Fix project setup #1043
Conversation
The latest updates on your projects. Learn more about Vercel for GitHub.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@frontend/entrypoint.sh`:
- Around line 15-35: The env-config generation in entrypoint.sh is splicing raw
environment values into quoted JavaScript literals, which can break
env-config.js or allow script injection. Update the env-config.js creation logic
to serialize the settings object as JSON rather than concatenating
shell-expanded strings, and keep the same keys from the current window.__env__
block so all existing VITE_* values are emitted safely.
In `@frontend/src/util/configs/environment.config.ts`:
- Line 5: The APP_CONFIG_CACHE_TTL_SECONDS assignment in environment.config.ts
exceeds the 140-character lint limit. Wrap the long Number(...) expression
across multiple lines by splitting the env.VITE_APP_CONFIG_CACHE_TTL_SECONDS
fallback chain into a readable multi-line form while keeping the same logic and
symbol name.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 83e2fb33-31e9-4385-8cb4-6102471b2f5f
📒 Files selected for processing (11)
- backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationController.kt
- backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationService.kt
- backend/src/main/kotlin/hu/bme/sch/cmsch/component/location/LocationService.kt
- backend/src/main/kotlin/hu/bme/sch/cmsch/repository/EntityPageDataSource.kt
- backend/src/main/kotlin/hu/bme/sch/cmsch/repository/ManualRepository.kt
- frontend/Dockerfile
- frontend/entrypoint.sh
- frontend/index.html
- frontend/public/env-config.js
- frontend/src/util/configs/environment.config.ts
- frontend/src/vite-env.d.ts
💤 Files with no reviewable changes (2)
- backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationController.kt
- backend/src/main/kotlin/hu/bme/sch/cmsch/addon/nova/NovaIntegrationService.kt
| cat > "$NGINX_HTML/env-config.js" <<EOF | ||
| window.__env__ = { | ||
| VITE_API_BASE_URL: "${VITE_API_BASE_URL:-http://localhost:8080}", | ||
| VITE_CLIENT_BASE_URL: "${VITE_CLIENT_BASE_URL:-http://localhost:3000}", | ||
| VITE_NAME: "${VITE_NAME:-CMSch Web}", | ||
| VITE_DESCRIPTION: "${VITE_DESCRIPTION:-CMSch Web}", | ||
| VITE_THEME_COLOR: "${VITE_THEME_COLOR:-#ffffff}", | ||
| VITE_DISABLE_APP_CONFIG_CACHE: "${VITE_DISABLE_APP_CONFIG_CACHE:-false}", | ||
| VITE_APP_CONFIG_CACHE_TTL_SECONDS: "${VITE_APP_CONFIG_CACHE_TTL_SECONDS:-600}", | ||
| VITE_PASS_SERVER_URL: "${VITE_PASS_SERVER_URL:-https://pass.kir-dev.hu}", | ||
| VITE_PASS_TEMPLATE: "${VITE_PASS_TEMPLATE:-generic}", | ||
| VITE_OFFICIAL_LANGUAGE: "${VITE_OFFICIAL_LANGUAGE:-false}", | ||
| VITE_NEW_RIDDLE_ENDPOINTS: "${VITE_NEW_RIDDLE_ENDPOINTS:-true}", | ||
| VITE_HIDE_KIR_DEV_IN_FOOTER: "${VITE_HIDE_KIR_DEV_IN_FOOTER:-false}", | ||
| VITE_PLAUSIBLE_URL: "${VITE_PLAUSIBLE_URL:-}", | ||
| VITE_FIREBASE_PROJECT_ID: "${VITE_FIREBASE_PROJECT_ID:-}", | ||
| VITE_FIREBASE_API_KEY: "${VITE_FIREBASE_API_KEY:-}", | ||
| VITE_FIREBASE_SENDER_ID: "${VITE_FIREBASE_SENDER_ID:-}", | ||
| VITE_FIREBASE_APP_ID: "${VITE_FIREBASE_APP_ID:-}", | ||
| VITE_FIREBASE_WEB_PUSH_PUBLIC_KEY: "${VITE_FIREBASE_WEB_PUSH_PUBLIC_KEY:-}" | ||
| }; |
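Review bot: every entry in this object is emitted as a quoted string, so the boolean and numeric settings (VITE_DISABLE_APP_CONFIG_CACHE, VITE_OFFICIAL_LANGUAGE, VITE_NEW_RIDDLE_ENDPOINTS, VITE_HIDE_KIR_DEV_IN_FOOTER, VITE_APP_CONFIG_CACHE_TTL_SECONDS) reach the browser as "false" and "600" rather than false and 600; either environment.config.ts must coerce each of them explicitly (the Number(...) fallback chain mentioned in the other comment covers the TTL, the flags still need a string comparison), or the JSON serialisation requested for this block should emit them with their native types so the runtime config and the build-time VITE_* values behave the same. The unquoted heredoc delimiter also means values are expanded but never escaped, which is the `"`/`\`/newline breakage flagged below.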
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
Escape runtime values before emitting env-config.js.
Lines 17-34 splice raw env vars into quoted JS literals. A value containing `"`, `\`, or a newline will break the file, and a hostile config value can become script injection for every client. Please serialize this object as JSON instead of hand-building JavaScript strings.
💡 Safer pattern
```diff
-RUN apk add --no-cache gettext
+RUN apk add --no-cache gettext jq
```

```sh
jq -n \
  --arg apiBaseUrl "${VITE_API_BASE_URL:-http://localhost:8080}" \
  --arg clientBaseUrl "${VITE_CLIENT_BASE_URL:-http://localhost:3000}" \
  '{
    VITE_API_BASE_URL: $apiBaseUrl,
    VITE_CLIENT_BASE_URL: $clientBaseUrl
    # ...repeat for the remaining keys...
  }' \
  | sed '1s/^/window.__env__ = /; $s/$/;/' > "$NGINX_HTML/env-config.js"
```

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@frontend/entrypoint.sh` around lines 15-35, the env-config generation in
entrypoint.sh is splicing raw environment values into quoted JavaScript
literals, which can break env-config.js or allow script injection. Update the
env-config.js creation logic to serialize the settings object as JSON rather
than concatenating shell-expanded strings, and keep the same keys from the
current window.__env__ block so all existing VITE_* values are emitted safely.
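The same serialisation idea done in POSIX sh without jq, added here as an example rather than code from the PR or from the suggestion above, so it also works in a minimal image: json_escape and render_env_config are names assumed here, the key subset and defaults are taken from the heredoc on this page, and the hostile VITE_NAME value in the demo is constructed.

```shell
#!/bin/sh
# Added example, not the PR's entrypoint.sh: render env-config.js without
# splicing raw environment values into JavaScript literals. Each value is
# escaped as a JSON/JS string body in pure POSIX sh (no jq needed), so a
# hostile VITE_* value becomes inert string content instead of code.

NL=$(printf '\nx'); NL=${NL%x}   # literal newline (the x keeps $(...) from stripping it)
TAB=$(printf '\t')
CR=$(printf '\r')

# json_escape STRING: escape \ " LF CR TAB so the result is safe inside "...".
json_escape() {
  s=$1; out=""
  while [ -n "$s" ]; do
    rest=${s#?}; c=${s%"$rest"}    # peel off one character at a time
    case $c in
      \\)     out="$out\\\\" ;;
      \")     out="$out\\\"" ;;
      "$NL")  out="$out\\n" ;;
      "$CR")  out="$out\\r" ;;
      "$TAB") out="$out\\t" ;;
      *)      out="$out$c" ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# emit_pair KEY VALUE: one '  "KEY": "escaped value",' line. A trailing comma
# is valid in a JS object literal, so every entry gets one.
emit_pair() {
  printf '  "%s": "%s",\n' "$1" "$(json_escape "$2")"
}

# render_env_config: same keys and defaults as the page's window.__env__ block
# (a subset is shown; the remaining VITE_* keys are added the same way).
render_env_config() {
  printf 'window.__env__ = {\n'
  emit_pair VITE_API_BASE_URL "${VITE_API_BASE_URL:-http://localhost:8080}"
  emit_pair VITE_CLIENT_BASE_URL "${VITE_CLIENT_BASE_URL:-http://localhost:3000}"
  emit_pair VITE_NAME "${VITE_NAME:-CMSch Web}"
  emit_pair VITE_THEME_COLOR "${VITE_THEME_COLOR:-#ffffff}"
  emit_pair VITE_APP_CONFIG_CACHE_TTL_SECONDS "${VITE_APP_CONFIG_CACHE_TTL_SECONDS:-600}"
  emit_pair VITE_PLAUSIBLE_URL "${VITE_PLAUSIBLE_URL:-}"
  printf '};\n'
}

# Demo with a constructed hostile value: the quotes end up as \" inside the literal.
( VITE_NAME='Evil"; alert(1); x="'; render_env_config )
```

In the entrypoint the last line would become `render_env_config > "$NGINX_HTML/env-config.js"`; values stay strings, as in the original heredoc, so the TypeScript side still has to coerce numbers and flags.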
No description provided.