Conversation

@travjenkins
Member

https://github.com/estuary/flow/security/code-scanning/8

Description:

Escaping the tenant name

Workflow steps:

This will impact how Azure gets set up. This still needs to be tested.

Documentation links affected:

Notes for reviewers:

(anything that might help someone review this PR)

Adding in 'state' to help with CSRF a bit
Some clean up to ensure the params are escaped
Comment on lines +13 to +14
const state = crypto.randomUUID()
sessionStorage.setItem(SETTINGS.storageKey, state);
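Review bot: `const state = crypto.randomUUID()` on line +13 is missing the semicolon that line +14 has; keep the two lines consistent. Two things worth a comment here: `crypto.randomUUID()` is only defined in a secure context (HTTPS or localhost), so on plain HTTP this line throws rather than degrading, and the value written under `SETTINGS.storageKey` should be removed from `sessionStorage` once it has been compared against the returned `state`, so that a single value cannot be accepted more than once.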
Member Author


This is the MAJOR update here. We need to store this off and validate it down below.

@github-actions

github-actions bot commented Dec 19, 2025

PR Preview Action v1.6.3

🚀 View preview at
https://estuary.github.io/flow/pr-preview/pr-2576/

Built to branch gh-pages at 2025-12-22 16:03 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

Comment on lines +16 to +22
const params = new URLSearchParams({
client_id: SETTINGS.appId,
redirect_uri: SETTINGS.redirectUri,
resource_id: SETTINGS.resourceId,
response_type: SETTINGS.responseType,
[SETTINGS.stateKey]: state,
});
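Review bot: the `URLSearchParams` object on lines +16 to +22 escapes the query string only, and the tenant name the PR title refers to is not among these parameters; if it is inserted into the path of the authorize URL rather than the query, it still needs `encodeURIComponent` separately. A one-line comment above line +16 stating which part of the URL this object covers would make that boundary clear to the next reader.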
Member Author


Setting up the params in this way should handle escaping for us.

Comment on lines 51 to 57
if (authCode === "error") {
return (
<span style={{ color: "red" }}>
We were unable to verify this worked. Please contact support.
</span>
);
}
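Review bot: the branch on line 51 only fires when `authCode` is literally `"error"`. If `authCode` is read from the `code` query parameter, an authorization server signals failure through a separate `error` parameter (with `error_description`), not by returning the word `error` as the code, so the support message would never show for a real failure; check the `error` parameter here as well. Since the PR stores a `state` value on the way out, this branch is also the natural place to show the same message when the returned `state` does not match the stored one.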
Member Author


This is where things get weird. Normally in an OAuth situation we might consume this code and do something with it. However, here we are just seeing that things are set up. So I think this is the best we could do here 🤷 .

Like if this happens either their browser messed up or possibly someone messed with their stuff and they just set up something wrong.

Member

@mdibaiee mdibaiee left a comment


LGTM, let me know if you need help testing this
