From fbbab60956acd77b6c336d8617d77756b220fb50 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= <git@marcschaeferger.de>
Date: Sat, 29 Nov 2025 23:39:41 +0100
Subject: [PATCH 1/4] Potential fix for code scanning alert no. 7: Insecure
 randomness

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 server/db/names.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/db/names.ts b/server/db/names.ts
index 2da38f10..84949576 100644
--- a/server/db/names.ts
+++ b/server/db/names.ts
@@ -1,6 +1,7 @@
 import { join } from "path";
 import { readFileSync } from "fs";
 import { db, resources, siteResources } from "@server/db";
+import { randomInt } from "crypto";
 import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { __DIRNAME } from "@server/lib/consts";
@@ -99,10 +100,10 @@ export async function getUniqueExitNodeEndpointName(): Promise<string> {
 export function generateName(): string {
     const name = (
         names.descriptors[
-            Math.floor(Math.random() * names.descriptors.length)
+            randomInt(names.descriptors.length)
         ] +
         "-" +
-        names.animals[Math.floor(Math.random() * names.animals.length)]
+        names.animals[randomInt(names.animals.length)]
     )
         .toLowerCase()
         .replace(/\s/g, "-");

From 3eab3b0827ec159958bae0f0fec2593897ab60eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= <git@marcschaeferger.de>
Date: Sat, 29 Nov 2025 23:39:54 +0100
Subject: [PATCH 2/4] Potential fix for code scanning alert no. 8: DOM text
 reinterpreted as HTML

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/components/LoginForm.tsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/LoginForm.tsx b/src/components/LoginForm.tsx
index 8149989e..dcb7480a 100644
--- a/src/components/LoginForm.tsx
+++ b/src/components/LoginForm.tsx
@@ -410,7 +410,7 @@ export default function LoginForm({
 
                                 <div className="text-center">
                                     <Link
-                                        href={`${env.app.dashboardUrl}/auth/reset-password${form.getValues().email ? `?email=${form.getValues().email}` : ""}`}
+                                        href={`${env.app.dashboardUrl}/auth/reset-password${form.getValues().email ? `?email=${encodeURIComponent(form.getValues().email)}` : ""}`}
                                         className="text-sm text-muted-foreground"
                                     >
                                         {t("passwordForgot")}

From 8df62e8b6a2c577343a5c45f057228a2e8ecaae2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= <git@marcschaeferger.de>
Date: Sat, 29 Nov 2025 23:40:20 +0100
Subject: [PATCH 3/4] Potential fix for code scanning alert no. 19: Inefficient
 regular expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 server/lib/validators.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/lib/validators.ts b/server/lib/validators.ts
index 59776105..71182365 100644
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -68,7 +68,7 @@ export function isUrlValid(url: string | undefined) {
     if (!url) return true; // the link is optional in the schema so if it's empty it's valid
     var pattern = new RegExp(
         "^(https?:\\/\\/)?" + // protocol
-            "((([a-z\\d]([a-z\\d-]*[a-z\\d])*)\\.)+[a-z]{2,}|" + // domain name
+            "((([a-z\\d](?:[a-z\\d-]{0,61}[a-z\\d])?)\\.)+[a-z]{2,}|" + // domain name
             "((\\d{1,3}\\.){3}\\d{1,3}))" + // OR ip (v4) address
             "(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*" + // port and path
             "(\\?[;&a-z\\d%_.~+=-]*)?" + // query string

From 336d31ce39e96cfc21a1e966bb2953d543cf2a8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Sch=C3=A4fer?= <git@marcschaeferger.de>
Date: Sun, 30 Nov 2025 02:41:03 +0100
Subject: [PATCH 4/4] fix(validators): restore 2+ char domain label requirement
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace (?:[a-z\\d-]{0,61}[a-z\\d])? with (?:[a-z\\d-]{1,61}[a-z\\d]) to keep labels 2–63 chars
- Avoid unintentionally allowing single-character labels (e.g. a.com) introduced by the previous regex change

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 server/lib/validators.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/lib/validators.ts b/server/lib/validators.ts
index 71182365..880a2ceb 100644
--- a/server/lib/validators.ts
+++ b/server/lib/validators.ts
@@ -68,7 +68,7 @@ export function isUrlValid(url: string | undefined) {
     if (!url) return true; // the link is optional in the schema so if it's empty it's valid
     var pattern = new RegExp(
         "^(https?:\\/\\/)?" + // protocol
-            "((([a-z\\d](?:[a-z\\d-]{0,61}[a-z\\d])?)\\.)+[a-z]{2,}|" + // domain name
+            "(((?:[a-z\\d-]{1,61}[a-z\\d])\\.)+[a-z]{2,}|" + // domain name
             "((\\d{1,3}\\.){3}\\d{1,3}))" + // OR ip (v4) address
             "(\\:\\d+)?(\\/[-a-z\\d%_.~+]*)*" + // port and path
             "(\\?[;&a-z\\d%_.~+=-]*)?" + // query string