chore/enhanced rstest migration#4317
Conversation
ScriptedAlchemy
commented
Jan 23, 2026
- chore: update jest to vitest
- chore(task): generate stage 1 (manifest)
- chore(task): generate stage 1 (manifest)
- chore(task): generate stage 1 (manifest)
- chore: update enhanced rstest migration artifacts
- test: relax manifest-disable-assets expectations
- chore: remove jest/vitest infra and update rstest
- test: fail config cases without bundles
- chore: restore jest and vitest tooling
- test: tighten rstest harness execution checks
✅ Deploy Preview for module-federation-docs ready!
);
const code = `(function(${args.join(
  ', ',
)}) {${content}\n})`;
Check warning
Code scanning / CodeQL
Improper code sanitization (Medium, test)
Copilot Autofix
AI 3 months ago
In general, to fix this issue you must ensure that any string data used to build executable JavaScript source code is further sanitized beyond JSON.stringify, by escaping characters that could prematurely terminate or alter the surrounding code or a <script> context (e.g. <, >, /, backslash, control characters, Unicode line/paragraph separators). You then use the sanitized string when constructing content so that even if arg is malicious, the generated JavaScript remains syntactically safe.
The best fix here is to introduce a small helper `escapeUnsafeChars` (and a corresponding `charMap`) near the top of this file and apply it to the result of `` JSON.stringify(`./${arg}`) `` when constructing `content` in the `Array.isArray(module)` branch. This preserves existing behavior (the runtime value of the string passed to `require` remains the same) while ensuring that `content` no longer contains problematic characters that CodeQL flags. Concretely:
- Add `charMap` and `escapeUnsafeChars` definitions in `packages/enhanced/test/ConfigTestCases.rstest.ts` after the existing imports and before other logic.
- Change the template string that currently contains `` `require(${JSON.stringify(`./${arg}`)})` `` so that it instead calls `escapeUnsafeChars` on the JSON string: `` `require(${escapeUnsafeChars(JSON.stringify(`./${arg}`))})` ``.
No new external dependencies are required; the helper uses String.prototype.replace and a regular expression.
| @@ -15,6 +15,25 @@ | ||
| rs, | ||
| } from '@rstest/core'; | ||
|
|
||
| const charMap: { [ch: string]: string } = { | ||
| '<': '\\u003C', | ||
| '>': '\\u003E', | ||
| '/': '\\u002F', | ||
| '\\': '\\\\', | ||
| '\b': '\\b', | ||
| '\f': '\\f', | ||
| '\n': '\\n', | ||
| '\r': '\\r', | ||
| '\t': '\\t', | ||
| '\0': '\\0', | ||
| '\u2028': '\\u2028', | ||
| '\u2029': '\\u2029', | ||
| }; | ||
|
|
||
| function escapeUnsafeChars(str: string): string { | ||
| return str.replace(/[<>/\\\b\f\n\r\t\0\u2028\u2029]/g, (x) => charMap[x] || x); | ||
| } | ||
|
|
||
| // Create a require function using __filename (available in CommonJS output mode) | ||
| const nativeRequire = createRequire(__filename); | ||
|
|
||
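Review bot: the `'\\': '\\\\'` entry in charMap, together with the backslash in the regex of escapeUnsafeChars, re-escapes backslashes that JSON.stringify has already emitted, so once the helper is applied to JSON.stringify output a value containing `\` or `"` becomes `\\\\` or `\\"` in the generated source, which changes the runtime value or terminates the literal early, contrary to the "preserves existing behavior" claim. Drop `\\`, `\b`, `\f`, `\n`, `\r`, `\t` and `\0` from both the map and the regex and keep only the characters JSON.stringify leaves raw (`<`, `>`, `/`, U+2028, U+2029). The `'\0': '\\0'` entry is also risky on its own: `\0` followed by a digit is an octal escape, which is a syntax error inside template literals and strict-mode code.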
| @@ -759,7 +778,7 @@ | ||
| content = `module.exports = (${module | ||
| .map( | ||
| (arg: any) => | ||
| `require(${JSON.stringify(`./${arg}`)})`, | ||
| `require(${escapeUnsafeChars(JSON.stringify(`./${arg}`))})`, | ||
| ) | ||
| .join(', ')});`; | ||
| } else { |
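Review bot: `arg` is typed `any` and interpolated into `./${arg}` with no validation before the literal is built. Since these values are module names taken from the test-case config, an allowlist check on the file name (for example rejecting anything outside `[A-Za-z0-9._/-]`) ahead of `require(...)` would state the intent more clearly and reject bad input at its source, independent of how the literal is escaped.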
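Added example, not the project's or the autofix's own code: it reproduces the autofix's charMap so the two strategies can be compared, and contrasts escaping after JSON.stringify (including backslash) with a variant that only encodes the characters JSON.stringify leaves raw. The sample module names are constructed.

```typescript
// Added example (not project code). Compares the autofix's post-JSON.stringify
// escaping with a variant that only touches what JSON.stringify leaves raw.

// The character map from the Copilot autofix, reproduced for comparison.
const autofixMap: Record<string, string> = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F', '\\': '\\\\',
  '\b': '\\b', '\f': '\\f', '\n': '\\n', '\r': '\\r', '\t': '\\t', '\0': '\\0',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Literal as the autofix builds it: JSON.stringify, then the charMap pass.
function autofixLiteral(value: string): string {
  return JSON.stringify(value).replace(
    /[<>/\\\b\f\n\r\t\0\u2028\u2029]/g,
    (c) => autofixMap[c] || c,
  );
}

// JSON.stringify already escapes quotes, backslashes and control characters,
// so a second pass must not touch those. Only '<', '>' (for </script>) and the
// Unicode line/paragraph separators remain raw; encode them as \uXXXX, which
// is valid in both JSON and JavaScript string literals.
function safeLiteral(value: string): string {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).toUpperCase();
    return '\\u' + ('0000' + hex).slice(-4);
  });
}

// Does the literal, read back as a string, still equal the original value?
// JSON.parse is the reader because both builders intend to emit valid JSON.
function roundTrips(literal: string, original: string): boolean {
  try {
    return JSON.parse(literal) === original;
  } catch {
    return false;
  }
}

// Constructed module names of the kind the harness splices into require().
const sampleArgs = ['a.js', 'dir/b"c.js', 'x\\y.js', '</script>.js', 'line\u2028sep.js'];

// For each sample: [name, autofix round-trips?, safe variant round-trips?].
function compare(): Array<[string, boolean, boolean]> {
  return sampleArgs.map((s): [string, boolean, boolean] => [
    s, roundTrips(autofixLiteral(s), s), roundTrips(safeLiteral(s), s),
  ]);
}
```

The autofix variant fails the round trip for any name containing a backslash or a double quote, which is exactly the double-escaping the second pass introduces.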
… guard
- Move afterExecute() before the collected tests check, matching the Jest template flow. SystemJS test cases (e.g. module-federation) rely on afterExecute to trigger deferred module evaluation that registers it() calls.
- Add a guard that fails when a config case produces no exported tests unless testConfig.noTests is explicitly set, preventing silent test coverage loss.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…-migration
# Conflicts:
# .gitignore
# package.json
# packages/enhanced/project.json
# packages/enhanced/test/ConfigTestCases.template.js
@codex review pr