enhance security checks

Author: VREMSoftwareDevelopment

.gitignore

@@ -16,6 +16,8 @@ build
 .env.production.local
 .idea
 .eslintcache
+.copilot
+plan.md
 
 # Compiled source
 *.com
@@ -48,5 +50,3 @@ Thumbs.db
 *.log
 *.sql
 *.sqlite
-
-**/COPILOT.md

.vscode/settings.json

@@ -42,5 +42,6 @@
                 "<<projectname>>"
             ]
         }
-    ]
+    ],
+    "terminal.integrated.cwd": "react"
 }

react/eslint.config.mjs

@@ -5,6 +5,7 @@ import _import from 'eslint-plugin-import';
 import jsxA11Y from 'eslint-plugin-jsx-a11y';
 import jest from 'eslint-plugin-jest';
 import prettier from 'eslint-plugin-prettier';
+import security from 'eslint-plugin-security';
 import globals from 'globals';
 import path from 'node:path';
 import { fileURLToPath } from 'node:url';
@@ -36,6 +37,7 @@ export default [
             'jsx-a11y': fixupPluginRules(jsxA11Y),
             jest,
             prettier: fixupPluginRules(prettier),
+            security: fixupPluginRules(security),
         },
         languageOptions: {
             globals: {
@@ -72,6 +74,11 @@ export default [
                     caughtErrorsIgnorePattern: '^_',
                 },
             ],
+            'security/detect-object-injection': 'warn',
+            'security/detect-unsafe-regex': 'warn',
+            'security/detect-eval-with-expression': 'warn',
+            'security/detect-non-literal-fs-filename': 'warn',
+            'security/detect-non-literal-require': 'warn',
         },
     },
 ];

react/package-lock.json

@@ -52,7 +52,7 @@
         "babel-jest": "^30.0.5",
         "babel-preset-vite": "^1.1.3",
         "better-npm-audit": "^3.11.0",
-        "eslint": "^9.33.0",
+        "eslint": "^9.34.0",
         "eslint-config-prettier": "^10.1.8",
         "eslint-plugin-import": "^2.32.0",
         "eslint-plugin-jest": "^29.0.1",

react/package.json

@@ -15,7 +15,7 @@ const isLocalhost = Boolean(
         // [::1] is the IPv6 localhost address.
         window.location.hostname === '[::1]' ||
         // 127.0.0.0/8 are considered localhost for IPv4.
-        window.location.hostname.match(/^127(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}$/)
+        window.location.hostname.startsWith('127.')
 );
 
 export function register(config) {

react/src/serviceWorker.js

@@ -91,7 +91,10 @@ describe('Usage', () => {
         fetch.mockResponseOnce(response);
         const data = await usage.request('xyz');
         expect(data.length).toEqual(expected.length);
-        expected.forEach((item, index) => expect(data[index]).toEqual(item));
+        expected.forEach((item, index) => {
+            // eslint-disable-next-line security/detect-object-injection
+            expect(data[index]).toEqual(item);
+        });
         expect(fetch).toHaveBeenCalled();
         expect(fetch).toHaveBeenCalledWith('xyz/usage.db');
     });

react/src/services/Usage.test.js

@@ -19,13 +19,22 @@
 const isAscending = (orderBy, property, ascending) => (orderBy === property ? !ascending : false);
 
 const comparator = (isAscending, orderBy) => {
+    const isSafeKey = (key, obj) =>
+        typeof key === 'string' && /^[a-zA-Z0-9_$]+$/.test(key) && Object.prototype.hasOwnProperty.call(obj, key);
+
     const ascending = (a, b, orderBy) => {
+        if (!isSafeKey(orderBy, a) || !isSafeKey(orderBy, b)) return 0;
+        // eslint-disable-next-line security/detect-object-injection
         if (a[orderBy] < b[orderBy]) return -1;
+        // eslint-disable-next-line security/detect-object-injection
         if (a[orderBy] > b[orderBy]) return 1;
         return 0;
     };
     const descending = (a, b, orderBy) => {
+        if (!isSafeKey(orderBy, a) || !isSafeKey(orderBy, b)) return 0;
+        // eslint-disable-next-line security/detect-object-injection
         if (a[orderBy] > b[orderBy]) return -1;
+        // eslint-disable-next-line security/detect-object-injection
         if (a[orderBy] < b[orderBy]) return 1;
         return 0;
     };