AI Fix Prompts for Ourbigbook
Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.
Total prompts: 21 · Critical (P0): 20 · High (P1): 1 · Medium (P2): 0 · Low (P3): 0
Feed these prompts to any AI coder: Claude Code, Cursor, Copilot, GPT, Ollama
#1 · CRITICAL · quick-fix
Remove hard-coded sast: [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data
Tags: security · credentials · sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: web/api/min.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data)
**File**: web/api/min.js
**Line**: 18
**Severity**: CRITICAL
**Current code around the issue:**
```
13 | try {
14 | let query
15 | const q = req.query.q
16 | if (q) {
17 | try {
>>> 18 | query = JSON.parse(q)
19 | } catch(error) {
20 | throw new lib.ValidationError(['Invalid query JSON'], 403)
21 | }
22 | } else {
23 | query = {}
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
Repobility · code-quality intelligence platform · https://repobility.com
#2 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: web/front/EditorPage.tsx
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: web/front/EditorPage.tsx
**Line**: 383
**Severity**: CRITICAL
**Current code around the issue:**
```
378 | openLinksOnNewTabs: true,
379 | },
380 | read_include: read_include_web(cachedIdExists),
381 | ref_prefix: `${ourbigbook.AT_MENTION_CHAR}${ownerUsername}`,
382 | }, convertOptions)
>>> 383 | finalConvertOptions.automaticTopicLinksMaxWords = 0
384 | finalConvertOptions.x_external_prefix = '../'.repeat(window.location.pathname.match(/\//g).length - 1)
385 | editor = new OurbigbookEditor(
386 | ourbigbookEditorElem.current,
387 | bodySource,
388 | monaco,
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#3 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 27
**Severity**: CRITICAL
**Current code around the issue:**
```
22 | if (!('modifyEditorInput' in options)) {
23 | options.modifyEditorInput = (old) => { return { offset: 0, new: old } }
24 | }
25 | this.modifyEditorInput = options.modifyEditorInput
26 | if (!('onDidChangeModelContentCallback' in options)) {
>>> 27 | options.onDidChangeModelContentCallback = (editor, event) => {}
28 | }
29 | if (!('postBuildCallback' in options)) {
30 | options.postBuildCallback = (extra_returns) => {}
31 | }
32 | if (!('scrollPreviewToSourceLineCallback' in options)) {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#4 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: vscode/src/extension.ts
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: vscode/src/extension.ts
**Line**: 703
**Severity**: CRITICAL
**Current code around the issue:**
```
698 | }
699 | return ret
700 | }
701 | }
702 | context.subscriptions.push(
>>> 703 | vscode.languages.registerDefinitionProvider(
704 | { scheme: 'file', language: OURBIGBOOK_LANGUAGE_ID },
705 | new OurbigbookDefinitionProvider(),
706 | )
707 | )
708 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#5 · CRITICAL · quick-fix
Remove hard-coded sast: [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data
Tags: security · credentials · sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: web/api/min.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded sast found ([sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data)
**File**: web/api/min.js
**Line**: 45
**Severity**: CRITICAL
**Current code around the issue:**
```
40 | // TODO need to think about and test privacy issues with this, e.g. email leaking.
41 | //router.get(routes.home(), auth.required, async function(req, res, next) {
42 | // try {
43 | // let query
44 | // try {
>>> 45 | // query = JSON.parse(req.query.query)
46 | // } catch(error) {
47 | // throw new lib.ValidationError(['Invalid query JSON'], 403)
48 | // }
49 | // const ret = {}
50 | // if (query.articleIds) {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#6 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: web/bin/rerender-articles.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: web/bin/rerender-articles.js
**Line**: 28
**Severity**: CRITICAL
**Current code around the issue:**
```
23 | const sequelize = models.getSequelize(path.dirname(__dirname));
24 | (async () => {
25 | await sequelize.models.Article.rerender({
26 | log: true,
27 | convertOptionsExtra: {
>>> 28 | automaticTopicLinksMaxWords: opts.automaticTopicLinksMaxWords,
29 | katex_macros: back_js.preloadKatex(),
30 | },
31 | authors: opts.author,
32 | descendants: opts.descendants,
33 | ignoreErrors: opts.ignoreErrors,
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#7 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 181
**Severity**: CRITICAL
**Current code around the issue:**
```
176 | }
177 | editor.addCommand(monaco.KeyMod.CtrlCmd | monaco.KeyCode.Enter, () => {
178 | this.handleSubmit()
179 | })
180 | editor.onDidChangeModelContent(async (e) => {
>>> 181 | options.onDidChangeModelContentCallback(editor, e)
182 | this.modified = true
183 | await this.convertInput()
184 | });
185 | editor.onDidScrollChange(e => {
186 | const range = editor.getVisibleRanges()[0];
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#8 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 33
**Severity**: CRITICAL
**Current code around the issue:**
```
28 | }
29 | if (!('postBuildCallback' in options)) {
30 | options.postBuildCallback = (extra_returns) => {}
31 | }
32 | if (!('scrollPreviewToSourceLineCallback' in options)) {
>>> 33 | options.scrollPreviewToSourceLineCallback = (opts) => {}
34 | }
35 | if (!('titleSource' in options)) {
36 | options.titleSource = undefined
37 | }
38 | this.options = options
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#9 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 191
**Severity**: CRITICAL
**Current code around the issue:**
```
186 | const range = editor.getVisibleRanges()[0];
187 | const lineNumber = range.startLineNumber
188 | // So that the title bar will show on dynamic website
189 | // when user scrolls to line 1.
190 | const block = lineNumber === 1 ? 'center' : 'start'
>>> 191 | this.scrollPreviewToSourceLine(lineNumber, block);
192 | });
193 | editor.onDidChangeCursorPosition(e => {
194 | this.scrollPreviewToSourceLine(e.position.lineNumber, 'center');
195 | });
196 | this.convertInput();
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#10 · CRITICAL · quick-fix
Remove hard-coded password: Database URL with Password
Tags: security · credentials · password
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: nodejs_webpack_safe.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded password found (Database URL with Password)
**File**: nodejs_webpack_safe.js
**Line**: 731
**Severity**: CRITICAL
**Current code around the issue:**
```
726 | if (ourbigbook_nodejs_front.postgres) {
727 | Object.assign(
728 | db_options,
729 | ourbigbook_nodejs_front.sequelize_postgres_opts,
730 | )
>>> 731 | sequelize = new Sequelize('postgres://ourbigbook_user:a@localhost:5432/ourbigbook_cli', db_options)
732 | } else {
733 | if (storage !== SQLITE_MAGIC_MEMORY_NAME) {
734 | const db_dir = path.dirname(storage);
735 | if (!fs.existsSync(db_dir)) {
736 | fs.mkdirSync(db_dir, { recursive: true });
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('PASSWORD_KEY')` (Python) or `process.env.PASSWORD_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#11 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 194
**Severity**: CRITICAL
**Current code around the issue:**
```
189 | // when user scrolls to line 1.
190 | const block = lineNumber === 1 ? 'center' : 'start'
191 | this.scrollPreviewToSourceLine(lineNumber, block);
192 | });
193 | editor.onDidChangeCursorPosition(e => {
>>> 194 | this.scrollPreviewToSourceLine(e.position.lineNumber, 'center');
195 | });
196 | this.convertInput();
197 | this.ourbigbook_runtime(this.output_elem)
198 |
199 | // https://github.com/cirosantilli/cirosantilli.github.io/issues/200
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#12 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 61
**Severity**: CRITICAL
**Current code around the issue:**
```
56 | root_elem.appendChild(errors_elem);
57 |
58 | monaco.languages.register({ id: 'ourbigbook' });
59 | // TODO replace with our own tokenizer output:
60 | // https://github.com/ourbigbook/ourbigbook/issues/106
>>> 61 | monaco.languages.setMonarchTokensProvider('ourbigbook', {
62 | macroName: /[a-zA-Z0-9_]+/,
63 | tokenizer: {
64 | root: [
65 | [/\\@macroName/, 'macro'],
66 | [/\\./, 'escape'],
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#13 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: editor.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: editor.js
**Line**: 372
**Severity**: CRITICAL
**Current code around the issue:**
```
367 | } else {
368 | console.error(`could not find ID for line ${line_number}: ${id}`);
369 | }
370 | };
371 | }
>>> 372 | this.options.scrollPreviewToSourceLineCallback({ ourbigbook_editor: this, line_number, line_number_orig })
373 | }
374 |
375 | async setTitleSource(titleSource) {
376 | this.titleSource = titleSource
377 | await this.convertInput()
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#14 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: web/back/IssuePage.ts
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: web/back/IssuePage.ts
**Line**: 74
**Severity**: CRITICAL
**Current code around the issue:**
```
69 | issueArticle: articleJson,
70 | issuesCount,
71 | }
72 | if (loggedInUser) {
73 | props.loggedInUser = loggedInUserJson
>>> 74 | props.commentCountByLoggedInUser = commentCountByLoggedInUser
75 | }
76 | return { props }
77 | } else {
78 | return { notFound: true }
79 | }
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#15 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: todo.bigb
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: todo.bigb
**Line**: 85
**Severity**: CRITICAL
**Current code around the issue:**
```
80 | throw new ValidationError(`the parent choice "${newParentId}" would create an infinite loop`)
81 | ^
82 |
83 | ValidationError
84 | at /app/web/convert.js:459:15
>>> 85 | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
86 | at async /app/web/node_modules/sequelize/dist/lib/sequelize.js:463:24
87 | at async Object.convertArticle (/app/web/convert.js:176:3)
88 | at async /app/web/models/article.js:844:9
89 | at async /app/web/node_modules/sequelize/dist/lib/sequelize.js:463:24
90 | at async Article.rerender (/app/web/models/article.js:842:5)
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#16 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: todo.bigb
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: todo.bigb
**Line**: 106
**Severity**: CRITICAL
**Current code around the issue:**
```
101 | ``
102 | failed with:
103 | ``
104 | AssertionError [ERR_ASSERTION]: nested-set: (slug, nestedSetIndex, nestedSetNextSibling, depth): actual: (cirosantilli/natural-science, 419, 3414, 2) !== expected: (@cirosantilli/natural-science, 419, 3411, 2)
105 | at Object.normalize (/app/web/models/index.js:400:20)
>>> 106 | at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
107 | at async /app/web/bin/normalize:28:3 {
108 | generatedMessage: false,
109 | code: 'ERR_ASSERTION',
110 | actual: 3414,
111 | expected: 3411,
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#17 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: vscode/src/extension.ts
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: vscode/src/extension.ts
**Line**: 365
**Severity**: CRITICAL
**Current code around the issue:**
```
360 | )
361 | }))
362 | }
363 | }
364 | }
>>> 365 | context.subscriptions.push(vscode.languages.registerWorkspaceSymbolProvider(new OurbigbookWorkspaceSymbolProvider()))
366 |
367 | /* Ctrl + Shift + O and
368 | * Ctrl + 3: outline: https://stackoverflow.com/questions/55846146/make-vs-code-parse-and-display-the-structure-of-a-new-language-to-the-outline-re
369 | **/
370 | class OurbigbooDocumentSymbolProvider implements vscode.DocumentSymbolProvider {
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#18 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: vscode/src/extension.ts
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: vscode/src/extension.ts
**Line**: 541
**Severity**: CRITICAL
**Current code around the issue:**
```
536 | return ret
537 | }
538 | return []
539 | }
540 | }
>>> 541 | context.subscriptions.push(vscode.languages.registerDocumentSymbolProvider(
542 | { scheme: 'file', language: OURBIGBOOK_LANGUAGE_ID },
543 | new OurbigbooDocumentSymbolProvider()
544 | ))
545 |
546 | /* Autocomplete */
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#19 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: vscode/src/extension.ts
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: vscode/src/extension.ts
**Line**: 636
**Severity**: CRITICAL
**Current code around the issue:**
```
631 | }
632 | return []
633 | }
634 | }
635 | context.subscriptions.push(
>>> 636 | vscode.languages.registerCompletionItemProvider(
637 | { scheme: 'file', language: OURBIGBOOK_LANGUAGE_ID },
638 | new OurbigbookCompletionItemProvider(),
639 | // TODO what does this give us?
640 | '<',
641 | )
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#20 · CRITICAL · quick-fix
Remove hard-coded api_key: Vault Token
Tags: security · credentials · api_key
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: web/models/site.js
Prompt (copy this into your AI assistant):
Fix a hardcoded credential in repository 'ourbigbook__ourbigbook'.
**Issue**: Hard-coded api_key found (Vault Token)
**File**: web/models/site.js
**Line**: 22
**Severity**: CRITICAL
**Current code around the issue:**
```
17 |
18 | Site.prototype.toJson = async function(loggedInUser, opts={}) {
19 | const { transaction } = opts
20 | const pinnedArticle = this.pinnedArticle ? this.pinnedArticle : await this.getPinnedArticle({ transaction })
21 | const ret = {
>>> 22 | automaticTopicLinksMaxWords: this.automaticTopicLinksMaxWords,
23 | }
24 | if (pinnedArticle) {
25 | ret.pinnedArticle = pinnedArticle?.slug
26 | }
27 | return ret
```
**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('API_KEY_KEY')` (Python) or `process.env.API_KEY_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated
**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
#21 · HIGH · moderate
Fix 19 SAST/security code findings
Tags: sast · security · code-fix
Expected outcome: All SAST findings resolved
Files to modify: web/api/min.js, web/api/users.js, ourbigbook_runtime.js, nodejs_webpack_safe.js, web/front/Article.tsx
Prompt (copy this into your AI assistant):
Static analysis found 19 security issues in 'ourbigbook__ourbigbook':
- [CRITICAL] [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data at web/api/min.js:18
- [CRITICAL] [sast:aljefra/taint-deserialization] Insecure Deserialization of Tainted Data at web/api/min.js:45
- [HIGH] [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment at editor.js:292
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at nodejs_webpack_safe.js:415
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at nodejs_webpack_safe.js:428
- [HIGH] [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment at ourbigbook_runtime.js:410
- [HIGH] [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment at ourbigbook_runtime.js:416
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at web/api/users.js:261
- [HIGH] [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment at web/front/Article.tsx:906
- [HIGH] [sast:aljefra/xss-innerhtml] XSS via innerHTML Assignment at web/front/Article.tsx:916
For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule