add feature #389

This commit is contained in:
Adam S 2019-10-17 18:27:55 -05:00
parent fca4c7ce19
commit e80056d64e
No known key found for this signature in database
GPG key ID: BC5B2007B40D87D7
2 changed files with 16 additions and 2 deletions


@ -183,6 +183,10 @@ function isGitHubRepository(repository: string): boolean {
return /^https:\/\/github\.com\/|^git@github\.com:/.test(repository || '');
}
function isGitHubBadge(href: string): boolean {
return isGitHubRepository(href) && /[A-Za-z0-9_-]{1,100}\/workflows\/[^<>:;,?"*|/]+\/badge\.svg$/.test(href || '');
}
class ManifestProcessor extends BaseProcessor {
constructor(manifest: Manifest) {
@ -449,7 +453,7 @@ export class MarkdownProcessor extends BaseProcessor {
throw new Error(`Images in ${this.name} must come from an HTTPS source: ${src}`);
}
if (/\.svg$/i.test(srcUrl.pathname) && !isHostTrusted(srcUrl.host)) {
if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
throw new Error(`SVGs are restricted in ${this.name}; please use other file image formats, such as PNG: ${src}`);
}
});
@ -694,7 +698,7 @@ export function validateManifest(manifest: Manifest): Manifest {
throw new Error(`Badge URLs must come from an HTTPS source: ${badge.url}`);
}
if (/\.svg$/i.test(srcUrl.pathname) && !isHostTrusted(srcUrl.host)) {
if (/\.svg$/i.test(srcUrl.pathname) && (!isHostTrusted(srcUrl.host) && !isGitHubBadge(srcUrl.href))) {
throw new Error(`Badge SVGs are restricted. Please use other file image formats, such as PNG: ${badge.url}`);
}
});
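Review bot: The badge regex added in `isGitHubBadge` is anchored only at its end, so any `https://github.com/` URL whose path merely ends in `<segment>/workflows/<segment>/badge.svg` is accepted no matter what precedes that suffix, which is wider than the `owner/repo/workflows/<name>/badge.svg` shape this SVG allowlist is meant to describe; the `{1,100}` bound on the leading segment is meaningless without a `^` anchor, since matching can begin at any position in the path. Whether another github.com route can serve an attacker-controlled SVG under such a suffix I cannot confirm from here, but an allowlist exception to the SVG restriction should match the exact shape rather than a suffix. Suggested one-line body: `return /^https:\/\/github\.com\/[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+\/workflows\/[^<>:;,?"*|/]+\/badge\.svg$/.test(href || '');`, which also makes the `isGitHubRepository` call redundant (its `git@github.com:` alternative can never appear in the parsed `srcUrl.href` the two callers pass in). The bodies of `MarkdownProcessor.onFile` and `validateManifest` that apply this check begin and end outside the hunks shown.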


@ -1615,6 +1615,16 @@ describe('MarkdownProcessor', () => {
assert(file);
});
it('should allow SVG from GitHub actions in image tag', async() => {
const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
const contents = `![title](https://github.com/fakeuser/fakerepo/workflows/fakeworkflowname/badge.svg)`;
const processor = new ReadmeProcessor(manifest, {});
const readme = { path: 'extension/readme.md', contents };
const file = await processor.onFile(readme);
assert(file);
});
it('should prevent SVGs from not trusted sources in img tags', async () => {
const manifest = { name: 'test', publisher: 'mocha', version: '0.0.1', engines: Object.create(null), repository: 'https://github.com/username/repository' };
const contents = `<img src="https://foo/hello.svg" />`;