microsoft · Akhileswara-Microsoft · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025 · Dec 12, 2025
@@ -8,21 +8,19 @@ on:
       - 'App/frontend-app/**'
       - 'App/kernel-memory/**'
       - '.github/workflows/codeql.yml'
-    paths-ignore:
-      - '**/.gitignore'
-      - '**/Dockerfile'
-      - '**/.dockerignore'
+      - '!**/.gitignore'
+      - '!**/Dockerfile'
+      - '!**/.dockerignore'
   pull_request:
     branches: [ "main", "dev", "demo" ]
     paths:
       - 'App/backend-api/**'
       - 'App/frontend-app/**'
       - 'App/kernel-memory/**'
       - '.github/workflows/codeql.yml'
-    paths-ignore:
-      - '**/.gitignore'
-      - '**/Dockerfile'
-      - '**/.dockerignore'
+      - '!**/.gitignore'
+      - '!**/Dockerfile'
+      - '!**/.dockerignore'
   schedule:
     - cron: '37 2 * * 5'
 
@@ -55,6 +53,9 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config: |
+          queries:
+            - uses: security-extended
 
     - if: matrix.build-mode == 'manual'
       shell: bash
@@ -65,4 +66,4 @@ jobs:
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3
       with:
-        category: "/language:${{matrix.language}}"
+        category: "/language:${{matrix.language}}"
@@ -90,6 +90,10 @@
         "typescript": "^5.9.3",
         "vite": "^7.1.7"
     },
+    "resolutions": {
+        "qs": "^6.14.1",
+        "glob": "^10.5.0"
+    },
     "volta": {
         "node": "18.16.0",
         "yarn": "1.22.19"

@@ -17,5 +17,14 @@
 		<staticContent>
             <mimeMap fileExtension=".json" mimeType="application/json" />
         </staticContent>
+		<httpProtocol>
+      		<customHeaders>
+        		<!-- Use DENY to block all framing -->
+        		<add name="X-Frame-Options" value="DENY" />
+
+        		<!-- OR use SAMEORIGIN if you need iframe support within your own site -->
+        		<!-- <add name="X-Frame-Options" value="SAMEORIGIN" /> -->
+      		</customHeaders>
+    	</httpProtocol>
 	</system.webServer>
 </configuration>
@@ -601,9 +601,29 @@ export function ChatRoom({ searchResultDocuments, selectedDocuments, chatWithDoc
     );
 }
 function uuidv4() {
-    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function (c) {
-        const r = Math.random() * 16 | 0, v = c === 'x' ? r : (r & 0x3 | 0x8);
-        return v.toString(16);
-    });
+    // Use cryptographically secure random number generation for session IDs
+    const cryptoObj: Crypto | undefined =
+    typeof window !== "undefined" ? window.crypto : undefined;
+    if (cryptoObj && typeof cryptoObj.getRandomValues === "function") {
+        const bytes = new Uint8Array(16);
+        cryptoObj.getRandomValues(bytes);
+
+        // RFC 4122 v4 and variant bits
+        bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
+        bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant RFC 4122
+
+        const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0"));
+        return (
+            hex.slice(0, 4).join("") + "-" +
+            hex.slice(4, 6).join("") + "-" +
+            hex.slice(6, 8).join("") + "-" +
+            hex.slice(8, 10).join("") + "-" +
+            hex.slice(10, 16).join("")
+        );
+    }
+
+// Avoid insecure fallback (Math.random); fail fast if unsupported.
+throw new Error("Secure UUID generation not supported in this environment.");
+
 }
 
@@ -13,10 +13,17 @@ export const PageNumberTab: React.FC<IPageNumberTabProps> = ({ selectedTab, sele
     return null;
   }
 
-  const imageUrl = window.ENV.STORAGE_URL +
-    selectedPageMetadata.document_url.replace(/^(?:\/\/|[^/]+)*\//, "") +
-    "/" 
-
+  const base = window.ENV.STORAGE_URL.replace(/\r|\n/g, "").replace(/\/+$/,"");
+  let path: string;
+  try {
+    path = new URL(selectedPageMetadata.document_url, base).pathname.replace(/^\/+/, "");
+  } catch (error) {
+    // Avoid rendering if the document_url is invalid and cannot be parsed as a URL.
+    console.error("Invalid document URL in PageNumberTab:", selectedPageMetadata.document_url, error);
+    return null;
+  }
+  const imageUrl = `${base}/${path}/`;
+
   return (
     <div className="grid w-full grid-cols-4 justify-between gap-4 overflow-y-auto" style={{ width: "200%" }}>
       <div className="col-span-3 grid justify-between gap-4 overflow-y-auto h-[80%] shadow-xl">

@@ -5132,11 +5132,6 @@ fresh@^2.0.0:
   resolved "https://registry.yarnpkg.com/fresh/-/fresh-2.0.0.tgz#8dd7df6a1b3a1b3a5cf186c05a5dd267622635a4"
   integrity sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==
 
-fs.realpath@^1.0.0:
-  version "1.0.0"
-  resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f"
-  integrity sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==
-
 fsevents@^2.3.3, fsevents@~2.3.2, fsevents@~2.3.3:
   version "2.3.3"
   resolved "https://registry.yarnpkg.com/fsevents/-/fsevents-2.3.3.tgz#cac6407785d03675a2a5e1a5305c697b347d90d6"
@@ -5243,10 +5238,10 @@ glob-parent@^6.0.2:
   dependencies:
     is-glob "^4.0.3"
 
-glob@^10.3.10:
-  version "10.4.5"
-  resolved "https://registry.yarnpkg.com/glob/-/glob-10.4.5.tgz#f4d9f0b90ffdbab09c9d77f5f29b4262517b0956"
-  integrity sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==
+glob@^10.3.10, glob@^10.5.0, glob@^7.1.4:
+  version "10.5.0"
+  resolved "https://registry.yarnpkg.com/glob/-/glob-10.5.0.tgz#8ec0355919cd3338c28428a23d4f24ecc5fe738c"
+  integrity sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==
   dependencies:
     foreground-child "^3.1.0"
     jackspeak "^3.1.2"
@@ -5255,18 +5250,6 @@ glob@^10.3.10:
     package-json-from-dist "^1.0.0"
     path-scurry "^1.11.1"
 
-glob@^7.1.4:
-  version "7.2.3"
-  resolved "https://registry.yarnpkg.com/glob/-/glob-7.2.3.tgz#b8df0fb802bbfa8e89bd1d938b4e16578ed44f2b"
-  integrity sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==
-  dependencies:
-    fs.realpath "^1.0.0"
-    inflight "^1.0.4"
-    inherits "2"
-    minimatch "^3.1.1"
-    once "^1.3.0"
-    path-is-absolute "^1.0.0"
-
 globals@^14.0.0:
   version "14.0.0"
   resolved "https://registry.yarnpkg.com/globals/-/globals-14.0.0.tgz#898d7413c29babcf6bafe56fcadded858ada724e"
@@ -5532,15 +5515,7 @@ indent-string@^4.0.0:
   resolved "https://registry.yarnpkg.com/indent-string/-/indent-string-4.0.0.tgz#624f8f4497d619b2d9768531d58f4122854d7251"
   integrity sha512-EdDDZu4A2OyIK7Lr/2zG+w5jmbuk1DVBnEwREQvBzspBJkCEbRa8GxU1lghYcaGJCnRWibjDXlq779X1/y5xwg==
 
-inflight@^1.0.4:
-  version "1.0.6"
-  resolved "https://registry.yarnpkg.com/inflight/-/inflight-1.0.6.tgz#49bd6331d7d02d0c09bc910a1075ba8165b56df9"
-  integrity sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==
-  dependencies:
-    once "^1.3.0"
-    wrappy "1"
-
-inherits@2, inherits@2.0.4:
+inherits@2.0.4:
   version "2.0.4"
   resolved "https://registry.yarnpkg.com/inherits/-/inherits-2.0.4.tgz#0fa2c64f932917c3433a0ded55363aae37416b7c"
   integrity sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==
@@ -6399,7 +6374,7 @@ keyv@^4.5.4:
     i18next "^25.5.3"
     i18next-browser-languagedetector "^8.2.0"
     i18next-http-backend "^3.0.2"
-    km-app "file:../../../../../../../AppData/Local/Yarn/Cache/v6/npm-km-app-1.0.0-3364c375-9406-4ea7-a926-82d2ee61d0ba-1760537549847/node_modules/km-app"
+    km-app "file:../../../../../AppData/Local/Yarn/Cache/v6/npm-km-app-1.0.0-40f9f2ea-ee53-4cb7-ba64-cdd6b8e2ba8b-1767243556655/node_modules/km-app"
     marked "^16.3.0"
     notistack "^3.0.2"
     pdfjs-dist "^5.4.149"
@@ -6891,7 +6866,7 @@ min-indent@^1.0.0:
   resolved "https://registry.yarnpkg.com/min-indent/-/min-indent-1.0.1.tgz#a63f681673b30571fbe8bc25686ae746eefa9869"
   integrity sha512-I9jwMn07Sy/IwOj3zVkVik2JTvgpaykDZEigL6Rx6N9LbMywwUSMtxET+7lVoDLLd3O3IXwJwvuuns8UB/HeAg==
 
-minimatch@^3.0.4, minimatch@^3.1.1, minimatch@^3.1.2:
+minimatch@^3.0.4, minimatch@^3.1.2:
   version "3.1.2"
   resolved "https://registry.yarnpkg.com/minimatch/-/minimatch-3.1.2.tgz#19cd194bfd3e428f049a70817c038d89ab4be35b"
   integrity sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==
@@ -7100,7 +7075,7 @@ on-finished@^2.4.1:
   dependencies:
     ee-first "1.1.1"
 
-once@^1.3.0, once@^1.4.0:
+once@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/once/-/once-1.4.0.tgz#583b1aa775961d4b113ac17d9c50baef9dd76bd1"
   integrity sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==
@@ -7225,11 +7200,6 @@ path-exists@^4.0.0:
   resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-4.0.0.tgz#513bdbe2d3b95d7762e8c1137efa195c6c61b5b3"
   integrity sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==
 
-path-is-absolute@^1.0.0:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/path-is-absolute/-/path-is-absolute-1.0.1.tgz#174b9268735534ffbc7ace6bf53a5a9e1b5c5f5f"
-  integrity sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==
-
 path-key@^3.0.0, path-key@^3.1.0:
   version "3.1.1"
   resolved "https://registry.yarnpkg.com/path-key/-/path-key-3.1.1.tgz#581f6ade658cbba65a0d3380de7753295054f375"
@@ -7425,10 +7395,10 @@ pure-rand@^7.0.0:
   resolved "https://registry.yarnpkg.com/pure-rand/-/pure-rand-7.0.1.tgz#6f53a5a9e3e4a47445822af96821ca509ed37566"
   integrity sha512-oTUZM/NAZS8p7ANR3SHh30kXB+zK2r2BPcEn/awJIbOvq82WoMN4p62AWWp3Hhw50G0xMsw1mhIBLqHw64EcNQ==
 
-qs@^6.14.0:
-  version "6.14.0"
-  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.0.tgz#c63fa40680d2c5c941412a0e899c89af60c0a930"
-  integrity sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==
+qs@^6.14.0, qs@^6.14.1:
+  version "6.14.1"
+  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.1.tgz#a41d85b9d3902f31d27861790506294881871159"
+  integrity sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ==
   dependencies:
     side-channel "^1.1.0"
 

@@ -67,7 +67,9 @@ public Task CreateIndexDirectoryAsync(
     /// <inheritdoc />
     public async Task DeleteIndexDirectoryAsync(string index, CancellationToken cancellationToken = default)
     {
-        this._log.LogTrace("Deleting index '{0}'", index);
+        this._log.LogTrace(
+            "Deleting index {Index}",
+            index?.Replace("\r", string.Empty).Replace("\n", string.Empty));
         if (string.IsNullOrWhiteSpace(index))
         {
             throw new DocumentStorageException("The index name is empty, stopping the process to prevent data loss");
@@ -126,11 +128,15 @@ public async Task WriteFileAsync(
         var objectKey = $"{index}/{documentId}/{fileName}";
         var len = streamContent.Length;
 
-        this._log.LogTrace("Writing object {0} ...", objectKey);
+        this._log.LogTrace(
+            "Writing object {ObjectKey} ...",
+            objectKey?.Replace("\r", string.Empty).Replace("\n", string.Empty));
 
         if (streamContent.Length == 0)
         {
-            this._log.LogWarning("The file {0} is empty", objectKey);
+            this._log.LogWarning(
+                "The file {ObjectKey} is empty",
+                objectKey?.Replace("\r", string.Empty).Replace("\n", string.Empty));
         }
 
         await this._client.PutObjectAsync(new PutObjectRequest
@@ -140,7 +146,10 @@ await this._client.PutObjectAsync(new PutObjectRequest
             InputStream = streamContent
         }, cancellationToken: cancellationToken).ConfigureAwait(false);
 
-        this._log.LogTrace("Object {0} ready, size {1}", objectKey, len);
+        this._log.LogTrace(
+            "Object {ObjectKey} ready, size {Size}",
+            objectKey?.Replace("\r", string.Empty).Replace("\n", string.Empty),
+            len);
     }
 
     /// <inheritdoc />
@@ -177,7 +186,9 @@ public async Task<StreamableFileContent> ReadFileAsync(
         {
             if (logErrIfNotFound)
             {
-                this._log.LogInformation("File not found: {0}", objectKey);
+                this._log.LogInformation(
+                    "File not found: {ObjectKey}",
+                    objectKey?.Replace("\r", string.Empty).Replace("\n", string.Empty));
             }
 
             throw new DocumentStorageFileNotFoundException("File not found", e);
@@ -199,7 +210,9 @@ private async Task DeleteObjectsByPrefixAsync(string prefix, CancellationToken c
             throw new DocumentStorageException("The object prefix is empty, stopping the process to prevent data loss");
         }
 
-        this._log.LogTrace("Deleting objects with prefix '{0}'", prefix);
+        this._log.LogTrace(
+            "Deleting objects with prefix {Prefix}",
+            prefix.Replace("\r", string.Empty).Replace("\n", string.Empty));
 
         var allObjects = new List<S3Object>();
         var request = new ListObjectsV2Request

@@ -315,7 +315,7 @@ public async Task DeleteAsync(string index, MemoryRecord record, CancellationTok
 
         try
         {
-            this._log.LogDebug("Deleting record {0} from index {1}", id, index);
+            this._log.LogDebug("Deleting record {RecordId} from index {Index}", id?.Replace("\r", string.Empty).Replace("\n", string.Empty), index?.Replace("\r", string.Empty).Replace("\n", string.Empty));
             Response<IndexDocumentsResult>? result = await client.DeleteDocumentsAsync(
                     AzureAISearchMemoryRecord.IdField,
                     new List<string> { id },
@@ -325,7 +325,7 @@ public async Task DeleteAsync(string index, MemoryRecord record, CancellationTok
         }
         catch (RequestFailedException e) when (e.Status == 404)
         {
-            this._log.LogTrace("Index {0} record {1} not found, nothing to delete", index, id);
+            this._log.LogTrace("Index {Index} record {RecordId} not found, nothing to delete", index?.Replace("\r", string.Empty).Replace("\n", string.Empty), id?.Replace("\r", string.Empty).Replace("\n", string.Empty));
         }
     }
 
@@ -403,7 +403,7 @@ private async Task<bool> DoesIndexExistAsync(string index, CancellationToken can
     private SearchClient GetSearchClient(string index)
     {
         var normalIndexName = this.NormalizeIndexName(index);
-        this._log.LogTrace("Preparing search client, index name '{0}' normalized to '{1}'", index, normalIndexName);
+        this._log.LogTrace("Preparing search client, index name {Index} normalized to {NormalizedIndex}", index?.Replace("\r", string.Empty).Replace("\n", string.Empty), normalIndexName?.Replace("\r", string.Empty).Replace("\n", string.Empty));
 
         // Search an available client from the local cache
         if (!this._clientsByIndex.TryGetValue(normalIndexName, out SearchClient? client))

@@ -232,13 +232,13 @@ public async Task<StreamableFileContent> ReadFileAsync(
                     async () => (await blobClient.DownloadStreamingAsync(null, cancellationToken).ConfigureAwait(false)).Value.Content);
             }
 
-            if (logErrIfNotFound) { this._log.LogError("Unable to download file {0}", blobName); }
+            if (logErrIfNotFound) { this._log.LogError("Unable to download file {BlobName}", blobName?.Replace("\r", string.Empty).Replace("\n", string.Empty)); }
 
             throw new DocumentStorageFileNotFoundException("Unable to fetch blob content");
         }
         catch (RequestFailedException e) when (e.Status == 404)
         {
-            this._log.LogInformation("File not found: {0}", blobName);
+            this._log.LogInformation("File not found: {BlobName}", blobName?.Replace("\r", string.Empty).Replace("\n", string.Empty));
             throw new DocumentStorageFileNotFoundException("File not found", e);
         }
     }
@@ -279,7 +279,7 @@ private async Task InternalWriteAsync(
 
         options.HttpHeaders = new BlobHttpHeaders { ContentType = fileType };
 
-        this._log.LogTrace("Writing blob {0} ...", blobName);
+        this._log.LogTrace("Writing blob {BlobName} with type {ContentType} ...", blobName?.Replace("\r", string.Empty).Replace("\n", string.Empty), fileType?.Replace("\r", string.Empty).Replace("\n", string.Empty));
 
         long size;
         switch (content)
@@ -299,12 +299,12 @@ private async Task InternalWriteAsync(
 
         if (size == 0)
         {
-            this._log.LogWarning("The file {0}/{1} is empty", directoryName, fileName);
+            this._log.LogWarning("The file {Directory}/{FileName} is empty", directoryName?.Replace("\r", string.Empty).Replace("\n", string.Empty), fileName?.Replace("\r", string.Empty).Replace("\n", string.Empty));
         }
 
         await this.ReleaseBlobAsync(blobLeaseClient, lease, cancellationToken).ConfigureAwait(false);
 
-        this._log.LogTrace("Blob {0} ready, size {1}", blobName, size);
+        this._log.LogTrace("Blob {BlobName} ready, size {Size}", blobName?.Replace("\r", string.Empty).Replace("\n", string.Empty), size);
     }
 
     private async Task DeleteBlobsByPrefixAsync(string prefix, CancellationToken cancellationToken)
@@ -314,7 +314,7 @@ private async Task DeleteBlobsByPrefixAsync(string prefix, CancellationToken can
             throw new DocumentStorageException("The blob prefix is empty, stopping the process to prevent data loss");
         }
 
-        this._log.LogInformation("Deleting blobs at {0}", prefix);
+        this._log.LogInformation("Deleting blobs at {Prefix}", prefix.Replace("\r", string.Empty).Replace("\n", string.Empty));
 
         AsyncPageable<BlobItem>? blobList = this._containerClient.GetBlobsAsync(prefix: prefix, cancellationToken: cancellationToken);
         await foreach (Page<BlobItem> page in blobList.AsPages().WithCancellation(cancellationToken).ConfigureAwait(false))