWT in transit and at rest. - Keep existing domain and path settings unchanged.
No new imports or external dependencies are required; HttpCookie.HttpOnly and HttpCookie.Secure are part of System.Web.
| @@ -304,13 +304,14 @@ | ||
| { | ||
| var jwt = JwtHelper.GetTokenByUser(user); | ||
|
|
||
| // Create a new cookie | ||
| // Create a new cookie to store the JWT | ||
| HttpCookie cookieJwt = new HttpCookie("jwt", jwt); | ||
|
|
||
| // Set additional properties if needed | ||
| cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day | ||
| // Set additional properties if needed (session cookie, hardened flags) | ||
| cookieJwt.Domain = Request.Url.Host; // Set the domain | ||
| cookieJwt.Path = "/"; // Set the path | ||
| cookieJwt.HttpOnly = true; // Prevent access from client-side scripts | ||
| cookieJwt.Secure = true; // Send only over HTTPS | ||
|
|
||
| // Add the cookie to the response | ||
| Response.Cookies.Add(cookieJwt); |
|
|
||
| cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day | ||
| cookieJwt.Domain = Request.Url.Host; // Set the domain | ||
| cookieJwt.Path = "/"; // Set the path |
Check failure
Code scanning / CodeQL
Cookie security: overly broad path Critical
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI about 7 hours ago
In general, to fix an overly broad cookie path, set the cookie’s Path to the actual application path (or a specific subpath that needs the cookie) instead of "/". This limits which parts of the server can receive and potentially access or manipulate that cookie.
In this specific case in Console/BExIS.Web.Shell/Controllers/AccountController.cs, update the cookie’s path assignment on line 313 so it is not hardcoded to "/". The safest, least intrusive change—without changing visible behavior for this application—is to set the path to ASP.NET’s Request.ApplicationPath, which is the root virtual path of the current application. That still allows all controllers/views within this app to receive the cookie but prevents other applications on the same domain (with different virtual roots) from accessing it. We don’t need new imports or methods; we just replace the literal "/" with Request.ApplicationPath ?? "/" to be robust if ApplicationPath is null, preserving current behavior as a fallback.
| @@ -310,7 +310,7 @@ | ||
| // Set additional properties if needed | ||
| cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day | ||
| cookieJwt.Domain = Request.Url.Host; // Set the domain | ||
| cookieJwt.Path = "/"; // Set the path | ||
| cookieJwt.Path = Request.ApplicationPath ?? "/"; // Restrict the path to the application | ||
|
|
||
| // Add the cookie to the response | ||
| Response.Cookies.Add(cookieJwt); |
| } | ||
|
|
||
| private getReadableComment(): string { | ||
| return this.comment.replace(/\\/, ''); |
Check failure
Code scanning / CodeQL
Incomplete string escaping or encoding High
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
To fully address the escaping/encoding issue, we need to ensure that the replace call in getReadableComment() removes all backslashes, not just the first. This is done by adding the g (global) flag to the regular expression. No other files or regions need to be changed. No new imports or helper methods are required—just replace /\\/ with /\\/g on line 62. This minimizes side effects while ensuring all unwanted characters are stripped.
| @@ -59,7 +59,7 @@ | ||
| } | ||
|
|
||
| private getReadableComment(): string { | ||
| return this.comment.replace(/\\/, ''); | ||
| return this.comment.replace(/\\/g, ''); | ||
| } | ||
|
|
||
| private getCommandType(): CurationNoteCommandType { |
| // Create a new cookie | ||
| HttpCookie cookie = new HttpCookie("jwt", jwt); | ||
|
|
||
| HttpCookie cookieJwt = new HttpCookie("jwt", jwt); |
Check warning
Code scanning / CodeQL
Cookie 'Secure' attribute is not set to true Medium
| runs-on: windows-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
|
|
||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install .NET SDK | ||
| uses: actions/setup-dotnet@v3 | ||
| with: | ||
| dotnet-version: '8.x' | ||
|
|
||
| - name: Install .NET Upgrade Assistant | ||
| run: dotnet tool install -g upgrade-assistant | ||
|
|
||
| - name: Run Upgrade Assistant in analyze mode | ||
| run: | | ||
| upgrade-assistant analyze BExIS%2B%2B.sln --format json > upgrade-report.json | ||
|
|
||
| - name: Upload report artifact | ||
|
|
||
| uses: actions/upload-artifact@v4 | ||
|
|
||
| with: | ||
| name: upgrade-report | ||
| path: upgrade-report.json |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 1 day ago
To fix the problem, add an explicit permissions block that limits the GITHUB_TOKEN to the least privileges needed. This workflow only checks out code, installs tools, runs a read-only analysis, and uploads an artifact. None of these require write access to repo contents, issues, or PRs, so contents: read at either the workflow root or the job level is sufficient.
The best fix with minimal functional impact is to add permissions: contents: read at the job level for the upgrade-check job. This keeps the scope tightly bound to this job and avoids affecting other workflows. Concretely, in .github/workflows/main.yml, insert:
permissions:
contents: readbetween runs-on: windows-latest (line 10) and steps: (line 12). No additional methods, imports, or definitions are needed.
| @@ -8,6 +8,8 @@ | ||
| jobs: | ||
| upgrade-check: | ||
| runs-on: windows-latest | ||
| permissions: | ||
| contents: read | ||
|
|
||
| steps: | ||
| - name: Checkout repository |
No description provided.