Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Preview/semgrep#62

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Open
alexcoderabbitai wants to merge5 commits intomain
base:main
Choose a base branch
Loading
frompreview/semgrep
Open
Show file tree
Hide file tree
Changes fromall commits
Commits
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions.coderabbit.yml
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
reviews:
path_filters: ["**/*","*"]
11 changes: 11 additions & 0 deletionssampleReact.jsx
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
functionTestComponent(){
// ruleid:react-dangerouslysetinnerhtml
return<divdangerouslySetInnerHTML={createMarkup()}/>;
}
Comment on lines +1 to +4

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

⚠️ Potential issue

Missing function definition.

TheTestComponent referencescreateMarkup() but this function is not defined in the file. This will cause a runtime error.

+function createMarkup() {+  return { __html: '<strong>Test markup</strong>' };+}+ function TestComponent() {     // ruleid:react-dangerouslysetinnerhtml     return <div dangerouslySetInnerHTML={createMarkup()} />; }
📝 Committable suggestion

‼️IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
functionTestComponent(){
// ruleid:react-dangerouslysetinnerhtml
return<divdangerouslySetInnerHTML={createMarkup()}/>;
}
functioncreateMarkup(){
return{__html:'<strong>Test markup</strong>'};
}
functionTestComponent(){
// ruleid:react-dangerouslysetinnerhtml
return<divdangerouslySetInnerHTML={createMarkup()}/>;
}
🧰 Tools
🪛 Biome (1.9.4)

[error] 3-3: Avoid passing content using the dangerouslySetInnerHTML prop.

Setting content using code can expose users to cross-site scripting (XSS) attacks

(lint/security/noDangerouslySetInnerHtml)

🪛 Semgrep (1.122.0)

[WARNING] 3-3: Setting HTML from code is risky because it’s easy to inadvertently expose your users to a cross-site scripting (XSS) attack.

(docs-react-dangerouslysetinnerhtml)

🤖 Prompt for AI Agents
In sampleReact.jsx around lines 1 to 4, the function createMarkup() is calledinside TestComponent but is not defined anywhere, which will cause a runtimeerror. Define the createMarkup() function in the file to return an object with a__html property containing the HTML string you want to set, for example: return{ __html: "<p>Some HTML content</p>" }. This will ensure thedangerouslySetInnerHTML prop receives the expected object and prevent runtimeerrors.


functionOkComponent(){
// OK
constdiscordClientKey='8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

⚠️ Potential issue

Remove hardcoded Discord client secret.

A potential Discord client secret is hardcoded in the code, which poses a security risk even in test files. Replace it with a placeholder or use environment variables.

-    const discordClientKey = '8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';+    const discordClientKey = process.env.DISCORD_CLIENT_KEY || 'test-key-placeholder';
📝 Committable suggestion

‼️IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
constdiscordClientKey='8dyfuiRyq=vVc3RRr_edRk-fK__JItpZ';
constdiscordClientKey=process.env.DISCORD_CLIENT_KEY||'test-key-placeholder';
🧰 Tools
🪛 Gitleaks (8.27.2)

8-8: Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks.

(discord-client-secret)

🤖 Prompt for AI Agents
In sampleReact.jsx at line 8, the Discord client secret is hardcoded, which is asecurity risk. Replace the hardcoded secret with a placeholder string orretrieve it from environment variables using process.env to avoid exposingsensitive information in the codebase.

return{__html:'Первый &middot; Второй'};
}
Comment on lines +6 to +10

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

🛠️ Refactor suggestion

Clarify the purpose of OkComponent.

TheOkComponent returns a plain object rather than JSX, which suggests it's not actually a React component. If this is intended to demonstrate a safe pattern, consider showing a proper React component that safely handles HTML content.

 function OkComponent() {-    // OK-    const discordClientKey = process.env.DISCORD_CLIENT_KEY || 'test-key-placeholder';-    return {__html: 'Первый &middot; Второй'};+    // Safe pattern: using JSX instead of dangerouslySetInnerHTML+    return <div>Первый &middot; Второй</div>; }

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 Gitleaks (8.27.2)

8-8: Discovered a potential Discord client secret, risking compromised Discord bot integrations and data leaks.

(discord-client-secret)

🤖 Prompt for AI Agents
In sampleReact.jsx around lines 6 to 10, the function OkComponent returns aplain object instead of JSX, so it is not a valid React component. To fix this,refactor OkComponent to return proper JSX, for example by returning a Reactelement that uses dangerouslySetInnerHTML with the returned object to safelyrender the HTML content. This will clarify its purpose as a React componenthandling HTML safely.


14 changes: 14 additions & 0 deletionssemgrep.yml
View file
Open in desktop
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
rules:
- id: docs-react-dangerouslysetinnerhtml
languages:
- typescript
- javascript
message: >
Setting HTML from code is risky because it’s easy to inadvertently expose
your users to a cross-site scripting (XSS) attack.
pattern-either:
- pattern: |
<$X dangerouslySetInnerHTML=... />
- pattern: |
{dangerouslySetInnerHTML: ...}
severity: WARNING
[8]ページ先頭
©2009-2025 Movatter.jp