From b0f184d31f1044d69b57b1cba041c46214decb67 Mon Sep 17 00:00:00 2001
From: seoonju
Date: Mon, 21 Jul 2025 07:58:24 +0900
Subject: [PATCH 1/3] [Autofic] Create package.json and CI workflow
---
 .github/workflows/pr_notify.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
new file mode 100644
index 0000000000..2b34036d06
--- /dev/null
+++ b/.github/workflows/pr_notify.yml
@@ -0,0 +1,20 @@
+name: PR Notifier
+
+on:
+ pull_request:
+ types: [opened, reopened, closed]
+
+jobs:
+ notify:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Notify Discord
+ env:
+ DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
+ - name: Notify Slack
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ run: |
+ curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL
From 5766d9b3e8f321045bde68166a8084c026d1ee4c Mon Sep 17 00:00:00 2001
From: seoonju
Date: Mon, 21 Jul 2025 07:58:25 +0900
Subject: [PATCH 2/3] [Autofic] 3 malicious code detected!!
---
 app/routes/contributions.js | 6 +++---
 app/routes/index.js | 10 ++++++++--
 server.js | 14 ++++++-------
 3 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/app/routes/contributions.js b/app/routes/contributions.js
index 7f68170b94..ead0071e11 100644
--- a/app/routes/contributions.js
+++ b/app/routes/contributions.js
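Review bot: In both the Discord and Slack steps of the new pr_notify.yml hunk, `${{ github.event.pull_request.title }}` is expanded by the workflow engine straight into the `run:` script and into a single-quoted JSON literal, so a title containing a quote or shell metacharacters changes the command the runner executes; this is the expression-injection pattern GitHub's workflow hardening guidance says to avoid. Move every `github.event.*` value into `env:` so the shell only sees variables, build the body with `jq --arg` so it stays valid JSON whatever the title contains, and quote `"$DISCORD_WEBHOOK_URL"` (the same applies to `$SLACK_WEBHOOK_URL`). Patch 3/3 deletes this file again, so this only matters if the workflow is retained anywhere.
```yaml
      - name: Notify Discord
        env:
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          PR_URL: ${{ github.event.pull_request.html_url }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
          PR_ACTION: ${{ github.event.action }}
        run: |
          payload=$(jq -cn --arg t "$PR_TITLE" --arg u "$PR_URL" --arg a "$PR_AUTHOR" --arg s "$PR_ACTION" \
            '{content: ("🔔 Pull Request [" + $t + "](" + $u + ") by " + $a + " - " + $s)}')
          curl -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK_URL"
      # … unchanged: Slack step (apply the same env + jq pattern) …
```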
@@ -29,9 +29,9 @@ function ContributionsHandler(db) { /*jslint evil: true */ // Insecure use of eval() to parse inputs - const preTax = eval(req.body.preTax); - const afterTax = eval(req.body.afterTax); - const roth = eval(req.body.roth); + const preTax = parseFloat(req.body.preTax); + const afterTax = parseFloat(req.body.afterTax); + const roth = parseFloat(req.body.roth); /* //Fix for A1 -1 SSJS Injection attacks - uses alternate method to eval diff --git a/app/routes/index.js b/app/routes/index.js index a9e55426bf..cf2c312cf6 100644 --- a/app/routes/index.js +++ b/app/routes/index.js @@ -68,8 +68,14 @@ const index = (app, db) => { // Handle redirect for learning resources link app.get("/learn", isLoggedIn, (req, res) => { - // Insecure way to handle redirects by taking redirect url from query string - return res.redirect(req.query.url); + // Securely handle redirects by using an allow-list of trusted URLs + const allowedUrls = ["https://trustedsite.com/resource1", "https://trustedsite.com/resource2"]; + const redirectUrl = req.query.url; + if (allowedUrls.includes(redirectUrl)) { + return res.redirect(redirectUrl); + } else { + return res.status(400).send("Invalid redirect URL"); + } }); // Research Page diff --git a/server.js b/server.js index d6bb500a2d..567e473952 100644 --- a/server.js +++ b/server.js @@ -82,22 +82,20 @@ MongoClient.connect(db, (err, db) => { secret: cookieSecret, // Both mandatory in Express v4 saveUninitialized: true, - resave: true - /* + resave: true, // Fix for A5 - Security MisConfig // Use generic cookie name key: "sessionId", - */ - /* // Fix for A3 - XSS // TODO: Add "maxAge" cookie: { - httpOnly: true - // Remember to start an HTTPS server to get this working - // secure: true + httpOnly: true, + secure: true, // Remember to start an HTTPS server to get this working + domain: 'example.com', // Set your domain + path: '/', + expires: new Date(Date.now() + 60 * 60 * 1000) // 1 hour } - */ })); 
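Review bot: The three new `parseFloat(req.body.…)` calls accept any string and produce `NaN` for non-numeric input (and quietly truncate input such as `"12abc"` to 12), and the hunk adds no check, so a NaN flows into whatever follows in ContributionsHandler, whose body starts and ends outside this hunk. Add a guard directly after the assignments, e.g. `if (![preTax, afterTax, roth].every(Number.isFinite)) { return res.status(400).send("Contribution amounts must be numbers"); }` — assuming the enclosing handler has a `res` in scope, which this hunk does not show. The context comment `// Insecure use of eval() to parse inputs` and the `/*jslint evil: true */` directive above the new lines are now stale; replace the comment with `// Parse contribution amounts as numbers; never eval() request input` and drop the directive.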
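Review bot: `allowedUrls` in the index.js `/learn` handler is filled with placeholder entries (`https://trustedsite.com/resource1`, …), so every real request will now receive the 400 until the list is replaced with the destinations the learning link actually points to; the exact-match `includes` check itself is the right choice over prefix or hostname matching. Hoist the list out of the request handler into a module-level `const LEARN_REDIRECTS = new Set([...])` and test with `LEARN_REDIRECTS.has(redirectUrl)`, so it is not rebuilt on each request and is easy to locate when configuring a deployment. The `else` after `return res.redirect(redirectUrl);` is redundant; the `return res.status(400).send("Invalid redirect URL");` can follow the `if` block directly.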
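Review bot: `expires: new Date(Date.now() + 60 * 60 * 1000)` in the server.js `cookie:` object is evaluated once when `session()` is configured at startup, so every session cookie carries the same absolute expiry and sessions created later in the process's lifetime expire early; use `maxAge: 60 * 60 * 1000` instead, which is the relative form the `// TODO: Add "maxAge"` context line asks for. `domain: 'example.com'` is a placeholder that browsers reject for any other host, so the session cookie is dropped and login stops working; omit `domain` unless a real parent domain must share the cookie. `secure: true` is correct for production but, as the inline comment notes, the cookie is not sent over plain HTTP, so the HTTPS listener (outside this hunk) must exist or the flag should be driven by configuration, and adding `sameSite: 'lax'` alongside it would cover the CSRF angle the A5 fix is aiming at. `key: "sessionId"` is the legacy spelling of express-session's `name` option, so prefer `name: "sessionId"`.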
From 17288599fa6e609131c0a7c7282a66b966d6a1a0 Mon Sep 17 00:00:00 2001
From: seoonju
Date: Mon, 21 Jul 2025 07:58:41 +0900
Subject: [PATCH 3/3] chore: remove CI workflow before upstream PR
---
 .github/workflows/pr_notify.yml | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 .github/workflows/pr_notify.yml
diff --git a/.github/workflows/pr_notify.yml b/.github/workflows/pr_notify.yml
deleted file mode 100644
index 2b34036d06..0000000000
--- a/.github/workflows/pr_notify.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-name: PR Notifier
-
-on:
- pull_request:
- types: [opened, reopened, closed]
-
-jobs:
- notify:
- runs-on: ubuntu-latest
- steps:
- - name: Notify Discord
- env:
- DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"content": "🔔 Pull Request [${{ github.event.pull_request.title }}](${{ github.event.pull_request.html_url }}) by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $DISCORD_WEBHOOK_URL
- - name: Notify Slack
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
- run: |
- curl -H "Content-Type: application/json" -d '{"text": ":bell: Pull Request <${{ github.event.pull_request.html_url }}|${{ github.event.pull_request.title }}> by ${{ github.event.pull_request.user.login }} - ${{ github.event.action }}"}' $SLACK_WEBHOOK_URL