From a07d0084a16882cff40dc376f1f85c17b1d11b6b Mon Sep 17 00:00:00 2001 From: cyrusagent <208047790+cyrusagent@users.noreply.github.com> Date: Fri, 12 Jun 2026 16:55:23 +0000 Subject: [PATCH] fix(security): resolve playwright goto-injection finding in JS template (INF-1647) The page.goto(sessionUrl) call in the JS scaffold template flows from developer-provided constants (WEBSITE_URL_1/2/3) set at scaffold time, never runtime/untrusted input. Add a scoped nosemgrep suppression with rationale documenting the template-time decision. --- .templates/js/template.js | 1 + 1 file changed, 1 insertion(+) diff --git a/.templates/js/template.js b/.templates/js/template.js index f190451f..ba7442c5 100644 --- a/.templates/js/template.js +++ b/.templates/js/template.js @@ -26,6 +26,7 @@ async function main() { async function fetchData(context, sessionUrl) { // Create a page in a new tab in the browser context and wrap it to get access to the AgentQL's querying API const page = await wrap(await context.newPage()); + // nosemgrep: javascript.playwright.security.audit.playwright-goto-injection -- template scaffold; sessionUrl is a developer-provided constant (WEBSITE_URL_1/2/3) set at scaffold time, never runtime/untrusted input. await page.goto(sessionUrl); // Update the query to locate the desired element on the page