Task/update upstream #15
Conversation
This moves the password migration hook to
```yaml
selfservice:
methods:
password:
config:
migrate_hook:
...
```
This patch adds the new `continue_with` action `redirect_browser_to`, which contains the redirect URL the app should redirect to. It is only supported for SPA (not server-side browser apps, not native apps) flows at this point in time.
Using `OnLoadTrigger` and `OnClickTrigger` one can now map the trigger to the corresponding JavaScript function.
For example, trigger `{"on_click_trigger":"oryWebAuthnRegistration"}` should be translated to `window.oryWebAuthnRegistration()`:
```
if (attrs.onClickTrigger) {
window[attrs.onClickTrigger]()
}
```
…n and add maxlength
…4235) This fixes an issue where we would successfully import long passwords (>72 chars), but fail when the user attempts to login with the correct password because we can't rehash it. In this case, we simply issue a warning to the logs, keep the old hash intact, and continue logging in the user.
This adds a jackson provider to Kratos.
* feat: rework the OTP code submit count mechanism Unlike what the previous comment suggested, incrementing and checking the submit count inside the database transaction is not actually optimal peformance- or security-wise. We now check atomically increment and check the submit count as the first part of the operation, and abort as early as possible if we detect brute-forcing. This prevents a situation where the check works only on certain transaction isolation levels. * chore: bump dependencies
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| - run: npm install | ||
| name: Install node deps | ||
| - name: Run golangci-lint | ||
| uses: golangci/golangci-lint-action@v4 | ||
| uses: golangci/golangci-lint-action@v6 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v2 | ||
| uses: docker/setup-qemu-action@v3 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v2 | ||
| uses: docker/setup-buildx-action@v3 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| - name: Build images | ||
| shell: bash | ||
| run: | | ||
| IMAGE_TAG="${{ env.SHA_SHORT }}" make docker | ||
|
|
||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@v3 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| - name: Anchore Scanner | ||
| uses: anchore/scan-action@v3 | ||
| uses: anchore/scan-action@v5 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| - name: Dockle Linter | ||
| uses: erzz/dockle-action@v1.3.2 | ||
| uses: erzz/dockle-action@v1 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| steps: | ||
| - uses: actions/add-to-project@v0.5.0 | ||
| - uses: ory-corp/planning-automation-action@v0.1 |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| cy.contains("Continue with code").click() | ||
| it("should show second factor screen on whoami call", () => { | ||
| email = gen.email() | ||
| password = gen.password() |
Check failure
Code scanning / CodeQL
Insecure randomness High test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 2 months ago
To fix the problem, we need to replace the use of Math.random() with a cryptographically secure random number generator. In the browser, we can use crypto.getRandomValues to generate secure random values. We will update the password function in test/e2e/cypress/helpers/index.ts to use crypto.getRandomValues instead of Math.random().
| @@ -3,7 +3,7 @@ | ||
|
|
||
| export const email = () => Math.random().toString(36) + "@ory.sh" | ||
| export const email = () => crypto.getRandomValues(new Uint32Array(1))[0].toString(36) + "@ory.sh" | ||
| export const blockedEmail = () => | ||
| Math.random().toString(36) + "_blocked" + "@ory.sh" | ||
| crypto.getRandomValues(new Uint32Array(1))[0].toString(36) + "_blocked" + "@ory.sh" | ||
|
|
||
| export const password = () => Math.random().toString(36) | ||
| export const password = () => crypto.getRandomValues(new Uint32Array(1))[0].toString(36) | ||
|
|
| describe("when using aal1 required aal", () => { | ||
| beforeEach(() => { | ||
| email = gen.email() | ||
| password = gen.password() |
Check failure
Code scanning / CodeQL
Insecure randomness High test
| documentsLock.RUnlock() | ||
|
|
||
| if ok { | ||
| _, _ = w.Write(doc) |
Check warning
Code scanning / CodeQL
Reflected cross-site scripting Medium test
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix AI 2 months ago
To fix the reflected cross-site scripting vulnerability, we need to ensure that any user-provided data that is written to the HTTP response is properly sanitized or escaped. In this case, we can use the html.EscapeString function from the html package to escape any potentially dangerous characters in the user-provided data before writing it to the response.
- Import the
htmlpackage to use thehtml.EscapeStringfunction. - Modify the code where the
docvariable is written to the response to escape the string before writing it.
| @@ -8,2 +8,3 @@ | ||
| "fmt" | ||
| "html" | ||
| "io" | ||
| @@ -48,3 +49,3 @@ | ||
| if ok { | ||
| _, _ = w.Write(doc) | ||
| _, _ = w.Write([]byte(html.EscapeString(string(doc)))) | ||
| } else { |
Merge upstream into Fulcrum