fix(condo): DOMA-6871 fix code for semgrep alerts (#3733)

* feat(condo): DOMA-6871 run-semgrep.sh argument propagation in order to use different script output

* fix(condo): DOMA-6871 fix code for semgrep csrf attacks rule

* fix(condo): DOMA-6871 fix code for semgrep not proper regexp replace usages

* fix(condo): DOMA-6871 fix code for semgrep path vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep md5 vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep ReDoS issue vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep paths vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep inject html insecure vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep not sanitized where statement vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep console log formatters vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep default ruleset vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep default ruleset vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep default ruleset vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep rest of condo vulnerabilities

* fix(condo): DOMA-6871 fix code for semgrep rest of condo vulnerabilities

* fix(condo): DOMA-6871 add semgrep documentation

* fix(condo): DOMA-6871 add semgrep documentation

* fix(condo): DOMA-6871 fix semgrep address-service vulnerabilities

* fix(condo): DOMA-6871 fix semgrep dev-portal vulnerabilities

* fix(condo): DOMA-6871 fix semgrep miniaps vulnerabilities

* fix(condo): DOMA-6871 fix semgrep docs

* fix(condo): DOMA-6871 use getEscaped util for escape string

* fix(condo): DOMA-6871 remove not proper comments for bridge/ui packages

* fix(condo): DOMA-6871 adopt run-semgrep to support running on submodules

.env.example

@@ -7,12 +7,13 @@ PORT=3000
 SERVER_URL=http://localhost:3000
 DEFAULT_LOCALE=ru
 FILE_FIELD_ADAPTER=local
-GOOGLE_RECAPTCHA_CONFIG='{"SITE_KEY":"6LcPRvQaAAAAAJRyxsFIB4rP5VH036pFOkNH8lgh", "SERVER_KEY":"6LcPRvQaAAAAADn_h1440Es7fXIGD0E4lpXR_FyF"}'
+# nosemgrep: generic.secrets.gitleaks.generic-api-key.generic-api-key
+GOOGLE_RECAPTCHA_CONFIG='{"SITE_KEY":"<SITE_KEY>", "SERVER_KEY":"<SERVER_KEY>"}'
 HELP_REQUISITES='{ "support_email": "[email protected]", "support_email_mobile": "[email protected]", "bot_email": "[email protected]", "support_phone": "+1 301 000-00-00" }'
 
 # Cache settings
-ADAPTER_CACHE_CONFIG = '{ "enabled": true, "excludedLists":[], "logging":0, "maxCacheSize":1000, "logStatsEachSecs": 60 }'
-REQUEST_CACHE_CONFIG = '{ "enabled": true, "logging":0, "logStatsEachSecs": 60 }'
+ADAPTER_CACHE_CONFIG='{ "enabled": true, "excludedLists":[], "logging":0, "maxCacheSize":1000, "logStatsEachSecs": 60 }'
+REQUEST_CACHE_CONFIG='{ "enabled": true, "logging":0, "logStatsEachSecs": 60 }'
 
 #OIDC_CONDO_CLIENT_CONFIG='{"serverUrl":"http://localhost:3000", "clientId":"<client id>", "clientSecret":"<client secret>"}'
 
@@ -24,10 +25,11 @@ FEATURE_TOGGLE_CONFIG='{"url":null,"apiKey":null,"static":{}}'
 BANK_ACCOUNT_REQUEST_EMAIL_TARGET=[email protected]
 
 # FIREBASE_CONFIG_JSON contents can be retrieved from https://console.firebase.google.com/project/<PROJECT_ID>/settings/serviceaccounts/adminsdk
+# nosemgrep: generic.secrets.security.detected-google-gcm-service-account.detected-google-gcm-service-account
 # FIREBASE_CONFIG_JSON='{"type": "service_account", "project_id": "<PROJECT_ID>", "private_key_id": "<PRIVATE_KEY_ID", "private_key": "<PRIVATE_KEY>", "client_email": "<FIREBASE_ADMIN_SDK_EMAIL> at .gserviceaccount.com", "client_id": "<CLIENT_ID>", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/<CLIENT_EMAIL_VALUE>"}'
 
 # real Firebase push token for testing real push notification delivery to device, would be used only if provided
-# FIREBASE_PUSH_TOKEN_TEST=flt0weSOS8eROf6OEZAmHp:APA91bG0I-QBvGjCL5jblzDoOuVV6bZ1x4dyRmyPqr2iZBYyFbDJcqtKw0vvzo4MH-PaLiVQJbLfAGCoryYXykdqCKXdx2QqYAk6vE4pmxrKk6RHe33-mVNHNTB0HxYI9KUsb21CHfPp
+# FIREBASE_PUSH_TOKEN_TEST=<TOKEN>
 
 # HMS - Huawei Messaging System
 # HMS_CONFIG_JSON contents can be retrieved from ..., there should be separate section for each app receiving push notifications via HMS

.github/workflows/nodejs.condo.code.analysis.yml

@@ -23,9 +23,10 @@ jobs:
     steps:
       # Fetch project source with GitHub Actions Checkout.
       - uses: actions/checkout@v3
-      - run: ./bin/run-semgrep.sh
+      - run: ./bin/run-semgrep.sh -s
 
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: semgrep.sarif
+          sarif_file: ./semgrep_results
+        if: always()

.gitignore

@@ -59,4 +59,5 @@ apps/condo/public/ui
 .turbo
 
 # semgrep
-semgrep.sarif
+semgrep.sarif
+semgrep_results/*

.semgrepignore

@@ -21,3 +21,7 @@
 yarn-error.log
 npm-debug.*
 ignore.*
+
+# not a source code files
+docker-compose.yml
+packages/codegen/*

apps/address-service/domains/common/oidc.js

@@ -58,6 +58,8 @@ class OIDCHelper {
 
 class OIDCKeystoneApp {
     prepareMiddleware ({ keystone, distDir, dev }) {
+        // this route can not be used for csrf attack (use oidc-client library to handle auth flows properly)
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
         const oidcSessionKey = 'oidc'
         const helper = new OIDCHelper()

apps/address-service/domains/common/utils/services/search/SearchKeystoneApp.js

@@ -48,6 +48,8 @@ class SearchKeystoneApp {
 
         let keystoneContext
 
+        // this route can not be used for csrf attack (because no cookies and tokens are used in a public route)
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
         const addressParser = new AddressFromStringParser()
 

apps/address-service/domains/common/utils/services/search/searchServiceUtils.js

@@ -1,8 +1,7 @@
-const { createHash } = require('crypto')
-
 const { isEmpty, isObject } = require('lodash')
 
 const { AddressSource } = require('@address-service/domains/address/utils/serverSchema')
+const { md5 } = require('@condo/domains/common/utils/crypto')
 
 /**
  * @param context Keystone context
@@ -114,8 +113,7 @@ function sortObject (obj) {
 function hashJSON (obj) {
     const sortedObj = sortObject(obj)
     const jsonStr = JSON.stringify(sortedObj)
-    const hash = createHash('md5')
-    return hash.update(jsonStr).digest('hex')
+    return md5(jsonStr)
 }
 
 /**

apps/address-service/domains/common/utils/services/suggest/SuggestionKeystoneApp.js

@@ -46,6 +46,8 @@ class SuggestionKeystoneApp {
      * @returns {Express}
      */
     prepareMiddleware (params) {
+        // this route can not be used for csrf attack (a public route)
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
 
         function setNoCache (req, res, next) {

apps/address-service/index.js

@@ -104,6 +104,9 @@ module.exports = {
         const requestIdHeaderName = 'X-Request-Id'
         app.use(function reqId (req, res, next) {
             const reqId = req.headers[requestIdHeaderName.toLowerCase()] || v4()
+            // we are expecting to receive reqId from client in order to have fully traced logs end to end
+            // also, property name are constant name, not a dynamic user input
+            // nosemgrep: javascript.express.security.audit.remote-property-injection.remote-property-injection
             req['id'] = req.headers[requestIdHeaderName.toLowerCase()] = reqId
             res.setHeader(requestIdHeaderName, reqId)
             next()

apps/address-service/initialData.js

@@ -8,6 +8,8 @@ module.exports = [
                     email: '[email protected]',
                     isAdmin: true,
                     isSupport: true,
+                    // this is development only data
+                    // nosemgrep: generic.secrets.gitleaks.generic-api-key.generic-api-key
                     password: '3a74b3f07978',
                     dv: 1,
                     sender: {
@@ -22,6 +24,8 @@ module.exports = [
                     email: '[email protected]',
                     isAdmin: false,
                     isSupport: false,
+                    // this is development only data
+                    // nosemgrep: generic.secrets.gitleaks.generic-api-key.generic-api-key
                     password: '1a92b3a07c78',
                     dv: 1,
                     sender: {

apps/condo/domains/acquiring/PaymentLinkMiddleware.js

@@ -5,6 +5,8 @@ const { PaymentLinkRouter } = require('@condo/domains/acquiring/routes/paymentLi
 
 class PaymentLinkMiddleware {
     async prepareMiddleware () {
+        // this route can not be used for csrf attack (because no cookies and tokens are used in a public route)
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
 
         const router = new PaymentLinkRouter()

apps/condo/domains/banking/constants.js

@@ -4,6 +4,8 @@
 
 const BANK_INTEGRATION_IDS = {
     SBBOL: 'd94743b0-e5d5-4d06-a244-ea4b2edb8633',
+    // not a credential
+    // nosemgrep: generic.secrets.gitleaks.generic-api-key.generic-api-key
     '1CClientBankExchange': '61e3d767-bd62-40e3-a503-f885b242d262',
 }
 

apps/condo/domains/billing/gql.js

@@ -34,14 +34,14 @@ const BillingRecipient = generateGqlQueries('BillingRecipient', BILLING_RECIPIEN
 const BILLING_CATEGORY_FIELDS = `{ name nameNonLocalized ${COMMON_FIELDS} }`
 const BillingCategory = generateGqlQueries('BillingCategory', BILLING_CATEGORY_FIELDS)
 
-const BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS = 'toPayDetails { charge formula balance recalculation privilege penalty paid }'
-const BILLING_RECEIPT_SERVICE_TO_PAY_DETAILS_FIELDS = BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS.replace('}', 'volume tariff measure }')
+const BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS = 'charge formula balance recalculation privilege penalty paid'
+const BILLING_RECEIPT_SERVICE_TO_PAY_DETAILS_FIELDS = `toPayDetails { ${BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS} volume tariff measure }`
 const BILLING_RECEIPT_SERVICE_FIELDS = `services { id name toPay ${BILLING_RECEIPT_SERVICE_TO_PAY_DETAILS_FIELDS} }`
 const BILLING_RECEIPT_RECIPIENT_FIELDS = 'recipient { tin iec bic bankAccount }'
-const BILLING_RECEIPT_FIELDS = `{ context ${BILLING_INTEGRATION_ORGANIZATION_CONTEXT_FIELDS} importId property { id, address } account { id, number, unitType, unitName, fullName } period toPay printableNumber ${BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS} ${BILLING_RECEIPT_SERVICE_FIELDS} charge formula balance recalculation privilege penalty paid receiver { id tin iec bic bankAccount isApproved } ${BILLING_RECEIPT_RECIPIENT_FIELDS} ${COMMON_FIELDS} category ${BILLING_CATEGORY_FIELDS} invalidServicesError file { id sensitiveDataFile { id filename originalFilename publicUrl mimetype } publicDataFile { id filename originalFilename publicUrl mimetype } controlSum } }`
+const BILLING_RECEIPT_FIELDS = `{ context ${BILLING_INTEGRATION_ORGANIZATION_CONTEXT_FIELDS} importId property { id, address } account { id, number, unitType, unitName, fullName } period toPay printableNumber toPayDetails { ${BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS} } ${BILLING_RECEIPT_SERVICE_FIELDS} charge formula balance recalculation privilege penalty paid receiver { id tin iec bic bankAccount isApproved } ${BILLING_RECEIPT_RECIPIENT_FIELDS} ${COMMON_FIELDS} category ${BILLING_CATEGORY_FIELDS} invalidServicesError file { id sensitiveDataFile { id filename originalFilename publicUrl mimetype } publicDataFile { id filename originalFilename publicUrl mimetype } controlSum } }`
 const BillingReceipt = generateGqlQueries('BillingReceipt', BILLING_RECEIPT_FIELDS)
 
-const RESIDENT_BILLING_RECEIPTS_FIELDS = `{ id ${BILLING_RECEIPT_RECIPIENT_FIELDS} period toPay paid ${BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS} ${BILLING_RECEIPT_SERVICE_FIELDS} printableNumber serviceConsumer { id paymentCategory } currencyCode category { id name } isPayable file { file { id originalFilename publicUrl mimetype } controlSum } }`
+const RESIDENT_BILLING_RECEIPTS_FIELDS = `{ id ${BILLING_RECEIPT_RECIPIENT_FIELDS} period toPay paid toPayDetails { ${BILLING_RECEIPT_TO_PAY_DETAILS_FIELDS} } ${BILLING_RECEIPT_SERVICE_FIELDS} printableNumber serviceConsumer { id paymentCategory } currencyCode category { id name } isPayable file { file { id originalFilename publicUrl mimetype } controlSum } }`
 const ResidentBillingReceipt = generateGqlQueries('ResidentBillingReceipt', RESIDENT_BILLING_RECEIPTS_FIELDS)
 
 const BILLING_RECEIPT_FILE_FIELDS = `{ file { id originalFilename publicUrl mimetype } context { id } receipt { id } controlSum ${COMMON_FIELDS} }`

apps/condo/domains/common/components/CountDownTimer.tsx

@@ -24,6 +24,8 @@ const getCountDownDateFromCookies = (countDownId) => {
     }
 
     if (cookie.match(countDownId)){
+        // not a ReDoS issue: running on end user browser
+        // nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
         const coundownRegexp = new RegExp(`(?:(?:^|.*;\\s*)COUNTDOWN_${countDownId}\\s*=\\s*([^;]*).*$)|^.*$`)
 
         const countDownFromCookie = document

apps/condo/domains/common/components/MenuItem.tsx

@@ -12,6 +12,7 @@ import { colors } from '@open-condo/ui/dist/colors'
 import { Tooltip } from '@condo/domains/common/components/Tooltip'
 import { transitions } from '@condo/domains/common/constants/style'
 import { renderLink } from '@condo/domains/common/utils/Renders'
+import { getEscaped } from '@condo/domains/common/utils/string.utils'
 import { INoOrganizationToolTipWrapper } from '@condo/domains/onboarding/hooks/useNoOrganizationToolTip'
 
 import { ClientRenderedIcon } from './icons/ClientRenderedIcon'
@@ -120,7 +121,9 @@ export const MenuItem: React.FC<IMenuItemProps> = (props) => {
     const [isActive, setIsActive] = useState(false)
 
     useDeepCompareEffect(() => {
-        const escapedPath = path ? path.replace(/[.*+?^${}()|[\]\\]/g, '\\$&') : undefined
+        const escapedPath = path ? getEscaped(path) : undefined
+        // not a ReDoS issue: running on end user browser
+        // nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
         const regex = new RegExp(`^${escapedPath}`)
         setIsActive(path === '/'
             ? asPath === path

apps/condo/domains/common/components/TextHighlighter.tsx

@@ -30,6 +30,8 @@ export const TextHighlighter: React.FC<TTextHighlighterProps> = (props) => {
     if (isEmpty(text)) return null
 
     let result
+    // not a ReDoS issue: running on end user browser
+    // nosemgrep: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
     const searchRegexp = new RegExp(`(${getEscaped(search)})`, 'ig') // NOSONAR
 
     if (isEmpty(search) || !searchRegexp.test(text)) {

apps/condo/domains/common/components/containers/BehaviorRecorder.tsx

@@ -31,6 +31,9 @@ const BehaviorRecorder = ({ engine }: Props) => {
 
     return (
         <div dangerouslySetInnerHTML={{
+            // this is injection of prepared engine rely html (see bellow)
+            // not a user input
+            // nosemgrep: typescript.react.security.audit.react-dangerouslysetinnerhtml.react-dangerouslysetinnerhtml
             __html: htmlFor[engine](params),
         }}>
         </div>

apps/condo/domains/common/components/containers/FormTableBlocks.tsx

@@ -208,6 +208,9 @@ function toGQLWhere (filters) {
     Object.keys(filters).forEach((key) => {
         const v = filters[key]
         if (v && v.length === 1) {
+            // where statement going to be sanitized by backend
+            // and going to use for read requests only
+            // nosemgrep: javascript.lang.security.insecure-object-assign.insecure-object-assign
             Object.assign(where, JSON.parse(v[0]))
         } else if (v && v.length >= 1) {
             if (where.OR) {

apps/condo/domains/common/hooks/useExportTaskUIInterface.tsx

@@ -63,6 +63,9 @@ export const useExportTaskUIInterface = <T extends ExportTaskTypes> ({
         if (publicUrl && filename) {
             await downloadFile({ url: publicUrl, name: filename })
         } else {
+            // this log entry for development & support purposes on end user browser
+            // no important logs can be hided by injected external console.log formatters
+            // nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
             console.error(`File is missing in ${schemaName}`, taskRecord)
         }
     }, [downloadFile, schemaName])

apps/condo/domains/common/utils/VersioningMiddleware.js

@@ -4,6 +4,8 @@ const { get } = require('lodash')
 
 class VersioningMiddleware {
     async prepareMiddleware () {
+        // this route can not be used for csrf attack (because no cookies and tokens are used in a public route)
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
         app.use('/api/version', (req, res) => {
             res.status(200).json({

apps/condo/domains/common/utils/createExportFile.js

@@ -7,8 +7,6 @@ const { v4: uuid } = require('uuid')
 
 const FileAdapter = require('./fileAdapter')
 
-
-
 const EXCEL_FILE_META = {
     mimetype: 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
     encoding: 'UTF-8',
@@ -28,8 +26,11 @@ const render = (pathToTemplate, replaces, options = {}) => new Promise((resolve,
 // It makes unable to save data to `File` field server-side
 // @deprecated use `buildExportFile` like in `apps/condo/domains/ticket/tasks/exportTicketsTask.js`
 async function createExportFile ({ fileName, templatePath, replaces, meta }) {
-    const ExportFileAdapter = new FileAdapter('export')
+    // templatePath is a configured template path - not a user input
+    // all results of export file generation will be accessible only for authorized end users
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     const fileContent = await render(path.resolve(templatePath), replaces)
+    const ExportFileAdapter = new FileAdapter('export')
     const buffer = new Duplex()
     buffer.push(fileContent)
     buffer.push(null)
@@ -57,6 +58,8 @@ async function createExportFile ({ fileName, templatePath, replaces, meta }) {
  * @return {Promise<{ stream }>}
  */
 async function buildExportFile ({ templatePath, replaces, options }) {
+    // all results of export file generation will be accessible only for authorized end users
+    // nosemgrep: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
     const content = await render(path.resolve(templatePath), replaces, options)
     const stream = Readable.from(content)
     return { stream }

apps/condo/domains/common/utils/crypto.js

@@ -1,10 +1,11 @@
 const crypto = require('crypto')
 
 /**
- * Converts value to MD5 hash
+ * Converts value to MD5 hash. Do not ise this for hashing sensitive data!
  * @param value
  * @returns {string}
  */
+// nosemgrep: contrib.nodejsscan.crypto_node.node_md5
 const md5 = (value) => crypto.createHash('md5').update(value).digest('hex')
 
 module.exports = {

apps/condo/domains/common/utils/fileAdapter.js

@@ -40,6 +40,9 @@ class LocalFilesMiddleware {
     }
 
     prepareMiddleware () {
+        // this route serve a static file to the user browser and does not have any operation for csrf attacking
+        // also, it used for development purposes only (see conf.FILE_FIELD_ADAPTER configuration)
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
         app.use(this._path, express.static(this._src))
         return app

apps/condo/domains/common/utils/sberCloudFileAdapter.js

@@ -251,6 +251,9 @@ const obsRouterHandler = ({ keystone }) => {
 
 class OBSFilesMiddleware {
     prepareMiddleware ({ keystone }) {
+        // this route does not have any system change operation and used only for serving files to end user browser
+        // this mean no csrf attacking possible - since no data change operation going to be made by opening a link
+        // nosemgrep: javascript.express.security.audit.express-check-csurf-middleware-usage.express-check-csurf-middleware-usage
         const app = express()
         app.use('/api/files/:file(*)', obsRouterHandler({ keystone }))
         return app

apps/condo/domains/news/tasks/exportRecipients.js

@@ -1,5 +1,3 @@
-const { createHash } = require('crypto')
-
 const dayjs = require('dayjs')
 const compact = require('lodash/compact')
 const filter = require('lodash/filter')
@@ -18,6 +16,7 @@ const { i18n } = require('@open-condo/locales/loader')
 const { ERROR, COMPLETED } = require('@condo/domains/common/constants/export')
 const { TASK_WORKER_FINGERPRINT } = require('@condo/domains/common/constants/tasks')
 const { buildExportFile: buildExportExcelFile, EXCEL_FILE_META } = require('@condo/domains/common/utils/createExportFile')
+const { md5 } = require('@condo/domains/common/utils/crypto')
 const { getHeadersTranslations, EXPORT_TYPE_NEWS_RECIPIENTS } = require('@condo/domains/common/utils/exportToExcel')
 const { loadListByChunks } = require('@condo/domains/common/utils/serverSchema')
 const { buildUploadInputFrom } = require('@condo/domains/common/utils/serverSchema/export')
@@ -59,7 +58,7 @@ const buildExportFile = async ({ rows, locale }) => {
         encoding: EXCEL_FILE_META.encoding,
         meta: {
             listkey: 'NewsRecipients',
-            id: createHash('md5').update(JSON.stringify(rows)).digest('hex'),
+            id: md5(JSON.stringify(rows)),
         },
     }
 }

apps/condo/domains/notification/adapters/apple/AppleJSONWebToken.spec.js

@@ -8,6 +8,7 @@ const APPLE_CONFIG = {
     kid: faker.random.alphaNumeric(10),
     iss: faker.random.alphaNumeric(10),
     // ES256 key generated by https://8gwifi.org/jwsgen.jsp
+    // nosemgrep: generic.secrets.gitleaks.private-key.private-key
     privateKey: '-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIERzC9YnAZv6dTmLPY72gQqLvihwlesD5odf5mx/NNQLoAoGCCqGSM49 AwEHoUQDQgAEvX/e71XLG847HzKpTozogE5pwgaxVN29UkZoNmjP9ZnHcRs7gsBeTGuKwLv0um/C65mb73oy2QeDQCe8R20JAA==\n-----END EC PRIVATE KEY-----', //NOSONAR
 }
 

apps/condo/domains/notification/adapters/firebaseAdapter.js

@@ -42,6 +42,8 @@ class FirebaseAdapter {
         }
 
         this.projectId = get(config, 'project_id', null)
+        // not an user input. No ReDoS regexp expected
+        // nosemreg: javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
         this.messageIdPrefixRegexp = new RegExp(`projects/${this.projectId}/messages`)
     }