
Quick Fix Guide - Critical Security Issues

🔴 CRITICAL: Fix These Immediately

1. XSS Vulnerability Fix

File: src/utils/customFunctions/TextLimit.js

Install sanitization library:

npm install isomorphic-dompurify

Replace the sanitizeAndTrustHtml function. Keep DOMPurify's default configuration unless you have a specific need: it strips scripts, event-handler attributes and `javascript:` URLs. Sanitization only helps for HTML that goes through this helper — audit every `dangerouslySetInnerHTML` call site and route each one through it.

import DOMPurify from 'isomorphic-dompurify';

/**
 * Sanitize untrusted HTML and wrap it in the shape `dangerouslySetInnerHTML` expects.
 *
 * Uses DOMPurify's default profile (no custom config), so scripts, inline event
 * handlers and `javascript:` URLs are removed. This is the single trust boundary
 * for rendered HTML: markup that bypasses this helper is NOT protected.
 *
 * @param {string} htmlString raw HTML from an untrusted source (API payload, user content)
 * @returns {{ __html: string }} sanitized markup ready for `dangerouslySetInnerHTML`
 */
const sanitizeAndTrustHtml = (htmlString) => {
  const cleanHtml = DOMPurify.sanitize(htmlString);
  return { __html: cleanHtml };
};

2. Implement Middleware Authentication

File: src/middleware.js

Replace with the following. Note what this does and does not do: it checks only that the `uat` cookie is *present*, it does not verify the token, so a fabricated cookie value passes the redirect check. Treat it as a navigation guard for the UI; every API endpoint and server action must still validate the token itself.

import { NextResponse } from 'next/server';

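// Leading locale segment the app router puts on every route (see src/app/[lng]/layout.js),
// e.g. "/en/dashboard". Assumes two-letter codes, optionally "-XX" — TODO confirm against
// the i18n settings.
const LOCALE_PREFIX = /^\/[a-z]{2}(?:-[A-Za-z]{2})?(?=\/|$)/;

// Routes reachable without a session cookie (compared after the locale is stripped).
const PUBLIC_ROUTES = ['/auth/login', '/auth/register', '/auth/forgot-password'];

// True when `pathname` is exactly `route` or a sub-path of it. Segment-aware on
// purpose: the previous `pathname.includes(route)` treated any path that merely
// contained "/auth/login" (e.g. "/en/product/auth/login-history") as public.
const matchesRoute = (pathname, route) =>
  pathname === route || pathname.startsWith(`${route}/`);

/**
 * Route guard: send anonymous users to login, and logged-in users away from login.
 *
 * SECURITY NOTE: this only checks that the `uat` cookie EXISTS. It does not verify
 * the token's signature or expiry, so a forged cookie passes this check. It is a UX
 * redirect, not authorization — APIs and server actions must validate the token.
 *
 * @param {import('next/server').NextRequest} request incoming request
 * @returns {Promise<import('next/server').NextResponse>} redirect or pass-through
 */
export async function middleware(request) {
  const token = request.cookies.get('uat')?.value;
  const { pathname } = request.nextUrl;

  // Redirect back into the caller's locale; fall back to the previous hard-coded "/en".
  const localePrefix = pathname.match(LOCALE_PREFIX)?.[0] ?? '/en';
  const routePath = pathname.replace(LOCALE_PREFIX, '') || '/';

  const isPublicRoute = PUBLIC_ROUTES.some((route) => matchesRoute(routePath, route));

  if (!token && !isPublicRoute) {
    return NextResponse.redirect(new URL(`${localePrefix}/auth/login`, request.url));
  }

  if (token && matchesRoute(routePath, '/auth/login')) {
    return NextResponse.redirect(new URL(`${localePrefix}/dashboard`, request.url));
  }

  return NextResponse.next();
}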

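/**
 * Paths the middleware runs on.
 *
 * Deny-by-default: run on every path except framework internals, well-known
 * static files and `/api`. The previous explicit allowlist of protected prefixes
 * had two problems: a route added later stayed unprotected until someone
 * remembered to list it, and the entries carried no locale prefix although pages
 * live under `src/app/[lng]/` (e.g. "/en/dashboard"), so they likely never
 * matched the real paths.
 *
 * `/api` is excluded on the assumption that API handlers validate the token
 * themselves (the old list did not cover them either) — TODO confirm; remove it
 * from the exclusion if any route handler relies on this middleware.
 */
export const config = {
  matcher: ['/((?!api|_next/static|_next/image|favicon.ico|sitemap.xml|robots.txt).*)'],
};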

3. Update .gitignore

File: .gitignore

Replace with:

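# Dependencies
node_modules/
/.pnp
.pnp.js

# Testing
/coverage

# Next.js
/.next/
/out/

# Production
/build

# Debug
npm-debug.log*
yarn-debug.log*
yarn-error.log*

# Local env files.
# `.env*.local` alone does not cover `.env.production` / `.env.development`,
# so ignore every `.env` variant and re-include only the secret-free template
# (rename `.env.example` to whatever template the project actually ships).
.env
.env.*
.env*.local
!.env.example

# Private keys and certificates
*.pem
*.key
*.p12
*.pfx

# Vercel
.vercel

# TypeScript
*.tsbuildinfo
next-env.d.ts

# IDE
.vscode/
.idea/
*.swp
*.swo
*~

# OS
.DS_Store
Thumbs.db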

4. Enable React Strict Mode

File: next.config.js

Change (note: React Strict Mode is a development-time aid — it double-invokes render/effects and warns about unsafe lifecycle patterns; it is inert in production builds and is not itself a security control):

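// Baseline browser-hardening headers applied to every response.
// A Content-Security-Policy is deliberately not included here: it has to be tuned
// to the app's script/style/image origins, otherwise it breaks the UI. Add one
// once those sources are inventoried. Consider `Strict-Transport-Security` as
// well once the deployment is confirmed HTTPS-only.
const SECURITY_HEADERS = [
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  // Use SAMEORIGIN instead if the admin UI is legitimately embedded in a frame.
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

/**
 * Next.js configuration — security-relevant keys only; merge with the existing
 * options where "rest of config" is marked.
 *
 * - `reactStrictMode`: development aid that surfaces unsafe patterns (no effect on
 *   production bundles; not a security control).
 * - `poweredByHeader: false`: drops the `X-Powered-By: Next.js` banner.
 * - `headers()`: attaches SECURITY_HEADERS to every route.
 */
const nextConfig = {
  reactStrictMode: true,
  poweredByHeader: false,
  async headers() {
    return [{ source: '/(.*)', headers: SECURITY_HEADERS }];
  },
  // ... rest of config
};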

5. Fix Axios Error Handling

File: src/utils/axiosUtils/index.js

Replace the onError function:

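/**
 * Axios response-error interceptor.
 *
 * Maps auth-related HTTP statuses to navigation side effects and ALWAYS
 * re-rejects, so every caller's `catch`/`await` still sees the failure.
 *
 * `router` is assumed to be module-scoped in this file (not shown here) —
 * TODO confirm; `router?.push` tolerates it being null, not undeclared.
 *
 * @param {import('axios').AxiosError} error failed request; `error.response` is
 *   undefined for network errors/timeouts, hence the optional chaining.
 * @returns {Promise<never>} rejected with the original error, untouched.
 */
const onError = (error) => {
  const status = error?.response?.status;

  if (status === 401) {
    // Unauthorized: drop the session cookie and send the user to login.
    // NOTE(review): clearing from JS only works because `uat` is NOT HttpOnly,
    // which also means any XSS can read and exfiltrate the token. The proper fix
    // is an HttpOnly, Secure, SameSite cookie set and cleared by the backend
    // (logout endpoint); this line then becomes a no-op and can go.
    // Guarded so the interceptor is safe if it ever runs during SSR.
    if (typeof document !== 'undefined') {
      document.cookie = 'uat=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
    }
    router?.push("/en/auth/login");
  } else if (status === 403) {
    // Forbidden: authenticated but not permitted for this resource.
    router?.push("/en/403");
  }

  // Always reject so calling code can handle the failure itself.
  return Promise.reject(error);
};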

6. Remove Console Statements

Files to update:

  1. src/components/product/DateRangePicker.js:35

    • Remove: console.log('Date range error handled:', error.message);
  2. src/components/role/PermissionForm.js:19

    • Remove: console.log(errors[0]?.message);
    • Replace with proper error handling: surface the validation message to the user (form error or toast) instead of logging it
  3. src/app/[lng]/layout.js:7

    • Remove: console.log("err", err)
    • Replace with proper error handling: report it to the error-monitoring service from the deployment checklist rather than the browser console, which exposes internal error details in production

7. Fix GetCookie Function

File: src/utils/customFunctions/GetCookie.js

Replace with:

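/**
 * Read a single cookie value from `document.cookie`.
 *
 * Safe on the server (returns "" when `document` is undefined) and robust to
 * odd values: each value is decoded individually, so an encoded `%3B` inside one
 * cookie no longer splits the list (the previous version decoded the whole
 * string before splitting on ";"), and a malformed percent-escape — which makes
 * `decodeURIComponent` throw URIError — falls back to the raw value instead of
 * crashing every caller.
 *
 * NOTE(review): anything readable here is readable by injected scripts too.
 * Session tokens should be HttpOnly and should never need this helper.
 *
 * @param {string} cname cookie name (exact, case-sensitive match)
 * @returns {string} decoded value, or "" when absent or when running server-side
 */
export default function getCookie(cname) {
  if (typeof document === 'undefined') return '';

  for (const pair of document.cookie.split(';')) {
    const entry = pair.trim();
    const eq = entry.indexOf('=');
    if (eq === -1 || entry.slice(0, eq) !== cname) continue;

    const rawValue = entry.slice(eq + 1);
    try {
      return decodeURIComponent(rawValue);
    } catch {
      // Malformed escape sequence: hand back as-is rather than throw.
      return rawValue;
    }
  }
  return '';
}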

/**
 * Whether a non-empty `username` cookie is present.
 *
 * NOTE(review): this is a client-side convenience ("does the UI think someone is
 * logged in"), not an authentication check — any script or user can set this
 * cookie. Do not gate anything sensitive on it.
 *
 * @returns {boolean} true when the cookie exists and is not the empty string
 */
export function checkCookie() {
  const username = getCookie("username");
  return Boolean(username) && username !== "";
}

🔧 Automated Fix Script

Create a file scripts/fix-equality.sh:

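#!/usr/bin/env bash
# Replace loose equality operators (==, !=) with strict ones (===, !==) under src/.
# Run with: bash scripts/fix-equality.sh
#
# Caveats — always review `git diff` before committing:
#   * This is a textual rewrite. It also rewrites `==` / `!=` inside string
#     literals, template literals, regexes and comments.
#   * `x == null` intentionally matches both null and undefined; after the
#     rewrite `x === null` no longer matches undefined, so behaviour changes.
#   * If the project's lint setup allows it, prefer `eslint --fix` with the
#     `eqeqeq` rule: it understands the syntax and skips strings and comments.
set -euo pipefail

# Refuse to run over uncommitted work so the rewrite can be reviewed in isolation.
if git rev-parse --is-inside-work-tree >/dev/null 2>&1 && ! git diff --quiet -- src; then
  echo "src/ has uncommitted changes; commit or stash them first." >&2
  exit 1
fi

echo "Fixing loose equality operators..."

# `-i.SUFFIX` works with both GNU and BSD sed (bare `sed -i` is GNU-only).
# The patterns only match a `==` that is not already part of `===` / `!==`
# (not preceded by `=` or `!`, not followed by `=`) and a `!=` not followed by `=`,
# so the script is idempotent. The previous `s/(==/===/` and `s/==)/===/` forms
# dropped the parenthesis and turned `(===` into `====`.
find src -type f \( -name '*.js' -o -name '*.jsx' \) -print0 \
  | xargs -0 sed -i.eqfix.bak \
      -e 's/\([^=!]\)==\([^=]\)/\1===\2/g' \
      -e 's/!=\([^=]\)/!==\1/g'

# Drop only the backups this script created.
find src -type f -name '*.eqfix.bak' -delete

echo "Done! Please review changes before committing."
echo "Run 'git diff' to see what changed."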

Usage:

chmod +x scripts/fix-equality.sh
./scripts/fix-equality.sh

⚠️ Warning: Review all changes carefully. The script is a textual rewrite: it also changes `==` inside strings, regexes and comments, and it converts the idiomatic `x == null` (which matches both `null` and `undefined`) into `x === null`, which no longer matches `undefined` — check every such site by hand.


📋 Verification Checklist

After applying fixes, verify:

  • XSS vulnerability fixed (test with a payload that does not rely on `<script>`, e.g. `<img src=x onerror=alert(1)>` and `<a href="javascript:alert(1)">x</a>`, and confirm the handler and URL are stripped)
  • Middleware redirects unauthenticated users — and, because the middleware only checks that the `uat` cookie exists, confirm separately that a request carrying an arbitrary `uat` value is still rejected by the backend API
  • .gitignore prevents committing sensitive files
  • React Strict Mode enabled (check for warnings)
  • Axios properly rejects errors
  • No console statements in production code
  • All equality operators are strict (===, !==)
  • Application still functions correctly
  • Run npm run lint and fix any errors
  • Test authentication flow
  • Test permission-based routing

🚀 Deployment Checklist

Before deploying to production:

  • All critical fixes applied
  • Environment variables properly configured
  • .env files not committed to git (verify with `git ls-files | grep -i '\.env'`; if a secret-bearing file was ever committed, rotate the secrets it held — deleting it from the working tree does not remove it from history)
  • Build succeeds without errors
  • No console warnings in production build
  • Security headers configured
  • HTTPS enabled
  • Rate limiting implemented
  • Error monitoring setup (Sentry, etc.)
  • Backup strategy in place

📞 Support

If you encounter issues while applying these fixes:

  1. Check the full CODE_REVIEW.md for detailed explanations
  2. Test each fix individually
  3. Use git to track changes and revert if needed
  4. Consider creating a feature branch for these fixes

Last Updated: January 2026