cleanup github badge validation

This commit is contained in:
João Moreno 2020-06-15 09:41:46 +02:00
parent 6adca5365f
commit 600505a065
No known key found for this signature in database
GPG key ID: 896B853774D1A575
2 changed files with 9 additions and 9 deletions


@ -171,16 +171,16 @@ const TrustedSVGSources = [
'www.versioneye.com'
];
function isHostTrusted(host: string): boolean {
return TrustedSVGSources.indexOf(host.toLowerCase()) > -1;
}
function isGitHubRepository(repository: string): boolean {
return /^https:\/\/github\.com\/|^git@github\.com:/.test(repository || '');
}
function isGitHubBadge(href: string): boolean {
return isGitHubRepository(href) && /[A-Za-z0-9_-]{1,100}\/workflows\/[^<>:;,?"*|/]+\/badge\.svg$/.test(href || '');
return /^https:\/\/github\.com\/[^/]+\/[^/]+\/workflows\/.*badge\.svg/.test(href || '');
}
function isHostTrusted(url: url.UrlWithStringQuery): boolean {
return TrustedSVGSources.indexOf(url.host.toLowerCase()) > -1 || isGitHubBadge(url.href);
}
class ManifestProcessor extends BaseProcessor {
@ -472,7 +472,7 @@ export class MarkdownProcessor extends BaseProcessor {
throw new Error(`Images in ${this.name} must come from an HTTPS source: ${src}`);
}
if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl))) {
throw new Error(`SVGs are restricted in ${this.name}; please use other file image formats, such as PNG: ${src}`);
}
});
@ -717,7 +717,7 @@ export function validateManifest(manifest: Manifest): Manifest {
throw new Error(`Badge URLs must come from an HTTPS source: ${badge.url}`);
}
if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl))) {
throw new Error(`Badge SVGs are restricted. Please use other file image formats, such as PNG: ${badge.url}`);
}
});
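Review bot: The rewritten isGitHubBadge regex in the first hunk has no end anchor and matches the workflow segment with `.*`, and isHostTrusted now hands it `url.href` (query string included), so any github.com URL whose path has a `/workflows/` segment after owner and repo and contains `badge.svg` anywhere later — deeper in the path, or in the query of a path that merely ends in `.svg` — is accepted as a trusted SVG, whereas the removed pattern pinned `badge.svg` to the end and kept `/` out of the workflow name. Because this is the legacy `url.parse` result (the `UrlWithStringQuery` type), dot segments such as `/workflows/../` are also left in `href` for the browser to collapse later, so the regex does not see the path that will actually be fetched. Whether github.com serves an attacker-controlled SVG under such a path is not something this hunk shows, but the check is an allow-list and should match the parsed parts rather than the raw href: `function isGitHubBadge(url: url.UrlWithStringQuery): boolean {` / `return url.host === 'github.com' && /^\/[^/]+\/[^/]+\/workflows\/[^/]+\/badge\.svg$/.test(url.pathname || '');`, with the call in isHostTrusted becoming `isGitHubBadge(url)`; legitimate `?branch=` badges still pass because the query is not part of `pathname`. As a style point, the parameter named `url` shadows the imported `url` module in the same line that uses the module for its type, which compiles but reads confusingly; a name like `parsed` would help.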


@ -1642,7 +1642,7 @@ describe('MarkdownProcessor', () => {
assert(file);
});
it('should allow SVG from GitHub actions in image tag', async() => {
it('should allow SVG from GitHub actions in image tag', async () => {
const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
const contents = `![title](https://github.com/fakeuser/fakerepo/workflows/fakeworkflowname/badge.svg)`;
const processor = new ReadmeProcessor(manifest, {});
@ -1652,7 +1652,7 @@ describe('MarkdownProcessor', () => {
assert(file);
});
it('should prevent SVG from a GitHub repo in image tag', async() => {
it('should prevent SVG from a GitHub repo in image tag', async () => {
const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
const contents = `![title](https://github.com/eviluser/evilrepo/blob/master/malicious.svg)`;
const processor = new ReadmeProcessor(manifest, {});