[PR #1949] [MERGED] Fix multiple reported Security Issues #4720

Closed
opened 2026-04-20 09:03:32 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/1949
Author: @marcschaeferger
Created: 11/30/2025
Status: Merged
Merged: 12/6/2025
Merged by: @oschwartz10612

Base: main ← Head: fix-security/other


📝 Commits (4)

  • fbbab60 Potential fix for code scanning alert no. 7: Insecure randomness
  • 3eab3b0 Potential fix for code scanning alert no. 8: DOM text reinterpreted as HTML
  • 8df62e8 Potential fix for code scanning alert no. 19: Inefficient regular expression
  • 336d31c fix(validators): restore 2+ char domain label requirement

📊 Changes

3 files changed (+5 additions, -4 deletions)

View changed files

📝 server/db/names.ts (+3 -2)
📝 server/lib/validators.ts (+1 -1)
📝 src/components/LoginForm.tsx (+1 -1)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description (generated by Copilot)

See:

  • https://codeql.github.com/codeql-query-help/javascript/js-insecure-randomness/
  • https://codeql.github.com/codeql-query-help/javascript/js-redos/
  • https://codeql.github.com/codeql-query-help/javascript/js-xss-through-dom/

Code generated by Copilot

This pull request focuses on improving randomness, validation, and security in the codebase. The main changes include switching to cryptographically secure random number generation for name creation, refining URL validation logic, and ensuring safe encoding of user input in password reset links.

Randomness and security improvements:

  • Switched from Math.random() to crypto.randomInt() in generateName() within server/db/names.ts, making name generation cryptographically secure.

Validation logic:

  • Updated the domain name regex in isUrlValid() in server/lib/validators.ts to more accurately validate domain names, preventing invalid formats.

User input handling:

  • Applied encodeURIComponent() to the email parameter in the password reset link in LoginForm.tsx, preventing potential issues with special characters and improving security.

How to test?


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

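Added example (TypeScript, editor's illustration, not code from the Pangolin repository or from this PR): the three hardened forms the description lists, each next to the unsafe behaviour it replaces. Every name here (pickSecure, isHostnameValid, resetLinkUnsafe/resetLinkSafe, queryParam, the word lists, the https://app.example base used to parse relative links) is an assumption made for the example; the page does not show the project's actual regex or reset-link format, and the 2+ character rule is applied below to the top-level label only.

```typescript
// Added example, not Pangolin's code. All names and sample data are hypothetical.
import { randomInt } from "node:crypto";

// 1. Insecure randomness. Math.random() is a seeded PRNG whose output can be
//    predicted from a few observed values; crypto.randomInt(0, n) draws from the
//    OS CSPRNG and is unbiased over [0, n). Unsafe form, for comparison only:
//      items[Math.floor(Math.random() * items.length)]
export function pickSecure<T>(items: readonly T[]): T {
  if (items.length === 0) throw new Error("empty list");
  return items[randomInt(0, items.length)] as T; // upper bound is exclusive
}

// Constructed word lists standing in for whatever names.ts actually uses.
const ADJECTIVES = ["quiet", "brave", "amber"] as const;
const NOUNS = ["falcon", "harbor", "ridge"] as const;

export function generateName(): string {
  return `${pickSecure(ADJECTIVES)}-${pickSecure(NOUNS)}`;
}

// 2. ReDoS. A pattern with a nested, overlapping quantifier such as
//      /^([a-z0-9-]+\.?)+[a-z]{2,}$/   (illustrative, not the project's regex)
//    backtracks exponentially on input like "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa!"
//    because "aaaa..." can be split between iterations in 2^(n-1) ways.
//    Checking one label at a time with a bounded pattern is linear in the input.
const LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i; // 1..63 chars, no edge hyphen

export function isHostnameValid(host: string): boolean {
  if (host.length === 0 || host.length > 253) return false;
  const labels = host.split(".");
  if (labels.length < 2) return false; // require at least one dot
  if (!labels.every((label) => LABEL.test(label))) return false;
  const tld = labels[labels.length - 1] ?? "";
  // The "2+ char label" rule this PR restores, applied here to the TLD (assumption).
  return tld.length >= 2 && /^[a-z]+$/i.test(tld);
}

// 3. Unencoded user input in a link. '&', '#' and '+' inside an email address
//    change how the query string is parsed; encodeURIComponent() preserves it.
export function resetLinkUnsafe(email: string): string {
  return `/auth/reset-password?email=${email}`; // hypothetical route
}

export function resetLinkSafe(email: string): string {
  return `/auth/reset-password?email=${encodeURIComponent(email)}`;
}

// Parse the link the way a browser would; the base URL is hypothetical.
export function queryParam(link: string, name: string): string | null {
  return new URL(link, "https://app.example").searchParams.get(name);
}
```

With the unsafe link, "alice+ops@example.com" comes back with a space in place of the plus, "bob@example.com&redirect=https://evil.example" injects a second redirect parameter, and "eve@example.com#x" is truncated at the fragment; the encoded link round-trips all three unchanged.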
GiteaMirror added the pull-request label 2026-04-20 09:03:32 -05:00

Reference: github-starred/pangolin#4720