# Quick Fix Guide - Critical Security Issues
|
|
|
|
## 🔴 CRITICAL: Fix These Immediately
|
|
|
|
### 1. XSS Vulnerability Fix
|
|
|
|
**File:** `src/utils/customFunctions/TextLimit.js`
|
|
|
|
**Install sanitization library:**
|
|
```bash
|
|
npm install isomorphic-dompurify
|
|
```
|
|
|
|
**Replace the `sanitizeAndTrustHtml` function** (sanitize the exact string that is about to be rendered, on every render — not once at save time, since other write paths can change stored content later; DOMPurify's defaults strip scripts, event-handler attributes and `javascript:` URLs but still allow most formatting markup, so pass `ALLOWED_TAGS`/`ALLOWED_ATTR` if only basic formatting is needed, and pair it with a Content-Security-Policy as defence in depth):
|
|
```javascript
|
|
import DOMPurify from 'isomorphic-dompurify';
|
|
|
|
/**
 * Sanitize untrusted HTML and wrap it in the object shape that React's
 * `dangerouslySetInnerHTML` expects.
 *
 * Call this on the exact string being rendered, every render — sanitizing only
 * at save time leaves every other write path unprotected. DOMPurify's default
 * profile removes scripts, event-handler attributes and `javascript:` URLs but
 * keeps most formatting tags; supply an `ALLOWED_TAGS` / `ALLOWED_ATTR` config
 * if the content only ever needs a small subset.
 *
 * @param {string} htmlString - raw, untrusted markup
 * @returns {{ __html: string }} sanitized markup for `dangerouslySetInnerHTML`
 */
const sanitizeAndTrustHtml = (htmlString) => {
  const cleanHtml = DOMPurify.sanitize(htmlString);
  return { __html: cleanHtml };
};
|
|
```
|
|
|
|
---
|
|
|
|
### 2. Implement Middleware Authentication Redirects
|
|
|
|
**File:** `src/middleware.js`
|
|
|
|
**Replace with** the following. This middleware only checks that a `uat` cookie is *present*; it never verifies the token's value, so it keeps unauthenticated visitors off protected pages but is not authorization — every API route and server component that returns protected data must still validate the token on each request:
|
|
```javascript
|
|
import { NextResponse } from 'next/server';
|
|
|
|
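// Routes that require a session cookie, written in the same path-to-regexp style
// the previous `config.matcher` used: a `/:path*` suffix protects the base path
// and everything under it, a bare entry protects that exact path only (`/role/`
// and `/role` are treated alike). `/dashboard` and `/theme/denver` from the old
// list are already covered by their `/:path*` siblings. Both `/vendore_wallet`
// and `/vendor_wallet` are kept — TODO(review): confirm which spelling the app routes.
const PROTECTED_ROUTES = [
  "/",
  "/account",
  "/attachment/:path*",
  "/attribute/:path*",
  "/auth/:path*",
  "/blog/:path*",
  "/category/:path*",
  "/checkout",
  "/commission_history",
  "/coupon/:path*",
  "/currency/:path*",
  "/dashboard/:path*",
  "/faq/:path*",
  "/notification/:path*",
  "/order/:path*",
  "/page/:path*",
  "/payment_account/:path*",
  "/point/:path*",
  "/product/:path*",
  "/refund",
  "/review/:path*",
  "/role/",
  "/setting/:path*",
  "/shipping/:path*",
  "/store/:path*",
  "/tag/:path*",
  "/tax/:path*",
  "/theme/:path*",
  "/theme_option/:path*",
  "/user/:path*",
  "/vendore_wallet/:path*",
  "/wallet/:path*",
  "/withdraw_request/:path*",
  "/vendor_wallet/:path*",
  "/notifications",
  "/qna",
];

// Pages reachable without a session.
const PUBLIC_ROUTES = ['/auth/login', '/auth/register', '/auth/forgot-password'];

// Leading locale segment as produced by src/app/[lng]/ (`/en`, `/pt-BR`).
// NOTE(review): assumes a two-letter language code with an optional region;
// confirm against the app's i18n configuration. A two-letter top-level route
// would be mistaken for a locale.
const LOCALE_RE = /^\/([a-z]{2}(?:-[A-Z]{2})?)(?=\/|$)/;

/**
 * Split `/en/dashboard` into `{ locale: 'en', path: '/dashboard' }`.
 * Paths without a locale segment are returned unchanged with locale `en`,
 * which is what the previous version hard-coded into its redirects.
 */
function splitLocale(pathname) {
  const match = LOCALE_RE.exec(pathname);
  if (!match) return { locale: 'en', path: pathname };
  const rest = pathname.slice(match[0].length);
  // `/en` and `/en/` are the locale root; treat them like `/`, which is protected.
  return { locale: match[1], path: rest === '' ? '/' : rest };
}

/** Path equality that ignores one trailing slash (`/role/` equals `/role`). */
function samePath(a, b) {
  const strip = (p) => (p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p);
  return strip(a) === strip(b);
}

/**
 * True when `path` is `base` itself or lives under it. This is a segment-aware
 * prefix test: the previous `pathname.includes(route)` was a substring test, so
 * any path that merely contained `/auth/login` (e.g. `/dashboard/auth/login`)
 * counted as public and skipped the redirect.
 */
function hasPrefix(path, base) {
  return path === base || path.startsWith(`${base}/`);
}

/** Does `path` (locale already removed) match one PROTECTED_ROUTES entry? */
function matchesRoute(path, pattern) {
  const wildcard = '/:path*';
  if (pattern.endsWith(wildcard)) {
    return hasPrefix(path, pattern.slice(0, -wildcard.length));
  }
  return samePath(path, pattern);
}

/**
 * Route gate: sends visitors without a session cookie to the login page and
 * keeps visitors that have one off the login page.
 *
 * SECURITY NOTE: this only checks that a cookie named `uat` is PRESENT. It does
 * not verify the value (signature, expiry, revocation), so a client that sets
 * `uat=anything` passes this gate. Every API route and server component that
 * serves protected data must validate the token itself; this is UX, not
 * authorization.
 *
 * Locale handling: the app serves pages under `/[lng]/...` (see the
 * `/en/...` redirect targets and `src/app/[lng]/layout.js`). The previous
 * matcher listed `/dashboard` etc. without that segment, so as far as this
 * guide shows `/en/dashboard` never reached the middleware at all. The path is
 * now matched with the locale stripped, and redirects reuse the visitor's
 * locale instead of hard-coding `/en`.
 *
 * @param {import('next/server').NextRequest} request
 * @returns {Promise<import('next/server').NextResponse>}
 */
export async function middleware(request) {
  const token = request.cookies.get('uat')?.value;
  const { pathname } = request.nextUrl;
  const { locale, path } = splitLocale(pathname);

  const isPublicRoute = PUBLIC_ROUTES.some((route) => hasPrefix(path, route));
  const isProtectedRoute = PROTECTED_ROUTES.some((route) => matchesRoute(path, route));

  // No session on a protected page: go to login. Relative target + request.url
  // keeps this redirect on our own origin (no open-redirect surface).
  if (!token && isProtectedRoute && !isPublicRoute) {
    const loginUrl = new URL(`/${locale}/auth/login`, request.url);
    return NextResponse.redirect(loginUrl);
  }

  // Already has a session and is on the login page: go to the dashboard.
  if (token && hasPrefix(path, '/auth/login')) {
    const dashboardUrl = new URL(`/${locale}/dashboard`, request.url);
    return NextResponse.redirect(dashboardUrl);
  }

  return NextResponse.next();
}

export const config = {
  // Run on every page request except Next.js internals and the favicon, and let
  // `middleware` decide per path via PROTECTED_ROUTES. Listing locale-less
  // literal paths here (the previous approach) silently excluded `/en/...` URLs.
  // `/api` is excluded as before; API handlers must do their own token checks.
  matcher: ['/((?!api|_next/static|_next/image|favicon.ico).*)'],
};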
|
|
```
|
|
|
|
---
|
|
|
|
### 3. Update .gitignore
|
|
|
|
**File:** `.gitignore`
|
|
|
|
**Replace with** the following. Note that `.gitignore` only stops *new* files from being added: anything already tracked (check with `git ls-files -- '.env*' '*.pem'`) must be removed with `git rm --cached <file>` and committed, and any secret that ever reached the repository should be rotated, because it remains in history:
|
|
```gitignore
|
|
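# Dependencies
node_modules/
/.pnp
.pnp.js

# Testing
/coverage

# Next.js
/.next/
/out/

# Production
/build

# Debug
npm-debug.log*
yarn-debug.log*
yarn-error.log*
pnpm-debug.log*

# Local env files — anything that may hold secrets. `.env.*` also covers the
# non-`.local` variants (`.env.production`, `.env.staging`). Keep a committed
# `.env.example` with variable NAMES only so the required config stays documented.
.env
.env.*
.env*.local
!.env.example

# Private keys and certificates. Ignoring a file does not remove it from history:
# if any of these were ever committed, rotate them and `git rm --cached` the file.
*.pem
*.key
*.p12
*.pfx

# Vercel
.vercel

# TypeScript
*.tsbuildinfo
next-env.d.ts

# IDE
.vscode/
.idea/
*.swp
*.swo
*~

# OS
.DS_Store
Thumbs.db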
|
|
```
|
|
|
|
---
|
|
|
|
### 4. Enable React Strict Mode
|
|
|
|
**File:** `next.config.js`
|
|
|
|
**Change** (note: React Strict Mode is a development-only diagnostic — it has no effect on the production build and is not a security control, so treat this item as hygiene rather than a critical fix):
|
|
```javascript
|
|
// Next.js configuration. `reactStrictMode` is a development-only diagnostic:
// it does not alter the production bundle and is not a security control. The
// "security headers" item on the deployment checklist belongs in a `headers()`
// entry of this object, not in this flag.
const nextConfig = {
  // ... rest of config
  reactStrictMode: true, // ✅ enabled
};
|
|
```
|
|
|
|
---
|
|
|
|
### 5. Fix Axios Error Handling
|
|
|
|
**File:** `src/utils/axiosUtils/index.js`
|
|
|
|
**Replace the onError function:**
|
|
```javascript
|
|
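/**
 * Axios response-error interceptor: reacts to authentication failures, then
 * re-throws so the calling code's `catch` / `await` still sees the error.
 *
 * @param {import('axios').AxiosError} error - whatever axios rejected with
 * @returns {Promise<never>} always a rejected promise carrying `error` unchanged
 */
const onError = (error) => {
  const status = error?.response?.status;

  if (status === 401) {
    // Session rejected by the API: drop the client-visible `uat` cookie and go to login.
    //
    // NOTE(review): writing document.cookie only clears a cookie that is NOT
    // HttpOnly — and a session cookie readable from JavaScript is also readable
    // by any injected script (see the XSS fix in this guide). Prefer a server-side
    // logout that clears an `HttpOnly; Secure; SameSite` cookie and keep this as a
    // best-effort client fallback. It also only removes a cookie scoped to `path=/`
    // on the current host; one set with an explicit `Domain` needs that attribute here.
    //
    // Guarded because this module can be evaluated during server rendering, where
    // `document` does not exist and the bare assignment would throw.
    if (typeof document !== 'undefined') {
      document.cookie = 'uat=; expires=Thu, 01 Jan 1970 00:00:00 UTC; path=/;';
    }
    router?.push("/en/auth/login");
  } else if (status === 403) {
    // Authenticated but not permitted for this resource.
    router?.push("/en/403");
  }

  // Never swallow the failure: callers decide how to surface it.
  return Promise.reject(error);
};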
|
|
```
|
|
|
|
---
|
|
|
|
### 6. Remove Console Statements
|
|
|
|
**Files to update:**
|
|
|
|
1. `src/components/product/DateRangePicker.js:35`
|
|
- Remove: `console.log('Date range error handled:', error.message);`
|
|
|
|
2. `src/components/role/PermissionForm.js:19`
|
|
- Remove: `console.log(errors[0]?.message);`
|
|
- Replace with proper error handling
|
|
|
|
3. `src/app/[lng]/layout.js:7`
|
|
- Remove: `console.log("err", err)`
|
|
- Replace with proper error handling or a logging service (whatever replaces it must not log tokens, cookies or personal data)
|
|
|
|
---
|
|
|
|
### 7. Fix GetCookie Function
|
|
|
|
**File:** `src/utils/customFunctions/GetCookie.js`
|
|
|
|
**Replace with:**
|
|
```javascript
|
|
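/**
 * Read one cookie's value from `document.cookie`.
 *
 * The previous version decoded the entire cookie string before splitting it,
 * which had two consequences:
 *  - a malformed percent-escape in ANY cookie (including one set by a
 *    third-party script) made `decodeURIComponent` throw, so every cookie
 *    read — the session token included — failed;
 *  - an encoded `%3B` inside one value became a `;` and was mistaken for a
 *    cookie boundary.
 * Entries are now split first and decoded individually; a value that cannot be
 * decoded is returned raw instead of raising.
 *
 * @param {string} cname - cookie name
 * @returns {string} the decoded value, or "" when the cookie is absent or there
 *   is no DOM (server rendering)
 */
export default function getCookie(cname) {
  if (typeof document === 'undefined') return '';

  const prefix = `${cname}=`;
  for (const rawEntry of document.cookie.split(';')) {
    // Browsers separate cookies with "; " — strip the leading space only, so a
    // value's own trailing whitespace is preserved as before.
    const entry = rawEntry.trimStart();
    if (!entry.startsWith(prefix)) continue;
    const encoded = entry.slice(prefix.length);
    try {
      return decodeURIComponent(encoded);
    } catch {
      // Malformed percent-encoding: surface the raw value rather than throw.
      return encoded;
    }
  }
  return '';
}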
|
|
|
|
/**
 * True when a non-empty `username` cookie is present on the current document.
 * Delegates to getCookie, which yields "" both when the cookie is absent and
 * when there is no DOM (server rendering).
 *
 * @returns {boolean}
 */
export function checkCookie() {
  // getCookie always returns a string, so "" (not set) is the only falsy result.
  return Boolean(getCookie("username"));
}
|
|
```
|
|
|
|
---
|
|
|
|
## 🔧 Automated Fix Script
|
|
|
|
Create a file `scripts/fix-equality.sh`:
|
|
|
|
```bash
|
|
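#!/usr/bin/env bash
# Rewrites loose equality (==, !=) to strict equality (===, !==) in src/**/*.js and *.jsx.
# Run with: bash scripts/fix-equality.sh
#
# This is a blind textual rewrite: it also edits string literals and comments, and it
# cannot tell a deliberate `x == null` (matches both null and undefined) from a mistake.
# Prefer `npx eslint --fix --rule 'eqeqeq: error' src` where the lint autofix applies
# (it only rewrites comparisons it can prove safe), and review `git diff` either way.
set -euo pipefail

# Refuse to run over uncommitted work so the whole rewrite can be reverted with
# `git checkout -- src` if it misfires.
if ! git diff --quiet -- src || ! git diff --cached --quiet -- src; then
  echo "src/ has uncommitted changes; commit or stash them before running this script." >&2
  exit 1
fi

echo "Fixing loose equality operators..."

# One sed pass per file. The bracket classes keep already-strict `===` / `!==` from
# matching (the earlier `s/(==/===/` rule dropped the parenthesis, and a naive
# `(==` -> `(===` would grow an existing `(===` to `(====`). Chained comparisons
# such as `a==b==c` need a second run.
# GNU sed syntax: on macOS use gnu-sed (`gsed`) or `sed -i '' -E ...`.
find src -type f \( -name "*.js" -o -name "*.jsx" \) \
  -exec sed -i -E 's/([^=!<>])==([^=])/\1===\2/g; s/([^=!<>])!=([^=])/\1!==\2/g' {} +

echo "Done! Please review changes before committing."
echo "Run 'git diff' to see what changed."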
|
|
```
|
|
|
|
**Usage:**
|
|
```bash
|
|
chmod +x scripts/fix-equality.sh
|
|
./scripts/fix-equality.sh
|
|
```
|
|
|
|
**⚠️ Warning:** Review all changes carefully — the script is a blind textual rewrite that also edits string literals and comments, and some comparisons (notably `x == null`, which matches both `null` and `undefined`) may intentionally use loose equality. Where possible prefer ESLint's `eqeqeq` rule with `--fix`, which only rewrites comparisons it can prove safe.
|
|
|
|
---
|
|
|
|
## 📋 Verification Checklist
|
|
|
|
After applying fixes, verify:
|
|
|
|
- [ ] XSS vulnerability fixed (render content containing a `<script>` tag, an `<img onerror=…>` handler, an `<svg onload=…>` handler and a `javascript:` link, and confirm none of them executes)
|
|
- [ ] Middleware redirects unauthenticated users on locale-prefixed paths (e.g. `/en/dashboard`), and the API rejects requests carrying an invalid or expired `uat` value — the middleware only checks that the cookie exists
|
|
- [ ] .gitignore prevents committing sensitive files, and `git ls-files -- '.env*' '*.pem'` shows none are already tracked
|
|
- [ ] React Strict Mode enabled (check for warnings)
|
|
- [ ] Axios properly rejects errors
|
|
- [ ] No console statements in production code
|
|
- [ ] All equality operators are strict (===, !==)
|
|
- [ ] Application still functions correctly
|
|
- [ ] Run `npm run lint` and fix any errors
|
|
- [ ] Test authentication flow
|
|
- [ ] Test permission-based routing
|
|
|
|
---
|
|
|
|
## 🚀 Deployment Checklist
|
|
|
|
Before deploying to production:
|
|
|
|
- [ ] All critical fixes applied
|
|
- [ ] Environment variables properly configured
|
|
- [ ] .env files not committed to git
|
|
- [ ] Build succeeds without errors
|
|
- [ ] No console warnings in production build
|
|
- [ ] Security headers configured
|
|
- [ ] HTTPS enabled
|
|
- [ ] Rate limiting implemented
|
|
- [ ] Error monitoring setup (Sentry, etc.)
|
|
- [ ] Backup strategy in place
|
|
|
|
---
|
|
|
|
## 📞 Support
|
|
|
|
If you encounter issues while applying these fixes:
|
|
|
|
1. Check the full CODE_REVIEW.md for detailed explanations
|
|
2. Test each fix individually
|
|
3. Use git to track changes and revert if needed
|
|
4. Consider creating a feature branch for these fixes
|
|
|
|
---
|
|
|
|
**Last Updated:** January 2026
|