[PR #16] [MERGED] Potential fix for code scanning alert no. 45: Clear text storage of sensitive information #14

Closed
opened 2026-03-15 11:26:51 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/atiilla/GeoIntel/pull/16
Author: @atiilla
Created: 3/9/2026
Status: Merged
Merged: 3/9/2026
Merged by: @atiilla

Base: main ← Head: alert-autofix-45


📝 Commits (1)

  • 130096a Potential fix for code scanning alert no. 45: Clear text storage of sensitive information

📊 Changes

1 file changed (+4 additions, -2 deletions)

📝 geointel_ui_template/index.html (+4 -2)

📄 Description

Potential fix for https://github.com/atiilla/GeoIntel/security/code-scanning/45

General approach: avoid persisting the raw API key in browser storage. If we can’t introduce a secure encryption key distinct from the API key itself, client‑side encryption would be effectively security‑through‑obscurity. The safest change, without adding a backend, is to keep the API key only in memory for the lifetime of the page and stop writing it to sessionStorage. We can still store the selected model in localStorage because that’s not sensitive.

Concrete fix:

  • Introduce an in‑memory variable (e.g. let inMemoryApiKey = null;) to hold the current key.
  • Change getStoredApiKey and storeApiKey so they no longer touch sessionStorage. Instead:
    • storeApiKey(key) assigns to inMemoryApiKey and updates indicators.
    • getStoredApiKey() just returns inMemoryApiKey.
  • Remove any direct use of sessionStorage.setItem / .getItem for the API key.
  • Keep the rest of the behavior intact: the API key is still loaded from the input, stored for use by other functions via getStoredApiKey, and the UI indicator logic remains the same.
  • The initialization on window.load that calls updateApiKeyIndicator() and conditionally opens the modal will still work, but now getStoredApiKey() returns a value only after the user has entered a key in this session (which is desirable).

All changes are contained in geointel_ui_template/index.html within the shown script section, around the API key helper functions.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

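Worked example, added here and not taken from the GeoIntel repository or from the Copilot Autofix patch: the storage-backed helpers the alert flagged beside the in-memory helpers the description proposes, plus a reviewer-side scan for credential-looking Web Storage writes. The names storeApiKey, getStoredApiKey, inMemoryApiKey and updateApiKeyIndicator come from the description above; the storage item name, the boolean passed to the indicator, the makeStorage stand-in for window.sessionStorage (so the file runs under Node) and the findSensitiveStorageWrites heuristic are assumptions made for this example.

```javascript
// Added example, not GeoIntel's own code. Item name below is constructed.
const API_KEY_STORAGE_ITEM = 'geointel_api_key';

// Constructed stand-in for the Web Storage API so the example runs outside a browser.
// dump() shows what any script on the same origin could enumerate from storage.
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
    dump: () => Object.fromEntries(data),
  };
}

// BEFORE: the pattern the scanner flagged. The key is written to storage that
// outlives the page and is readable by every script on the origin.
function makeStorageBackedHelpers(storage) {
  function storeApiKey(key) { storage.setItem(API_KEY_STORAGE_ITEM, key); }
  function getStoredApiKey() { return storage.getItem(API_KEY_STORAGE_ITEM); }
  return { storeApiKey, getStoredApiKey };
}

// AFTER: the approach from the PR description. The key lives in a variable for
// the lifetime of the page and is gone on reload or navigation.
// updateApiKeyIndicator(hasKey) is an assumed signature for the UI callback.
function makeInMemoryHelpers(updateApiKeyIndicator) {
  let inMemoryApiKey = null;
  function storeApiKey(key) {
    inMemoryApiKey = key;
    updateApiKeyIndicator(inMemoryApiKey !== null);
  }
  function getStoredApiKey() { return inMemoryApiKey; }
  return { storeApiKey, getStoredApiKey };
}

// Simulates a page reload: helpers are recreated, the storage object survives.
// Returns what each variant reads back afterwards and what sits in storage.
function compareAfterReload(key) {
  const storage = makeStorage();
  const indicatorCalls = [];
  const before = makeStorageBackedHelpers(storage);
  const after = makeInMemoryHelpers((hasKey) => indicatorCalls.push(hasKey));

  before.storeApiKey(key);
  after.storeApiKey(key);

  // "Reload": fresh helper instances; only storage persists.
  const beforeReloaded = makeStorageBackedHelpers(storage);
  const afterReloaded = makeInMemoryHelpers(() => {});

  return {
    beforeReadsBack: beforeReloaded.getStoredApiKey(), // key survives the reload
    afterReadsBack: afterReloaded.getStoredApiKey(),   // null: nothing persisted
    storageContents: storage.dump(),                   // key visible for "before"
    indicatorCalls,
  };
}

// Reviewer-side check over page JavaScript: flag localStorage/sessionStorage
// writes whose item name suggests a credential. Constructed heuristic; a
// non-sensitive item such as the selected model is deliberately not flagged.
function findSensitiveStorageWrites(source) {
  const re = /(localStorage|sessionStorage)\.setItem\(\s*['"]([^'"]+)['"]/g;
  const hits = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    if (/api[_-]?key|token|secret|password/i.test(m[2])) hits.push(`${m[1]}.${m[2]}`);
  }
  return hits;
}

console.log(compareAfterReload('example-key-not-real'));
console.log(findSensitiveStorageWrites(
  "sessionStorage.setItem('apiKey', k); localStorage.setItem('selectedModel', m);"
));
```

The in-memory variant is held in a closure rather than a top-level `let` purely so the two variants can be instantiated side by side in one file; the behaviour the description relies on is the same. Keeping the key out of Web Storage removes it from a place that persists across navigation and is enumerable by any script on the origin; it does not protect against script injected into the page itself, which can read the variable just as it could read the storage item, so the usual content-security and input-handling controls still apply.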
Reference
starred/GeoIntel#14