Open
Labels: documentation (Improvements or additions to documentation)
Description
Issue Report
Bellese Code Review of MCT Repo (9-1-23).pdf
Expected behavior
Our friends over at Bellese have conducted another code review of the MCT codebase, and identified a few issues that they would like the project to address.
Attached is that review above for future reference.
As I see it, highest priority should be resolved pre-release, lower priority can be resolved post-release. If y'all think these priorities should be shifted, please comment here with updated lists.
Highest Priority:
- Path Traversal Vulnerability in MctConfig.java #32
- Backend: Version Bumping #43
- Unvalidated/Unsanitized user input in src/store/reducers/data.js #36
- .env committed to repo #40
Lower Priority:
- Google Fonts Dependency (unticketed)
- lodash dependency swap? #41
- Front-end: Examine Select-all Behavior in FacilitiesMultiSelect.js #33
- Missing Route-based access control? #34
- Missing 404, and other Error Pages? #35
- Hardcoded values in src/store/reducers/filter.js #37
- Missing Security Headers? #38
- DOCKERFILE Improvements #39