Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Using
parseInt
is preferred overeval
for handling environment variables becauseparseInt
safely converts a string to an integer without executing any code. In contrast,eval
can execute arbitrary code, which poses a significant security risk if the environment variable contains malicious input. By usingparseInt
, we mitigate the risk of code injection attacks and ensure that only numerical values are processed.While this isn't used in a whole lot of places and the chances of a malicious environment variable is low, it's also a significant performance boost.
Running this script:
I get this output on my local machine (MBA M1-series first gen):
Change Type
Please delete any irrelevant options.
Testing
Tests should pass as normal and no changes should be seen within the app. It should work the same, unless there were environment variable based code being injected.
Checklist
Please delete any irrelevant options.
Copilot Summary
This pull request includes changes to improve the security and robustness of the codebase. The most important changes involve replacing the
eval
function withparseInt
in several files to parse environment variables. This change improves security by avoiding the potential execution of malicious code.Changes to environment variable parsing:
api/models/Session.js
: Replacedeval
withparseInt
for parsing theREFRESH_TOKEN_EXPIRY
environment variable.api/models/userMethods.js
: Replacedeval
withparseInt
for parsing theSESSION_EXPIRY
environment variable.api/server/services/AuthService.js
: Replacedeval
withparseInt
for parsing theREFRESH_TOKEN_EXPIRY
environment variable.Changes to utility functions:
api/server/utils/math.js
: Replacedeval
withparseInt
in themath
function and updated the error message to reflect the change.