Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forms: hidden fields #40329

Draft
wants to merge 1 commit into
base: trunk
Choose a base branch
from
Draft

Forms: hidden fields #40329

wants to merge 1 commit into from
+184 −7

Conversation

CGastrell
Copy link
Contributor

WIP: this is a draft test

Proposed changes:

Add hidden fields on JP forms
TBD

Other information:

  • Have you written new tests for your changes, if applicable?
  • Have you checked the E2E test CI results, and verified that your changes do not break them?
  • Have you tested your changes on WordPress.com, if applicable (if so, you'll see a generated comment below with a script to run)?

Jetpack product discussion

Does this pull request change what data or activity we track or use?

No

Testing instructions:

TBD

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 25, 2024
edited
Loading

Are you an Automattician? Please test your changes on all WordPress.com environments to help mitigate accidental explosions.

  • To test on WoA, go to the Plugins menu on a WordPress.com Simple site. Click on the "Upload" button and follow the upgrade flow to be able to upload, install, and activate the Jetpack Beta plugin. Once the plugin is active, go to Jetpack > Jetpack Beta, select your plugin, and enable the add/forms-hidden-fields branch.

  • To test on Simple, run the following command on your sandbox:

    bin/jetpack-downloader test jetpack add/forms-hidden-fields

Interested in more tips and information?

  • In your local development environment, use the jetpack rsync command to sync your changes to a WoA dev blog.
  • Read more about our development workflow here: PCYsg-eg0-p2
  • Figure out when your changes will be shipped to customers here: PCYsg-eg5-p2

@github-actions github-actions bot added [Block] Contact Form Form block (also see Contact Form label) [Feature] Contact Form [Package] Forms [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Status] In Progress labels Nov 25, 2024
@github-actions GitHub Actions
Copy link
Contributor

Thank you for your PR!

When contributing to Jetpack, we have a few suggestions that can help us test and review your patch:

  • ✅ Include a description of your PR changes.
  • ✅ Add a "[Status]" label (In Progress, Needs Team Review, ...).
  • ✅ Add testing instructions.
  • ✅ Specify whether this PR includes any changes to data or privacy.
  • ✅ Add changelog entries to affected projects

This comment will be updated as you work on your PR and make changes. If you think that some of those checks are not needed for your PR, please explain why you think so. Thanks for cooperation 🤖

The e2e test report can be found here. Please note that it can take a few minutes after the e2e tests checks are complete for the report to be available.

Follow this PR Review Process:

  1. Ensure all required checks appearing at the bottom of this PR are passing.
  2. Choose a review path based on your changes:
    • A. Team Review: add the "[Status] Needs Team Review" label
      • For most changes, including minor cross-team impacts.
      • Example: Updating a team-specific component or a small change to a shared library.
    • B. Crew Review: add the "[Status] Needs Review" label
      • For significant changes to core functionality.
      • Example: Major updates to a shared library or complex features.
    • C. Both: Start with Team, then request Crew
      • For complex changes or when you need extra confidence.
      • Example: Refactor affecting multiple systems.
  3. Get at least one approval before merging.

Still unsure? Reach out in #jetpack-developers for guidance!

Jetpack plugin:

The Jetpack plugin has different release cadences depending on the platform:

  • WordPress.com Simple releases happen semi-continuously (PCYsg-Jjm-p2).
  • WoA releases happen weekly.
  • Releases to self-hosted sites happen monthly. The next release is scheduled for none scheduled (scheduled code freeze on undefined).

If you have any questions about the release process, please ask in the #jetpack-releases channel on Slack.

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 25, 2024
View reviewed changes
projects/packages/forms/src/blocks/contact-form/edit.js
useEffect( () => {
if ( ! hiddenFields.length ) {
setAttributes( {
hiddenFields: [ { uuid: Math.random() * 1000000, name: '', value: '', edit: 'both' } ],

Check failure

Code scanning / CodeQL

Insecure randomness High

This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.

Copilot Autofix AI 1 day ago

To fix the problem, we should replace the use of Math.random() with a cryptographically secure random number generator. In a browser environment, we can use window.crypto.getRandomValues to generate secure random values. This will ensure that the uuid values are not predictable and thus more secure.

We need to modify the code on line 166 to use window.crypto.getRandomValues instead of Math.random(). This involves generating a random value using Uint32Array and then scaling it appropriately.

Suggested changeset 1
projects/packages/forms/src/blocks/contact-form/edit.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/projects/packages/forms/src/blocks/contact-form/edit.js b/projects/packages/forms/src/blocks/contact-form/edit.js
--- a/projects/packages/forms/src/blocks/contact-form/edit.js
+++ b/projects/packages/forms/src/blocks/contact-form/edit.js
@@ -165,3 +165,3 @@
 				setAttributes( {
-					hiddenFields: [ { uuid: Math.random() * 1000000, name: '', value: '', edit: 'both' } ],
+					hiddenFields: [ { uuid: window.crypto.getRandomValues(new Uint32Array(1))[0], name: '', value: '', edit: 'both' } ],
 				} );
EOF
@@ -165,3 +165,3 @@
setAttributes( {
hiddenFields: [ { uuid: Math.random() * 1000000, name: '', value: '', edit: 'both' } ],
hiddenFields: [ { uuid: window.crypto.getRandomValues(new Uint32Array(1))[0], name: '', value: '', edit: 'both' } ],
} );
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
projects/packages/forms/src/blocks/contact-form/edit.js
// if all hidden fields have some value, add an empty one at the end
every( newHiddenFields, 'value' ) &&
newHiddenFields.push( {
uuid: Math.random() * 1000000,

Check failure

Code scanning / CodeQL

Insecure randomness High

This uses a cryptographically insecure random number generated at
Math.random()
Loading
in a security context.

Copilot Autofix AI 1 day ago

To fix the problem, we should replace the use of Math.random() with a cryptographically secure random number generator. In a browser environment, we can use window.crypto.getRandomValues to generate secure random values. This ensures that the generated uuid is not easily predictable.

We will modify the code on line 305 to use window.crypto.getRandomValues to generate a secure random value. This change will involve importing the necessary cryptographic functions and updating the code to generate a secure random number.

Suggested changeset 1
projects/packages/forms/src/blocks/contact-form/edit.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/projects/packages/forms/src/blocks/contact-form/edit.js b/projects/packages/forms/src/blocks/contact-form/edit.js
--- a/projects/packages/forms/src/blocks/contact-form/edit.js
+++ b/projects/packages/forms/src/blocks/contact-form/edit.js
@@ -304,3 +304,3 @@
 				newHiddenFields.push( {
-					uuid: Math.random() * 1000000,
+					uuid: window.crypto.getRandomValues(new Uint32Array(1))[0],
 					name: '',
EOF
@@ -304,3 +304,3 @@
newHiddenFields.push( {
uuid: Math.random() * 1000000,
uuid: window.crypto.getRandomValues(new Uint32Array(1))[0],
name: '',
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
[Block] Contact Form Form block (also see Contact Form label) [Feature] Contact Form [Package] Forms [Plugin] Jetpack Issues about the Jetpack plugin. https://wordpress.org/plugins/jetpack/ [Status] In Progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@CGastrell