Fix: Incomplete Data Cleaning Could Allow Malicious Content Through in lib/handlers/handlerUtils/actHandlerUtils.ts #879

Open
wants to merge 1 commit into
base: main

kira-offgrid

Context and Purpose:

This PR automatically remediates a security vulnerability:

  • Description: val.trim().replace method will only replace the first occurrence when used with a string argument ("%"). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.
  • Rule ID: javascript.lang.security.audit.incomplete-sanitization.incomplete-sanitization
  • Severity: LOW
  • File: lib/handlers/handlerUtils/actHandlerUtils.ts
  • Lines Affected: 242 - 242

This change is necessary to protect the application from potential security risks associated with this vulnerability.

Solution Implemented:

The automated remediation process has applied the necessary changes to the affected code in lib/handlers/handlerUtils/actHandlerUtils.ts to resolve the identified issue.

Please review the changes to ensure they are correct and integrate as expected.

…e-sanitization-lib-handlers-handlerUtils-actHandlerUtils.ts

changeset-bot bot commented Jul 14, 2025

⚠️ No Changeset found

Latest commit: f663bdb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Contributor

@greptile-apps greptile-apps bot left a comment

Greptile Summary

This PR fixes a security vulnerability in the parsePercent function within actHandlerUtils.ts. The change addresses incomplete string sanitization where the original code only replaced the first occurrence of the '%' character using replace('%', ''). The fix implements a global regex replacement using replace(/%/g, '') to ensure all '%' characters are properly removed from the input string.

This function is used in the scroll functionality of Stagehand, specifically in the scrollElementToPercentage handler, which allows scrolling elements or the page to a specific percentage. While the impact of this vulnerability was limited (since the parsed value is always clamped between 0 and 100), proper input sanitization is crucial for maintaining secure coding practices.

Confidence score: 5/5

  1. This PR is completely safe to merge and improves code security
  2. The change is minimal, focused, and uses a well-established pattern for global string replacement
  3. No specific files need additional attention - the change is self-contained and straightforward

1 file reviewed, no comments
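Added example, not part of this PR or of Stagehand's code: the first-occurrence-only behaviour the rule flags, next to the global-regex form, run over constructed inputs. The function names, the `parseFloat`-then-clamp step, and the strict allow-list variant are assumptions made for illustration.

```javascript
// Added example, not Stagehand's code: all function names are hypothetical.

// Pre-fix behaviour: a string pattern removes only the first match.
function stripFirstPercent(val) {
  return val.trim().replace("%", "");
}

// Post-fix behaviour: the global flag removes every match.
function stripAllPercent(val) {
  return val.trim().replace(/%/g, "");
}

// Assumption: the cleaned string is parsed as a float and clamped to 0..100.
function toClampedPercent(cleaned) {
  const n = parseFloat(cleaned);
  return Number.isNaN(n) ? 0 : Math.max(0, Math.min(n, 100));
}

// Stricter alternative: validate the whole input against an allow-list
// pattern and reject anything else instead of stripping characters.
function parsePercentStrict(val) {
  const m = /^(\d+(?:\.\d+)?)%?$/.exec(val.trim());
  if (!m) throw new RangeError(`not a percentage: ${JSON.stringify(val)}`);
  return Math.min(parseFloat(m[1]), 100);
}

// Constructed sample inputs.
const samples = ["50%", " 75% ", "50%%", "%%50", "5%0%", "150%"];

function compare(inputs) {
  return inputs.map((input) => {
    let strict;
    try { strict = parsePercentStrict(input); } catch { strict = "rejected"; }
    return {
      input,
      first: stripFirstPercent(input),
      all: stripAllPercent(input),
      firstValue: toClampedPercent(stripFirstPercent(input)),
      allValue: toClampedPercent(stripAllPercent(input)),
      strict,
    };
  });
}

console.table(compare(samples));
```

For `"50%%"` the two forms leave different strings (`"50%"` and `"50"`) but both clamp to 50 because `parseFloat` ignores trailing characters; for `"%%50"` the first-only form yields `NaN` (0 here) while the global form yields 50.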
