fix(ui): security and crash fixes for findings grouped view

[Alan-TheGentleman]

🔗 Part of Chained PRs

Field	Value
Feature Branch	fix/ui-findings-groups-improvements
Main PR	#10513
Chain Position	1 of 4

Chain Overview

         ┌──────────────────────────┐
         │ 📍 #THIS: Security &     │
         │    crash fixes           │
         └────────────┬─────────────┘
                      │
           ┌──────────┴──────────┐
           │                     │
           ▼                     ▼
  ┌─────────────────┐  ┌─────────────────┐
  │ PR #2: Code     │  │ PR #3: Pepe     │
  │ quality         │  │ blockers        │
  └────────┬────────┘  └────────┬────────┘
           │                    │
           └────────┬───────────┘
                    ▼
           ┌─────────────────┐
           │ PR #4: Pepe UX  │
           └────────┬────────┘
                    ▼
           ┌─────────────────┐
           │ #10513 Main PR  │
           │   → master      │
           └─────────────────┘

---

Context

Post-merge security and crash fixes for the findings grouped view (PR #10425 by @alejandrobailo). Issues were identified through adversarial code review (Judgment Day protocol with 2 independent blind judges).

---

Description

5 fixes, 26 tests (17 new), implemented with Strict TDD (Red → Green → Triangulate → Refactor):

1. SSRF/path traversal — checkId was interpolated directly into URL paths without encoding. Added encodeURIComponent(checkId) in both getFindingGroupResources and getLatestFindingGroupResources. Tests cover: normal IDs, path traversal (../../admin), URL-encoded slashes (%2F), and query/fragment injection (?, #).

2. SSR crash — createPortal(_, document.body) was called unconditionally, crashing during server-side rendering where document is undefined. Added isMounted state guard with useEffect. Tests verify portal is NOT called synchronously (before effects fire) and IS called after mount.

3. Invalid Tailwind — mt-[-10] has no unit, so Tailwind 4 generates no CSS (broken layout). Replaced with -mt-2.5 (10px in Tailwind's 4px scale). Test asserts correct class and absence of invalid class.

4. Unbounded page[size] — page[size] was set to resourceUids.length with no cap. Added Math.min(length, 500) as defense-in-depth alongside existing chunking. Tests verify: boundary (500), over-cap (501→split into [500,1]), and under-cap (3).

5. pageRef race condition — loadNextPage incremented pageRef.current before fetchPage, causing permanent page skip if abort fired concurrently. Moved increment inside fetchPage after successful response. Removed redundant pageRef.current = 1 pre-set from refresh(). Tests verify: race between refresh and loadNextPage, sequential page ordering.

TDD Cycle Evidence

Fix	Test File	Safety Net	RED	GREEN	TRIANGULATE
SSRF	finding-groups.test.ts	N/A (new)	✅ 4 failed	✅ 6/6	✅ /, %2F, ?#, normal
SSR	inline-resource-container.test.tsx	N/A (new)	✅ Written	✅ 4/4	✅ 3 guard tests
Tailwind	inline-resource-container.test.tsx	N/A (new)	✅ Failed	✅ 4/4	✅ +/- assertions
page[size]	findings-by-resource.test.ts	✅ 4/4	✅ Failed	✅ 7/7	✅ boundary, cap, chunk
pageRef	use-infinite-resources.test.ts	✅ 7/7	✅ Written	✅ 9/9	✅ race, sequence

Judgment Day: 3 rounds of adversarial review (6 judge delegations). Round 1 caught false-positive tests. Round 2 caught TypeScript error + "use server" export issue. Round 3: both judges CLEAN.

---

Steps to review

1. Check finding-groups.test.ts — verify SSRF test cases cover the attack vectors
2. Check inline-resource-container.test.tsx — verify createPortal spy correctly tests the SSR guard
3. Check use-infinite-resources.test.ts — verify race condition test setup
4. Run cd ui && pnpm vitest run actions/finding-groups/finding-groups.test.ts actions/findings/findings-by-resource.test.ts components/findings/table/inline-resource-container.test.tsx hooks/use-infinite-resources.test.ts — all 26 should pass

---

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me

• Review if the code is being covered by tests.
• Review if backport is needed. — No
• Review if is needed to change the Readme.md — No

UI

• All issue/task requirements work as expected on the UI
• Ensure new entries are added to ui/CHANGELOG.md — Will be in Main PR

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[alejandrobailo]

Review: Approve

Solid security and crash fixes, well-tested with TDD. A couple of observations:

1. pageRef race condition fix is incomplete in isolation

The fix correctly moves pageRef.current = page into fetchPage (post-success) and removes the pre-commit from loadNextPage. However, it also removes pageRef.current = 1 from refresh().

This creates a window where if refresh() is called and the subsequent fetchPage(1, ...) is aborted before completing (e.g., another refresh fires), pageRef.current retains its previous value. Then loadNextPage would calculate the wrong next page.

PR #10515 silently re-adds pageRef.current = 1 in refresh(), which fixes it. But the remove-in-#10514/add-in-#10515 dance is confusing for reviewers. Ideally this should have been complete within this PR.

Not blocking since #10515 fixes it, but worth noting.

2. Duplicate constant

MAX_RESOURCE_FINDING_PAGE_SIZE = 500 is defined alongside the existing FINDING_GROUP_RESOURCES_RESOLUTION_PAGE_SIZE = 500 in findings-by-resource.ts. Same value, same semantic purpose. Consider unifying or documenting why they're separate.