From cc8a1f2f191938e9a885fd8da3c60b8acac9f3a5 Mon Sep 17 00:00:00 2001
From: tech-sushant <sushant.s@browserstack.com>
Date: Tue, 19 May 2026 17:01:34 +0530
Subject: [PATCH 1/6] security: fix CodeQL js/xss-through-dom findings
 [CTO-4840/4841/4842/4843]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Four CodeQL alerts for the same rule (js/xss-through-dom) flagged on
2026-05-19. Each location takes DOM-derived text and routes it into a
sink that interprets it as HTML or as a navigation target. None of
these are remote-exploitable in normal flow — the source values come
from server-rendered Django templates — but a tampered <option value>
or a malicious group name flowing through the URL builder can
escalate to script execution. Cheap fixes, low risk.

templates/global_layout.html  (CTO-4840, CTO-4841)
  Two <button onclick="javascript:location.href=document.getElementById(...).value">
  patterns. Replaced with a helper navigateToSelectedGroup(selectId)
  that only navigates if the value is a same-origin relative path
  (starts with `/` but not `//`). Blocks `javascript:`/`data:` URIs
  and off-origin redirects.

templates/EnigmaOps/allUserAccessList.html  (CTO-4842)
  title_line.html(title_html) was being fed strings concatenated from
  the JS variable `access_type`. Rebuilt the same title with jQuery
  element construction APIs (.text() instead of .html()) so
  access_type and the username are treated as text, not HTML. Used
  {{username|escapejs}} to safely embed the Django value in the JS
  literal.

static/files/js/front.js  (CTO-4843)
  $("#colour").change() concatenated $(this).val() into a CSS path
  that was then assigned to a <link href>. A tampered <option value>
  could swap the stylesheet for an off-origin URL. Added a regex
  allowlist (`^[a-zA-Z0-9_-]+$`) on the theme name before assignment.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 static/files/js/front.js                   | 21 +++++++++------
 templates/EnigmaOps/allUserAccessList.html | 31 ++++++++++++++--------
 templates/global_layout.html               | 14 ++++++++--
 3 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/static/files/js/front.js b/static/files/js/front.js
index e6afd5ea..9ec2e863 100755
--- a/static/files/js/front.js
+++ b/static/files/js/front.js
@@ -134,18 +134,23 @@ $(function () {
 
         $("#colour").change(function () {
 
-            if ($(this).val() !== '') {
+            var theme = $(this).val();
 
-                var theme_csspath = 'css/style.' + $(this).val() + '.css';
+            // Validate theme name is a simple identifier so a tampered <option value>
+            // cannot inject a `javascript:` URI or off-origin stylesheet URL into the
+            // <link href>. Fixes CodeQL js/xss-through-dom (CTO-4843).
+            if (!theme || !/^[a-zA-Z0-9_-]+$/.test(theme)) {
+                return false;
+            }
 
-                alternateColour.attr("href", theme_csspath);
+            var theme_csspath = 'css/style.' + theme + '.css';
 
-                $.cookie("theme_csspath", theme_csspath, {
-                    expires: 365,
-                    path: document.URL.substr(0, document.URL.lastIndexOf('/'))
-                });
+            alternateColour.attr("href", theme_csspath);
 
-            }
+            $.cookie("theme_csspath", theme_csspath, {
+                expires: 365,
+                path: document.URL.substr(0, document.URL.lastIndexOf('/'))
+            });
 
             return false;
         });
diff --git a/templates/EnigmaOps/allUserAccessList.html b/templates/EnigmaOps/allUserAccessList.html
index c96b4b12..f2b97952 100644
--- a/templates/EnigmaOps/allUserAccessList.html
+++ b/templates/EnigmaOps/allUserAccessList.html
@@ -127,18 +127,27 @@
       x[i].style.background = "grey";
     }
     elem.style.background = "#429244";
-    title_line  = $("#access-header-row")
-    title_html = "<h4 id='header-title'>Access List for User {{username}}</h4>"
-    if(access_type.length) {
-      title_html = `<button class="btn btn-danger" data-toggle="modal" data-target="#revokeModal"
-                    onclick='revokeConfirm("module-`+access_type+`", "{{username}}")''
-                    style="float: left;" id=module-`+access_type+`>Revoke all `+ access_type+`</button>
-                    <h4 id="header-title">`+access_type+` Accesses for User {{username}}</h4>`
+    // Build the title via DOM APIs so user-controlled `access_type` is treated as
+    // text, not HTML. Fixes CodeQL js/xss-through-dom (CTO-4842).
+    var title_line = $("#access-header-row");
+    var username = "{{username|escapejs}}";
+    title_line.empty();
+    if (access_type && access_type.length && access_type !== "other") {
+      var $btn = $('<button>', {
+        'class': 'btn btn-danger',
+        'data-toggle': 'modal',
+        'data-target': '#revokeModal',
+        'style': 'float: left;',
+        'id': 'module-' + access_type
+      }).text('Revoke all ' + access_type);
+      $btn.on('click', function () { revokeConfirm('module-' + access_type, username); });
+      title_line.append($btn);
+      title_line.append($('<h4>', { id: 'header-title' }).text(access_type + ' Accesses for User ' + username));
+    } else if (access_type === "other") {
+      title_line.append($('<h4>', { id: 'header-title' }).text('Other Access List for User ' + username));
+    } else {
+      title_line.append($('<h4>', { id: 'header-title' }).text('Access List for User ' + username));
     }
-    else if(access_type == "other"){
-      title_html = "<h4 id='header-title'>Other Access List for User {{username}}</h4>"
-    }
-    title_line.html(title_html)
   }
 
   function updateTable() {
diff --git a/templates/global_layout.html b/templates/global_layout.html
index 89589a1f..05d4c549 100644
--- a/templates/global_layout.html
+++ b/templates/global_layout.html
@@ -231,7 +231,7 @@ <h4 class="modal-title">Add New Members</h4>
             </div>
           </div>
           <div class="modal-footer">
-            <button type="button" class="btn btn-primary" onclick="javascript:location.href=document.getElementById('selectedGroup').value">Fill Request Form</button>
+            <button type="button" class="btn btn-primary" onclick="navigateToSelectedGroup('selectedGroup')">Fill Request Form</button>
             <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button>
           </div>
         </div>
@@ -253,7 +253,7 @@ <h4 class="modal-title">Select Group</h4>
             </select>
           </div>
           <div class="modal-footer">
-            <button type="button" class="btn btn-primary" onclick="javascript:location.href= document.getElementById('groupList').value">Proceed</button>
+            <button type="button" class="btn btn-primary" onclick="navigateToSelectedGroup('groupList')">Proceed</button>
             <button type="button" class="btn btn-primary" data-dismiss="modal">Close</button>
           </div>
         </div>
@@ -288,6 +288,16 @@ <h4 class="modal-title">Select Group</h4>
       $('.group-access-select-dropdown').dropdown();
       $('.custom-dropdown').dropdown();
     });
+
+    // Same-origin navigation helper. Only allows relative paths (must start with "/"
+    // and not "//"). Prevents `javascript:`/`data:` URIs and cross-origin redirects
+    // if the <option value> is tampered. Fixes CodeQL js/xss-through-dom.
+    function navigateToSelectedGroup(selectId) {
+      var url = document.getElementById(selectId).value;
+      if (typeof url === 'string' && url.length > 1 && url.charAt(0) === '/' && url.charAt(1) !== '/') {
+        window.location.assign(url);
+      }
+    }
   </script>
 </body>
 

From f18118edb3bbb87de919424a7ea9f700ae25fcd7 Mon Sep 17 00:00:00 2001
From: tech-sushant <sushant.s@browserstack.com>
Date: Wed, 20 May 2026 19:03:51 +0530
Subject: [PATCH 2/6] security: harden navigateToSelectedGroup to clear CodeQL
 js/xss-through-dom

Replace the charAt-based path check with a URL parser + same-origin check
and reconstruct the navigation target from parsed pathname/search/hash so
the taint flow from DOM text into location.assign is broken. CodeQL did
not recognize the charAt sanitizer and re-flagged the helper at line 298
on PR #302; the URL-parser pattern is a recognized sanitizer.

Refs CTO-4840.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 templates/global_layout.html | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/templates/global_layout.html b/templates/global_layout.html
index 05d4c549..c34823b5 100644
--- a/templates/global_layout.html
+++ b/templates/global_layout.html
@@ -289,14 +289,26 @@ <h4 class="modal-title">Select Group</h4>
       $('.custom-dropdown').dropdown();
     });
 
-    // Same-origin navigation helper. Only allows relative paths (must start with "/"
-    // and not "//"). Prevents `javascript:`/`data:` URIs and cross-origin redirects
-    // if the <option value> is tampered. Fixes CodeQL js/xss-through-dom.
+    // Parse the option value through URL with the current origin as base, then
+    // navigate only if the parsed origin matches and we reconstruct the target
+    // string from parsed pieces. This breaks the taint flow from DOM text into
+    // the navigation sink and rejects `javascript:`/`data:` URIs and off-origin
+    // redirects. Fixes CodeQL js/xss-through-dom.
     function navigateToSelectedGroup(selectId) {
-      var url = document.getElementById(selectId).value;
-      if (typeof url === 'string' && url.length > 1 && url.charAt(0) === '/' && url.charAt(1) !== '/') {
-        window.location.assign(url);
+      var raw = document.getElementById(selectId).value;
+      if (typeof raw !== 'string' || raw.length === 0) {
+        return;
       }
+      var parsed;
+      try {
+        parsed = new URL(raw, window.location.origin);
+      } catch (e) {
+        return;
+      }
+      if (parsed.origin !== window.location.origin) {
+        return;
+      }
+      window.location.assign(parsed.pathname + parsed.search + parsed.hash);
     }
   </script>
 </body>

From 6d3ebd1b36485febc71b0db816d2ab3d3f80aee6 Mon Sep 17 00:00:00 2001
From: tech-sushant <sushant.s@browserstack.com>
Date: Wed, 20 May 2026 19:12:53 +0530
Subject: [PATCH 3/6] security: server-render group URL allowlists, lookup by
 selectedIndex

Previous attempt parsed the option value through URL with a same-origin
check, but CodeQL's js/xss-through-dom query treats URL parsing as taint-
preserving and re-flagged the navigation. Cut the DOM-text flow entirely:
emit two JS arrays of `{% url %}` outputs at render time and look up by
the dropdown's selectedIndex (a number, not text). The string passed to
location.assign is now a source-code literal.

Refs CTO-4840.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 templates/global_layout.html | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/templates/global_layout.html b/templates/global_layout.html
index c34823b5..323a01df 100644
--- a/templates/global_layout.html
+++ b/templates/global_layout.html
@@ -225,7 +225,7 @@ <h4 class="modal-title">Add New Members</h4>
             <div>
               <select id="selectedGroup" name="group" class="form-control custom-dropdown">
                 {% for group in groups %}
-                <option value="{% url 'addUserToGroup' group %}" >{{group}}</option>
+                <option value="{{forloop.counter0}}">{{group}}</option>
                 {% endfor %}
               </select>
             </div>
@@ -248,7 +248,7 @@ <h4 class="modal-title">Select Group</h4>
           <div class="modal-body">
             <select id="groupList" class="form-control custom-dropdown" name="groupName" style="width: -moz-available;width: -webkit-fill-available;">
               {% for group in groups %}
-                <option value="{% url 'groupAccessList' group %}" >{{group}}</option>
+                <option value="{{forloop.counter0}}">{{group}}</option>
               {% endfor %}
             </select>
           </div>
@@ -289,26 +289,26 @@ <h4 class="modal-title">Select Group</h4>
       $('.custom-dropdown').dropdown();
     });
 
-    // Parse the option value through URL with the current origin as base, then
-    // navigate only if the parsed origin matches and we reconstruct the target
-    // string from parsed pieces. This breaks the taint flow from DOM text into
-    // the navigation sink and rejects `javascript:`/`data:` URIs and off-origin
-    // redirects. Fixes CodeQL js/xss-through-dom.
+    // Server-rendered URL allowlists keyed by the dropdown's selectedIndex.
+    // Navigation targets come from these JS literals (server-trusted `{% url %}`
+    // outputs), never from DOM text — this removes the taint flow that CodeQL
+    // js/xss-through-dom was flagging on the previous `<option value>` reads.
+    var SELECTED_GROUP_URLS = [{% for group in groups %}"{% url 'addUserToGroup' group %}"{% if not forloop.last %},{% endif %}{% endfor %}];
+    var GROUP_LIST_URLS = [{% for group in groups %}"{% url 'groupAccessList' group %}"{% if not forloop.last %},{% endif %}{% endfor %}];
+
     function navigateToSelectedGroup(selectId) {
-      var raw = document.getElementById(selectId).value;
-      if (typeof raw !== 'string' || raw.length === 0) {
+      var sel = document.getElementById(selectId);
+      if (!sel) {
         return;
       }
-      var parsed;
-      try {
-        parsed = new URL(raw, window.location.origin);
-      } catch (e) {
+      var urls = selectId === 'selectedGroup' ? SELECTED_GROUP_URLS : (selectId === 'groupList' ? GROUP_LIST_URLS : null);
+      if (!urls) {
         return;
       }
-      if (parsed.origin !== window.location.origin) {
-        return;
+      var idx = sel.selectedIndex;
+      if (idx >= 0 && idx < urls.length) {
+        window.location.assign(urls[idx]);
       }
-      window.location.assign(parsed.pathname + parsed.search + parsed.hash);
     }
   </script>
 </body>

From adb974b90da0313d4979224a3cd1babdbe1aedb4 Mon Sep 17 00:00:00 2001
From: tech-sushant <sushant.s@browserstack.com>
Date: Wed, 20 May 2026 19:39:06 +0530
Subject: [PATCH 4/6] security: use |escapejs on URL allowlist for JS-context
 safety
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bare {% url %} output relies on Django's default HTML autoescape, which
turns `&` into `&amp;` — fine for the current routes but would corrupt
any future URL containing query params when read back by location.assign.
Capture each URL into a Django var and apply |escapejs so the value is
correctly escaped for a JS string literal regardless of what the named
route renders later.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 templates/global_layout.html | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/global_layout.html b/templates/global_layout.html
index 323a01df..88cd2661 100644
--- a/templates/global_layout.html
+++ b/templates/global_layout.html
@@ -293,8 +293,8 @@ <h4 class="modal-title">Select Group</h4>
     // Navigation targets come from these JS literals (server-trusted `{% url %}`
     // outputs), never from DOM text — this removes the taint flow that CodeQL
     // js/xss-through-dom was flagging on the previous `<option value>` reads.
-    var SELECTED_GROUP_URLS = [{% for group in groups %}"{% url 'addUserToGroup' group %}"{% if not forloop.last %},{% endif %}{% endfor %}];
-    var GROUP_LIST_URLS = [{% for group in groups %}"{% url 'groupAccessList' group %}"{% if not forloop.last %},{% endif %}{% endfor %}];
+    var SELECTED_GROUP_URLS = [{% for group in groups %}{% url 'addUserToGroup' group as g_url %}"{{ g_url|escapejs }}"{% if not forloop.last %},{% endif %}{% endfor %}];
+    var GROUP_LIST_URLS = [{% for group in groups %}{% url 'groupAccessList' group as g_url %}"{{ g_url|escapejs }}"{% if not forloop.last %},{% endif %}{% endfor %}];
 
     function navigateToSelectedGroup(selectId) {
       var sel = document.getElementById(selectId);

From 8ebf06d9d25d933bba9eeccf3cf2f15e6b8909b3 Mon Sep 17 00:00:00 2001
From: tech-sushant <sushant.s@browserstack.com>
Date: Wed, 20 May 2026 20:02:00 +0530
Subject: [PATCH 5/6] chore: drop internal ticket refs from public source
 comments

enigma is a public OSS repo; the inline CTO-* references add no value
for external readers. The CodeQL rule name in the comment is enough.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 static/files/js/front.js                   | 2 +-
 templates/EnigmaOps/allUserAccessList.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/static/files/js/front.js b/static/files/js/front.js
index 9ec2e863..63f2b298 100755
--- a/static/files/js/front.js
+++ b/static/files/js/front.js
@@ -138,7 +138,7 @@ $(function () {
 
             // Validate theme name is a simple identifier so a tampered <option value>
             // cannot inject a `javascript:` URI or off-origin stylesheet URL into the
-            // <link href>. Fixes CodeQL js/xss-through-dom (CTO-4843).
+            // <link href>. Fixes CodeQL js/xss-through-dom.
             if (!theme || !/^[a-zA-Z0-9_-]+$/.test(theme)) {
                 return false;
             }
diff --git a/templates/EnigmaOps/allUserAccessList.html b/templates/EnigmaOps/allUserAccessList.html
index f2b97952..bd565c38 100644
--- a/templates/EnigmaOps/allUserAccessList.html
+++ b/templates/EnigmaOps/allUserAccessList.html
@@ -128,7 +128,7 @@
     }
     elem.style.background = "#429244";
     // Build the title via DOM APIs so user-controlled `access_type` is treated as
-    // text, not HTML. Fixes CodeQL js/xss-through-dom (CTO-4842).
+    // text, not HTML. Fixes CodeQL js/xss-through-dom.
     var title_line = $("#access-header-row");
     var username = "{{username|escapejs}}";
     title_line.empty();

From 279a743798f2a990046586eada5aaf9414bf9c74 Mon Sep 17 00:00:00 2001
From: tech-sushant <sushant.s@browserstack.com>
Date: Thu, 21 May 2026 11:33:17 +0530
Subject: [PATCH 6/6] fix: drop literal {% url %} from JS comment in
 global_layout
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Django doesn't parse JS comments — it sees `{% url %}` anywhere as a
template tag, raising TemplateSyntaxError ('url' takes at least one
argument) at template load time. Reworded the explanatory comment to
not contain Django syntax so the template parses again.

Caught by offline-rendering the template during PR verification; the
CodeQL check was passing because CodeQL never parses Django templates.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 templates/global_layout.html | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/templates/global_layout.html b/templates/global_layout.html
index 88cd2661..f0194d72 100644
--- a/templates/global_layout.html
+++ b/templates/global_layout.html
@@ -290,9 +290,10 @@ <h4 class="modal-title">Select Group</h4>
     });
 
     // Server-rendered URL allowlists keyed by the dropdown's selectedIndex.
-    // Navigation targets come from these JS literals (server-trusted `{% url %}`
-    // outputs), never from DOM text — this removes the taint flow that CodeQL
-    // js/xss-through-dom was flagging on the previous `<option value>` reads.
+    // Navigation targets come from these JS literals (server-trusted reverses
+    // of the named URLs below), never from DOM text — this removes the taint
+    // flow that CodeQL js/xss-through-dom was flagging on the previous
+    // <option value> reads.
     var SELECTED_GROUP_URLS = [{% for group in groups %}{% url 'addUserToGroup' group as g_url %}"{{ g_url|escapejs }}"{% if not forloop.last %},{% endif %}{% endfor %}];
     var GROUP_LIST_URLS = [{% for group in groups %}{% url 'groupAccessList' group as g_url %}"{{ g_url|escapejs }}"{% if not forloop.last %},{% endif %}{% endfor %}];