AI Fix Prompts for Oracle Ics Frontend

Copy any prompt below into Claude, ChatGPT, or your AI coding assistant to automatically fix the issue. Each prompt includes full context, code location, and step-by-step fix instructions.

Total Prompts: 16
Critical (P0): 0
High (P1): 16
Medium (P2): 0
Low (P3): 0
HIGH ⚡ quick-fix #1

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/cloud-package.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/cloud-package.api.ts
**Line**: 23
**Severity**: HIGH

**Current code around the issue:**
```
      18 | 
      19 | /**
      20 |  * Fetch all active cloud packages (public, no auth required)
      21 |  */
      22 | export async function getActiveCloudPackages(): Promise<CloudPackage[]> {
>>>   23 |   const res = await fetch(`${API_URL}/cloud-packages/active`, {
      24 |     cache: 'no-store',
      25 |   })
      26 |   if (!res.ok) throw new Error('Failed to fetch cloud packages')
      27 |   return res.json()
      28 | }
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #2

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/cloud-package.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/cloud-package.api.ts
**Line**: 34
**Severity**: HIGH

**Current code around the issue:**
```
      29 | 
      30 | /**
      31 |  * Fetch all cloud packages (admin)
      32 |  */
      33 | export async function getAllCloudPackages(token: string): Promise<CloudPackage[]> {
>>>   34 |   const res = await fetch(`${API_URL}/cloud-packages`, {
      35 |     headers: { Authorization: `Bearer ${token}` },
      36 |     cache: 'no-store',
      37 |   })
      38 |   if (!res.ok) throw new Error('Failed to fetch cloud packages')
      39 |   return res.json()
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #3

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/cloud-package.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/cloud-package.api.ts
**Line**: 43
**Severity**: HIGH

**Current code around the issue:**
```
      38 |   if (!res.ok) throw new Error('Failed to fetch cloud packages')
      39 |   return res.json()
      40 | }
      41 | 
      42 | export async function createCloudPackage(token: string, data: Partial<CloudPackage>): Promise<CloudPackage> {
>>>   43 |   const res = await fetch(`${API_URL}/cloud-packages`, {
      44 |     method: 'POST',
      45 |     headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
      46 |     body: JSON.stringify(data),
      47 |   })
      48 |   if (!res.ok) throw new Error('Failed to create cloud package')
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #4

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/cloud-package.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/cloud-package.api.ts
**Line**: 53
**Severity**: HIGH

**Current code around the issue:**
```
      48 |   if (!res.ok) throw new Error('Failed to create cloud package')
      49 |   return res.json()
      50 | }
      51 | 
      52 | export async function updateCloudPackage(token: string, id: number, data: Partial<CloudPackage>): Promise<CloudPackage> {
>>>   53 |   const res = await fetch(`${API_URL}/cloud-packages/${id}`, {
      54 |     method: 'PATCH',
      55 |     headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
      56 |     body: JSON.stringify(data),
      57 |   })
      58 |   if (!res.ok) throw new Error('Failed to update cloud package')
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #5

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/cloud-package.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/cloud-package.api.ts
**Line**: 63
**Severity**: HIGH

**Current code around the issue:**
```
      58 |   if (!res.ok) throw new Error('Failed to update cloud package')
      59 |   return res.json()
      60 | }
      61 | 
      62 | export async function deleteCloudPackage(token: string, id: number): Promise<void> {
>>>   63 |   const res = await fetch(`${API_URL}/cloud-packages/${id}`, {
      64 |     method: 'DELETE',
      65 |     headers: { Authorization: `Bearer ${token}` },
      66 |   })
      67 |   if (!res.ok) throw new Error('Failed to delete cloud package')
      68 | }
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #6

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/cloud-package.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/cloud-package.api.ts
**Line**: 71
**Severity**: HIGH

**Current code around the issue:**
```
      66 |   })
      67 |   if (!res.ok) throw new Error('Failed to delete cloud package')
      68 | }
      69 | 
      70 | export async function deactivateCloudPackage(token: string, id: number): Promise<CloudPackage> {
>>>   71 |   const res = await fetch(`${API_URL}/cloud-packages/${id}/deactivate`, {
      72 |     method: 'PATCH',
      73 |     headers: { Authorization: `Bearer ${token}` },
      74 |   })
      75 |   if (!res.ok) throw new Error('Failed to deactivate cloud package')
      76 |   return res.json()
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #7

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: api/terms.api.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: api/terms.api.ts
**Line**: 49
**Severity**: HIGH

**Current code around the issue:**
```
      44 | function getApiBase(): string {
      45 |   return API_URL.replace(/\/$/, '')
      46 | }
      47 | 
      48 | export async function getPublicTermsSections(language: string): Promise<PublicTermsSection[]> {
>>>   49 |   const res = await fetch(`${getApiBase()}/terms/public`, {
      50 |     method: 'GET',
      51 |     cache: 'no-store',
      52 |     headers: {
      53 |       'Content-Type': 'application/json',
      54 |       'Accept-Language': language,
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #8

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/admin-deleted/custom-registration/page.tsx
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: app/admin-deleted/custom-registration/page.tsx
**Line**: 86
**Severity**: HIGH

**Current code around the issue:**
```
      81 |   }
      82 |   useEffect(() => {
      83 |     const fetchData = async () => {
      84 |       try {
      85 |         const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3003'
>>>   86 |         const res = await axios.get(`${API_URL}/custom-package-registrations`)
      87 |         setData(res.data)
      88 |         setFilteredData(res.data)
      89 |       } catch (err) {
      90 |         setData([])
      91 |         setFilteredData([])
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #9

Remove hard-coded sast: [sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/admin-deleted/custom-registration/page.tsx
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data)
**File**: app/admin-deleted/custom-registration/page.tsx
**Line**: 40
**Severity**: HIGH

**Current code around the issue:**
```
      35 |   const [filterProcessed, setFilterProcessed] = useState<'all' | 'processed' | 'unprocessed'>('all')
      36 |   const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3003'
      37 | 
      38 |   const handleProcessedChange = async (id: number, value: boolean) => {
      39 |     try {
>>>   40 |       await axios.patch(`${API_URL}/custom-package-registrations/${id}`, { processed: value })
      41 |       setData((prev) => prev.map(item => item.id === id ? { ...item, processed: value } : item))
      42 |     } catch {}
      43 |   }
      44 | 
      45 |   // Excel export function
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #10

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/admin-deleted/users/page.tsx
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: app/admin-deleted/users/page.tsx
**Line**: 223
**Severity**: HIGH

**Current code around the issue:**
```
     218 |   const executeDeleteUser = async () => {
     219 |     if (pendingDeleteUserId === null) return
     220 |     const userId = pendingDeleteUserId
     221 |     setPendingDeleteUserId(null)
     222 |     try {
>>>  223 |       await axios.delete(`${API_URL}/users/${userId}`)
     224 |       toast({ title: t('admin.users.toast.deleteSuccess') })
     225 |       fetchUsers(page, debouncedSearch, sortBy, sortOrder)
     226 |     } catch (error) {
     227 |       console.error('Error deleting user:', error)
     228 |       toast({ title: t('common.error'), description: t('admin.users.toast.deleteError'), variant: 'destructive' })
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #11

Remove hard-coded sast: [sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/admin-deleted/users/page.tsx
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data)
**File**: app/admin-deleted/users/page.tsx
**Line**: 177
**Severity**: HIGH

**Current code around the issue:**
```
     172 | 
     173 |   const saveEditUser = async () => {
     174 |     if (!editingUser) return
     175 |     setEditSaving(true)
     176 |     try {
>>>  177 |       await axios.patch(`${API_URL}/users/${editingUser.id}`, {
     178 |         firstName: editForm.firstName,
     179 |         lastName: editForm.lastName,
     180 |         email: editForm.email,
     181 |         phoneNumber: editForm.phoneNumber || null,
     182 |         company: editForm.company || null,
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #12

Remove hard-coded sast: [sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/admin-deleted/users/page.tsx
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data)
**File**: app/admin-deleted/users/page.tsx
**Line**: 204
**Severity**: HIGH

**Current code around the issue:**
```
     199 |   }
     200 | 
     201 |   // Toggle user active status
     202 |   const toggleUserStatus = async (userId: number, currentStatus: boolean) => {
     203 |     try {
>>>  204 |       await axios.patch(`${API_URL}/users/${userId}`, { isActive: !currentStatus })
     205 |       setUsers(prev => prev.map(user => 
     206 |         user.id === userId ? { ...user, isActive: !currentStatus } : user
     207 |       ))
     208 |     } catch (error) {
     209 |       console.error('Error updating user status:', error)
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #13

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/api/auth/resend-otp/route.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: app/api/auth/resend-otp/route.ts
**Line**: 28
**Severity**: HIGH

**Current code around the issue:**
```
      23 |         { status: 400 }
      24 |       );
      25 |     }
      26 | 
      27 |     // Forward request to backend
>>>   28 |     const response = await fetch(`${API_BASE_URL}/auth/resend-otp`, {
      29 |       method: 'POST',
      30 |       headers: {
      31 |         'Content-Type': 'application/json',
      32 |       },
      33 |       body: JSON.stringify({ email }),
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #14

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: app/api/auth/verify-otp/route.ts
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: app/api/auth/verify-otp/route.ts
**Line**: 26
**Severity**: HIGH

**Current code around the issue:**
```
      21 |         { status: 400 }
      22 |       );
      23 |     }
      24 | 
      25 |     // Forward request to backend
>>>   26 |     const response = await fetch(`${API_BASE_URL}/auth/verify-otp`, {
      27 |       method: 'POST',
      28 |       headers: {
      29 |         'Content-Type': 'application/json',
      30 |       },
      31 |       body: JSON.stringify({ email, otp }),
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚡ quick-fix #15

Remove hard-coded sast: [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL

security credentials sast
Expected outcome: Secret moved to environment variable, no hardcoded credentials in source
Files to modify: components/homepage/customRegistrationForm.tsx
Prompt (copy this into your AI assistant)
Fix a hardcoded credential in repository 'trandinhnamuet__oracle-ics-frontend'.

**Issue**: Hard-coded sast found ([sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL)
**File**: components/homepage/customRegistrationForm.tsx
**Line**: 113
**Severity**: HIGH

**Current code around the issue:**
```
     108 |   detail: JSON.stringify(detail),
     109 |         createdBy: values.userName,
     110 |       }
     111 | 
     112 |       const API_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3003'
>>>  113 |       await axios.post(`${API_URL}/custom-package-registrations`, payload)
     114 | 
     115 |       toast({
     116 |         title: t('homepage.form.customRegistration.success.title'),
     117 |         description: t('homepage.form.customRegistration.success.description'),
     118 |         variant: 'success',
```

**Required fix:**
1. Remove the hardcoded credential from the source code
2. Replace it with an environment variable read: `os.environ.get('SAST_KEY')` (Python) or `process.env.SAST_KEY` (JS)
3. Add the variable name to a `.env.example` file with a placeholder value
4. Ensure `.env` is in `.gitignore`
5. If this credential was ever committed to git, it should be considered compromised and rotated

**Do NOT:**
- Move the secret to a config file that gets committed
- Use a default fallback value that is a real credential
- Leave the old credential in a comment
HIGH ⚙ moderate #16

Fix 15 SAST/security code findings

sast security code-fix
Expected outcome: All SAST findings resolved
Files to modify: api/terms.api.ts, app/admin-deleted/users/page.tsx, api/cloud-package.api.ts, app/admin-deleted/custom-registration/page.tsx
Prompt (copy this into your AI assistant)
Static analysis found 15 security issues in 'trandinhnamuet__oracle-ics-frontend':

- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/cloud-package.api.ts:23
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/cloud-package.api.ts:34
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/cloud-package.api.ts:43
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/cloud-package.api.ts:53
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/cloud-package.api.ts:63
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/cloud-package.api.ts:71
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at api/terms.api.ts:49
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/admin-deleted/custom-registration/page.tsx:86
- [HIGH] [sast:aljefra/taint-ssrf] Server-Side Request Forgery via Tainted Data at app/admin-deleted/custom-registration/page.tsx:40
- [HIGH] [sast:aljefra/ssrf-http-client] SSRF via HTTP Client with Dynamic URL at app/admin-deleted/users/page.tsx:223

For each finding:
- SQL injection: use parameterized queries
- Command injection: use subprocess with list args, no shell=True
- Path traversal: validate and sanitize paths
- Insecure deserialization: use json instead of pickle
- IaC misconfigs: apply the suggested fix from the rule