From 95449ec8c668ed21ca123204179f011ac0a2a93b Mon Sep 17 00:00:00 2001
From: github-actions
Date: Sun, 3 Aug 2025 21:22:24 +0000
Subject: [PATCH 1/3] [Autofic] Create package.json and CI workflow
---
 .github/workflows/pr_notify.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
new file mode 100644
index 0000000..2b34036
--- /dev/null
+++ b/.github/workflows/pr_notify.yml
@@ -0,0 +1,20 @@
+name: PR Notifier
+
+on:
+ pull_request:
+ types: [opened, reopened, closed]
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Notify Discord
+ env:
+ DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
+ - name: Notify Slack
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL
From a89261542cf0bb3cb6cf95d368c728e88182a592 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Sun, 3 Aug 2025 21:22:25 +0000
Subject: [PATCH 2/3] [Autofic] 2 malicious code detected!!
---
 server/app.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/app.js b/server/app.js
index d502887..3624f14 100644
--- a/server/app.js
+++ b/server/app.js
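Review bot: Both `run:` scripts splice `${{ github.event.pull_request.title }}` and the author login directly into a shell command line, so a title containing a quote or shell metacharacter breaks the JSON payload and is evaluated by the runner's shell; this is the GitHub Actions script-injection pattern and it applies to the Notify Discord and Notify Slack steps alike. Pass the event fields into the step through `env:` and let `jq` build the JSON, which also handles titles containing `"` or `'`, and quote `"$DISCORD_WEBHOOK_URL"` so an empty secret does not leave curl without a URL. On a plain `pull_request` trigger fork PRs normally run without secrets, so the exposure is the runner itself, but the same pattern under `pull_request_target` would expose the webhook URLs. Patch 3/3 deletes this file again, so this only matters if the workflow is kept.
```yaml
      - name: Notify Discord
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_ACTION: ${{ github.event.action }}
        run: |
          payload=$(jq -n --arg c "🔔 Pull Request [$PR_TITLE]($PR_URL) by $PR_AUTHOR - $PR_ACTION" '{content: $c}')
          curl -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK_URL"
      # … unchanged: Notify Slack step (apply the same env/jq pattern) …
```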
@@ -60,7 +60,10 @@ app.use(session({
 secret: process.env.COOKIE_SECRET,
 cookie: {
 httpOnly: true,
- secure: false,
+ secure: process.env.NODE_ENV === 'production', // Use secure cookies in production
+ domain: 'example.com', // Set your domain
+ path: '/', // Set path to root
+ expires: new Date(Date.now() + 60 * 60 * 1000), // Set expiration to 1 hour
 },
 name: 'session-cookie',
 }));
@@ -127,6 +130,12 @@ const fs = require('fs');
 app.get('/:page', (req, res) => {
 const page = req.params.page;
+ const allowedPages = ['home', 'about', 'contact']; // Allow list for pages
+
+ if (!allowedPages.includes(page)) {
+ return res.status(403).send('Forbidden');
+ }
+
 const filePath = path.join(__dirname, 'views', `${page}.html`);
 fs.access(filePath, fs.constants.F_OK, (err) => {
From d0162be4f4f0639b4913a6a0880d93a608b421a5 Mon Sep 17 00:00:00 2001
From: github-actions
Date: Sun, 3 Aug 2025 21:22:37 +0000
Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR
---
 .github/workflows/pr_notify.yml | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
deleted file mode 100644
index 2b34036..0000000
--- a/.github/workflows/pr_notify.yml
+++ /dev/null
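Review bot: `expires: new Date(Date.now() + 60 * 60 * 1000)` is evaluated once when `app.use(session(...))` runs, so every session cookie carries the same absolute expiry and, once the process has been up for an hour, every cookie it issues is already expired; use `maxAge: 60 * 60 * 1000, // 1 hour, computed per session` instead. `domain: 'example.com', // Set your domain` is a placeholder committed as real configuration: a cookie whose Domain does not match the serving host is discarded by the browser, and when it does match it is sent to every subdomain, so drop the line unless cross-subdomain sessions are actually required. The cookie also sets no `sameSite`; adding `sameSite: 'lax',` is the cheap CSRF mitigation for a session cookie. If TLS terminates at a proxy, `secure: true` in production will presumably also need `app.set('trust proxy', 1)` — that is not visible in this hunk, so worth confirming.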
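Review bot: The allow-list check in the `/:page` handler answers `403 Forbidden` for any name outside the list, which lets a caller tell an unlisted name apart from a missing page; answering `404` keeps the two indistinguishable and matches what the existing `fs.access` fallback presumably returns. As a point of style, `allowedPages` is rebuilt on every request and is only ever queried with `includes`; hoisting it to module scope as `const ALLOWED_PAGES = new Set(['home', 'about', 'contact']);` and testing `ALLOWED_PAGES.has(page)` states the intent and avoids the per-request allocation. The handler's `fs.access` callback continues past the end of the hunk, so whether its `err` branch already responds with 404 cannot be confirmed from here.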
@@ -1,20 +0,0 @@
-name: PR Notifier
-
-on:
- pull_request:
- types: [opened, reopened, closed]
-
-jobs:
- notify:
- runs-on: ubuntu-latest
- steps:
- - name: Notify Discord
- env:
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
- - name: Notify Slack
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL