[Autofic] Security Patch 2025-07-22#7
Open
eunsol1530 wants to merge 3 commits intoHalngYao:masterfrom
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔧 About This Pull Request
This patch was automatically created by AutoFiC,
an open-source framework that combines static analysis tools with AI-driven remediation.
Using Semgrep, CodeQL, and Snyk Code, AutoFiC detected potential security flaws and applied verified fixes.
Each patch includes contextual explanations powered by a large language model to support review and decision-making.
🔐 Summary of Security Fixes
Overview
App_Code/MicroAuthHelper.csApp_Code/MicroUserHelper.csViews/Default.aspxViews/Forms/Forms.aspx.csViews/Forms/HR/OnDutyFormList.aspx.csViews/Forms/HR/OvertimeFormList.aspx.csViews/Forms/MicroFormList.aspx.csViews/Forms/SysFormList.aspx.csViews/Info/GlobalTips.aspx.csViews/Set/HR/Users.aspx.csViews/Set/Navigation.aspx.csViews/Stats/Attendance/UserOnDuty.aspx.csViews/Stats/Attendance/UserOvertime.aspx.csViews/UserCenter/Users.aspx.csViews/Stats/Attendance/Js/UserOnDuty.jslayuiadmin/lib/extend/micro.jsViews/Forms/HR/Js/LeaveForm.jsResource/fullcalendar/examples/google-calendar.htmlResource/Js/Admin.jsScripts/WebForms/SmartNav.jsApp_Code/MicroApprovalHelper.csApp_Code/MicroFormHelper.csApp_Code/MicroWorkFlowHelper.csViews/Info/Detail.aspx.csViews/Info/List.aspx.csApp_Code/MicroDTHelper.csApp_Code/MicroHRHelper.csApp_Code/MicroLdapHelper.csApp_Code/MicroPrivateHelper.csViews/Default.aspx.csViews/Forms/MicroFormApproval.aspx.csViews/Home/Console.aspx.csViews/Home/PendingMyApproval.aspx.csViews/Stats/General.aspx.cs1.
App_Code/MicroAuthHelper.cs🧩 SAST Analysis Summary
2.
App_Code/MicroUserHelper.cs🧩 SAST Analysis Summary
3.
Views/Default.aspx🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a potential XSS vulnerability due to unsanitized input being directly written to the HTTP response. This can occur when user-controlled data is not properly sanitized before being rendered on the page.
🔸 Recommended Fix
Sanitize the input before rendering it on the page to prevent XSS attacks. Use encoding functions to ensure that any user input is safely displayed.
🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode theNoticevariable before rendering it on the page. This ensures that any potentially harmful scripts are neutralized by converting them to a safe HTML representation.4.
Views/Forms/Forms.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code directly inserts data retrieved from the database into the HTML response without sanitization, which can lead to Cross-Site Scripting (XSS) vulnerabilities.
🔸 Recommended Fix
Sanitize the data before inserting it into the HTML response to prevent XSS attacks. This can be done by encoding the data to neutralize any potentially harmful scripts.
🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to sanitize the HTML content before it is inserted into thedivScript.InnerHtml. This ensures that any potentially harmful scripts are neutralized, thus mitigating the risk of XSS attacks.5.
Views/Forms/HR/OnDutyFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code directly assigns data retrieved from the database (
getFormAttr.FormNameandgetFormAttr.Description) tospanTitle.InnerHtmlwithout any sanitization. This can lead to Cross-Site Scripting (XSS) vulnerabilities if the data contains malicious scripts.🔸 Recommended Fix
Sanitize the data before assigning it to
InnerHtmlto ensure that any potentially harmful scripts are neutralized.🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, which prevents the execution of any embedded scripts by converting special characters to their respective HTML entities.6.
Views/Forms/HR/OvertimeFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodeensures that any HTML special characters are encoded, preventing XSS attacks.7.
Views/Forms/MicroFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code retrieves data from a database and directly assigns it to an HTML attribute without proper sanitization, which can lead to Cross-Site Scripting (XSS) vulnerabilities.
🔸 Recommended Fix
Sanitize the data before assigning it to the HTML attribute to prevent the execution of any injected scripts.
🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode theLinkAddressstring before assigning it to thetxtLinkAddress.Value. This ensures that any potentially harmful scripts are encoded and not executed in the browser.8.
Views/Forms/SysFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to Cross-Site Scripting (XSS) because it directly assigns unsanitized data from the database to
divScript.InnerHtml. This can allow an attacker to inject malicious scripts into the web page.🔸 Recommended Fix
Sanitize the data before assigning it to
divScript.InnerHtmlto ensure that any potentially harmful scripts are neutralized.🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, which helps prevent XSS by converting characters like<,>, and&into their respective HTML entities. This ensures that any scripts included in the data are not executed by the browser.9.
Views/Info/GlobalTips.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to Cross-Site Scripting (XSS) because it directly uses data from the database to construct HTML content without sanitization. Specifically, the
InfoClassName,InfoID, andTitlefields are inserted into the HTML response without any encoding or sanitization.🔸 Recommended Fix
Use HTML encoding to sanitize the output before embedding it into the HTML response. This can be achieved using
HttpUtility.HtmlEncodeto ensure that any HTML tags are properly encoded and not executed by the browser.🔸 Additional Notes
It's important to ensure that any user-generated content or data retrieved from a database is properly sanitized before being included in an HTML response. This helps prevent XSS and other injection attacks.
10.
Views/Set/HR/Users.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection and Cross-Site Scripting (XSS) vulnerabilities due to unsanitized inputs being used directly in SQL queries and HTML responses.
🔸 Recommended Fix
🔸 Additional Notes
The code now uses
HttpUtility.HtmlEncodeto prevent XSS by encoding user input before it is inserted into HTML. Additionally, parameterized queries are used to prevent SQL injection by safely including user input in SQL statements. Ensure thatMicroDBHelper.MsSQLDbHelper.Querysupports parameterized queries.11.
Views/Set/Navigation.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code directly assigns HTML content to
divScript.InnerHtmlusing data retrieved from the database without proper sanitization. This can lead to a Cross-Site Scripting (XSS) vulnerability.🔸 Recommended Fix
Sanitize the data before assigning it to
divScript.InnerHtmlto ensure that any potentially harmful scripts are neutralized.🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, which helps prevent XSS by converting special characters to their HTML-encoded equivalents. This ensures that any scripts included in the database content are not executed in the browser.12.
Views/Stats/Attendance/UserOnDuty.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodeensures that any data inserted into the HTML is properly encoded to prevent XSS.13.
Views/Stats/Attendance/UserOvertime.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodehelps in mitigating XSS by encoding special characters in the output.14.
Views/UserCenter/Users.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to Cross-Site Scripting (XSS) because it directly outputs data retrieved from the database into the HTML without proper sanitization or encoding. This can allow attackers to inject malicious scripts into the web page.
🔸 Recommended Fix
Sanitize or encode the output to ensure that any special characters are properly escaped, preventing the execution of injected scripts.
🔸 Additional Notes
The use of
HttpUtility.HtmlEncodeensures that any special characters in the output are properly encoded, mitigating the risk of XSS by preventing the execution of injected scripts.15.
Views/Stats/Attendance/Js/UserOnDuty.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a vulnerability where unsanitized input is passed to the
evalfunction. This can lead to a Code Injection vulnerability, as arbitrary JavaScript code could be executed.🔸 Recommended Fix
Avoid using
evalto execute code. Instead, parse the JSON data safely usingJSON.parse.🔸 Additional Notes
The use of
JSON.parseensures that the input is parsed as JSON data rather than executed as JavaScript code, mitigating the risk of code injection.16.
layuiadmin/lib/extend/micro.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a potential code injection vulnerability due to the use of
eval()on data received from an AJAX request. This can lead to executing arbitrary JavaScript code if the data is not properly sanitized.🔸 Recommended Fix
Avoid using
eval()to execute JavaScript code from external sources. Instead, use safer alternatives such asJSON.parse()for parsing JSON data or other methods that do not execute code.🔸 Additional Notes
The
eval()function was replaced withJSON.parse()to safely parse JSON data. Ensure that the server returns valid JSON data to prevent parsing errors.17.
Views/Forms/HR/Js/LeaveForm.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The vulnerability is a DOM-based Cross-Site Scripting (DOMXSS) issue. Unsanitized input from a remote resource is being directly inserted into the HTML using
$('#divShowLeave').html(data.Tips);, which can lead to execution of malicious scripts if the input is not properly sanitized.🔸 Recommended Fix
Sanitize the input before inserting it into the HTML to ensure that any potentially harmful scripts are neutralized. This can be done using a library like DOMPurify to clean the HTML content.
🔸 Additional Notes
The
DOMPurifylibrary is used to sanitize the HTML content before inserting it into the DOM. Ensure that the library is included in your project to avoid any runtime errors.18.
Resource/fullcalendar/examples/google-calendar.html🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a hardcoded Google API key, which is a sensitive piece of information that should not be exposed in the source code. Hardcoding such secrets can lead to unauthorized use of the API key if the code is accessed by unauthorized users.
🔸 Recommended Fix
Remove the hardcoded API key from the source code and instead load it from a secure environment variable or configuration file that is not exposed to the client-side.
🔸 Additional Notes
Ensure that the environment variable
GOOGLE_CALENDAR_API_KEYis securely set on the server-side and not exposed to the client-side. This change assumes that the JavaScript code is being served in a way that allows server-side environment variables to be injected into the client-side script, which may require a build step or server-side rendering setup.19.
Resource/Js/Admin.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains an Open Redirect vulnerability. Unsanitized input from
window.document.location.hrefis used directly inwindow.location.replace, which can be exploited to redirect users to malicious sites.🔸 Recommended Fix
Validate and sanitize the URL before using it in the redirection logic. Ensure that the URL is within an expected domain or path.
🔸 Additional Notes
The fix ensures that the redirection only occurs if the current URL starts with the allowed domain, mitigating the risk of Open Redirect attacks.
20.
Scripts/WebForms/SmartNav.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains an Open Redirect vulnerability. Unsanitized input from the document location is used directly to set
window.location, which can be exploited to redirect users to malicious sites.🔸 Recommended Fix
Sanitize the URL before using it to set
window.location. This can be done by ensuring that the URL is within the expected domain or path.🔸 Additional Notes
The fix ensures that redirection only occurs if the URL is within the same origin as the current document, preventing potential open redirect attacks.
21.
App_Code/MicroApprovalHelper.cs🧩 SAST Analysis Summary
22.
App_Code/MicroFormHelper.cs🧩 SAST Analysis Summary
23.
App_Code/MicroWorkFlowHelper.cs🧩 SAST Analysis Summary
24.
Views/Info/Detail.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a SQL Injection vulnerability due to unsanitized input being directly used in SQL queries. Specifically, the query for fetching user roles, job titles, and departments uses string concatenation with the
UIDvariable, which can be manipulated to inject malicious SQL code.🔸 Recommended Fix
Use parameterized queries to safely include user input in SQL statements, preventing SQL injection attacks.
🔸 Additional Notes
The use of parameterized queries ensures that user input is treated as data rather than executable code, effectively mitigating the risk of SQL injection.
25.
Views/Info/List.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
🔸 Recommended Fix
🔸 Additional Notes
SqlParameterclass is used to safely include user input in SQL queries.26.
App_Code/MicroDTHelper.cs🧩 SAST Analysis Summary
27.
App_Code/MicroHRHelper.cs🧩 SAST Analysis Summary
28.
App_Code/MicroLdapHelper.cs🧩 SAST Analysis Summary
29.
App_Code/MicroPrivateHelper.cs🧩 SAST Analysis Summary
30.
Views/Default.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains an SQL Injection vulnerability due to the construction of an SQL query using unsanitized input from the variable
UID. The query is built using string concatenation, which can be exploited by an attacker to inject malicious SQL code.🔸 Recommended Fix
Use parameterized queries to safely pass the
UIDvalue to the SQL query, ensuring that it is treated as a parameter rather than executable code.🔸 Additional Notes
The SQL queries have been modified to use parameterized queries, which help prevent SQL injection attacks by ensuring that user input is treated as data rather than executable code.
31.
Views/Forms/MicroFormApproval.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to SQL Injection due to unsanitized input being used directly in SQL queries. Specifically, the
FormsIDsvariable is concatenated directly into the SQL query string, which can be exploited if an attacker can manipulate theFormsIDsinput.🔸 Recommended Fix
Use parameterized queries to safely include user input in SQL statements. This prevents SQL Injection by ensuring that user input is treated as data rather than executable code.
🔸 Additional Notes
The code now uses the
STRING_SPLITfunction to safely handle theFormsIDsinput as a parameterized query, mitigating the risk of SQL Injection. This approach ensures that each ID is treated as a separate entity within the SQL query.32.
Views/Home/Console.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection vulnerabilities due to unsanitized input being directly concatenated into SQL queries. The
UIDparameter is directly inserted into SQL strings without any sanitization or parameterization, making it susceptible to SQL Injection attacks.🔸 Recommended Fix
Use parameterized queries to prevent SQL Injection. This involves replacing direct string concatenation with parameter placeholders and passing the actual values separately to the query execution method.
🔸 Additional Notes
The changes involve replacing direct string concatenation with parameterized queries using
SqlParameter. This approach helps in mitigating SQL Injection risks by ensuring that user inputs are properly sanitized before being executed in SQL queries.33.
Views/Home/PendingMyApproval.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a SQL Injection vulnerability due to unsanitized input being directly concatenated into SQL queries. This occurs when user input or data from the database is used to construct SQL queries without proper validation or parameterization.
🔸 Recommended Fix
Use parameterized queries to prevent SQL Injection. This involves using SQL parameters instead of directly concatenating user input or data into SQL query strings.
🔸 Additional Notes
The changes involve using parameterized queries to safely handle the input values for
FCID,UID, andFormID. This approach helps to prevent SQL Injection by ensuring that inputs are treated as parameters rather than executable code.34.
Views/Stats/General.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL queries that are constructed using string concatenation with unsanitized inputs. This can lead to SQL Injection vulnerabilities if an attacker can control the input values.
🔸 Recommended Fix
Use parameterized queries to safely include user inputs in SQL statements, which prevents SQL injection by separating SQL code from data.
🔸 Additional Notes
The changes focus on using parameterized queries to prevent SQL injection. The
SqlParameterclass is used to safely pass parameters to the SQL queries, ensuring that user inputs are properly handled and not directly concatenated into the SQL strings.🛠 Fix Summary
All identified vulnerabilities have been remediated following security best practices such as parameterized queries and proper input validation. Please refer to the diff tab for detailed code changes.
If you have questions or feedback regarding this automated patch, feel free to reach out via AutoFiC GitHub.