fix(component): sanitized and encoded config request parameters in post-internet-header to prevent injection

[alionazherdetska]

📄 Description

Addressed a potential injection vulnerability in the Internet Header's config.json request mechanism by validating and encoding the input parameters (projectId, environment, and version).

📝 Checklist

• ✅ My code follows the style guidelines of this project
• 🛠️ I have performed a self-review of my own code
• 📄 I have made corresponding changes to the documentation
• ⚠️ My changes generate no new warnings or errors
• 🧪 I have added tests that prove my fix is effective or that my feature works
• ✔️ New and existing unit tests pass locally with my changes

[changeset-bot]

⚠️ No Changeset found

Latest commit: b918701

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[swisspost-bot]

Related Previews

• https://preview-5281--swisspost-design-system.netlify.app

[gfellerph]

Please add a test case where a "malicious" or invalid payload is trying to modify the URL of the config request where we can see that these changes are preventing the malicious request from being sent. I think it will be valuable in the future to understand the methods used to manipulate the config requests so we can react to them not only in the header, but in other places where we send requests based on properties on a web component.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate failed

Failed conditions
2 Security Hotspots

See analysis details on SonarQube Cloud

[alizedebray]

If you give a default value to the parameter of the handleEnvironmentChange function like so:

  handleEnvironmentChange(newValue = this.environment) {

You can completely reuse it in the componentWillLoad, intead of duplicating the error message:

Suggested change

	if (!this.isValidEnvironment(this.environment)) {
	throw new Error(
	`Internet Header environment "${this.environment}" is not valid. Please use one of: ${PostInternetHeader.VALID_ENVIRONMENTS.join(', ')}`
	);
	}
	this.handleEnvironmentChange();

It's usually how we do it in our components, here the example of the post-banner:
https://github.com/swisspost/design-system/blob/main/packages/components/src/components/post-banner/post-banner.tsx#L87

[gfellerph]

@alionazherdetska I think we need to quickly sync on this PR. Generally, it might be easier to validate the params just before sending the request and not in the whole lifecycle.

[gfellerph]

Solid suite of tests!

[gfellerph]

I don't think this check is effective here. The packageJson.version imported from the actual package.json file cannot be manipulated. I think the issue here is, that after the initial render with the correct version, the version is tampered with and when analytics grabs the value, it grabs the tampered value. Not really an issue for us after all and certainly not something we could fix. Should we revert the changes here to keep code simpler?

[gfellerph]

Empty constructors are not necessary. Please remove this.

Suggested change

constructor() {}

[gfellerph]

A project change requires a page reload (and is not a real scenario, since one project only ever has one project id). Throwing an error here might suggest that changing project id on the fly is supported. I'd remove this check.

[gfellerph]

Possibly not needed since we can't really validate the version at the right time.