[Autofic] Security Patch 2025-07-18#3
Open
eunsol1530 wants to merge 3 commits intoHalngYao:masterfrom
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔧 About This Pull Request
This patch was automatically created by AutoFiC,
an open-source framework that combines static analysis tools with AI-driven remediation.
Using Semgrep, CodeQL, and Snyk Code, AutoFiC detected potential security flaws and applied verified fixes.
Each patch includes contextual explanations powered by a large language model to support review and decision-making.
🔐 Summary of Security Fixes
Overview
App_Code/MicroAuthHelper.csApp_Code/MicroUserHelper.csViews/Default.aspxViews/Forms/Forms.aspx.csViews/Forms/HR/OnDutyFormList.aspx.csViews/Forms/HR/OvertimeFormList.aspx.csViews/Forms/MicroFormList.aspx.csViews/Forms/SysFormList.aspx.csViews/Info/GlobalTips.aspx.csViews/Set/HR/Users.aspx.csViews/Set/Navigation.aspx.csViews/Stats/Attendance/UserOnDuty.aspx.csViews/Stats/Attendance/UserOvertime.aspx.csViews/UserCenter/Users.aspx.csViews/Stats/Attendance/Js/UserOnDuty.jslayuiadmin/lib/extend/micro.jsViews/Forms/HR/Js/LeaveForm.jsResource/fullcalendar/examples/google-calendar.htmlResource/Js/Admin.jsScripts/WebForms/SmartNav.jsApp_Code/MicroApprovalHelper.csApp_Code/MicroFormHelper.csApp_Code/MicroWorkFlowHelper.csViews/Info/Detail.aspx.csViews/Info/List.aspx.csApp_Code/MicroDTHelper.csApp_Code/MicroHRHelper.csApp_Code/MicroLdapHelper.csApp_Code/MicroPrivateHelper.csViews/Default.aspx.csViews/Forms/MicroFormApproval.aspx.csViews/Home/Console.aspx.csViews/Home/PendingMyApproval.aspx.csViews/Stats/General.aspx.cs1.
App_Code/MicroAuthHelper.cs🧩 SAST Analysis Summary
2.
App_Code/MicroUserHelper.cs🧩 SAST Analysis Summary
3.
Views/Default.aspx🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a potential XSS vulnerability due to unsanitized input from a session value being directly written to the HTTP response using
Response.Write.🔸 Recommended Fix
Sanitize the session value before writing it to the HTTP response to prevent XSS attacks.
🔸 Additional Notes
The
HttpUtility.HtmlEncodefunction is used to sanitize theNoticevariable before it is rendered on the page, which helps prevent XSS attacks by encoding potentially dangerous characters.4.
Views/Forms/Forms.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to Cross-Site Scripting (XSS) because it directly inserts data from the database into the HTML response without proper sanitization. This can allow an attacker to inject malicious scripts into the web page.
🔸 Recommended Fix
Sanitize the data retrieved from the database before inserting it into the HTML response to prevent XSS attacks.
🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, which helps prevent XSS by ensuring that any HTML tags or scripts are treated as plain text rather than executable code.5.
Views/Forms/HR/OnDutyFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code directly assigns data retrieved from the database to
spanTitle.InnerHtmlwithout sanitization. This can lead to Cross-Site Scripting (XSS) if the data contains malicious scripts.🔸 Recommended Fix
Sanitize the data before assigning it to
InnerHtmlto prevent the execution of any injected scripts.🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, preventing any scripts from being executed. This ensures that any potentially malicious content is rendered as text rather than executed as code.6.
Views/Forms/HR/OvertimeFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
UIDvalue is concatenated directly into the SQL string.🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodeensures that any HTML special characters are encoded, preventing XSS attacks.SqlParameterprevents SQL Injection by treating user inputs as data rather than executable code.7.
Views/Forms/MicroFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code retrieves data from the database and directly assigns it to an HTML property (
lay-tips) without proper sanitization. This can lead to Cross-Site Scripting (XSS) vulnerabilities if the data contains malicious scripts.🔸 Recommended Fix
Sanitize the data retrieved from the database before assigning it to the HTML property to prevent execution of any embedded scripts.
🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to ensure that any potentially harmful characters in theQueryBaseDescriptionare encoded, thereby preventing script execution.8.
Views/Forms/SysFormList.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code directly assigns HTML content to
divScript.InnerHtmlusing data retrieved from the database without sanitization, which can lead to Cross-Site Scripting (XSS) vulnerabilities.🔸 Recommended Fix
Sanitize the HTML content before assigning it to
divScript.InnerHtmlto prevent any malicious scripts from being executed.🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, which helps prevent XSS by converting special characters to their HTML-encoded equivalents. This ensures that any potentially harmful scripts are not executed in the user's browser.9.
Views/Info/GlobalTips.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to Cross-Site Scripting (XSS) because it directly inserts data from the database into the HTML response without proper sanitization. Specifically, the
InfoClassName,InfoID, andTitlefields are directly embedded into the HTML.🔸 Recommended Fix
Properly encode the output before embedding it into the HTML to prevent XSS attacks. This can be done using
HttpUtility.HtmlEncodeto ensure that any HTML tags are rendered harmless.🔸 Additional Notes
The use of
HttpUtility.HtmlEncodeensures that any potentially malicious HTML or script content is safely encoded, preventing it from being executed in the browser. This is a crucial step in mitigating XSS vulnerabilities.10.
Views/Set/HR/Users.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection vulnerabilities due to unsanitized input being directly used in SQL queries. Additionally, there is a potential XSS vulnerability as unsanitized data from the database is used in HTML content.
🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodehelps prevent XSS by encoding potentially dangerous characters before they are rendered in the HTML.SqlParameterprevents SQL Injection by ensuring that user inputs are treated as data rather than executable code.11.
Views/Set/Navigation.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code directly assigns HTML content to
divScript.InnerHtmlusing data from a database without sanitization. This can lead to Cross-Site Scripting (XSS) if the data contains malicious scripts.🔸 Recommended Fix
Sanitize the HTML content before assigning it to
divScript.InnerHtmlto prevent the execution of any embedded scripts.🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to encode the HTML content, which converts characters that have special meanings in HTML into their corresponding HTML entities, thus preventing the execution of any embedded scripts.12.
Views/Stats/Attendance/UserOnDuty.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodeensures that any data being output to HTML is properly encoded, mitigating XSS risks.13.
Views/Stats/Attendance/UserOvertime.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
🔸 Recommended Fix
🔸 Additional Notes
HttpUtility.HtmlEncodeto sanitize data before embedding it into HTML, preventing XSS.MicroDBHelper.MsSQLDbHelper.Querymethod supports parameterized queries. If not, consider using a different method or library that does.14.
Views/UserCenter/Users.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code retrieves data from the database and directly injects it into the HTML response without proper sanitization. This can lead to Cross-Site Scripting (XSS) vulnerabilities if the data contains malicious scripts.
🔸 Recommended Fix
Implement proper output encoding or sanitization for any data that is inserted into the HTML response to prevent XSS attacks.
🔸 Additional Notes
The
HttpUtility.HtmlEncodemethod is used to ensure that any potentially dangerous characters are encoded before being inserted into the HTML response, thus mitigating the risk of XSS attacks.15.
Views/Stats/Attendance/Js/UserOnDuty.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code uses
eval()to execute a string as JavaScript code. This can lead to code injection if the string contains untrusted data.🔸 Recommended Fix
Avoid using
eval()and instead use safer alternatives such as JSON parsing or other structured data handling methods.🔸 Additional Notes
The use of
eval()was replaced with direct object handling to prevent the execution of arbitrary code. This change ensures that the code is safer and less prone to injection attacks.16.
layuiadmin/lib/extend/micro.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a potential code injection vulnerability due to the use of
eval()on data received from an AJAX request. Theeval()function executes the string as JavaScript code, which can be exploited if the data is manipulated by an attacker.🔸 Recommended Fix
Avoid using
eval()to execute code from untrusted sources. Instead, use safer alternatives likeJSON.parse()for parsing JSON data or refactor the logic to avoid the need for dynamic code execution.🔸 Additional Notes
The use of
new Function(data)()is a safer alternative toeval()as it creates a new function and executes it in a local scope, reducing the risk of unintended code execution. However, it is still recommended to avoid executing dynamically generated code when possible.17.
Views/Forms/HR/Js/LeaveForm.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to a DOM-based Cross-Site Scripting (DOMXSS) attack because it directly inserts unsanitized data from a remote resource into the HTML using jQuery's
.html()method.🔸 Recommended Fix
Sanitize the data before inserting it into the HTML to prevent the execution of any malicious scripts. This can be done by escaping HTML special characters.
🔸 Additional Notes
The
escapeHtmlfunction is added to sanitize the data before inserting it into the HTML. This function escapes HTML special characters to prevent the execution of any injected scripts.18.
Resource/fullcalendar/examples/google-calendar.html🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains a hardcoded Google API key, which is a sensitive piece of information that should not be exposed in the source code.
🔸 Recommended Fix
Remove the hardcoded API key from the source code and retrieve it securely from an environment variable or a secure configuration file.
🔸 Additional Notes
Ensure that the environment variable
GOOGLE_CALENDAR_API_KEYis set in the environment where this code is running. This change assumes that the environment supports server-side rendering or a build process that can inject environment variables into the client-side code.19.
Resource/Js/Admin.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains an Open Redirect vulnerability due to unsanitized input from
window.document.location.hrefbeing used directly inwindow.location.replace(). This can allow attackers to redirect users to malicious sites.🔸 Recommended Fix
Validate and sanitize the URL before using it in
window.location.replace(). Ensure that only URLs within the same domain or a whitelist of domains are allowed.🔸 Additional Notes
The fix ensures that the redirection only occurs if the current URL starts with the root path, preventing redirection to external sites. This is a basic validation and can be further enhanced by implementing a more comprehensive whitelist of allowed domains if necessary.
20.
Scripts/WebForms/SmartNav.js🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains an Open Redirect vulnerability where unsanitized input from
document.location.hrefis used to setwindow.location, potentially allowing an attacker to redirect users to malicious sites.🔸 Recommended Fix
Validate and sanitize the URL before using it to set
window.location.🔸 Additional Notes
The fix involves creating a new URL object to ensure that the URL is properly formatted and originates from the same origin as the current document, mitigating the risk of open redirects.
21.
App_Code/MicroApprovalHelper.cs🧩 SAST Analysis Summary
22.
App_Code/MicroFormHelper.cs🧩 SAST Analysis Summary
23.
App_Code/MicroWorkFlowHelper.cs🧩 SAST Analysis Summary
24.
Views/Info/Detail.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains an SQL Injection vulnerability due to the construction of SQL queries using unsanitized input. The specific issue is with the SQL query that retrieves user roles, job titles, and departments using the
UIDdirectly in the query string without parameterization.🔸 Recommended Fix
Use parameterized queries to safely include user input in SQL statements. This involves using
SqlParameterobjects to pass theUIDvalue to the SQL query, preventing SQL injection attacks.🔸 Additional Notes
It's crucial to consistently use parameterized queries throughout the application to prevent SQL injection vulnerabilities. This change ensures that user input is safely handled, reducing the risk of SQL injection attacks.
25.
Views/Info/List.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection vulnerabilities due to unsanitized input being directly used in SQL queries. This can allow attackers to manipulate the queries by injecting malicious SQL code.
🔸 Recommended Fix
Use parameterized queries to prevent SQL injection by ensuring that user inputs are properly sanitized before being included in SQL statements.
🔸 Additional Notes
The code now uses parameterized queries to prevent SQL injection vulnerabilities. This ensures that user inputs are properly sanitized before being included in SQL statements.
26.
App_Code/MicroDTHelper.cs🧩 SAST Analysis Summary
27.
App_Code/MicroHRHelper.cs🧩 SAST Analysis Summary
28.
App_Code/MicroLdapHelper.cs🧩 SAST Analysis Summary
29.
App_Code/MicroPrivateHelper.cs🧩 SAST Analysis Summary
30.
Views/Default.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code constructs an SQL query by directly concatenating the
UIDvariable into the query string. This can lead to SQL Injection if theUIDis manipulated by an attacker.🔸 Recommended Fix
Use parameterized queries to safely pass the
UIDvariable to the SQL query, ensuring that it is treated as a parameter rather than part of the SQL command.🔸 Additional Notes
The changes ensure that the
UIDis passed as a parameter in the SQL query, which mitigates the risk of SQL Injection. This approach should be consistently applied to all dynamic SQL queries within the application.31.
Views/Forms/MicroFormApproval.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection vulnerabilities due to unsanitized input being used directly in SQL queries. Specifically, the
FormsIDsvariable is being concatenated into the SQL query string without proper sanitization or parameterization.🔸 Recommended Fix
Use parameterized queries to safely include user input in SQL statements. This approach prevents SQL injection by separating SQL code from data.
🔸 Additional Notes
The code has been modified to use parameterized queries for the SQL statements that involve user input. This change helps mitigate the risk of SQL injection attacks by ensuring that user input is treated as data rather than executable code.
32.
Views/Home/Console.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection vulnerabilities due to unsanitized input being directly concatenated into SQL queries. This occurs when user input, such as the
UIDvariable, is directly used in SQL statements without proper sanitization or parameterization.🔸 Recommended Fix
Use parameterized queries to prevent SQL Injection. This involves using SQL parameters instead of directly concatenating user input into the SQL query strings.
🔸 Additional Notes
The changes made involve replacing direct concatenation of the
UIDvariable into SQL queries with parameterized queries usingSqlParameter. This approach helps prevent SQL Injection attacks by treating user input as data rather than executable code.33.
Views/Home/PendingMyApproval.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code is vulnerable to SQL Injection due to unsanitized input being directly concatenated into SQL queries. Specifically, the
FCIDandFormIDparameters are concatenated into SQL statements without proper sanitization or parameterization.🔸 Recommended Fix
Use parameterized queries to safely include user input in SQL statements. This prevents SQL injection by separating SQL code from data.
🔸 Additional Notes
The use of parameterized queries helps protect against SQL injection by ensuring that user input is treated as data rather than executable code. This is a critical security measure for any application that interacts with a database.
34.
Views/Stats/General.aspx.cs🧩 SAST Analysis Summary
📝 LLM Analysis
🔸 Vulnerability Description
The code contains SQL Injection vulnerabilities due to unsanitized input being used directly in SQL queries. Specifically, the
ShiftTypeIDandOvertimeMealIDare concatenated directly into SQL strings without proper sanitization or parameterization.🔸 Recommended Fix
Use parameterized queries to safely include user input in SQL commands. This involves replacing direct string concatenation with SQL parameters.
🔸 Additional Notes
The changes involve using SQL parameters to safely include
OvertimeMealIDandShiftTypeIDin the SQL queries, thereby mitigating the risk of SQL Injection.🛠 Fix Summary
All identified vulnerabilities have been remediated following security best practices such as parameterized queries and proper input validation. Please refer to the diff tab for detailed code changes.
If you have questions or feedback regarding this automated patch, feel free to reach out via AutoFiC GitHub.