Test internal PR - XSS vulnerability #28
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| - name: Run Promptfoo Code Scan | ||
| uses: promptfoo/code-scan-action@v0 | ||
| uses: promptfoo/code-scan-action@staging |
Check warning
Code scanning / CodeQL
Unpinned tag for a non-immutable Action in workflow Medium
| app.get('/search', (req, res) => { | ||
| const term = req.query.q; | ||
| // XSS vulnerability - rendering unsanitized input | ||
| res.send(`<h1>Results for: ${term}</h1>`); |
Check failure
Code scanning / CodeQL
Reflected cross-site scripting High
![promptfoo-scanner-staging[bot]](https://avatars.githubusercontent.com/in/2441516?s=60&v=4){kind=small}
There was a problem hiding this comment.
👍 All Clear
I reviewed this PR for LLM security vulnerabilities across the six defined classes (Prompt Injection, Data Exfiltration, PII/Secrets in Prompts, Insecure Output Handling, Excessive Agency, and Jailbreak Risks). The changes include a GitHub Actions workflow version update and a test file with an Express.js route handler. No LLM-related code or data flows were identified in this PR.
Minimum severity threshold for this scan: 🟡 Medium | Learn more
|
@promptfoo-scanner-staging |
1 similar comment
|
@promptfoo-scanner-staging |
There was a problem hiding this comment.
👍 All Clear
I reviewed this PR for LLM-specific security vulnerabilities. The changes include a GitHub Actions workflow version update and a test file with a traditional XSS vulnerability. No LLM security issues were identified.
Minimum severity threshold for this scan: 🟡 Medium | Learn more
Testing internal PR scanning flow with staging action