adobecom / firefly

Apache License 2.0

Kodiak-flagged security issues in firefly repo #100

Closed kunwarsaluja closed 1 month ago

kunwarsaluja commented 1 month ago

From @thedoc31

All,

Earlier in the year, I enabled Kodiak security scanning on all GitHub repositories under adobecom. Firefly is one of the repositories under there, and all of you appear to have Writer or Admin access on the repo.

I have 10 JIRA tickets detailing potential security issues that were flagged after the most recent Kodiak scan [1]. Can one of you please reassign these for triage?

Ongoing, who is the correct assignee, and what is the correct project for this repository?

Thanks!

[1]

kunwarsaluja commented 1 month ago

@thedoc31 I understand a couple of them, where these flagged issues make sense, like MWPW-154289, MWPW-154285, MWPW-154285, but the other flagged issues, which are suspected of an XSS, are these false positives? The markup is coming from the franklin content bus or content source, which in this case is SharePoint, and no user input is introduced in any of these.

I did try to fix a few of them with https://github.com/adobecom/firefly/pull/101 (still testing) but wanted your opinion on this.

kunwarsaluja commented 1 month ago

Checked, and all issues except a couple of XSS issues are open but are false positives, as SharePoint is a trusted source for providing content, so I'll mark all these as closed.

[1] : https://dashboard.kodiak.corp.adobe.com/#/findings/github.com/adobecom/firefly
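The XSS findings discussed in this thread are the kind a static scanner raises when a DOM sink such as `innerHTML` receives non-literal input, regardless of where that input originates. The following is an added example, not code from the adobecom/firefly repository or from Kodiak, showing the pattern such a finding points at next to a hardened variant that routes fetched markup through an allowlist sanitizer, which closes the finding by construction whatever the content source. The `decorateBlock*` functions, the tag and attribute allowlists, the fake block element used to run it in Node, and the sanitizer itself are hypothetical constructions for this example; the sanitizer is illustrative and not a substitute for a maintained library such as DOMPurify.

```javascript
// Added example, not part of adobecom/firefly. Demonstrates the DOM sink that
// SAST tools flag as a potential XSS and a hardened variant that sanitizes the
// fetched markup with an allowlist before it reaches the sink.

// Hypothetical allowlists: keep them as small as the block's markup needs.
const ALLOWED_TAGS = new Set(['p', 'a', 'strong', 'em', 'ul', 'ol', 'li', 'h2', 'h3', 'br', 'img', 'div', 'span']);
const ALLOWED_ATTRS = new Set(['href', 'src', 'alt', 'title', 'class']);
const VOID_TAGS = new Set(['br', 'img']);

// Escape text so it can only ever render as text.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Reject URL schemes that execute code; whitespace and control characters are
// stripped first so "java\nscript:" cannot slip past the check.
function safeUrl(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
  return /^(javascript|data|vbscript):/.test(v) ? null : value;
}

// Allowlist sanitizer over an HTML string. Unknown tags are dropped (their text
// still passes through, escaped), disallowed attributes are dropped, URL
// attributes are scheme-checked, and output tags are rebalanced.
function sanitizeHtml(html) {
  const out = [];
  const openStack = [];
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|<|([^<]+)/g;
  const attrRe = /([a-zA-Z][a-zA-Z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    if (m[1] === undefined) {
      // A text run, or a stray '<' that did not start a tag.
      out.push(escapeText(m[3] !== undefined ? m[3] : '<'));
      continue;
    }
    const tag = m[1].toLowerCase();
    const isClose = m[0].charAt(1) === '/';
    if (!ALLOWED_TAGS.has(tag)) continue; // e.g. <script>, <iframe>
    if (isClose) {
      if (openStack.length && openStack[openStack.length - 1] === tag) {
        openStack.pop();
        out.push(`</${tag}>`);
      }
      continue; // a close tag that does not match the open one is ignored
    }
    const attrs = [];
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(name)) continue; // drops onclick=, style=, srcdoc=, ...
      let value = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4] !== undefined ? a[4] : '';
      if (name === 'href' || name === 'src') {
        value = safeUrl(value);
        if (value === null) continue;
      }
      attrs.push(` ${name}="${escapeText(value)}"`);
    }
    out.push(`<${tag}${attrs.join('')}>`);
    if (!VOID_TAGS.has(tag)) openStack.push(tag);
  }
  while (openStack.length) out.push(`</${openStack.pop()}>`); // close what the input left open
  return out.join('');
}

// The pattern a scanner flags: markup fetched from the content source is
// written straight into a DOM sink. Whether this is exploitable depends on
// who can author that content, which is exactly what the tool cannot know.
function decorateBlockUnsafe(block, fetchedMarkup) {
  block.innerHTML = fetchedMarkup; // sink: innerHTML with non-literal input
}

// Hardened variant: same sink, but only allowlisted markup reaches it, so the
// finding no longer depends on trusting the content pipeline.
function decorateBlock(block, fetchedMarkup) {
  block.innerHTML = sanitizeHtml(fetchedMarkup);
}

// Stand-alone run with a constructed fake element (no browser DOM in Node).
if (typeof require !== 'undefined' && require.main === module) {
  const el = { innerHTML: '' };
  decorateBlock(el, '<p onclick="steal()">hi</p><script>alert(1)</script>');
  console.log(el.innerHTML); // <p>hi</p>alert(1)
}
```

The `decorateBlockUnsafe` / `decorateBlock` pair is the same sink with and without the allowlist step; keeping the sanitizer in the path means a finding on that line can be closed on the code rather than on an argument about the upstream source.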