@rachel@transitory.social ran Gitlab/nodejs-scan-sast on this repo, and obtained the attached report.
I've asked for details on how to reproduce the report, but in the meantime we could look at what it says. I'm pretty sure those XSS are not real, but still.
```
"description": "Error messages with stack traces may expose sensitive information about the application.", "cve": "scripts/build-pre.js:10:generic_error_disclosure:CWE-209",
```
or
```
"location": { "file": "packages/frontend/public/mockServiceWorker.js", "start_line": 120 }, "identifiers": [{ "type": "njsscan_rule_type", "name": "node_insecure_random_generator", "value": "crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator."
```
Like, why would those two matter, considering one is just used during building of the app and the other is, well, just a test for the service worker?
All of the other ones are otherwise basically just repeats, yet most of the components listed only take backend content and no user input, and obviously the backend already fixes the mentioned issues.
MkAutocomplete: the "unescaped variable" is actually filtered through sanitizeHtml, so not a problem.
MkCode: same, the html value is generated by the syntax highlighter, it's safe.
MkFormula: same, it's generated by katex.
MkSignupDialog.rules: not wrong, it's splatting an element from instance.serverRules without any filtering, so an admin could inject a `<script>` in there. I can't quite write anything that breaks stuff, but I'll add a sanitizeHtml anyway.
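To make the MkSignupDialog.rules finding concrete, here is an added example (not code from this repo, and not the project's own sanitizeHtml): the raw splat that mirrors what v-html does with admin-supplied serverRules, next to an escaping renderer that treats every rule as plain text, plus a small audit helper for spotting rules that already contain markup. The rule strings are constructed for the example; escaping is a stricter stand-in for the project's sanitizer, assuming rules are meant to be plain text.

```javascript
// Escape the five characters that can start markup or break out of an attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// What the unpatched component effectively does: each rule is splatted into
// the DOM as HTML, so anything an admin typed becomes live markup.
function renderRulesUnsafe(rules) {
  return '<ol>' + rules.map(r => `<li>${r}</li>`).join('') + '</ol>';
}

// Hardened form: every rule is rendered as text, never interpreted as markup.
function renderRulesEscaped(rules) {
  return '<ol>' + rules.map(r => `<li>${escapeHtml(r)}</li>`).join('') + '</ol>';
}

// Audit helper for operators: return the zero-based indexes of rules that
// contain anything tag-like, so existing instance settings can be reviewed.
function findMarkupInRules(rules) {
  return rules.flatMap((r, i) => (/<[a-z!\/]/i.test(r) ? [i] : []));
}

// Constructed sample data (hypothetical serverRules, not from any instance).
const SAMPLE_RULES = [
  'Be kind to each other',
  'No spam & no ads',
  'Read the <script>alert(1)</script> FAQ',
];

console.log(renderRulesUnsafe(SAMPLE_RULES));   // script tag survives intact
console.log(renderRulesEscaped(SAMPLE_RULES));  // script tag becomes visible text
console.log(findMarkupInRules(SAMPLE_RULES));   // [ 2 ]
```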